BitLocker Disk Encryption Boom or Bust Computer Science 199r

BitLocker Disk Encryption: Boom or Bust?
Computer Science 199r Final Project Write-up
Kristen Lovin


In August 2006, a laptop was stolen from the home of a staff worker of the U.S. Department of
Veterans Affairs that contained the names, birth dates, and social security numbers of about
18,000 veterans and active-duty military personnel.1 This caused a huge wave of concern
throughout the United States about the safety of private data—many realized for the first time
that personal information given out even to trusted entities is never really safe, and there was
really nothing they could do to absolutely ensure the security of their private data. The
individual had no control at all—they had to provide this data to receive needed services, and
they had no control over what was done with this data or how it was protected once given out.
This was a very scary idea to many.

Unfortunately, data leakage resulting from stolen laptops is neither novel nor rare. This
incident was only one of many cases of stolen laptops that have been reported within the
last year: in December 2006, Boeing reported a laptop was stolen that contained the personal
information of 382,000 employees, in March 2006, a laptop from Fidelity Investments was stolen
that contained the data of 1,960,000 Hewlett-Packard employees, and in February 2007, the
UK’s Nationwide Building Society reported a stolen laptop that contained personal information
about 11 million customers and faced fines of £980,000. In today’s world of large-scale
electronic data storage, security vulnerabilities through stolen laptops have become an
increasingly serious problem and pose a massive obstacle to securing privacy in a
digital world.

In 2006, Microsoft announced the development of a new tool intended to protect against data
vulnerabilities associated with the problem of the stolen laptop that will ship as a part of
Windows Vista Enterprise and Ultimate: BitLocker Disk Encryption. Designed to protect
against unauthorized accesses to hard drives from other operating systems or hacking tools,
BitLocker encrypts the entire Windows volume—including swap and hibernation files—and
relies on hardware support of a Trusted Platform Module (TPM) to lock the encryption keys that
protect this data. Overall, BitLocker has received positive reviews from the tech community,
and Microsoft has used it as one of Vista’s main selling points.

In theory, BitLocker sounds great. But is it really? The costs of implementing BitLocker are
incredibly high: it requires a relatively new computer that has:
    • Windows Vista Ultimate or Enterprise
    • Trusted Platform Module (TPM) chip built-in, version 1.2 or later
    • Trusted Computing Group (TCG)-compliant BIOS
In most cases, organizations and individuals seeking the protection of BitLocker must buy an
entirely new computer. BitLocker is also relatively complicated to set up. The laptop’s hard
drive must be divided into two partitions before Vista is installed (one for BitLocker, one for
Windows), and many times a BIOS upgrade is in order. Encrypted disks also function more
slowly than non-encrypted disks, and this has the potential to negatively impact performance.
(Please see the appendix for a complete technical description of BitLocker.) With such
extraordinary costs, it is very important that laptop owners understand the conditions under
which BitLocker is both an effective and practical safeguard against the stolen laptop problem.

Problem Statement and Methods

The goal of this project is to assess whether BitLocker disk encryption is an appropriate solution
to the privacy issues raised by the stolen laptop problem. Specifically, this problem breaks down
into three separate questions:
    • Does BitLocker effectively prevent data leakage when laptops are stolen?
    • Is BitLocker a practical solution?
    • When should an individual or institution adopt BitLocker?

To answer these questions, this project employed a comprehensive series of case studies that
examined how the presence of BitLocker would affect different types of stolen laptop scenarios.
The different “types” of scenarios investigated involved differing combinations of the following
key variables:
   • Budget of laptop owner
   • Amount of data lost
   • Sensitivity of data lost
   • Whether data was recovered or not
   • Cost of loss to owner

Case studies were taken from real, recently reported instances of laptop theft that resulted in the
loss of personal data, and chosen such that each case involved the same base story (a stolen
laptop resulted in loss of personal information), but significantly differed in the variables
identified above. Each case was analyzed as follows: I retraced the details of the incident,
assessing how differently it would have played out if the stolen laptop had BitLocker on it.
Then, using data collected about the owner in question, I identified what would have had to have
happened to ensure the stolen laptop did have BitLocker, and judged how appropriate those
actions would have been for that owner.

After conducting this analysis on every case study, I combined my findings to reach more
general conclusions about the nature of BitLocker and the conditions under which its adoption is

Stolen Laptop Case Studies

Large Corporation with Potential Cost: Fidelity Investments / Hewlett Packard

On March 15, 2006, Fidelity Investments announced that a laptop containing the personal
information of roughly 196,000 Hewlett Packard (HP) employees was stolen during a meeting
that took place at an off-campus site.2 Data stored on the laptop included names, addresses,
Social Security numbers, dates of birth and other employment-related information, but not the
personal identification numbers required to log on to Fidelity services, according to Fidelity
officials.3 Fidelity claimed the laptop was loaded with this information specifically for the
purposes of the meeting, and is not typical of the amount of personal data stored on company
laptops. “We limit significantly the use of such confidential data outside of Fidelity to only
those instances where the information is appropriate or required for meetings,” Anne Crowley, a
Fidelity spokeswoman, told the press.4 “It is not our practice to have that level of data on a
laptop,” she asserted.5 Fidelity claimed that the data on the laptop was used by a piece of third-
party software with a temporary license that had since expired, but cited no other protection of
this data. In response to the incident, Fidelity offered affected HP employees
free enrollment in a one-year credit monitoring service, and promised to require extra
authentication for these accounts. It also pledged to take responsibility for any money that was
stolen from these accounts in connection with this data breach. No information was offered on
how many HP employees took advantage of these promises, and what the overall cost for this
breach was to Fidelity.

Had BitLocker been installed on the stolen laptop, it would have been very unlikely that the thief
could have gained access to this information. Because most corporate networks require a
username and password to log in, it is likely that this computer would have been password
protected. Without knowledge of username or password, the thief could not have logged into the
computer to view the information normally, and, because of BitLocker, the hard drive itself
would have been unreadable if the thief had removed it and tried to read it with another
computer. Simply put, BitLocker would have been an effective means of preventing this data

I then move to considerations of feasibility and practicality. Fidelity Investments is the largest
mutual fund company in the United States, claiming revenues of $11.1 billion and net income of
$1.3 billion in 2005.6 This indicates that it does possess the financial ability to shoulder
relatively large costs (to support a move, for example, to BitLocker), although the structure of its
budget ultimately dictates where it spends this money. Nevertheless, the cost of introducing
BitLocker as a security measure is still a significant cost. The cost of full implementation of
BitLocker can be estimated as follows: Fidelity employs roughly 32,000 people7.
Conservatively estimating that 30% of these people are laptop-bearing, this means that roughly
10,000 new BitLocker-ready laptops need to be purchased. If they get a good deal on this
purchase and buy these machines for $2000 each, this translates roughly into a total cost of $20

There are also other costs associated with implementing a complete BitLocker scheme. Even
with the right hardware, BitLocker would require a significant amount of IT power to roll out, as
BitLocker computers require very specific setup and installation procedures. In a large, profit-
maximizing firm like Fidelity, IT is never the priority, and it is unlikely that the amount of resources
needed to roll out such an extensive change will be at Fidelity’s disposal.

All these costs, then, must be weighed against the costs Fidelity would incur if data was breached
to ultimately determine the practicality of such an implementation. The cost of the promises
Fidelity made in response to this incident can be estimated as follows: credit reporting
services average $15 a month,8 so enrollment in one of these services for a year for all 196,000
HP employees would cost roughly $35.28 million. Extra authentication is relatively
inexpensive, but might require some changes to the system, in which case the cost would just be
the salary of the developer hired to make these changes. Compared to $35.28 million, this cost is
very small, so it can be neglected from the estimation. Stopping here, it is clear that Fidelity was
already willing to pay more than what the estimated cost of a full implementation of BitLocker
would be. In all likelihood, not all HP employees took advantage of the credit monitoring
service, so the actual cost of this data breach was significantly lower. However, Fidelity’s
willingness to pay this amount in damages indicates that it is likely it would also be willing to
pay for a full BitLocker implementation.

Options other than adopting BitLocker completely or not at all exist, too. Fidelity could also
choose to phase in BitLocker, first adopting it for employees who handle the most
sensitive data and then working down. This would ease the financial burden of implementation and
make a BitLocker solution all the more enticing.

Large Corporation with Automatic and Potential Cost: Nationwide (U.K.)

In August 2006, Nationwide Building Society, Britain’s largest building society, reported a
laptop was stolen from an employee’s home that contained personal information about 11
million customers.9 The computer contained customer names and account numbers, information,
experts said, that “identity thieves…could [use] to take out credit cards in customer’s names.”10
Despite these claims, Philip Williamson, Nationwide’s chief executive officer asserted that
“[t]here is no chance of any customer suffering any financial loss on their accounts as a result of
this” and promised customers that the company has “tightened up our already high security
procedures and this should ensure it couldn't happen again.”11 Nevertheless, Britain’s Financial
Services Authority (FSA) fined Nationwide over £980,000 ($1.935 million) for this
carelessness.12 “Nationwide is the UK's largest building society and holds confidential
information for over 11 million customers,” the FSA said in defense of the fines. “Nationwide’s
customers were entitled to rely upon it to take reasonable steps to make sure their personal
information was secure.”13 Nationwide reported that no loss of money on customer accounts
was reported in response to this incident, and made no guarantees about how they would handle
such instances if they arose.

BitLocker would have effectively guarded this data against unauthorized access. Because most
corporate networks require a username/password to log in, it is likely that the laptop was
password-protected, preventing the thief from being able to log in and view the data normally.
BitLocker, then, would have prevented the thief from gaining access to the data via the hard
drive. With these two protections combined, BitLocker would have effectively kept the data safe
from any kind of identity theft.

From a feasibility standpoint, Nationwide’s financial capability does seem to be more
appropriately aligned with the implementation requirements of BitLocker. Nationwide is
Britain’s largest building society, reporting revenue of £1.63 billion ($3.22 billion) and profits of
£539.4 million ($1.066 billion) for the year in 2006.14 Such profits do suggest that Nationwide is
financially capable of relatively large costs (such as that of implementing BitLocker), if it makes
room for it in its budget. Using similar methods to the Fidelity case study, it is possible to
estimate the cost of implementing a BitLocker scheme for Nationwide: according to a 2006
report, Nationwide has 16,644 employees.15 Assuming 30% of this group is laptop-bearing and
it costs about $2000 to outfit each employee with a BitLocker-enabled laptop, adopting a full
BitLocker scheme would roughly cost Nationwide $10 million. Although this is still a
significant amount of money, it does seem to be a more appropriate order of magnitude for

Consideration of the cost of this latest incident of data loss additionally informs this analysis.
Comparing the fines Nationwide faced (over $2 million) with the estimated cost of implementing
BitLocker ($10 million), and taking into account that the tightening of Nationwide’s policies in
response to this first theft might decrease fines in the case of a second theft, implementing a full
BitLocker scheme still does not seem justifiable.

Although full implementation might not seem appropriate given this comparison, it may seem
feasible to phase in BitLocker. If, for example, Nationwide began by purchasing BitLocker-
enabled laptops for 1,000 of its employees who handled the most personal data, it would greatly
reduce the risk of personal data loss in further incidents of theft and would break even with
respect to its original costs. This seems an appropriate alternative for Nationwide.

Smaller Nonprofit with no Cost: Louisiana State University

On April 4, 2007, a business professor’s laptop that contained the personal information (social
security numbers, names, and grades) of roughly 750 students at Louisiana State University
(LSU) was stolen from his house.16 Unlike the Fidelity incident, this case seemed to involve a
much greater degree of ignorance on the part of the laptop owner regarding the risk his laptop
posed to personal data. According to the LSU Daily Reveille, “the faculty member did not
immediately realize that the laptop could contain personal information.”17 “People aren't
necessarily aware of what they've got on their computers,” it cited a university official as saying.
“Thinking about what was lost on the computer is sometimes an afterthought.”18 According to
LSU, the laptop is still missing, but no students have reported suspicious activity on their student
or bank accounts since the incident. The university made no guarantees about covering the cost
of associated damages to this incident, if ever some arise.

Because this was the personal laptop of a professor and because it is very likely the professor
was not too technically inclined (based on comments above and the assumption that business
professors are not usually very technical), it is highly likely that this laptop was not password-
protected. In this case, BitLocker would have been effective only to a limited extent. The students’
data still would have been protected if the laptop’s hard drive were taken out and connected to
another computer, but nothing would have stopped the thief from simply turning on the computer
and obtaining the data that way.

BitLocker also renders itself relatively impractical in the case of LSU. A non-profit organization
that is largely funded by the state (it expects $758 million for the coming year19), LSU has no
extra room in its budget to pay for technology as expensive as BitLocker. In a university with an
enrollment of over 26,000 students and over 1,000 professors, it would cost (using the same
estimations applied to Fidelity) well over $2 million to outfit all faculty members with BitLocker
laptops, a cost too great and an objective too narrow for its budget to support. Phasing in BitLocker
also proves to be too expensive, and would be incredibly difficult, given that all professors
handle equally sensitive student data and it would be hard to choose how the distribution should
be handled.

Adopting BitLocker further seems inappropriate in light of the fact that LSU never offered to
reimburse students for damages suffered from this lost information. Because of this, LSU
effectively suffered no financial cost (other than potentially needing to replace that professor’s
laptop) due to this incident. Although it is possible that the university could get sued, or be
forced to pay some damages for this infraction, the current state of this incident provides no
motivation to adopt BitLocker. Why pay a lot to prevent an incident that would cost relatively
little in the first place?
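The cost comparison the write-up carries out by hand for Fidelity, Nationwide and LSU (estimated full-rollout cost versus the cost the owner actually bore after the theft, and the number of laptops a phase-in could fund before breaking even) can be run as a small model over all four cases. The code below is an added example and is not part of the original write-up; the headcounts, record counts and fine are the paper's figures, the 30% laptop share, $2,000 per laptop and $15 per month for credit monitoring are the paper's stated assumptions, and the rounding, the `Incident` structure and the recommendation thresholds are assumptions of this example.

```python
"""Cost-benefit model for a BitLocker rollout, reconstructing the write-up's
method.  Added example, not the paper's own code.  Figures are the paper's;
the data structure and the recommendation thresholds are assumptions here."""
from dataclasses import dataclass
from typing import Optional

LAPTOP_SHARE = 0.30                   # paper's assumption: 30% of staff carry laptops
LAPTOP_COST_USD = 2_000               # paper's assumption: one BitLocker-ready laptop
CREDIT_MONITORING_MONTHLY_USD = 15    # paper's figure for monitoring services
MONITORING_MONTHS = 12                # Fidelity offered one year of monitoring


@dataclass
class Incident:
    name: str
    staff: Optional[int]        # headcount the rollout is sized on; None = not published
    records_lost: int
    monitoring_offered: bool    # owner promised credit monitoring to each affected person
    fine_usd: float = 0.0       # regulator fine actually imposed
    laptop_share: float = LAPTOP_SHARE


def rollout_cost(inc: Incident) -> Optional[int]:
    """Cost of outfitting every laptop-bearing employee (the paper's method)."""
    if inc.staff is None:
        return None
    laptops = int(round(inc.staff * inc.laptop_share))
    return laptops * LAPTOP_COST_USD


def incident_cost(inc: Incident) -> int:
    """Cost the owner committed to after the theft: monitoring per record plus fines."""
    monitoring = 0
    if inc.monitoring_offered:
        monitoring = inc.records_lost * CREDIT_MONITORING_MONTHLY_USD * MONITORING_MONTHS
    return monitoring + int(inc.fine_usd)


def breakeven_laptops(inc: Incident) -> int:
    """How many BitLocker laptops the incident cost alone would have paid for."""
    return incident_cost(inc) // LAPTOP_COST_USD


def assess(inc: Incident) -> dict:
    """Apply the paper's reasoning: full rollout when the incident cost exceeds it,
    otherwise a phase-in sized to what the incident cost would have bought."""
    full = rollout_cost(inc)
    loss = incident_cost(inc)
    if full is None:
        recommendation = "undetermined (headcount not published)"
    elif loss == 0:
        recommendation = "unfavorable (no cost borne by owner)"
    elif loss >= full:
        recommendation = "full implementation"
    else:
        recommendation = f"phase in ~{breakeven_laptops(inc)} laptops"
    return {"name": inc.name, "rollout_usd": full,
            "incident_usd": loss, "recommendation": recommendation}


# Figures as reported in the write-up; LSU is sized on "all faculty members",
# so every professor counts as laptop-bearing (share = 1.0).
CASES = [
    Incident("Fidelity", staff=32_000, records_lost=196_000, monitoring_offered=True),
    Incident("Nationwide", staff=16_644, records_lost=11_000_000,
             monitoring_offered=False, fine_usd=1_935_000),
    Incident("LSU", staff=1_000, records_lost=750, monitoring_offered=False,
             laptop_share=1.0),
    Incident("Highland Hospital", staff=None, records_lost=13_000,
             monitoring_offered=False),
]

if __name__ == "__main__":
    for case in CASES:
        r = assess(case)
        print(f"{r['name']:<18} rollout={r['rollout_usd']}  "
              f"incident={r['incident_usd']}  -> {r['recommendation']}")
```

Run as a script it prints one line per case; the Fidelity row reproduces the paper's $35.28 million monitoring figure against a rollout just under $20 million, and the Nationwide row shows the fine covering roughly a thousand laptops, which is the phase-in size the write-up suggests.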

Smaller Nonprofit with Recovery and little Cost: Highland Hospital

On April 13, 2007, two laptops—one of which contained sensitive patient data (name, contact
information, and social security numbers)—were stolen from a business office in Highland
Hospital in Rochester, New York.20 Over 13,000 people were affected by this breach, the
hospital reported. The laptop containing the patient data was later recovered, after being put up
for auction on eBay. Hospital officials reported that they could find no evidence that any of the
personal information on the laptop was accessed by the thief.21 Rather, it stated, “the burglary
was committed by thieves who immediately erased any information and sold the computers for
quick profit.”22 It also noted that the machine was password-protected, which further decreased
the likelihood that the thief accessed the patient data. In response to this incident, the hospital
promised to change its security procedures, and created an information line for concerned

From an effectiveness standpoint, BitLocker could have helped this situation in two different
ways: first, because the computer was password-protected, the addition of BitLocker would
have made it nearly impossible for the thieves to access the data stored on the computers. With
password protection guarding entry at the login level and BitLocker guarding entry at the hard
drive level, BitLocker would have effectively prevented unauthorized access of this data.
Second, because the laptop was recovered, BitLocker would have helped authorities conclude if
the thief had attempted to access the data on the laptop, as BitLocker’s locking-out feature
indicates if an unauthorized attempt to access hard drive data has occurred. In sum, BitLocker
would have been very effective both in protecting the data and ensuring patients that it had been
kept safe from identity theft.

Despite these expected benefits, BitLocker still may not prove to be the most practical solution in
the case of Highland Hospital. Highland Hospital is a small to mid-sized teaching hospital for
the University of Rochester Medical Center, with, according to a dean’s report, census levels of
about 250 patients.24 According to a recent newsletter, the hospital’s budget is already relatively
tight, and is expected to grow even tighter with recent cuts to state Medicaid payments.25
Although it is hard to estimate the exact cost of instituting BitLocker laptops in this hospital (in
hospitals, most employees do not get their own laptop and it is hard to say how many would at
Highland), it seems highly unlikely that a suffering budget would be willing to make room for an
expensive piece of equipment that addresses such a limited problem.

However, further consideration of the context of this case qualifies this finding. Maintaining
the security of patient data is incredibly important to maintaining patient trust in that hospital,
and ensuring the continuation of their business. Even though Highland did not have much
money to work with, it still tried very earnestly to work within its budget to atone for this
mistake, and maintain patient trust. Changing security procedures and establishing a hotline did
not require any real, monetary cost to the hospital, but it took time that the hospital was willing
to spend. Even though a full implementation of BitLocker on all laptops is out of reach
financially for Highland, if just implementing BitLocker on even a few computers became
financially possible, Highland seems willing to do it.


A summary of the cases discussed is shown below:

Fidelity Investments / Hewlett Packard
    Amount of data lost:    196,000 records
    Cost of loss:           Relatively large: estimated at $35.28 million
    Sensitivity of data:    Most sensitive (names, addresses, Social Security numbers,
                            dates of birth and other employment-related information)
    Laptop recovered:       No
    Budget:                 Large: reported revenues of $11.1 billion and net income of
                            $1.3 billion in 2005
    Size:                   32,000 employees
    Cost of BitLocker:      $20 million, plus IT support

Nationwide
    Amount of data lost:    11,000,000 records
    Cost of loss:           $1.935 million
    Sensitivity of data:    Less sensitive (customer names and account numbers)
    Laptop recovered:       No
    Budget:                 Large: revenue of $3.22 billion and profit of $1.066 billion
    Size:                   16,644 employees
    Cost of BitLocker:      $10 million, plus IT support

LSU
    Amount of data lost:    750 records
    Cost of loss:           $0 (no loss in business… students are stuck at
    Sensitivity of data:    Sensitive (social security numbers, names, and grades)
    Laptop recovered:       No
    Budget:                 Small and limited: $758 million from the state for the coming year
    Size:                   Over 1,000 professors
    Cost of BitLocker:      Over $2 million, plus IT support

Highland Hospital
    Amount of data lost:    13,000 records
    Cost of loss:           $0, plus loss in patient trust/business
    Sensitivity of data:    More sensitive (name, contact information, and social security numbers)
    Laptop recovered:       Yes
    Budget:                 Small and limited: numbers not published
    Size:                   250 patients
    Cost of BitLocker:      Hard to say – less expensive than LSU, but too much for budget

A summary of findings from these cases is shown below:

Case                 Effective?   Practical?                               Outlook on adopting BitLocker?
Fidelity             Yes          Yes                                      Favorable
Nationwide           Yes          If phased in                             Limitedly favorable
LSU                  No           No                                       Unfavorable
Highland Hospital    Yes          Only if used on just a few computers     Limitedly unfavorable

In all cases where the stolen laptop was password-protected, BitLocker would have been an
effective means of safeguarding the personal data that was stored on it. With a
username/password protecting the data from exposure through means of normal computer usage
and BitLocker protecting the data from exposure through reading the data off of another
machine, the data was safe from unauthorized access.

In cases where the laptop was recovered, BitLocker also would have been helpful in detecting
whether the thief did attempt to access the data and in assuring customers that the protected disk
withstood the attack.

In assessing the practicality of BitLocker, the budget of the laptop owner was by far the biggest
determinant. In both cases of smaller organizations with limited
budgets (LSU and Highland Hospital), a full implementation of BitLocker proved to be
impossible. Indeed, a laptop owner’s budget is the enabling switch on the BitLocker question.

The cost of an individual instance of data loss (and related to this, the amount of data lost) was
also an important factor in determining the practicality of BitLocker. This included both
financial costs as well as cost in customer trust/satisfaction (and in turn future business). All
cases where the cost of the lost records was nonzero also proved to be cases where BitLocker
was determined practical to some extent, even if it was limited. Cost also worked the other way
too: in cases where the cost was smaller than that of a full BitLocker implementation (such as
Nationwide), a full BitLocker implementation was determined impractical, and the extent to
which it could be implemented was scaled down.

Sensitivity of data had an effect on the practicality assessment as well. This makes sense: the
more sensitive data was, the more willing that organization would be to make room for it in its
budget. Such was the case with Highland Hospital. However, financial issues took precedence
over this issue whenever relevant.

The issue of recovery does not have a big effect on whether a company should adopt BitLocker.
Because the likelihood of recovering a laptop is really small, this benefit, overall, is not that

One issue that this data does not address directly is the issue of risk. Because these case studies
looked at individual instances of data loss


In summary, BitLocker is effective, but not necessarily practical in all circumstances. In many
cases, it proves to be too heavy an instrument, too costly for the relatively limited problem it
seeks to correct. Several of the case studies examined evidence this behavior.

Following the data collected in these case studies, we can then make recommendations as to the
conditions under which the adoption of BitLocker is desirable. Specifically, an individual or
institution should adopt a full implementation of BitLocker under the following circumstances,
listed from most important to least important:
     • It fits the profile of the cases investigated above – private information is stored on a laptop
         that is not 100% guaranteed to be safe from theft.
     • The owner has enough money to cover the costs of adopting a full BitLocker scheme
     • The series of actions that the individual or institution plans to take in the event that the
         laptop is stolen costs more than what it would take to adopt BitLocker

If that individual or institution does not meet all these requirements, they should only adopt a limited
BitLocker scheme (i.e. phase it in), depending on what money is available and how sensitive the
data is that they are trying to protect. This limited adoption of BitLocker could be supplemented
by changes in policy that only allow certain employees to download certain types of data, or
restrict where laptops can be taken or used.

Of course, this study has its limitations. The method of looking at cases of laptop theft only
exposes the limitations of BitLocker within this context. It neglects other limitations, such as:
   • BitLocker is not effective if personal data is left unprotected in other places (e.g. on
        PDAs, external hard drives, paper files)
   • BitLocker does not help locate the stolen laptop – this remains lost forever
   • BitLocker may encourage carelessness with laptops, because individuals no longer have
        to worry about data loss
This study also does not consider the effectiveness of other disk encryption solutions relative to
BitLocker. This was beyond the scope of this study, but would be an interesting topic for later

Although it may seem somewhat heavy in some circumstances, BitLocker is an effective solution
to data loss in laptop theft that should be given serious consideration when companies are
investigating potential solutions to this problem. As technology continues to advance, hardware
will become cheaper and BitLocker may become practical for a wider array of laptop owners. In
such circumstances, new iterations of this study are necessary, to continue to determine the most
effective means of protecting private information in our evolving, ever-more digital world.


Technical Specification of BitLocker

[omitted for time’s sake… see presentation for overview]

Interview with individual about laptop theft

I also interviewed one of my friends who had his laptop stolen this semester to see what
interesting comparisons I could make between institutions and individuals. I did not have time to
complete this analysis, but here is the text of this interview:

   1. When/where/how was the laptop stolen? Give a brief account of the crime.

The laptop was stolen in January, from the Lowell Dining Hall. I had left it there between lunch
and dinner while I went to work. It was inside my backpack, at the high table; the backpack was
entirely closed, with the exception of the cord coming out of it in order to charge the laptop.
When I returned for dinner, it was gone; cord, laptop, and all. The backpack was still there,
though; someone had opened my backpack and taken the laptop.

   2. What were some of your biggest concerns after this happened?
My biggest concern was, of course, the openness of Lowell House. Granted, I never should have
left the laptop in the dining hall for an extended period of time, but it seemed appalling to me that
someone would actually open my backpack and take my laptop out, in the middle of the dining
hall, which is a place that I feel is close to home for me. So, I guess my biggest concern was
people coming into Lowell from outside (I still don't believe it was a Lowellian) and invading
our space, and especially stealing our things.

   3. How costly would you say this incident was? (financial, psychological, etc.) Explain.

It wasn't nearly as costly as it could have been. I had just backed up my laptop, because I was
installing Windows Vista on it, so I didn't lose very much information. My mom's insurance
actually covered 1/2 of the cost of the laptop, so that was a huge help financially.
Psychologically, it kind of just sucked. I still am wary of leaving anything at all of value out in
the house, even with people I trust. I think the most telling cost is the reaction I personally have
when people ask me to watch things now; it kind of freaks me out, because I always wonder
what would happen if, while I was supposed to be watching someone's stuff in the dining hall, it
was stolen.

   4. What type of data did you have stored on the laptop? Any personal information (about
      you or others) that would be useful to a thief (credit card numbers, bank account info,
      social security numbers, etc.)? How valuable was this data to you?

I had some personal information on the laptop, such as my student ID, etc., but not financial
information. Also, to the best of my knowledge, none of this information has ever been used.

   5. If you did have sensitive data on the laptop, were you concerned about the security of this
      data after the laptop was stolen? (In other words, were you ever worried that the thief
      would log into your computer, grab this data off of it, and use it for identity-theft type

I actually wasn't really concerned about it at all, until HUPD asked me about it. Then, I was a tad
concerned, but not really after I changed my passwords on my accounts.

   6. Was your computer password protected?

   7. Suppose a product (software or hardware) existed that insured that the thief would not be
      able to access the data on your laptop. How much would you be willing to pay for this?

Not really that much; at this point in my life, I don't really keep sensitive data on my computers.
Perhaps around $50 or so.
