Managing BitLocker With SafeGuard Enterprise - Sophos


How Sophos provides one unified solution to manage device encryption, compliance and Microsoft BitLocker

By Robert Zeh, Product Manager

Full-disk encryption is only the beginning

Full-disk encryption is rapidly becoming a standard security solution, like antivirus or spam filters—a trend further accelerated by widespread use of Microsoft BitLocker. However, to support the flexibility of your workers today, full-disk encryption is not enough to prevent data loss. Your users are no longer confined to the office by their technology and their PCs, and work has become a thing people do rather than a place they go to. This whitepaper explains how Sophos SafeGuard Enterprise secures your data wherever it’s stored; and how it allows you to support diverse platforms and encryption products including BitLocker.

Far from homogenous environments

Beginning with the Ultimate and Enterprise editions of Microsoft Windows Vista, and continuing with Windows 7 Ultimate/Enterprise and Windows 8, Microsoft has provided access to its integrated BitLocker encryption technology. The upside is that this has led to many more companies recognizing the value of encryption.

The downside is that BitLocker does one main thing, although it does it very well—it encrypts hard drives. Many large enterprises have deployed BitLocker in homogenous Windows 7 and Windows 8 environments. But the reality of today’s enterprise IT infrastructure is far from homogenous.

IT environments are rarely restricted to Windows, and many enterprises support legacy operating systems even long after Microsoft’s regular service and support ceases. Furthermore, third-party and proprietary applications that you’ve introduced over time don’t always keep pace with Microsoft’s release cycles. Often vendors opt not to build those updates, determining that it would be too costly to do further development. For your business, these applications may be a key part of your operation, meaning that you’re forced to support multiple operating systems.

Microsoft BitLocker has helped to raise management’s awareness of the need to encrypt and protect data; but is it the right solution for your IT environment?

Beyond Windows, Apple Macs are no longer restricted to use by creative professionals such as designers. The Mac has successfully found its way into the heart of many businesses—perhaps also into yours.

Microsoft added some new features in BitLocker 8, which make it more attractive for some organizations. However, many of its limitations will remain. As your IT evolves, you need to adapt what may have started out as an ideal set-up to suit your current business, management and user requirements.

SafeGuard Enterprise protects your data everywhere

To meet the needs of your mobile information workers today, you need seamless encryption that supports the way your people work rather than restricting them. If you limit your encryption to full-disk, that will inevitably open the door for data loss when your users take it with them.

Particularly if you are required to conform to industry, national or state data protection regulations, full-disk encryption may provide the baseline compliance for your PCs. But it doesn’t guarantee that your company won’t make the headlines for the wrong reasons.

SafeGuard Enterprise enables you to secure your data wherever it’s stored while supporting diverse platforms and encryption products. You can use it as a single platform for all your data protection needs, or to integrate third-party encryption solutions.

A Sophos Whitepaper January 2014

SafeGuard Enterprise supports all Windows platforms, from Windows XP through Windows 8, so no devices are left unencrypted and unprotected. SafeGuard Enterprise is the only product on the market offering encryption for your hard drives, removable media, network file shares, and files stored in the cloud. Plus, all these functions are managed through a single console, giving you one place for data recovery, policy and key management.

In addition, SafeGuard Enterprise Native Device Encryption provides a way to integrate your BitLocker encrypted devices within your SafeGuard Enterprise solution, so you can manage devices encrypted by BitLocker alongside all other encryption within the same management center. This integration removes the limitations of BitLocker—supporting a broader set of production environments while providing multi-platform support with uniform key management and data recovery.

SafeGuard Enterprise modules in detail

- Device Encryption: SafeGuard Enterprise provides full-disk encryption for laptops, desktops and virtual desktops. It increases performance by leveraging optimization on Intel i5 and i7 computers with AES-NI. It lets you run and manage native encryption for Microsoft BitLocker, Mac FileVault 2, OPAL 1/2, Windows 7, Vista, XP and virtual desktops—from one central management console.

- Native Device Encryption: Manage built-in encryption in the OS: Microsoft BitLocker and Mac FileVault 2. SafeGuard Enterprise embraces native encryption functions and provides central encryption policy deployment, recovery and compliance reporting. By leveraging OS-embedded encryption, it provides the best encryption performance, reliability and robustness.

- Encryption for Cloud Storage: Sophos protects data everywhere, even when it’s stored in the cloud. Data stays encrypted when uploading or downloading from cloud storage services like Dropbox and Egnyte. The keys stay local to the client and data is accessible only when using the keys. Encrypted files in the cloud are even accessible through the Sophos Mobile Encryption app on iOS and Android devices.

- Encryption for File Shares: Sophos provides a comprehensive encryption solution, allowing only authorized users to access data on a network—all managed from a single console using the SafeGuard Enterprise client. This improves security of data in network shares or infrastructure as a service, while sparing your IT staff auditor headaches. System management can be isolated from data access.

- Data Exchange: Encrypts removable media, including USB drives and optical media, across all Windows platforms, expanding platform support and portable encrypted file access beyond what’s possible with BitLocker-To-Go.

- Support: Call one vendor for all your data security needs.

Typical use case: Protecting sensitive customer information

Here’s a typical use case for SafeGuard Enterprise. Your company started out with a completely homogenous Windows environment. However, things changed over time: IT staff and users came and went, management and people changed roles within the company. Also, your computing requirements changed gradually—some users brought Macs on the network and personally-owned devices needed to connect to corporate email.

Hardware refresh cycles grew longer, so the IT team had to support multiple operating systems and different generations of hardware for an increasingly mobile workforce. Users didn’t really care about security or compliance—they just expected to be able to use any tool they wanted, anywhere they wanted, at any time.

But then the regulations changed and your company was forced by new legislation to deploy encryption to protect your data—and to protect the IT manager’s job. Your newest laptops were delivered with Windows 8 and you decided to activate BitLocker on these systems. After all, it’s part of the operating system.

Faced with the new regulatory requirements, the issues around encryption quickly escalated and it wasn’t long before the IT team was spending much of their time figuring out ways around the holes in the encryption net rather than performing their normal tasks. Once users started to move data to USB drives and cloud storage services, the CEO decided that the company could no longer afford to have only some devices encrypted. The IT manager was soon called in front of the legal team to answer questions about the breached security policies.

Solution: SafeGuard Enterprise

Sophos SafeGuard Enterprise is designed for scenarios like this and it allows over-stretched IT teams to encrypt all devices and data, without getting in the way of users. Taking full advantage of built-in disk encryption like BitLocker and FileVault, SafeGuard Enterprise is the only product to offer encryption across Windows, Mac, removable media, cloud and mobile.

You can use SafeGuard Enterprise to manage all your PCs and Macs. It provides extensive forensics and reporting to ensure full compliance, plus it manages all of your encrypted laptops, BitLocker devices and OPAL self-encrypting drives, in one place. Apps for both iOS and Android devices allow you to securely view encrypted files stored in the cloud.

Win-Win: SafeGuard Enterprise with BitLocker

Microsoft BitLocker is easy to deploy, fast and reliable, but its features are narrowly targeted to homogenous Windows 7 and Windows 8 environments. BitLocker provides one function and does it well: it encrypts hard drives. But full-disk encryption is not enough to meet all the data protection challenges an organization may face. Below we explain some of the main limitations stopping enterprises from implementing BitLocker today, and how SafeGuard Enterprise can add the functionality you need to keep your data safe.

Compliance

Regulators and auditors don’t care where your data is stored. They want to know—and you need to demonstrate—that the data is secure at all times, independent of its location. The implications of a data breach are the same whether the data was on a Windows laptop, MacBook, cloud storage service or USB device.

If you failed to properly protect the data, laws likely require you to disclose a breach to any affected individuals. Depending on the laws that govern your business, you might have to disclose to your customers, your patients, your employees, the media and to the government. This means lawsuits, fines and loss of customers. It can also mean damage to the reputation and goodwill you’ve built up over many years.

When used in combination with the Microsoft BitLocker Administration and Monitoring application (MBAM), BitLocker provides compliance reports for the Windows 7 and Windows 8 devices it manages. As a result, additional compliance reports are required for other devices and storage locations. With SafeGuard Enterprise it’s easy to manage and report on encryption for data on Windows PCs, Macs, removable storage devices, network file shares and data in the cloud, with one solution from one management center.

Network file share protection

Using access control lists and Active Directory rights to restrict access to data is a step in the right direction, but it doesn’t address internal compliance. How do you keep the IT staff that is authorized to support servers and infrastructure from accessing sensitive files? How can you separate the ability to manage folders and back up files from the ability to read a medical record or a payroll file? And what if those sensitive file shares aren’t in your environment at all?

If you are leveraging infrastructure-as-a-service vendors such as Amazon Web Services, or if you are using outsourced help desk staff, you also need to make sure your vendors' staff can’t access your regulated or sensitive data.

Sophos provides encryption security with SafeGuard Encryption for File Shares, which lets you encrypt that data at rest, so backup and management of file shares can be independent from access to the files themselves. This keeps sensitive files in the hands of authorized users, and keeps the auditors out of the IT department’s daily operations.

Encryption of Non-Windows platforms

BitLocker is only available on certain versions of Windows. However, today most enterprises use multiple platforms in one way or another. The use of Macs in business environments is on the rise, driven partly by the growing trend of BYOD (bring your own device). And because data on a Mac is likely to be as valuable as data on a Windows PC, any data protection strategy must make securing data on Macs as well as on Windows an essential requirement. SafeGuard Enterprise allows you to seamlessly run reports on your Mac encryption through the same management console as your Windows PCs.

Legacy Windows platforms

BitLocker only encrypts PCs using certain versions of Windows: Vista, Windows 7 (Enterprise and Ultimate Editions) or Windows 8. This is a serious issue for organizations with other versions of Windows 7 or 8 in use, or who still have legacy Windows platforms in their infrastructure. SafeGuard Enterprise encrypts all versions of Windows, from XP up.

Mobile computing is great. But where’s my laptop?

Mobility can boost productivity, but it also means that your data is at risk from simple loss and theft of laptops. SafeGuard Enterprise is built with IIS web server as the communication engine between the secure back end and your encrypted clients, making it possible to manage those remote clients over the web—no network or VPN connection required. This means that if a user has to be terminated or thinks they’ve misplaced the system, you can lock out that machine via policy. If your IT team later recovers the device, an authorized security admin can easily unlock the system while a thief would not be able to access the system.

Deploying SafeGuard Enterprise

In this typical environment, SafeGuard Enterprise Management Console includes BitLocker for Windows 7 and Windows 8; plus SafeGuard Enterprise for Mac, removable media, network file shares, mobile devices and cloud storage.

There are many advantages to the above deployment architecture, for example:

- Central location to define policy for all your data, regardless of location or platform
- Single pane of glass for compliance reporting and auditing
- One place for recovery

SafeGuard Enterprise: Delivering data protection everywhere

SafeGuard Enterprise provides a single platform for all your data protection needs. By securing sensitive information wherever it’s stored throughout your business, SafeGuard Enterprise meets your compliance requirements, keeps your users working, and provides your IT team with the tools to keep your business running.

SafeGuard Enterprise
Get a free trial at Sophos.com/free-trials

United Kingdom and Worldwide Sales
Tel: 44 (0)8447 671131
Email: sales@sophos.com

North American Sales
Toll Free: 1-866-866-2802
Email: nasales@sophos.com

Australia and New Zealand Sales
Tel: 61 2 9409 9100
Email: sales@sophos.com.au

Asia Sales
Tel: 65 62244168
Email: salesasia@sophos.com

Oxford, UK | Boston, USA

Copyright 2014. Sophos Ltd. All rights reserved.
Registered in England and Wales No. 2096520, The Pentagon, Abingdon Science Park, Abingdon, OX14 3YP, UK
Sophos is the registered trademark of Sophos Ltd. All other product and company names mentioned are trademarks or registered trademarks of their respective owners.
