Now that much of the world works remotely, IT admins have their hands full. A key part of their job now is to secure remote systems. Out of the many problems involved with securing remote systems, one issue in particular is how to set up full disk encryption (FDE) for remote systems.
Securing Remote Systems with FDE
IT admins always want to be sure that their corporate data is safe, but with a fully remote workforce, IT has less control over the systems that have access to that data. After all, systems can be easily stolen or compromised, and when they are outside of IT’s sphere of influence, that risk is multiplied.
A best practice to enforce when IT admins are unsure of their systems’ security is full disk encryption. FDE — called BitLocker on Windows® machines and FileVault 2 on macOS® systems — uses system software components to ensure that hard drives are encrypted when at rest.
With FDE, a hard drive is constantly encrypted until a user logs in to the system. That means that if the user’s system is stolen, the data stored inside is inaccessible unless the user’s identity is compromised as well. If the user forgets their password, the drive can only be decrypted through its unique recovery key, which IT needs to store in escrow for safekeeping.
In order to implement FDE, IT organizations often need to be able to remotely activate system-level configurations through a group policy tool or similar solution. This can often be accomplished through a directory service or a device management tool, although remote workers add another layer of complexity if those solutions aren’t cloud-based, since they fall outside of the immediate domain of on-prem tools.
Of course, the issue isn’t just enabling FDE but also managing the entire process. Although FDE is great to protect against data loss via hard drive theft, it can also lead to data loss if users forget their passwords. Thus, IT admins want to ensure that each system has a recovery key that’s stored securely and accessible to the IT admin in the case of an issue.
Leveraging the Cloud to Set Up FDE Remotely
With a cloud directory service, or Directory-as-a-Service®, IT admins can apply system security policies, including FDE, through a web-based admin console. Using an agent downloaded to the Windows/Mac system, this Directory-as-a-Service remotely updates the requisite settings to enable FDE on that system. Directory-as-a-Service then stores recovery keys in escrow, keeping them safe until they’re needed by the IT admin.
Check out this blog to learn more about using a cloud directory service to remotely enforce Policies to manage systems.