New encryption and policy control functions being built into Microsoft's Vista operating system will help make it easier for enterprises to protect against data compromises such as the one involving the Department of Veterans Affairs publicized earlier this week, a company executive said Wednesday.
The V.A. on Monday said that the names, Social Security numbers and birth dates of more than 26 million veterans discharged since 1975 had been compromised when a computer containing the information was stolen from the home of a data analyst.
Vista technologies such as BitLocker and Group Policy Console will improve the ability of companies to protect against these kind of compromises, said Mike Chan, a senior technical product manager for Microsoft's Vista team who delivered a keynote at the Microsoft Security Summit here this week.
Vista's BitLocker, for instance, will allow companies to encrypt all of the data on their hard drivers using 1024-bit encryption, Chan said. The key used for encrypting the data is not stored on the hard drive but on a separate Trusted Platform Module microchip mounted on the motherboard, allowing for full encryption of the hard drive. The goal is to give companies a way to protect sensitive data from compromise even when a computer or hard drive is lost or stolen, he said.
Vista's support for data encryption is useful, but a lot depends on the key management and key recovery capabilities it offers, said Lloyd Hession, chief security officer at BT Radianz, a telecommunications company for financial companies based in New York.
"Encryption at the OS level is a good thing," Hession said. But the big problem with encryption in general has been the issue of data recovery in the event of hardware failure or key loss, he said. It's one of the reasons why few companies encrypt data at the desktop level despite the many benefits. As a result, Microsoft needs to make its encryption capabilities easy to use for it to make a difference among enterprise users, he said.
Meanwhile, enhanced group policy controls in Vista will allow administrators to exercise much greater control over end-user systems than current Windows technologies permit, Chan said. With the new controls, IT administrators could enforce polices that prevent end users from connecting USB flash drives on their systems -- which are used to download and store data -- without explicit administrator authorization he said.
"It's much superior, by the way, to the old method of caulking" or even super-gluing USB ports to prevent them from being illegally used, Chan said.
The lockdown capability is part of a broader set of User Account Control (UAC) features in Vista aimed at limiting the traditional administrator-level access that Windows users have until now enjoyed. UAC will allow IT administrators to maintain greater control over enterprise Windows systems by limiting users' ability to install software or modify certain system settings.
Support for functions like UAC will finally give Windows some of the same security functions available in operating systems such as Unix for years, said Andrew Jacquith, an analyst with the Yankee Group in Boston. But the company needs to ensure that the functionality doesn't come at the cost of usability and compatibility with previous applications, he said. The same is true of the BitLocker encryption ability, he said.
"It is a very important technology but it is going to be version one," and therefore unlikely to be as ready as some of the more mature products in the market, he said.
In the end, though, integrating such functions will make a difference, he said. For at least some users, "free and 'good enough' beats elegant and expensive," he said. "So there's going to be a class of customers who are going to say the functionality is enough for whatever [they] want and use it."