Where most enterprises go wrong

Enterprises using BitLocker should treat the recovery keys as highly sensitive and avoid default cloud backup unless there is a clear business requirement and the associated risks are well understood and mitigated. The safest configuration is to redirect those keys to on-premises Active Directory or a controlled enterprise key vault. Even if the keys are stored in a corporate-controlled directory or service such as Microsoft Entra ID or Intune, there should be strong governance on who can read them, with effective logging and just-in-time access, said Amit Jaju, a global partner at Ankura Consulting. This can cut Microsoft out of the recovery loop, he said.

If keys have to reside in Microsoft’s cloud, use strong multi-factor authentication for admin roles, with conditional access and privileged-access workstations, so that a compromise of admin credentials does not automatically become a compromise of all keys, he said.

Enterprises should ensure strict access control and separation of duties. “Only a small, vetted group, such as security operations or endpoint engineering, should have rights to view or export recovery keys. Approvals should be workflow-based, not ad hoc. Every key retrieval should leave an auditable, immutable trail, and ideally be tied to an incident or ticket ID,” said Jaju.

CISOs should also ensure that when devices are repurposed, decommissioned, or moved across jurisdictions, keys are regenerated as part of the workflow so that old keys cannot be used.

Gogia warned of the long tail of insecure setups. Personal accounts linked during provisioning, or BYOD devices that silently sync keys to consumer dashboards, are invisible pathways for leakage. “If those keys sit outside your boundary, you no longer have a clean chain of custody. That’s not a theoretical risk. It’s something auditors are now actively checking,” he said.

As many breaches are not cryptographic but procedural, enterprises should have a formal playbook for when a recovery key can be used (lost PIN, internal investigation with legal approval, lawful order) and when it cannot (informal manager request to access an employee’s data), noted Jaju.
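The two controls above that can be checked and enforced on the endpoint itself are the escrow target (on-premises AD DS rather than a cloud or consumer account) and key regeneration when a device changes hands. The following PowerShell script is an added example written for this article, not code from Computerworld or from the people quoted. It audits the BitLocker recovery policy on a domain-joined Windows client and rotates the numerical recovery password, escrowing the new one to AD DS before the old one is removed, so a failed backup never leaves the device without a stored key. It assumes the BitLocker PowerShell module, an elevated session, and that the registry value names under `HKLM\SOFTWARE\Policies\Microsoft\FVE` match the ones the "Choose how BitLocker-protected operating system drives can be recovered" Group Policy writes; verify them against the policy actually deployed in your environment.

```powershell
# Added example (not from the article): audit BitLocker recovery-key escrow
# posture and rotate the recovery password with AD DS escrow before removal.
#Requires -RunAsAdministrator
#Requires -Modules BitLocker

# Assumption: policy values written by the OS-drive recovery GPO.
$FvePolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Get-BitLockerEscrowPolicy {
    # Returns the escrow-related policy settings; absent values mean the GPO
    # is not applied and BitLocker falls back to its defaults.
    $p = Get-ItemProperty -Path $FvePolicyPath -ErrorAction SilentlyContinue
    [pscustomobject]@{
        PolicyPresent      = ($null -ne $p)
        BackupToAdDs       = ($p.OSActiveDirectoryBackup -eq 1)
        RequireAdDsBackup  = ($p.OSRequireActiveDirectoryBackup -eq 1)
        RecoveryPageHidden = ($p.OSHideRecoveryPage -eq 1)
    }
}

function Test-BitLockerEscrowPosture {
    # Produces a list of findings a CISO would want closed before trusting
    # the device's chain of custody for recovery keys.
    $policy   = Get-BitLockerEscrowPolicy
    $joined   = (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain
    $findings = [System.Collections.Generic.List[string]]::new()

    if (-not $joined) {
        $findings.Add('Device is not domain-joined; AD DS escrow is not possible.')
    }
    if (-not $policy.PolicyPresent -or -not $policy.BackupToAdDs) {
        $findings.Add('OS-drive recovery information is not configured to back up to AD DS.')
    }
    if ($policy.BackupToAdDs -and -not $policy.RequireAdDsBackup) {
        $findings.Add('AD DS backup is optional; BitLocker can be enabled before a key is escrowed.')
    }
    if (-not $policy.RecoveryPageHidden) {
        $findings.Add('Recovery options are shown in the setup wizard; users may save keys to a file or a personal account.')
    }

    foreach ($vol in Get-BitLockerVolume | Where-Object VolumeStatus -ne 'FullyDecrypted') {
        $rp = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
        if ($rp.Count -eq 0) {
            $findings.Add("Volume $($vol.MountPoint) has no numerical recovery password protector.")
        }
    }
    return $findings
}

function Invoke-BitLockerRecoveryPasswordRotation {
    # Regenerates the recovery password for a volume (for decommissioning or
    # repurposing) with escrow-before-removal ordering:
    #   1. add a new recovery password protector
    #   2. back it up to AD DS (abort here if that fails)
    #   3. only then remove the previous recovery password protectors
    param([string]$MountPoint = $env:SystemDrive)

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $old = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')

    $after = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $new   = $after.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' -and $_.KeyProtectorId -notin $old.KeyProtectorId }

    # Stop on any escrow error so the old, still-stored protector stays valid.
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $new.KeyProtectorId -ErrorAction Stop | Out-Null

    foreach ($kp in $old) {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null
    }

    [pscustomobject]@{
        MountPoint        = $MountPoint
        NewProtectorId    = $new.KeyProtectorId
        RemovedProtectors = $old.KeyProtectorId
    }
}

# Usage: run the audit first; rotate only once escrow is known to work.
$findings = Test-BitLockerEscrowPosture
if ($findings.Count -gt 0) {
    $findings | ForEach-Object { Write-Warning $_ }
} else {
    Invoke-BitLockerRecoveryPasswordRotation | Format-List
}
```

The ordering in the rotation function is the point: because `Backup-BitLockerKeyProtector` runs with `-ErrorAction Stop`, a device that cannot reach a domain controller, or whose escrow policy is missing, keeps its previously escrowed protector instead of ending up with a key that exists only on the endpoint. Each rotation should be logged to the ticket that triggered it, as the article recommends.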
Geopolitics reshaping enterprise data and key control

Geopolitical tensions are also reshaping global trade and technology policies, something enterprises increasingly need to factor into their security strategies. As governments assert greater control over data, trade secrets and proprietary information risk becoming entangled in broader state interests.

Gogia warned, “The US CLOUD Act allows law enforcement to compel US-based providers to hand over data and keys, even if that data is hosted in Europe or Asia. Similarly, Chinese data localisation rules require keys and data to be accessible to state regulators. In India, recent legislation has introduced broad access rights for security agencies. And the EU is debating whether sovereignty must include key custody by design, not just data residency.”

If recovery keys are stored with a cloud provider, that provider may be compelled, at least in its home jurisdiction, to hand them over under lawful order, even if the data subject or company is elsewhere, and without notifying the company. This becomes even more critical for a pharma company, semiconductor firm, defence contractor, or critical-infrastructure operator, as it exposes them to risks such as the exposure of trade secrets in cross-border investigations.

Jaju added, “Enterprises should assume that where keys are held, they can potentially be compelled. So where practical, ensure that the entities controlling keys are legally anchored in the jurisdiction whose laws and due-process standards you trust most. Establish board-level oversight on cross-border data access, including a register of government data-access requests, where legally permitted. For multinational companies, legal and security teams must work together to understand mutual legal-assistance treaties, CLOUD Act implications, and local interception laws.”

This article first appeared on Computerworld.
First seen on csoonline.com: www.csoonline.com/article/4122151/microsoft-handed-over-bitlocker-keys-to-law-enforcement-raising-enterprise-data-control-concerns-2.html