
Full disk encryption (FDE) solutions are more important than ever. With data breaches costing organizations both significant dollars and reputational damage, IT admins aren’t willing to risk a lost or stolen laptop holding unencrypted confidential data. For example, the average data breach typically costs a company $3.86M, and when the stakes are this high, it’s important to operate with vigilance. One way that IT admins are being proactive is by implementing FDE tools like BitLocker on Windows® and FileVault® 2 on macOS®. But before we go any further, we must first ask: what is BitLocker management, and what similar solutions can help IT admins execute on FDE?

BitLocker Origins

Microsoft® introduced their FDE utility many years ago and dubbed it BitLocker. This utility encrypts the contents of a hard drive so the data is protected while at rest. All a user has to do is enter their password to unlock the drive. From an end user’s perspective, it’s a seamless experience. For IT admins, it’s also pretty easy to enable FDE for individual users. But across an entire enterprise, the challenge ratchets up quickly. When you consider that most IT environments are not homogeneous, remotely executing commands across an entire computing fleet to enable FDE is not a simple task. And once FDE is enabled, another challenge confronting IT admins stems from password management. IT admins know that a forgotten password can spell disaster for endpoints protected by FDE, because it means lost data and downtime for users.

The Key to a Forgotten Password

Luckily, for users that have forgotten their password, both BitLocker and FileVault create recovery keys that can decrypt the drive when the need arises. While that’s welcome news for the user, storing those recovery keys is a major hassle for IT admins. Recovery key storage is a hardship because it is a very manual process and one rife with insecure practices. IT admins could write down all the recovery keys and keep them hidden in a file cabinet. Or they could store the recovery keys in a spreadsheet. Either way, the keys are stored in plaintext, which, as we all know, is a major security issue. In light of these challenges, IT organizations are less likely to enforce this critical security feature, despite the fact that they really should. So, how can IT admins both implement FDE and handle recovery keys securely? That’s a concept we will refer to as BitLocker management.

What is BitLocker Management?

The concept of BitLocker management has three major parts to it. The first is actually enabling BitLocker remotely. This can be done relatively easily through a policy. The second is ensuring that an individual recovery key is created for each machine and that those BitLocker recovery keys are securely vaulted. Of course, this process requires automation: it must be performed at scale and without manual intervention. The third key aspect of BitLocker management is reporting on which endpoints have FDE enabled and which do not. Together, these requirements ensure that your organization’s valuable data is encrypted, the keys are securely stored, and IT admins have the visibility they need to confirm that every endpoint they manage is protected. But how can IT admins actually make this all happen?
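As an added illustration (not code from the original post or from JumpCloud), the following PowerShell script walks through the three parts described above on a single Windows endpoint using the built-in BitLocker module: enable encryption with a TPM protector, make sure a per-machine recovery password exists and send it to a key vault instead of a spreadsheet, then report the protection state. The escrow URL, the JSON payload shape and the authentication are assumptions standing in for whatever your directory or MDM provides; the cmdlets themselves (`Enable-BitLocker`, `Add-BitLockerKeyProtector`, `Get-BitLockerVolume`) are Microsoft's.

```powershell
# Added example, not part of the original post. Run in an elevated PowerShell
# session on a Windows machine with a ready TPM. The escrow endpoint below is a
# placeholder (assumption); replace it with your own key vault or directory API.

$MountPoint = 'C:'
$EscrowUrl  = 'https://escrow.example.invalid/api/bitlocker-keys'   # placeholder

# --- Part 1: enable BitLocker remotely -------------------------------------
# The TPM protector unlocks the OS drive transparently at boot, so the user
# experience stays seamless. -UsedSpaceOnly is fast on freshly provisioned
# machines; drop it for drives that previously held sensitive data.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.ProtectionStatus -ne 'On') {
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 `
        -TpmProtector -UsedSpaceOnly -SkipHardwareTest | Out-Null
}

# --- Part 2: one recovery key per machine, vaulted automatically -----------
# Ensure a 48-digit recovery password protector exists; create one if not.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
$recovery = $vol.KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
    Select-Object -First 1
if (-not $recovery) {
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    $recovery = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
        Select-Object -First 1
}

# Escrow the key together with its protector ID. The recovery screen shows the
# first characters of that ID, which is how a help desk matches a locked
# machine to the right key. Nothing is written to local disk or stdout.
$payload = @{
    hostname         = $env:COMPUTERNAME
    volume           = $MountPoint
    keyProtectorId   = $recovery.KeyProtectorId
    recoveryPassword = $recovery.RecoveryPassword
} | ConvertTo-Json
Invoke-RestMethod -Uri $EscrowUrl -Method Post -ContentType 'application/json' `
    -Body $payload | Out-Null   # add whatever auth header your vault requires

# --- Part 3: report encryption state for the admin console -----------------
Get-BitLockerVolume | Select-Object MountPoint, VolumeStatus, ProtectionStatus,
    EncryptionPercentage,
    @{ Name = 'Protectors'; Expression = { ($_.KeyProtector.KeyProtectorType) -join ',' } }
```

The report at the end is what an admin console should aggregate: a volume with `ProtectionStatus` of `Off` or a missing `RecoveryPassword` protector is an endpoint that is not actually protected, even if encryption has been "enabled" on it. In a domain-joined or Azure AD-joined environment, `Backup-BitLockerKeyProtector` and `BackupToAAD-BitLockerKeyProtector` can replace the HTTP escrow step.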

Cloud-based Directory Services

Unlike traditional, on-prem directory service solutions like Microsoft® Active Directory® and OpenLDAP™, JumpCloud® Directory-as-a-Service® is designed with ease of use and platform-agnostic principles in mind. With JumpCloud, IT admins can remotely enable BitLocker on Windows and FileVault on Mac. JumpCloud can also escrow each machine’s individual recovery key, so a forgotten password no longer equates to lost data and downtime. Plus, escrowing keys spares IT admins from having to store recovery keys manually in insecure ways. Finally, the JumpCloud console allows admins to see which systems have FDE enabled and which ones do not. Now, IT admins have the power to enable FDE, secure their organizations, and a whole lot more from a centralized location.

Learn More About JumpCloud

If you’re ready to boost your security posture, sign up today for a free JumpCloud account. Your free account lets you manage up to 10 users and their systems. Need to manage more than that? Visit our pricing page to see how JumpCloud can scale with you as your company grows. Be sure to visit our Knowledge Base and YouTube channel for additional information to help you get the most out of your account.
