Saying things the right way can make all the difference
Working with the security team in our organization can be challenging. Often they come into meetings with preconceived ideas about how things work or how things are supposed to work. The default answer to a new technology or new request from the business or a user is “no” rather than the “how can we do this securely” that I would prefer.
Yesterday that changed on one very important technology, and it happened because someone was able to say the right thing the right way.
The story starts two years ago, which is over a year before I got here. Security was working on a requirement that the drives on all laptops and tablets be encrypted. Microsoft was brought in for a POC to get MBAM up and running in the environment. Everything was working great until someone from the Security Team said "well, now we need to turn on FIPS compliance." What they meant was the Group Policy setting "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing", because the Security Team wanted to be compliant with the Federal Information Processing Standards. That is fine as a goal, but it is not what the switch does. Turning the setting on does not make certificates or connections "compliant"; it restricts Windows components such as Schannel (TLS) and the .NET cryptography classes to the FIPS-validated algorithms only, and anything that depends on a non-validated algorithm or cipher suite simply fails. In practice it basically breaks EVERYTHING. Additionally, the MBAM clients stop talking to the MBAM server, so you have no way of reporting on what is encrypted and what is not (on Windows 7, FIPS mode also stops BitLocker from creating the 48-digit recovery password protector that MBAM escrows at all; Windows 8.1 was the first release to support that protector under FIPS). Because of this issue it was decided to use Symantec Endpoint Encryption instead of BitLocker.
Recently the Security Team was given a presentation on security by Microsoft and the question of BitLocker came up yet again. The response from the Security Team was "have you fixed FIPS compliance yet?" To Microsoft's credit, they asked some important questions that turned up some interesting answers. Flipping the FIPS policy setting on every endpoint is well known to break things, and Microsoft itself recommends against enabling it unless a regulation or contract actually requires it. They also pointed out that the switch does not have to be "turned on" on each endpoint to be FIPS compliant. They provided the Security Team with resources showing why this works and how other organizations are using BitLocker in FIPS-compliant environments.
The bottom line was that in order to be FIPS compliant an organization does not need to turn on the FIPS switch on the computers and break everything. The switch only constrains which algorithms Windows components will agree to use; compliance is about using FIPS-approved algorithms inside FIPS-validated cryptographic modules. News flash: BitLocker already does that by default. It encrypts with AES, which is a FIPS-approved algorithm, and it uses Windows's FIPS 140-validated cryptographic modules to do it.
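As an added example (this is not from the original post, and not Microsoft's or MBAM's code), here is the check the Security Team could have run before reaching for the FIPS switch: a PowerShell script that reports whether the policy setting is on and which encryption method each BitLocker volume actually uses, without changing either. It assumes Windows 8.1 or later with the BitLocker PowerShell module and an elevated prompt; the function names and the approved/not-approved classification are my own.

```powershell
# Added example: audit an endpoint for the FIPS policy switch and BitLocker's
# actual encryption method. Assumes Windows 8.1+ with the BitLocker module,
# run elevated. Test-FipsMode and Get-BitLockerFipsReport are this example's
# own names, not built-in cmdlets.

function Test-FipsMode {
    # The "Use FIPS compliant algorithms" policy is backed by this DWORD.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
    $enabled = (Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue).Enabled
    return [bool]$enabled   # $null or 0 means the switch is off
}

function Get-BitLockerFipsReport {
    # Classification is this example's own reading of the methods: AES in CBC or
    # XTS mode uses an approved algorithm; the "Diffuser" variants wrap AES-CBC in
    # Microsoft's Elephant diffuser, which is not an approved algorithm (FIPS-mode
    # Windows 7 drops the diffuser for that reason); None means not encrypted.
    $approved = 'Aes128', 'Aes256', 'XtsAes128', 'XtsAes256'
    foreach ($vol in Get-BitLockerVolume) {
        [pscustomobject]@{
            MountPoint          = $vol.MountPoint
            VolumeStatus        = $vol.VolumeStatus
            EncryptionMethod    = $vol.EncryptionMethod
            ApprovedAlgorithm   = $approved -contains [string]$vol.EncryptionMethod
            # MBAM escrows the RecoveryPassword protector; on Windows 7 it cannot be
            # created while the FIPS policy is on, so confirm it is actually there.
            HasRecoveryPassword = ($vol.KeyProtector.KeyProtectorType -contains 'RecoveryPassword')
        }
    }
}

$fips = Test-FipsMode
"FIPS policy switch: $(if ($fips) { 'ON (expect Schannel/.NET breakage)' } else { 'OFF' })"
Get-BitLockerFipsReport | Format-Table -AutoSize
```

The point of the report is the second and last columns: a volume showing an approved AES method and a RecoveryPassword protector is already in the state the compliance requirement asks for, regardless of what the registry switch says. On Windows 7, which has no BitLocker module, `manage-bde -status` gives the same encryption method and protector information.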
Once this was explained and accepted, we started down the road to removing SEE from the environment and installing BitLocker. And that puts us right back where we should have been two years ago.