There have been a number of cases where laptops and mobile devices containing sensitive data have been stolen. Using host encryption technologies such as BitLocker can secure the data on the device, so that the impact of a theft is reduced to the loss of the asset rather than the loss of the data it contains.
BitLocker Drive Encryption
BitLocker Drive Encryption is a security feature introduced in Windows Vista (Enterprise and Ultimate editions) and in Windows Server 2008. It can therefore protect servers at locations such as a GP Surgery as well as the mobile computers used by roaming staff.
The Group Policy feature of Windows Server 2008 allows administrators to set a corporate encryption policy. When combined with BitLocker encryption, this provides additional security for GP Surgeries, sites with limited IT support, or sites at risk of security breaches. BitLocker provides offline data and operating-system protection by ensuring that data stored on the computer is not revealed if the machine is tampered with while the installed operating system is offline. BitLocker optionally uses a Trusted Platform Module (TPM) to provide enhanced protection for data and to check the integrity of the early boot components: the TPM releases the volume key only if the BIOS, boot sector and boot manager measure the same as they did when BitLocker was turned on, so a modified boot path leaves the drive locked and forces the user into recovery. This helps protect data from theft or unauthorised viewing by encrypting the entire Windows volume.
BitLocker prevents a thief who boots another operating system or runs a malicious software tool from bypassing Windows file and system protections, or from viewing the files stored on the protected drive offline. It protects data while the system is offline because it encrypts the entire Windows volume, including user data and system files, the hibernation file, the page file and temporary files. This gives umbrella protection to third-party applications, which receive the benefits of BitLocker automatically when they are installed on an encrypted volume. The caveat is that BitLocker is protection for data at rest only: once Windows has booted and a user has logged on, the volume is unlocked, so it does nothing against malware or an attacker who walks up to a logged-on machine, and a laptop left in sleep (rather than hibernation or shut down) still has its volume key in memory.
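A practitioner wants to know not just that BitLocker is turned on but that it is actually protecting the volume: a drive that is fully encrypted but whose key protectors are suspended is unlocked by a clear key stored on the disk itself and is readable by a thief. The script below, an added example rather than anything from the original post, checks the TPM state and every encryptable volume through the WMI provider that BitLocker exposes on Windows Vista and Server 2008 onwards (the same data `manage-bde -status` reports). `$ComputerName` is an assumed parameter; run it from an elevated prompt.

```powershell
# Added example, not from the original post. Checks that a machine is really
# protected by BitLocker with a TPM-bound protector plus a recovery protector.
param([string]$ComputerName = '.')   # assumed parameter; '.' = local machine

$encNs = 'root\CIMV2\Security\MicrosoftVolumeEncryption'
$tpmNs = 'root\CIMV2\Security\MicrosoftTpm'

# Codes returned by Win32_EncryptableVolume.GetKeyProtectorType()
$protectorNames = @{ 1 = 'TPM'; 2 = 'External key'; 3 = 'Numerical password (recovery)';
                     4 = 'TPM+PIN'; 5 = 'TPM+startup key'; 6 = 'TPM+PIN+startup key';
                     7 = 'Public key'; 8 = 'Passphrase' }
$tpmFamily = 1, 4, 5, 6    # protector types that seal the key to the measured boot path

# 1. TPM: must be enabled, activated and owned before BitLocker can use it
$tpm = Get-WmiObject -Namespace $tpmNs -Class Win32_Tpm -ComputerName $ComputerName
if ($tpm) {
    'TPM enabled={0} activated={1} owned={2}' -f `
        $tpm.IsEnabled().IsEnabled, $tpm.IsActivated().IsActivated, $tpm.IsOwned().IsOwned
} else {
    Write-Warning 'No TPM found: BitLocker can only use a USB startup key on this machine'
}

# 2. Every encryptable volume: encrypted? protection ON? which protectors unlock it?
#    ProtectionStatus 0 with a fully encrypted volume means the protectors are
#    suspended and a clear key on the disk unlocks it, i.e. no real protection.
$volumes = Get-WmiObject -Namespace $encNs -Class Win32_EncryptableVolume -ComputerName $ComputerName
foreach ($vol in $volumes) {
    $protection = $vol.GetProtectionStatus().ProtectionStatus   # 0 off, 1 on, 2 unknown
    $conversion = $vol.GetConversionStatus()                    # ConversionStatus 1 = fully encrypted
    $types = @()
    foreach ($id in $vol.GetKeyProtectors(0).VolumeKeyProtectorID) {   # 0 = all protector types
        $types += [int]$vol.GetKeyProtectorType($id).KeyProtectorType
    }
    $names       = $types | ForEach-Object { $protectorNames[$_] }
    $hasTpm      = [bool]($types | Where-Object { $tpmFamily -contains $_ })
    $hasRecovery = $types -contains 3
    $ok = ($protection -eq 1) -and ($conversion.ConversionStatus -eq 1) -and $hasTpm -and $hasRecovery
    '{0} encrypted={1}% protection={2} protectors=[{3}] => {4}' -f `
        $vol.DriveLetter, $conversion.EncryptionPercentage, $protection, ($names -join ', '), `
        $(if ($ok) { 'OK' } else { 'NOT PROTECTED - investigate' })
}
```

The pass condition is deliberately strict: a TPM-family protector (so the key is tied to the boot measurements) and a numerical-password recovery protector (so the helpdesk can recover the data when the TPM or boot path changes) both have to be present, and the volume must be both fully encrypted and switched on. Run it against a sample of laptops after the Group Policy rollout rather than trusting the policy alone.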
There is also the Encrypting File System (EFS), which Microsoft introduced with Windows 2000 and which is available in Windows XP and Windows Vista. EFS provides the core file encryption technology used to store encrypted files on NTFS volumes. Unlike BitLocker, which encrypts a whole volume, EFS encrypts individual files and folders. After you encrypt a file or folder with EFS, you work with it just as you do with any other file or folder: encryption is transparent to the user who encrypted it, so you do not have to decrypt a file manually before you can use it. You open and change it as you normally would.
Using EFS is similar to using permissions on files and folders in that both restrict who can access data, but the two fail differently. NTFS permissions are enforced by the running operating system and count for nothing once a thief boots another operating system or reads the disk in a different machine; an EFS file is encrypted with a key that is itself protected by the user's certificate and logon credentials, so an intruder who gains unauthorised physical access to the disk still cannot read the contents. Similarly, another user who tries to open or copy your encrypted file or folder receives an access-denied message. Two caveats: EFS protects file contents, not file names or directory listings, and the private key is only as strong as the logon password guarding it, so pair EFS with a strong password policy and always configure a data recovery agent so that a lost key does not mean lost data.
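Because EFS works per file, the practical questions are whether every file in a sensitive folder is actually encrypted, who holds a key that can open it, and what happens when it is copied somewhere that cannot hold an EFS file. The following script is an added example (not from the original post): it encrypts a folder, audits it for files without the Encrypted attribute, lists the certificates bound to the files, and refuses to copy to a non-NTFS destination such as a FAT32 USB stick. `$Folder` and `$UsbRoot` are assumed paths.

```powershell
# Added example, not from the original post. Encrypt a folder with EFS, verify
# the result, and guard against copies that would silently lose the protection.
param(
    [string]$Folder  = "$env:USERPROFILE\Documents\Referrals",   # assumed path
    [string]$UsbRoot = 'E:\'                                      # assumed USB drive
)

# Encrypt the folder and its contents; files created inside it later inherit
# encryption. Per-file equivalent: [System.IO.File]::Encrypt($path)
cipher.exe /e /s:"$Folder" | Out-Null

function Get-UnencryptedFiles([string]$Path) {
    # Files under $Path that lack the Encrypted attribute, e.g. files a tool
    # wrote before the folder was encrypted or restored from a backup.
    Get-ChildItem -Path $Path -Recurse -Force | Where-Object {
        -not $_.PSIsContainer -and
        (([int]$_.Attributes -band [int][System.IO.FileAttributes]::Encrypted) -eq 0)
    }
}

$plain = @(Get-UnencryptedFiles $Folder)
if ($plain.Count -gt 0) {
    Write-Warning "$($plain.Count) file(s) under $Folder are still unencrypted:"
    $plain | ForEach-Object { "  $($_.FullName)" }
}

# Who can open each file? cipher /c lists the user certificate(s) and the
# recovery agent certificate bound to it. A file with no recovery agent is
# lost if the user's key is (profile deleted, local password reset by an admin).
cipher.exe /c "$Folder"

# Only NTFS can store an EFS file. The plain CopyFile API fails when the
# destination cannot encrypt; tools that opt in (Explorer after its warning,
# xcopy /G) write plaintext instead. Check the file system before copying.
$qualifier = Split-Path -Qualifier $UsbRoot     # e.g. 'E:'
$fs = (Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$qualifier'").FileSystem
if ($fs -ne 'NTFS') {
    throw "Destination $qualifier is $fs: EFS protection would be lost. Use RMS for the file or encrypt the stick instead."
}
Copy-Item -Path $Folder -Destination $UsbRoot -Recurse
```

The attribute check is the part worth keeping in a scheduled job: encrypting a folder is a one-off action, but the files that matter are the ones that arrive afterwards, and the Encrypted attribute is the only reliable sign that a given file is actually covered.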
What's more, there is CUI guidance (and tooling) available for running EFS in the NHS!
As part of the Enterprise Agreement, all machines in the NHS are licensed to use Forefront Client Security. Forefront delivers unified protection against emerging threats such as spyware and rootkits, as well as traditional threats such as viruses, worms and Trojan horses, using a single agent for the protection, detection and removal of malware.
A frighteningly large number of mobile telephones are mislaid, lost or stolen each year. As these devices get smarter, we store more and more business data on them. With Windows Mobile, Microsoft Exchange and System Center Mobile Device Manager, these devices can be managed effectively over the air.
Example Mobile Policy
You can now add Windows Mobile devices to Active Directory (as you do today with network resources such as PCs, servers and printers), which lets IT professionals set and control policies in a single environment and makes Windows Mobile devices "first-class citizens" in the organisation's IT infrastructure. IT administrators can lock down communications for compliance and confidentiality purposes, including disabling Bluetooth, SMS/MMS, WLAN, infrared, POP/IMAP e-mail and the camera.
The application allow and deny feature lets IT professionals decide which software applications may run on which devices, for productivity, compliance or other business reasons, giving the enterprise control over what software can be installed and run on the organisation's Windows Mobile devices. It also enables full file encryption on the Windows Mobile-powered device, designed to increase the security of sensitive files and NHS data. Coupled with storage card encryption, Windows Mobile is designed to offer full data encryption on the device.
In terms of access to internal resources, the Mobile Device Manager Mobile VPN is designed specifically for mobile devices to give the best possible user experience. Mobile Device Manager also offers the IT professional key services such as device provisioning, software deployment, device inventory and reporting, a helpdesk console, role-based administration and device wipe.
So if a senior executive is separated from their mobile device they can issue a remote device wipe themselves through Outlook Web Access, without involving the IT support team, which helps reduce the chances of corporate data falling into the wrong hands. With Direct Push the device normally keeps a connection open to the server, so the wipe takes effect within moments rather than at the next scheduled sync. A device that has been switched off or had its SIM removed only receives the command when it next connects, which is why the device-side policy (PIN required, local wipe after a set number of failed attempts, encrypted storage) matters just as much as the "wipe now" button.
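Under the "Example Mobile Policy" heading above, the controls described (PIN, lockout, device and storage card encryption, disabling radios and the camera, remote wipe) map onto an Exchange ActiveSync mailbox policy, which is what a Windows Mobile 6.1 device enforces when it syncs; System Center Mobile Device Manager applies the same kinds of settings through Group Policy. The block below is an added example written for the Exchange 2007 SP1 Management Shell, not configuration from the original post; the policy name and the mailbox `jane.smith` are assumptions.

```powershell
# Added example, not from the original post. An Exchange 2007 SP1 ActiveSync
# mailbox policy carrying the device controls described in the post, assigned
# to a mailbox, followed by the helpdesk-side remote wipe and its confirmation.

# Baseline policy: PIN with lockout-wipe, encrypted device and card, radios and
# camera off, and no sync for devices that cannot enforce the policy.
New-ActiveSyncMailboxPolicy -Name 'NHS-Mobile-Baseline' `
    -DevicePasswordEnabled $true `
    -AlphanumericDevicePasswordRequired $true `
    -AllowSimpleDevicePassword $false `
    -MinDevicePasswordLength 6 `
    -MaxInactivityTimeDeviceLock '00:05:00' `
    -MaxDevicePasswordFailedAttempts 8 `
    -DeviceEncryptionEnabled $true `
    -RequireStorageCardEncryption $true `
    -AllowBluetooth 'Disable' `
    -AllowIrDA $false `
    -AllowWiFi $false `
    -AllowCamera $false `
    -AllowPOPIMAPEmail $false `
    -AllowNonProvisionableDevices $false

# Assign the policy to a mailbox (assumed user) and confirm the assignment
Set-CASMailbox -Identity 'jane.smith' -ActiveSyncMailboxPolicy 'NHS-Mobile-Baseline'
Get-CASMailbox -Identity 'jane.smith' | Format-List ActiveSyncMailboxPolicy

# Remote wipe from the helpdesk side (the user can do the same from OWA).
# The wipe is queued server-side and delivered when the device next connects;
# DeviceWipeSentTime/DeviceWipeAckTime show whether it actually happened.
$devices = @(Get-ActiveSyncDeviceStatistics -Mailbox 'jane.smith')
$devices | Format-Table DeviceID, DeviceType, LastSuccessSync, DeviceWipeRequestTime
Clear-ActiveSyncDevice -Identity $devices[0].Identity -Confirm:$false
Get-ActiveSyncDeviceStatistics -Mailbox 'jane.smith' |
    Format-Table DeviceID, DeviceWipeSentTime, DeviceWipeAckTime
```

`MaxDevicePasswordFailedAttempts` is the setting that covers the offline-thief case: the device wipes itself locally after eight wrong PINs whether or not it ever talks to the server again. The application allow and deny lists described above are the `ApprovedApplicationList` and `UnapprovedInROMApplicationList` parameters of the same cmdlet, and `AllowNonProvisionableDevices $false` is what stops an older or non-Microsoft client that cannot enforce the policy from syncing the mailbox anyway.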
Most information workers in the NHS have at least one USB drive (maybe even from a Microsoft event!). These are great for carrying data around, but they can introduce security issues. I just wanted to highlight a couple of solutions that immediately help with this without physically blocking the USB ports on all of your machines. In Windows Vista we have extended Group Policy to control the USB ports and, more importantly, which USB devices are allowed inside the organisation, either by blocking removable storage outright, making it read-only, or allowing only approved device models. Also, in the previous article I described Windows Rights Management Services (RMS), which provides persistent protection: an RMS-protected file stays protected whether it is on someone's hard drive, sent over e-mail or moved around on a USB stick, because the key to open it is issued by the RMS server to authorised users rather than travelling with the file.
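To build an allow list you first need the hardware IDs of the USB storage models you approve, and before putting the settings in a domain GPO it helps to apply them to one test machine and confirm the effect. The functions below are an added example (not from the original post): they read the hardware IDs Windows has recorded for USB storage, and write the registry values that the Vista "Removable Storage Access" and "Device Installation Restrictions" Group Policy settings produce. Run elevated; the approved hardware ID in the usage line is an assumption.

```powershell
# Added example, not from the original post. Inventory USB storage hardware IDs
# and mirror the Vista USB control policies on a single machine for testing.

function Get-UsbStorageHardwareIds {
    # Windows records every USB storage device it has seen under
    # HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR\<device>\<instance>. The
    # HardwareID multi-string there is what Device Manager shows under
    # Details > Hardware Ids and what the device-ID allow/deny lists match on.
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR' | ForEach-Object {
        Get-ChildItem $_.PSPath | ForEach-Object {
            $props = Get-ItemProperty $_.PSPath
            New-Object PSObject -Property @{
                Instance    = $_.PSChildName
                Description = $props.FriendlyName
                HardwareIds = @($props.HardwareID)
            }
        }
    }
}

function Set-RemovableDiskAccess([bool]$DenyWrite, [bool]$DenyExecute) {
    # "Removable Disks: Deny write access / Deny execute access" under
    # Computer Configuration > Administrative Templates > System > Removable
    # Storage Access. The GUID is the Removable Disks device class that template
    # uses. Reads stay allowed, so staff can bring data in but not carry it out.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name Deny_Write   -Value ([int]$DenyWrite)   -Type DWord
    Set-ItemProperty -Path $key -Name Deny_Execute -Value ([int]$DenyExecute) -Type DWord
}

function Set-UsbStorageAllowList([string[]]$AllowedHardwareIds) {
    # "Prevent installation of removable devices" plus "Allow installation of
    # devices that match any of these device IDs" (Device Installation
    # Restrictions). A device-ID allow takes precedence over the removable-device
    # deny, so from now on only the listed models can be installed.
    $base  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
    $allow = Join-Path $base 'AllowDeviceIDs'
    foreach ($k in @($base, $allow)) {
        if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null }
    }
    Set-ItemProperty -Path $base -Name DenyRemovableDevices -Value 1 -Type DWord
    Set-ItemProperty -Path $base -Name AllowDeviceIDs       -Value 1 -Type DWord
    $n = 1
    foreach ($id in $AllowedHardwareIds) {     # list entries are REG_SZ values named 1, 2, ...
        Set-ItemProperty -Path $allow -Name ([string]$n) -Value $id -Type String
        $n++
    }
}

# Usage: see what has been plugged in, allow one approved model, block writes.
Get-UsbStorageHardwareIds | Format-List
Set-UsbStorageAllowList -AllowedHardwareIds @('USBSTOR\DiskKingstonDataTraveler_2.0____1.00')   # assumed approved model
Set-RemovableDiskAccess -DenyWrite $true -DenyExecute $true
```

Two things to check on the test machine. The installation restrictions apply when a device is installed, so a stick that was plugged in before the policy existed keeps working on Vista until it is uninstalled from Device Manager; the Deny_Write setting, by contrast, applies to every removable disk the next time it is mounted. And because these are the keys a GPO writes, `Get-ItemProperty` on the same paths after `gpupdate /force` is a quick way to confirm that a domain-applied policy actually reached a client.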