4-page Case Study
Posted: 9/7/2011

General Mills to Simplify Encryption Tasks, Monitoring, with Robust Administration Tools

To help safeguard data on employee computers, General Mills is deploying the BitLocker drive encryption feature in the Windows 7 Enterprise operating system. However, with approximately 22,000 employees scheduled to receive BitLocker, the company was concerned about the number of IT staff that would have access to recovery information and potential difficulties with encryption-related tasks. General Mills joined the Technology Adoption Program for Microsoft BitLocker Administration and Monitoring (MBAM) and plans to roll out the beta version of MBAM as part of its Windows 7 image. The company expects to boost security by using an encrypted recovery key database and by creating an audit trail of database access activities. The IT team will be able to quickly generate up-to-date encryption status reports, and service-desk staff and business users will find it easy to manage BitLocker tasks.

Situation
General Mills, a Fortune 500 producer of food products, generated U.S.$14.9 billion in global net sales in fiscal year 2011. Renowned for its trusted products—which include more than 100 consumer brands, including Betty Crocker, Green Giant, and Pillsbury—the Minneapolis, Minnesota-based company is also known for driving innovation in everything from food development and recipe promotion to the technologies that run its business.

For the Global Infrastructure Services (GIS) group—which provides IT support for the entire company—this commitment to modernization was exemplified in its decision to upgrade all client computers to the Windows 7 Enterprise operating system. “Our employees are very excited about getting Windows 7 because of its ease of use and performance. It’s one of the first software upgrades that they have actually been asking for,” says Shelly Halford, Information Systems Program Manager at General Mills.

The GIS team was looking forward to Windows 7 Enterprise for its security enhancements—specifically, the BitLocker drive encryption feature. “We have always been very security conscious. For instance, we’ve used Microsoft Encrypting File System on our employees’ My Documents folders and third-party encryption products on computers with our most sensitive data. Now there is an increasing need for hard drive encryption because of government and credit union regulations, human resources requirements to protect sensitive data, and laws pertaining to data loss and reporting,” says Halford.

By using BitLocker, General Mills believed that it could meet widespread encryption needs. “By deploying Windows 7 and BitLocker enterprisewide, we can help safeguard the data residing on devices that may be lost, stolen, or removed from corporate premises,” says Bernard Carter, Technical Architect at General Mills.

As part of a pilot project for Windows 7 Enterprise that began in January 2011, the GIS team installed BitLocker on about 100 computers. Although it was very pleased with BitLocker, General Mills had concerns about encryption management and reporting. One major concern was the large number of support personnel who could potentially access recovery key information without the company’s knowledge. “We thought about limiting recovery key access to domain administrators, but that would have put too much of a burden on those people, since requests from all global employees would be funneled through a subset of our tier three support staff,” says Halford.

Instead, General Mills decided to give access to all service-desk employees. “This meant that when BitLocker is installed enterprisewide, about 125 support team members could retrieve keys for all our devices, and there would be no way to track who retrieved the information. That could leave us exposed to unknown, untrusted insiders who are motivated to do harm—which, of course, was something we wanted to avoid,” says Carter.

General Mills also wanted an accurate, timely way to report on BitLocker compliance status. “BitLocker doesn’t come with out-of-the-box reports. We knew that we could gather information through Microsoft System Center Configuration Manager and create custom reports to tell us whether devices had BitLocker turned on when they were last inventoried; however, the data wouldn’t necessarily be up-to-date, especially if employees are travelling and their portable computers haven’t been online in a while. And generating reports would be time-consuming if we have to gather information each time we receive an inquiry,” notes Carter.

Although the GIS team will be enabling BitLocker so that it will be turned on when employees receive Windows 7 during the operating system upgrade, employees will have to set their own PINs. “It might be confusing when a window on the user’s screen opens, asking for a PIN. Employees may not understand what the PIN is being used for and therefore may not follow the instructions,” says Carter. He notes that General Mills could custom develop a more intuitive, front-end user interface for the PIN, but then it would need to maintain and support it over time, and that would divert IT resources from other projects.

General Mills wanted a solution that would make it easy for employees to reset their BitLocker PIN and for IT staff to access recovery keys and report on compliance.

Solution
In late January 2011, the General Mills GIS team shared its concerns about BitLocker management with its Microsoft representative. “She told us that Microsoft BitLocker Administration and Monitoring could help us address our challenges and recommended that we consider joining the Technology Adoption Program,” says Halford.

Microsoft BitLocker Administration and Monitoring (MBAM), soon to be part of the Microsoft Desktop Optimization Pack for Software Assurance, takes BitLocker to the next level by simplifying deployment and key recovery; centralizing provisioning, monitoring, and reporting of hard disk encryption status; and minimizing support costs. The company joined the Technology Adoption Program for MBAM in February 2011, testing the pre-beta version, and then began using the beta version when it was released the following month.

“We tested MBAM in our lab, and everything worked great. MBAM fulfilled our three needs: an intuitive user interface for employees, functional reports that show up-to-date compliance status, and robust recovery key and auditing capabilities. Having met those goals, we feel comfortable rolling it out in production,” says Carter. General Mills also liked the one-time-use recovery key feature, which automatically generates a new key after an employee has used an existing key, thereby adding a layer of security.

In May 2011, the company began rolling out MBAM to the 1,200 participants in the Windows 7 pilot, beginning with 100 computers that are used by service-desk personnel. General Mills deployed MBAM to the remaining 1,100 employees in the pilot by the end of June 2011. It has put MBAM into its production image of Windows 7, which began deploying companywide in July 2011. General Mills expects to implement Windows 7, BitLocker, and MBAM on about 80 percent of its desktop and portable computers by February 2013.

Benefits
By using Microsoft BitLocker Administration and Monitoring, General Mills expects to boost security of enterprisewide computers while making it easy to create compliance reports and simplifying encryption-related tasks for service-desk personnel and business users.

“MBAM will help us streamline deployment of Windows 7 by enabling us to centralize BitLocker management and ensure that computers are encrypted with minimal effort,” says Halford.

Boosts Security with Enhanced Key Recovery Process, Audit Trail
General Mills no longer has to worry about exposing recovery keys to a large global support team. “The fact that so many service-desk personnel will be able to access recovery key data doesn’t pose any concern, as it would have without MBAM. We’ll know who is accessing which keys and when, and keys will automatically change if they are used. We feel more confident that we won’t have issues with personnel breaching security,” says Carter.

The company will boost security further by storing recovery key information in a Microsoft SQL Server database that General Mills can encrypt and configure with specific controls. “Our security and audit departments will appreciate that the MBAM recovery key database is encrypted and only accessible by authorized employees. That, plus the ability to create an audit trail, will be critical to our data protection efforts,” notes Halford.

Easily Generates Up-to-Date Compliance Reports
Reporting on the status of device encryption will be easy and accurate. Although, by default, MBAM checks devices for BitLocker enablement every 12 hours, General Mills reset that to 90 minutes in its testing phase. “We’re in the process of determining what interval makes the most sense long term. But in the meantime, we’re happy to know that we can quickly generate reports on real-time encryption status. And because all devices are automatically captured, we know the reports will be accurate. If someone calls because a computer is stolen, and our MBAM report shows that encryption was turned on, I can make assurances that the data on that computer is protected,” says Carter.

The reports also will help the GIS staff meet General Mills’ management needs. According to Carter, “By using MBAM, we can quickly respond to management requests. The enterprise compliance report that depicts the status of BitLocker enablement from a dashboard perspective is a great example. If a manager calls at the last minute for an update on the encryption landscape, we can instantly generate a report that highlights results through easy-to-read pie charts and graphs, without any custom work.”

Simplifies Encryption Tasks for Help-Desk Staff and Business Users
Interacting with BitLocker is easier when employees can use MBAM to manage the encryption tasks. “The user experience with MBAM is great. It will be easy for support staff to access keys through the web portal. They won’t have to type in additional credentials like they would have without MBAM, and finding recovery key information is simple,” says Carter.

And, by using MBAM, General Mills can ease the PIN reset process for employees. “When they’re prompted to input PINs, it will be very clear to employees what the prompt is for and why they should follow it. That should result in more users resetting their PIN without the help desk having to get involved or distracting us from the overall Windows 7 deployment process. And because we’re using a solution from Microsoft, we won’t have to set aside time or resources to maintain an internally developed user interface,” adds Carter.

Microsoft Desktop Optimization
Microsoft Desktop Optimization Pack (MDOP) for Software Assurance makes it easy for an organization to administer its applications, offering tools for virtualizing and inventorying software installations, for managing Group Policy settings, and for system repair and data recovery.

For more information about MDOP, go to:
www.microsoft.com/mdop  

For More Information
For more information about Microsoft products and services, call the Microsoft Sales Information Center at (800) 426-9400. In Canada, call the Microsoft Canada Information Centre at (877) 568-2495. Customers in the United States and Canada who are deaf or hard-of-hearing can reach Microsoft text telephone (TTY/TDD) services at (800) 892-5234. Outside the 50 United States and Canada, please contact your local Microsoft subsidiary. To access information using the World Wide Web, go to:
www.microsoft.com

For more information about General Mills products and services, visit the website at:
www.GeneralMills.com

Solution Overview



Organization Size: 27000 employees

Organization Profile

General Mills is one of the world’s largest food manufacturers, with operations in more than 100 countries. It has about 35,000 employees.


Business Situation

General Mills wanted to make it easy for IT staff to recover keys and report on compliance with the BitLocker drive encryption feature in the Windows 7 operating system, and for employees to reset PINs.


Solution

General Mills plans to use Microsoft BitLocker Administration and Monitoring to streamline BitLocker management and compliance reporting.


Benefits

  • Boosts security with enhanced key recovery process and audit trail
  • Easily generates up-to-date compliance reports
  • Simplifies encryption tasks for help-desk staff and business users


Software and Services
  • Windows 7 Enterprise
  • Microsoft BitLocker Administration and Monitoring
  • Microsoft Desktop Optimization Pack
  • Windows BitLocker Drive Encryption

Vertical Industries
Consumer Goods

Country/Region
United States

Business Need
Data Protection and Recovery

IT Issue
Desktop, Device and Server Management

Languages
English
