
Bitlocker and Bitlocker To Go

This is the third part of a feature comparison series where I look at the differences between Microsoft Windows 7 Professional and Enterprise editions. For the full list of features, see the first post.

In this post I’ll review the usage scenarios and explore the benefits and caveats of Bitlocker and Bitlocker To Go; hopefully it will help you decide if Bitlocker contributes to the case for the extra cost of the Enterprise license.

Bitlocker has been a feature of Microsoft’s client operating systems since Windows Vista, but Windows 7 adds some compelling new features, most notable of which is Bitlocker To Go, which enables protection of USB flash drives.

Bitlocker offers data protection in scenarios where loss or theft of storage media is a concern, so it’s ideal for protecting portable storage media, laptops and physically vulnerable desktops. It works by encrypting the entire volume, and only allowing access to the disk after the system has been started by a trusted party. This trust is established during the boot process when the user either keys in a PIN, inserts a USB key or both.

On the plus side, Bitlocker trumps EFS (Microsoft’s file-level encryption technology) because it is transparent to users and does not rely on them remembering to encrypt sensitive data. On the down side, it offers no protection once the system is up and running. Bitlocker can also cause administrators headaches if there is no centralised management of data encryption: it has the potential to render important information inaccessible if users enter an incorrect PIN too many times and then can’t remember their recovery password. Fortunately, a variety of Group Policy settings allow comprehensive management of Bitlocker, including saving the recovery password information to Active Directory.

Group Policy makes it possible to manage Bitlocker on an enterprise scale, but this does not guarantee everything will be plain sailing. It is advisable to invest some time and resources in evaluating and testing Bitlocker in your environment. I’d recommend that you only roll out Bitlocker once you have a tried and tested recovery procedure in place and you’ve trained support staff and end users how to use it.
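One way to put the recovery advice above into practice, and the earlier point about escrowing recovery passwords to Active Directory, is a quick audit script. This is an added example, not code from the original post; it assumes an elevated PowerShell session on a domain-joined Windows 7 machine where the Win32_EncryptableVolume WMI class is available and Group Policy permits AD backup of recovery information.

```powershell
# Added example (not from the original post): for every BitLocker-protected
# volume, check that a recovery password protector exists and escrow it to the
# computer object in Active Directory.
# Assumptions: elevated session, domain-joined Windows 7 host, and the
# Win32_EncryptableVolume WMI class in the MicrosoftVolumeEncryption namespace.

$ns = 'root\cimv2\Security\MicrosoftVolumeEncryption'
$RecoveryPasswordType = 3   # KeyProtectorType 3 = numerical (recovery) password

$volumes = Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume

foreach ($vol in $volumes) {
    $drive = $vol.DriveLetter
    if (-not $drive) { $drive = $vol.DeviceID }

    # ProtectionStatus: 0 = protection off, 1 = on, 2 = unknown
    $status = $vol.GetProtectionStatus().ProtectionStatus
    if ($status -ne 1) {
        Write-Warning "$drive : BitLocker protection is not on (status $status); skipping"
        continue
    }

    # Enumerate only the recovery password protectors for this volume.
    # Piping through Where-Object turns a $null result into an empty array.
    $result = $vol.GetKeyProtectors($RecoveryPasswordType)
    $ids = @($result.VolumeKeyProtectorID | Where-Object { $_ })
    if ($ids.Count -eq 0) {
        # A TPM/PIN-only volume with no recovery password is exactly the case
        # the post warns about: a forgotten PIN means the data is gone.
        Write-Warning "$drive : no recovery password protector found; add one before relying on this volume"
        continue
    }

    foreach ($id in $ids) {
        # Escrow the recovery password to AD. ReturnValue 0 means success;
        # anything else is a Win32/HRESULT error code worth investigating.
        $rc = $vol.BackupRecoveryInformationToActiveDirectory($id).ReturnValue
        if ($rc -eq 0) {
            Write-Host "$drive : recovery protector $id backed up to AD"
        } else {
            Write-Warning "$drive : AD backup of $id failed with code $rc"
        }
    }
}
```

Run it from a scheduled task or a logon script after the Group Policy backup settings are in place, and treat any warning as a ticket for the support team before the machine leaves the office.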

In summary, Bitlocker offers protection against attackers who try to access your sensitive data by booting compromised systems with other operating systems, or by installing stolen disks in another system and either booting from or slaving them. When properly managed, it offers an important layer of security to enterprises whose mobile users travel with sensitive data.

For more information, including a FAQ page and detailed deployment guides, visit the Windows 7 Bitlocker page on TechNet.