Managing BitLocker With SafeGuard Enterprise
How Sophos provides one unified solution to manage
device encryption, compliance and Microsoft BitLocker
By Robert Zeh, Product Manager
Full-disk encryption is only the beginning
Full-disk encryption is rapidly becoming a standard security
solution, like antivirus or spam filters—a trend further accelerated
by widespread use of Microsoft BitLocker. However, to support the
flexibility of your workers today, full-disk encryption is not enough
to prevent data loss. Your users are no longer confined to the
office by their technology and their PCs, and work has become a
thing people do rather than a place they go to. This whitepaper
explains how Sophos SafeGuard Enterprise secures your data
wherever it’s stored; and how it allows you to support diverse
platforms and encryption products including BitLocker.
A Sophos Whitepaper, January 2014
Far from homogeneous environments
Beginning with the Ultimate and Enterprise editions of Microsoft Windows Vista, and
continuing with Windows 7 Ultimate/Enterprise and Windows 8 Pro/Enterprise, Microsoft has
provided access to its integrated BitLocker encryption technology. The upside is that this has
led to many more companies recognizing the value of encryption.
The downside is that BitLocker does one main thing, although it does it very well: it encrypts
hard drives. Many large enterprises have deployed BitLocker in homogeneous Windows 7 and
Windows 8 environments. But the reality of today’s enterprise IT infrastructure is far from
homogeneous.
IT environments are rarely restricted to Windows, and many enterprises support legacy
operating systems even long after Microsoft’s regular service and support ceases.
Furthermore, third-party and proprietary applications that you’ve introduced over time
don’t always keep pace with Microsoft’s release cycles. Often vendors opt not to build
those updates, determining that it would be too costly to do further development. For your
business, these applications may be a key part of your operation, meaning that you’re forced
to support multiple operating systems.
Beyond Windows, Apple Macs are no longer restricted to use by creative professionals such
as designers. The Mac has successfully found its way into the heart of many businesses—
perhaps also into yours.
Microsoft added some new features to BitLocker in Windows 8 (for example, encrypting only
used disk space and a Pro edition that includes BitLocker), which make it more attractive for
some organizations. However, many of its limitations remain. As your IT evolves, you
need to adapt what may have started out as an ideal set-up to suit your current business,
management and user requirements.
SafeGuard Enterprise protects your data
everywhere
To meet the needs of your mobile information workers today, you need seamless encryption
that supports the way your people work rather than restricting them. If you limit your
encryption to full-disk, that will inevitably open the door to data loss when your users take
data with them on removable media, in the cloud or on other platforms.
Particularly if you are required to conform to industry, national or state data protection
regulations, full-disk encryption may provide the baseline compliance for your PCs. But it
doesn’t guarantee that your company won’t make the headlines for the wrong reasons.
SafeGuard Enterprise enables you to secure your data wherever it’s stored while supporting
diverse platforms and encryption products. You can use it as a single platform for all your
data protection needs, or to integrate third-party encryption solutions.
Microsoft BitLocker has helped to raise management’s awareness of the need to encrypt and protect data; but is it the right solution for your IT environment?
SafeGuard Enterprise supports all Windows platforms, from Windows XP through Windows
8, so no devices are left unencrypted and unprotected. SafeGuard Enterprise is the only
product on the market offering encryption for your hard drives, removable media, network
file shares, and files stored in the cloud. Plus, all these functions are managed through a
single console, giving you one place for data recovery, policy and key management.
In addition, SafeGuard Enterprise Native Device Encryption provides a way to integrate your
BitLocker encrypted devices within your SafeGuard Enterprise solution, so you can manage
devices encrypted by BitLocker alongside all other encryption within the same management
center. This integration removes the limitations of BitLocker—supporting a broader set
of production environments while providing multi-platform support with uniform key
management and data recovery.
SafeGuard Enterprise modules in detail
• Device Encryption: SafeGuard Enterprise provides full-disk encryption for
laptops, desktops and virtual desktops. It increases performance by leveraging
the AES-NI instruction set on Intel Core i5 and i7 computers. It lets you run and
manage native encryption (Microsoft BitLocker, Mac FileVault 2) and Opal 1.0/2.0
self-encrypting drives alongside SafeGuard’s own encryption for Windows 7, Vista,
XP and virtual desktops, all from one central management console.
• Native Device Encryption: Manage built-in encryption in the OS: Microsoft
BitLocker and Mac FileVault 2. SafeGuard Enterprise embraces native
encryption functions and provides central encryption policy deployment,
recovery and compliance reporting. By leveraging OS-embedded encryption, it
provides the best encryption performance, reliability and robustness.
• Encryption for Cloud Storage: Sophos protects data everywhere, even when
it’s stored in the cloud. Data stays encrypted when uploading or downloading
from cloud storage services like Dropbox and Egnyte. The keys stay local to the client
and data is accessible only when using the keys. Encrypted files in the cloud are even
accessible through the Sophos Mobile Encryption app on iOS and Android devices.
• Encryption for File Shares: Sophos provides a comprehensive encryption solution,
allowing only authorized users to access data on a network—all managed from a single
console using the SafeGuard Enterprise client. This improves security of data in network
shares or infrastructure as a service, while sparing your IT staff auditor headaches.
System management can be isolated from data access.
• Data Exchange: Encrypts removable media, including USB drives and optical media,
across all Windows platforms, expanding platform support and portable encrypted file
access beyond what’s possible with BitLocker-To-Go.
• Support: Call one vendor for all your data security needs.
Typical use case: Protecting sensitive customer
information
Here’s a typical use case for SafeGuard Enterprise. Your company started out with a
completely homogeneous Windows environment. However, things changed over time: IT staff
and users came and went, management and people changed roles within the company. Also,
your computing requirements changed gradually: some users brought Macs onto the network
and personally-owned devices needed to connect to corporate email.
Hardware refresh cycles grew longer, so the IT team had to support multiple operating
systems and different generations of hardware for an increasingly mobile workforce. Users
didn’t really care about security or compliance—they just expected to be able to use any tool
they wanted, anywhere they wanted, at any time.
But then the regulations changed and your company was forced by new legislation to deploy
encryption to protect your data—and to protect the IT manager’s job. Your newest laptops
were delivered with Windows 8 and you decided to activate BitLocker on these systems.
After all, it’s part of the operating system.
Faced with the new regulatory requirements, the issues around encryption quickly escalated
and it wasn’t long before the IT team was spending much of their time figuring out ways
around the holes in the encryption net rather than performing their normal tasks. Once users
started to move data to USB drives and cloud storage services, the CEO decided that the
company could no longer afford to have only some devices encrypted. The IT manager was
soon called in front of the legal team to answer questions about the breached security policies.
Solution: SafeGuard Enterprise
Sophos SafeGuard Enterprise is designed for scenarios like this and it allows over-stretched
IT teams to encrypt all devices and data, without getting in the way of users. Taking full
advantage of built-in disk encryption like BitLocker and FileVault, SafeGuard Enterprise is the
only product to offer encryption across Windows, Mac, removable media, cloud and mobile.
You can use SafeGuard Enterprise to manage all your PCs and Macs. It provides extensive
forensics and reporting to ensure full compliance, plus it manages all of your encrypted
laptops, BitLocker devices and Opal self-encrypting drives in one place. Apps for both iOS
and Android devices allow you to securely view encrypted files stored in the cloud.
Win-Win: SafeGuard Enterprise with BitLocker
Microsoft BitLocker is easy to deploy, fast and reliable, but its features are narrowly targeted
at homogeneous Windows 7 and Windows 8 environments. BitLocker provides one function
and does it well: it encrypts hard drives. But full-disk encryption is not enough to meet all
the data protection challenges an organization may face. Below we explain some of the main
limitations stopping enterprises from implementing BitLocker today, and how SafeGuard
Enterprise can add the functionality you need to keep your data safe.
Compliance
Regulators and auditors don’t care where your data is stored. They want to know—and you
need to demonstrate—that the data is secure at all times, independent of its location. The
implications of a data breach are the same whether the data was on a Windows laptop,
MacBook, cloud storage service or USB device.
If you failed to properly protect the data, laws likely require you to disclose a breach to any
affected individuals. Depending on the laws that govern your business, you might have to
disclose to your customers, your patients, your employees, the media and to the government.
This means lawsuits, fines and loss of customers. It can also mean damage to the reputation
and goodwill you’ve built up over many years.
When used in combination with Microsoft BitLocker Administration and Monitoring (MBAM),
BitLocker provides compliance reports, but only for the Windows 7 and Windows 8 devices
that MBAM manages. Every other device and storage location therefore needs its own,
separate compliance reporting. With SafeGuard Enterprise it’s easy to manage and report on
encryption for data on Windows PCs, Macs, removable storage devices, network file shares
and data in the cloud, with one solution from one management center.
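To make the reporting gap concrete, the following script is an added example (not from the whitepaper, and not SafeGuard, MBAM or Microsoft sample code) that inventories the BitLocker state of a single Windows 8 / Server 2012 or later host using Microsoft’s built-in BitLocker and TrustedPlatformModule PowerShell modules. The "compliant" rule (fixed volumes fully encrypted, protection on, a numeric recovery password present, and optionally a TPM-based protector on the OS volume), the output fields and the CSV path are assumptions of this example, not anything the page prescribes. Run it from an elevated PowerShell session.

```powershell
# Added example: per-host BitLocker compliance inventory (not Sophos/MBAM code).
# Requires Windows 8 / Server 2012 or later for the BitLocker module; run elevated.
Import-Module BitLocker -ErrorAction Stop

function Get-BitLockerCompliance {
    [CmdletBinding()]
    param(
        # Assumed policy knob: also demand a TPM-bound protector on the OS volume.
        [switch]$RequireTpmForOsVolume
    )

    # Edition matters: BitLocker needs Enterprise/Ultimate on Windows 7 and
    # Pro/Enterprise on Windows 8, so record what the host is running.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem

    # Get-Tpm is only available where the TrustedPlatformModule module exists.
    $tpm = if (Get-Command Get-Tpm -ErrorAction SilentlyContinue) { Get-Tpm } else { $null }

    foreach ($vol in Get-BitLockerVolume) {
        # Key protector types show how the volume master key is guarded and
        # whether a recovery path exists (Tpm, TpmPin, TpmStartupKey,
        # TpmPinStartupKey, RecoveryPassword, ExternalKey, Password).
        $protectors  = @($vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
        $hasRecovery = $protectors -contains 'RecoveryPassword'
        $usesTpm     = @($protectors | Where-Object { $_ -like 'Tpm*' }).Count -gt 0

        # Assumed compliance rule for this example.
        $compliant = ($vol.VolumeStatus -eq 'FullyEncrypted') -and
                     ($vol.ProtectionStatus -eq 'On') -and
                     $hasRecovery
        if ($RequireTpmForOsVolume -and $vol.VolumeType -eq 'OperatingSystem') {
            $compliant = $compliant -and $usesTpm
        }

        [pscustomobject]@{
            ComputerName     = $env:COMPUTERNAME
            OSEdition        = $os.Caption
            TpmPresent       = if ($tpm) { $tpm.TpmPresent } else { $null }
            TpmReady         = if ($tpm) { $tpm.TpmReady }   else { $null }
            MountPoint       = $vol.MountPoint
            VolumeType       = [string]$vol.VolumeType
            VolumeStatus     = [string]$vol.VolumeStatus
            ProtectionStatus = [string]$vol.ProtectionStatus
            EncryptionMethod = [string]$vol.EncryptionMethod
            PercentEncrypted = $vol.EncryptionPercentage
            KeyProtectors    = ($protectors -join ';')
            HasRecoveryPw    = $hasRecovery
            Compliant        = $compliant
        }
    }
}

# Usage: one row per volume, written to a CSV that a central reporting job can
# collect from each host (the path is an assumption of this example).
Get-BitLockerCompliance -RequireTpmForOsVolume |
    Export-Csv -Path "$env:TEMP\bitlocker-$($env:COMPUTERNAME).csv" -NoTypeInformation
```

Two caveats a practitioner will hit immediately. First, the script can only tell you that a recovery password protector exists on the host; it cannot tell you whether that password was actually escrowed to Active Directory or to MBAM, which is exactly the piece central management has to supply. Second, hosts older than Windows 8 have no BitLocker PowerShell module at all, so there you are left with parsing `manage-bde -status` output, and the same script says nothing about Macs, removable media or cloud storage, which is the coverage gap the paragraph above describes.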
Network file share protection
Using access control lists and Active Directory rights to restrict access to data is a step in
the right direction, but it doesn’t address internal compliance. How do you keep the IT staff
that is authorized to support servers and infrastructure from accessing sensitive files?
How can you separate the ability to manage folders and back up files from the ability to
read a medical record or a payroll file? And what if those sensitive file shares aren’t in your
environment at all?
If you are leveraging infrastructure-as-a-service vendors such as Amazon Web Services, or
if you are using outsourced help desk staff, you also need to make sure your vendors' staff
can’t access your regulated or sensitive data.
Sophos provides encryption security with SafeGuard Encryption for File Shares, which lets
you encrypt that data at rest, so backup and management of file shares can be independent
from access to the files themselves. This keeps sensitive files in the hands of authorized
users, and keeps the auditors out of the IT department’s daily operations.
Encryption of Non-Windows platforms
BitLocker is only available on certain versions of Windows. However, today most enterprises
use multiple platforms in one way or another. The use of Macs in business environments is
on the rise, driven partly by the growing trend of BYOD (bring your own device). And because
data on a Mac is likely to be as valuable as data on a Windows PC, any data protection
strategy must make securing data on Macs as well as on Windows an essential requirement.
SafeGuard Enterprise allows you to seamlessly run reports on your Mac encryption through
the same management console as your Windows PCs.
Legacy Windows platforms
BitLocker only encrypts PCs using certain editions of Windows: Vista and Windows 7 (Enterprise
and Ultimate editions) or Windows 8 (Pro and Enterprise editions). This is a serious issue for
organizations with other editions of Windows 7 or 8 in use, or who still have legacy Windows
platforms in their infrastructure. SafeGuard Enterprise encrypts all versions of Windows, from XP up.
Mobile computing is great … But where’s my laptop?
Mobility can boost productivity, but it also means that your data is at risk from simple loss
and theft of laptops. SafeGuard Enterprise uses the IIS web server as the communication
engine between the secure back end and your encrypted clients, making it possible to manage
those remote clients over the web: no corporate network or VPN connection is required. This
means that if a user has to be terminated, or thinks they’ve misplaced the system, you can lock
out that machine via policy. If your IT team later recovers the device, an authorized security
admin can easily unlock the system, while a thief would not be able to access it.
Deploying SafeGuard Enterprise
In a typical environment, the SafeGuard Enterprise Management Center manages BitLocker
on Windows 7 and Windows 8, plus SafeGuard Enterprise encryption for Macs, removable media,
network file shares, mobile devices and cloud storage.
There are many advantages to this deployment architecture, for example:
• Central location to define policy for all your data, regardless of location or platform
• Single pane of glass for compliance reporting and auditing
• One place for recovery