Managing BitLocker With SafeGuard Enterprise

How Sophos provides one unified solution to manage device encryption, compliance and Microsoft BitLocker

By Robert Zeh, Product Manager

Full-disk encryption is only the beginning

Full-disk encryption is rapidly becoming a standard security solution, like antivirus or spam filters—a trend further accelerated by widespread use of Microsoft BitLocker. However, to support the flexibility of your workers today, full-disk encryption is not enough to prevent data loss. Your users are no longer confined to the office by their technology and their PCs, and work has become a thing people do rather than a place they go to. This whitepaper explains how Sophos SafeGuard Enterprise secures your data wherever it’s stored; and how it allows you to support diverse platforms and encryption products including BitLocker.

A Sophos Whitepaper January 2014

Far from homogenous environments

Beginning with the Ultimate and Enterprise editions of Microsoft Windows Vista, and continuing with Windows 7 Ultimate/Enterprise and Windows 8, Microsoft has provided access to its integrated BitLocker encryption technology. The upside is that this has led to many more companies recognizing the value of encryption.

The downside is that BitLocker does one main thing, although it does it very well—it encrypts hard drives. Many large enterprises have deployed BitLocker in homogenous Windows 7 and Windows 8 environments. But the reality of today’s enterprise IT infrastructure is far from homogenous.

IT environments are rarely restricted to Windows, and many enterprises support legacy operating systems even long after Microsoft’s regular service and support ceases.

Furthermore, third-party and proprietary applications that you’ve introduced over time don’t always keep pace with Microsoft’s release cycles. Often vendors opt not to build those updates, determining that it would be too costly to do further development. For your business, these applications may be a key part of your operation, meaning that you’re forced to support multiple operating systems.

Beyond Windows, Apple Macs are no longer restricted to use by creative professionals such as designers. The Mac has successfully found its way into the heart of many businesses—perhaps also into yours.

Microsoft added some new features in BitLocker 8, which make it more attractive for some organizations. However, many of its limitations will remain. As your IT evolves, you need to adapt what may have started out as an ideal set-up to suit your current business, management and user requirements.

SafeGuard Enterprise protects your data everywhere

To meet the needs of your mobile information workers today, you need seamless encryption that supports the way your people work rather than restricting them. If you limit your encryption to full-disk, that will inevitably open the door for data loss when your users take data with them.

Particularly if you are required to conform to industry, national or state data protection regulations, full-disk encryption may provide the baseline compliance for your PCs. But it doesn’t guarantee that your company won’t make the headlines for the wrong reasons.

SafeGuard Enterprise enables you to secure your data wherever it’s stored while supporting diverse platforms and encryption products. You can use it as a single platform for all your data protection needs, or to integrate third-party encryption solutions.

Microsoft BitLocker has helped to raise management’s awareness of the need to encrypt and protect data; but is it the right solution for your IT environment?

SafeGuard Enterprise supports all Windows platforms, from Windows XP through Windows 8, so no devices are left unencrypted and unprotected. SafeGuard Enterprise is the only product on the market offering encryption for your hard drives, removable media, network file shares, and files stored in the cloud. Plus, all these functions are managed through a single console, giving you one place for data recovery, policy and key management.

In addition, SafeGuard Enterprise Native Device Encryption provides a way to integrate your BitLocker encrypted devices within your SafeGuard Enterprise solution, so you can manage devices encrypted by BitLocker alongside all other encryption within the same management center. This integration removes the limitations of BitLocker—supporting a broader set of production environments while providing multi-platform support with uniform key management and data recovery.

SafeGuard Enterprise modules in detail

• Device Encryption: SafeGuard Enterprise provides full-disk encryption for laptops, desktops and virtual desktops. It increases performance by leveraging optimization on Intel i5 and i7 computers with AES-NI. It lets you run and manage native encryption for Microsoft BitLocker, Mac FileVault 2, OPAL 1/2, Windows 7, Vista, XP and virtual desktops—from one central management console.

• Native Device Encryption: Manage built-in encryption in the OS: Microsoft BitLocker and Mac FileVault 2. SafeGuard Enterprise embraces native encryption functions and provides central encryption policy deployment, recovery and compliance reporting. By leveraging OS-embedded encryption, it provides the best encryption performance, reliability and robustness.

• Encryption for Cloud Storage: Sophos protects data everywhere, even when it’s stored in the cloud. Data stays encrypted when uploading or downloading from cloud storage services like Dropbox and Egnyte. The keys stay local to the client and data is accessible only when using the keys. Encrypted files in the cloud are even accessible through the Sophos Mobile Encryption app on iOS and Android devices.

• Encryption for File Shares: Sophos provides a comprehensive encryption solution, allowing only authorized users to access data on a network—all managed from a single console using the SafeGuard Enterprise client. This improves security of data in network shares or infrastructure as a service, while sparing your IT staff auditor headaches. System management can be isolated from data access.

• Data Exchange: Encrypts removable media, including USB drives and optical media, across all Windows platforms, expanding platform support and portable encrypted file access beyond what’s possible with BitLocker-To-Go.

• Support: Call one vendor for all your data security needs.

Typical use case: Protecting sensitive customer information

Here’s a typical use case for SafeGuard Enterprise. Your company started out with a completely homogenous Windows environment. However, things changed over time: IT staff and users came and went, management and people changed roles within the company. Also, your computing requirements changed gradually—some users brought Macs on the network and personally-owned devices needed to connect to corporate email.

Hardware refresh cycles grew longer, so the IT team had to support multiple operating systems and different generations of hardware for an increasingly mobile workforce. Users didn’t really care about security or compliance—they just expected to be able to use any tool they wanted, anywhere they wanted, at any time.

But then the regulations changed and your company was forced by new legislation to deploy encryption to protect your data—and to protect the IT manager’s job. Your newest laptops were delivered with Windows 8 and you decided to activate BitLocker on these systems. After all, it’s part of the operating system.

Faced with the new regulatory requirements, the issues around encryption quickly escalated and it wasn’t long before the IT team was spending much of their time figuring out ways around the holes in the encryption net rather than performing their normal tasks. Once users started to move data to USB drives and cloud storage services, the CEO decided that the company could no longer afford to have only some devices encrypted. The IT manager was soon called in front of the legal team to answer questions about the breached security policies.

Solution: SafeGuard Enterprise

Sophos SafeGuard Enterprise is designed for scenarios like this and it allows over-stretched IT teams to encrypt all devices and data, without getting in the way of users. Taking full advantage of built-in disk encryption like BitLocker and FileVault, SafeGuard Enterprise is the only product to offer encryption across Windows, Mac, removable media, cloud and mobile.

You can use SafeGuard Enterprise to manage all your PCs and Macs. It provides extensive forensics and reporting to ensure full compliance, plus it manages all of your encrypted laptops, BitLocker devices and OPAL self-encrypting drives, in one place. Apps for both iOS and Android devices allow you to securely view encrypted files stored in the cloud.

Win-Win: SafeGuard Enterprise with BitLocker

Microsoft BitLocker is easy to deploy, fast and reliable, but its features are narrowly targeted to homogenous Windows 7 and Windows 8 environments. BitLocker provides one function and does it well: it encrypts hard drives. But full-disk encryption is not enough to meet all the data protection challenges an organization may face. Below we explain some of the main limitations stopping enterprises from implementing BitLocker today, and how SafeGuard Enterprise can add the functionality you need to keep your data safe.

Compliance

Regulators and auditors don’t care where your data is stored. They want to know—and you need to demonstrate—that the data is secure at all times, independent of its location. The implications of a data breach are the same whether the data was on a Windows laptop, MacBook, cloud storage service or USB device.

If you failed to properly protect the data, laws likely require you to disclose a breach to any affected individuals. Depending on the laws that govern your business, you might have to disclose to your customers, your patients, your employees, the media and to the government. This means lawsuits, fines and loss of customers. It can also mean damage to the reputation and goodwill you’ve built up over many years.

When used in combination with the Microsoft BitLocker Administration and Monitoring application (MBAM), BitLocker provides compliance reports for the Windows 7 and Windows 8 devices it manages. As a result, additional compliance reports are required for other devices and storage locations. With SafeGuard Enterprise it’s easy to manage and report on encryption for data on Windows PCs, Macs, removable storage devices, network file shares and data in the cloud, with one solution from one management center.

Network file share protection

Using access control lists and Active Directory rights to restrict access to data is a step in the right direction, but it doesn’t address internal compliance. How do you keep the IT staff that is authorized to support servers and infrastructure from accessing sensitive files? How can you separate the ability to manage folders and back up files from the ability to read a medical record or a payroll file? And what if those sensitive file shares aren’t in your environment at all?

If you are leveraging infrastructure-as-a-service vendors such as Amazon Web Services, or if you are using outsourced help desk staff, you also need to make sure your vendors' staff can’t access your regulated or sensitive data.

Sophos provides encryption security with SafeGuard Encryption for File Shares, which lets you encrypt that data at rest, so backup and management of file shares can be independent from access to the files themselves. This keeps sensitive files in the hands of authorized users, and keeps the auditors out of the IT department’s daily operations.

Encryption of Non-Windows platforms

BitLocker is only available on certain versions of Windows. However, today most enterprises use multiple platforms in one way or another. The use of Macs in business environments is on the rise, driven partly by the growing trend of BYOD (bring your own device). And because data on a Mac is likely to be as valuable as data on a Windows PC, any data protection strategy must make securing data on Macs as well as on Windows an essential requirement. SafeGuard Enterprise allows you to seamlessly run reports on your Mac encryption through the same management console as your Windows PCs.

Legacy Windows platforms

BitLocker only encrypts PCs using certain versions of Windows: Vista, Windows 7 (Enterprise and Ultimate Editions) or Windows 8. This is a serious issue for organizations with other versions of Windows 7 or 8 in use, or who still have legacy Windows platforms in their infrastructure. SafeGuard Enterprise encrypts all versions of Windows, from XP up.

Mobile computing is great … But where’s my laptop?

Mobility can boost productivity, but it also means that your data is at risk from simple loss and theft of laptops. SafeGuard Enterprise is built with IIS web server as the communication engine between the secure back end and your encrypted clients, making it possible to manage those remote clients over the web—no network or VPN connection required. This means that if a user has to be terminated or thinks they’ve misplaced the system, you can lock out that machine via policy. If your IT team later recovers the device, an authorized security admin can easily unlock the system while a thief would not be able to access the system.

Deploying SafeGuard Enterprise

In this typical environment, SafeGuard Enterprise Management Console includes BitLocker for Windows 7 and Windows 8; plus SafeGuard Enterprise for Mac, removable media, network file shares, mobile devices and cloud storage.

There are many advantages to the above deployment architecture, for example:

• Central location to define policy for all your data, regardless of location or platform

• Single pane of glass for compliance reporting and auditing

• One place for recovery

Oxford, UK | Boston, USA
© Copyright 2014. Sophos Ltd. All rights reserved.
Registered in England and Wales No. 2096520, The Pentagon, Abingdon Science Park, Abingdon, OX14 3YP, UK
Sophos is the registered trademark of Sophos Ltd. All other product and company names mentioned are trademarks or registered trademarks of their respective owners.

SafeGuard Enterprise: Delivering data protection everywhere

SafeGuard Enterprise provides a single platform for all your data protection needs. By securing sensitive information wherever it’s stored throughout your business, SafeGuard Enterprise meets your compliance requirements, keeps your users working, and provides your IT team with the tools to keep your business running.

SafeGuard Enterprise

Get a free trial at sophos.com