Siemens AG uses the BitLocker drive encryption feature in Windows 7 to help safeguard computers. It joined a Technology Adoption Program to evaluate the Microsoft BitLocker Administration and Monitoring (MBAM) solution as a way to easily manage BitLocker. By using MBAM, Siemens can ensure that its computers are encrypted, instantly run detailed compliance reports, and simplify BitLocker management while freeing IT resources for strategic projects.

Business Needs
Siemens IT Solutions and Services (SIS) supports approximately 370,000 computers for Siemens AG, a Munich, Germany–based global electronics manufacturer that generated about €76 billion (U.S.$110 billion) in revenues in 2010. The company wanted to safeguard its computers. Its employees were using the Windows XP operating system when, in 2007, Siemens mandated that all portable computers have hard disk encryption. “With Windows XP, we used Sophos SafeGuard on nearly all notebooks. This generated substantial license costs,” says John Minnick, Director of the Global Siemens IT Solutions and Services Workplace Architecture Team (SWAT).

In line with its commitment to technology excellence and innovation, Siemens decided to upgrade to the Windows 7 Enterprise operating system. “Windows 7 has great performance and has been widely accepted in the industry as the standard operating system,” says Minnick.

When the company chose Windows 7, it became clear that it should also use the BitLocker Drive Encryption feature to comply with the Siemens encryption mandate. “BitLocker is a robust, enterprise-ready technology. And because it is built into Windows, Siemens business groups can get a strong encryption solution at no additional cost,” says Minnick. In July 2010, SIS launched a pilot project and rolled out Windows 7 to about 2,000 Siemens employees, and by May 2011, business units will have the option to begin deploying Windows 7 and BitLocker. SIS expects that about 80 percent of the global Siemens workforce will be using Windows 7 by November 2012.

To aid administration of BitLocker, SIS developed its own software tool. “We needed to simplify configuration and management of large-scale BitLocker implementations. Our tool helps us to centrally deploy and manage BitLocker; however, some of the functionality is rather basic,” says Markus Dauberschmidt, Senior System Architect at Siemens SIS.

For instance, when customers want to verify encryption status, SIS runs a script that pulls encryption data, but it only does so from computers that are connected to the network. To maintain and develop the tool, SIS would have to devote ongoing resources to this project and that could take away from other initiatives. “We wanted to make it easier to deploy, manage, and verify compliance of BitLocker, while minimizing the time and resources that are needed to maintain it,” says Dauberschmidt.

Solution
In April 2010, the Siemens SWAT team was working with the Windows product team when it learned about the Microsoft BitLocker Administration and Monitoring (MBAM) technology, part of the Microsoft Desktop Optimization Pack. SIS wanted to test MBAM

We believe that using MBAM could make it easy to centrally configure BitLocker and help us ensure compliance and improve protection through better reporting and an intuitive web interface. Markus Dauberschmidt Senior System Architect, Siemens IT Solutions and Services

because it simplifies BitLocker deployment and key recovery; centralizes provisioning, monitoring, and reporting of encryption status; and minimizes costs.

Siemens joined the Technology Adoption Program for MBAM in September 2010 and began testing the product the next month. SIS installed pre-beta versions of MBAM on computers in its lab throughout 2010. Then in March 2011, SIS downloaded and started using the beta version.

“We believe that using MBAM could make it easy to centrally configure BitLocker and help us ensure compliance and improve protection through better reporting and an intuitive web interface,” says Dauberschmidt.

Benefits
By using Microsoft BitLocker Administration and Monitoring, Siemens IT Solutions and Services can help ensure compliance with corporate encryption policies, speed reporting, and simplify BitLocker management while freeing IT resources for more strategic projects.

Meet Encryption Mandate
“As a service provider, we’re contractually obligated to ensure that every Siemens managed PC is encrypted. When used on its own, BitLocker requires manual interaction for deployment—and employees may not enable it. A central management is essential, so that we can be confident that employee devices are encrypted,” says Dauberschmidt.

SIS can also use MBAM to specify which hardware models to encrypt. “By restricting the use of BitLocker to corporate-approved computers, we can more easily provide the support that our customer agreements require,” says Minnick.

Speed Compliance Reporting
SIS can enhance reporting of compliance. “Instead of running a script to collect data from computers—and worrying that devices that are not connected won’t be accounted for—MBAM automatically sends compliance data to a central database at regular intervals and so eliminates the risk of incomplete data. That´s a clear advantage compared to our homegrown tool,” says Dauberschmidt.

SIS can create compliance reports quickly. “We can run in-depth reports about BitLocker enablement on demand. This can help improve responsiveness to requests for last-minute encryption verification,” says Minnick.

Simplify Management, Free Resources
SIS can use MBAM to simplify and improve management of BitLocker tasks, including automatically changing a recovery key after it has been used so that no one can reuse the original key, allowing users with standard rights to activate encryption, and enabling the service desk to access recovery keys through a simple web portal.

SIS can also redirect IT resources to more strategic initiatives. “”MBAM is the management solution to work hand in hand with BitLocker. We know that Microsoft will support and continually evolve both the central and the client side of MBAM. So in the future, by using MBAM instead of our internal tool, we will free up resources that would be spent maintaining and developing homegrown software,” says Dauberschmidt.

For more information about other Microsoft customer successes, please visit:
www.microsoft.com/casestudies