Mortgage Software Solutions Blog

Can Your Mortgage Business Use BitLocker Without TPM?

The theft of a computer can be bad news for your mortgage business. It's not just the cost of replacing it; insurance should cover that. It's the prospect of letting confidential information into the hands of thieves. Confidentiality is vital to the mortgage business. Even computers sitting on desktops can be stolen.

Encrypting the entire disk drive helps to protect against data theft. As long as a user isn't logged in and active, thieves won't be able to read anything on the drive. It just needs to be set up once and after that, it's transparent. A logged-in user sees files just as if they weren't encrypted.

BitLocker for Full Disk Encryption

On Windows, there are several ways to do this. Windows 10 Professional and some older versions include a tool called BitLocker. An open-source alternative called TrueCrypt used to be available, but it's no longer supported and may have uncorrected problems.

There's a limitation on BitLocker, though. Out of the box, it expects a hardware device called the TPM, or Trusted Platform Module. The TPM provides an extra layer of security by storing passwords and keys in a secure form. Not all computers come with one, but some machines let you add one. It's logically tied to one computer and won't disclose its information if moved to another one. Windows 10 requires a version 1.2 TPM.

The way the encryption works may need a little explaining. You access the encrypted disk by logging in, but your password isn't the encryption key. The actual key is a long string of characters, and the TPM is needed to get it.

BitLocker Without TPM

It's not clear whether a TPM really makes BitLocker much more secure. If someone steals a computer, they're usually stealing the motherboard, disk drive, and TPM all at the same time. If your computer doesn't have one, it's still possible to use BitLocker, though it takes extra work.

The TPM provides other security benefits, though, so it is worth having. It checks if a drive or the boot loader has been tampered with. It lets the user store passwords and other credentials safely. Some older computers, however, don't support it.

Security Options

You can set up BitLocker to write a startup key to a USB drive, or you can have it require an additional password at boot. If you use the USB key, you'll have to insert it each time you boot the computer. This approach may provide better security, since it requires an external device or piece of information in addition to the disk itself. If you do have a TPM, you can also combine it with one or both of these options for the highest possible security.

BitLocker, even without a TPM, provides a reasonable level of security, but only if the user is careful. Don't carry the USB key around in the same bag as the computer (or permanently plugged into the computer). That defeats the whole point of having it. At the same time, don't lose the key.

If you're worried about losing the USB key, you can save the recovery key to your Microsoft account so that you can retrieve it if you ever need to. This creates an additional risk at the same time, since someone could conceivably steal it from the account. If this is a concern, you can print out the key, put it in a locked box, and delete it from the server. (Don't store a written copy of either your recovery key or your Microsoft password with your computer!)
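The setup the last three paragraphs describe, as an added example that is not part of the original post: allow BitLocker on a machine with no TPM, protect the OS drive with a USB startup key, and keep a printable recovery password. It assumes an elevated PowerShell prompt on Windows 10 Pro, that the OS volume is C:, and that the USB stick is mounted as E: (both placeholders).

```powershell
# Added example (not from the original post). Assumptions: OS volume is C:, the USB
# stick that will hold the startup key is E: (placeholders). Run elevated; a reboot
# follows so BitLocker can test that the startup key is readable before encrypting.
$OsDrive  = "C:"
$UsbDrive = "E:\"   # placeholder: a removable drive that stays OUT of the laptop bag

# 1. Same policy Group Policy sets under "Require additional authentication at
#    startup" with "Allow BitLocker without a compatible TPM" ticked.
$fve = "HKLM:\SOFTWARE\Policies\Microsoft\FVE"
New-Item -Path $fve -Force | Out-Null
Set-ItemProperty -Path $fve -Name UseAdvancedStartup -Value 1 -Type DWord
Set-ItemProperty -Path $fve -Name EnableBDEWithNoTPM -Value 1 -Type DWord
foreach ($name in "UseTPM", "UseTPMPIN", "UseTPMKey", "UseTPMKeyPIN") {
    Set-ItemProperty -Path $fve -Name $name -Value 2 -Type DWord   # 2 = "Allow"
}

# 2. Add the recovery password BEFORE encrypting, so the drive stays recoverable
#    even if the USB key is lost.
Add-BitLockerKeyProtector -MountPoint $OsDrive -RecoveryPasswordProtector | Out-Null

# 3. Encrypt with a startup key written to the USB stick.
#    Password alternative instead of the two -StartupKey* parameters:
#    -PasswordProtector -Password (Read-Host "Startup password" -AsSecureString)
Enable-BitLocker -MountPoint $OsDrive -EncryptionMethod XtsAes256 -UsedSpaceOnly `
    -StartupKeyProtector -StartupKeyPath $UsbDrive

# 4. Show the 48-digit recovery password once, to be printed and locked away.
#    It is not written to disk here; nothing about it should stay with the laptop.
$vol = Get-BitLockerVolume -MountPoint $OsDrive
$rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq "RecoveryPassword"
"Recovery password (print, store offline, then clear the screen): $($rp.RecoveryPassword)"

# 5. Verify the protector set is exactly what we intended: a startup key
#    ("ExternalKey") plus a recovery password, and nothing else.
$types = @($vol.KeyProtector.KeyProtectorType)
if (($types -contains "ExternalKey") -and ($types -contains "RecoveryPassword") -and $types.Count -eq 2) {
    "Protectors OK: $($types -join ', ')"
} else {
    Write-Warning "Unexpected protector set: $($types -join ', ')"
}
$vol | Select-Object MountPoint, VolumeStatus, EncryptionPercentage, ProtectionStatus
```

If the machine later gets a TPM, the same policy values let you add a TPM-based protector with Add-BitLockerKeyProtector and remove the USB key protector, without re-encrypting.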

Keep it Safe

Whichever approach you prefer, having an encrypted drive is significantly safer than having an unencrypted drive. If someone steals a laptop computer with customer information, it's better if the thief gets only the hardware. Requiring BitLocker on all Windows computers that your business uses gives security a strong boost. Even if not all of them have TPM hardware, they still benefit from encryption. Just make sure employees don't take shortcuts that undercut the benefits.

Access Business Technologies provides secure cloud hosting services for the mortgage industry. Our state-of-the-art vulnerability management solutions, like DeviceGuardian™ and DocumentGuardian™, help provide you with the added security you need against mortgage cyber-attackers. This type of added security can be especially crucial when used with computer equipment utilized in mortgage operations. For more information, please contact us.


Topics: encryption bitlocker

Why Hard Drive Encryption is Important for Mortgage Companies

Is your mortgage company encrypting the hard drives of the devices it uses to conduct daily business? Here’s a better question: Could your mortgage company withstand the potentially catastrophic fallout that would occur if a computer containing confidential client information was stolen and fell into the wrong hands? What about the regulatory repercussions and lack of customer confidence that such an event would cause?

Implementing hard drive encryption today could save you from potential disaster tomorrow.

The Importance of Protecting Your Data

Securing your computers with passwords or behind locked doors is not enough. Passwords may stop an unauthorized person from logging into one of your computers, but they will not stop that person from stealing the entire computer. Once they have the computer, accessing any file on your hard drive is easy. Anyone with the right knowledge or tools can bypass the operating system security and read the files directly from the disk.

Consider for a moment what kind of confidential information your mortgage company gathers on its clients: social security numbers, birth dates, addresses, employment history, and credit history. Now, imagine if all that confidential data was stolen. In the right hands, this data could lead to hundreds of thousands of dollars in financial losses to your customers, and to your company.

Identity theft is serious business, and keeping your client data safe from theft is a serious part of your business. This is why mortgage industry regulators strongly recommend that mortgage companies encrypt the hard drives on all computers used to handle client data.

How Much Encryption is Enough?

Encrypting specific files or types of files is a good start. Unfortunately, due to the way in which computers access and handle data, anything short of full drive encryption is simply not enough.

Encrypted files on an otherwise unencrypted drive must be decrypted on the fly by the operating system. These files, or pieces of them, are then stored in an area of the hard drive known as the swap file for easy access and editing once they are opened. For example, if you have ever used the undo function in Microsoft Word or Excel, it is the swap file that makes this possible.

Files and pieces of files in this area of the disk may linger for a considerable amount of time, in plaintext, leaving them vulnerable to anyone who can read the unencrypted part of the drive.

The unencrypted part of a partially encrypted drive can also be used as a sort of “back door” to access and circumvent the encryption. This vulnerability can be easily exploited by a fairly inexperienced person with the right software tools.

It is for these reasons that mortgage industry regulations now require businesses to use full disk encryption of all data on laptops and other devices. As such, full drive encryption is the only real option to both protect your confidential data and maintain full regulatory compliance.
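One way to check a machine for the gap this section describes (an encrypted file set beside an unencrypted page file), as an added example that is not part of the original post: every fixed volume must be fully encrypted with protection on, and the volume holding the page file must be one of them. It assumes an elevated PowerShell prompt on a Windows 10 machine with the BitLocker module available.

```powershell
# Added example (not from the original post). Audits BitLocker coverage against the
# "partial encryption" problem: decrypted fragments of protected files can land in
# the page file, so the page file's volume must itself be fully encrypted.
function Test-FullDiskEncryption {
    $problems = @()

    # Every fixed (non-removable) volume that has a drive letter
    $fixed = Get-Volume | Where-Object { $_.DriveType -eq "Fixed" -and $_.DriveLetter }
    foreach ($v in $fixed) {
        $mp  = "$($v.DriveLetter):"
        $bde = Get-BitLockerVolume -MountPoint $mp -ErrorAction SilentlyContinue
        if (-not $bde) { $problems += "$mp is not a BitLocker volume"; continue }
        if ($bde.VolumeStatus -ne "FullyEncrypted") {
            $problems += "$mp volume status is $($bde.VolumeStatus)"
        }
        if ($bde.ProtectionStatus -ne "On") {
            $problems += "$mp protection is $($bde.ProtectionStatus) (key exposed in clear)"
        }
    }

    # Page files: Win32_PageFileUsage.Name is the full path, e.g. C:\pagefile.sys
    foreach ($pf in Get-CimInstance -ClassName Win32_PageFileUsage) {
        $mp  = Split-Path -Qualifier $pf.Name          # "C:"
        $bde = Get-BitLockerVolume -MountPoint $mp -ErrorAction SilentlyContinue
        if (-not $bde -or $bde.VolumeStatus -ne "FullyEncrypted" -or $bde.ProtectionStatus -ne "On") {
            $problems += "page file $($pf.Name) sits on a volume that is not fully protected"
        }
    }

    if ($problems.Count -eq 0) {
        "PASS: all fixed volumes and page files are under BitLocker with protection on"
    } else {
        $problems | ForEach-Object { "FAIL: $_" }
    }
}

Test-FullDiskEncryption
```

A volume that reports "FullyEncrypted" but "ProtectionStatus Off" (encryption suspended, clear key on disk) fails the check on purpose: it offers no more protection against a thief than an unencrypted drive.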

Drawbacks of Encryption

Unfortunately, this level of security does come at a cost and with considerable risk.

There are a number of ways you can permanently lose access to the data on your computer or effectively ‘brick’ your computer during or after encrypting the drive. For instance, if you suffer a power outage or system failure while encrypting a drive, you will almost certainly lose the data on that drive. If you lose or forget the password that you used to encrypt your drive, you will be effectively locked out of your drive. If the encrypted drive becomes damaged or the data becomes corrupted, you can also permanently lose access to your data.

We Can Help

ABT can help you avoid those potential pitfalls while assuring your customers—and regulators—that client data at your mortgage company is being protected by a state-of-the-art security solution.

Our DeviceGuardian™ PC and Device Protection technology will ensure mobile device management for all of your computers and mobile devices. We make sure you are fully compliant with Consumer Financial Protection Bureau (CFPB) regulations by providing cutting-edge enterprise security and data encryption to protect your sensitive client data.

ABT is your one-stop IT provider with the specialized services and 24/7 support you need to take your mortgage company to the next level.

Contact us today to discuss the many ways we can manage your specialized IT needs.


Topics: DeviceGuardian encryption