A Microsoft official said last week that encryption and policy-control functions being built into Windows Vista are designed to make it easier for corporate users to protect themselves against data compromise.
For instance, Windows Vista includes BitLocker, a technology that will enable companies to encrypt all of the data on their hard drives using 1,024-bit encryption, said Mike Chan, a senior technical product manager for Microsoft's Vista team. With BitLocker, the keys used to encrypt data aren't stored on a PC's hard drive. Instead, they're kept on a separate Trusted Platform Module microchip mounted on the system's motherboard, allowing for full encryption of the hard drive, Chan said.
During a speech at the Microsoft Security Summit here last week, Chan said that the software vendor's goal is to give users a way to protect sensitive data from being compromised even if a computer or hard drive is lost or stolen.
The built-in support for data encryption is useful, but a lot depends on the key-management and key-recovery capabilities that Microsoft offers in Windows Vista, said Lloyd Hession, chief security officer at BT Radianz, a New York-based company that provides telecommunications services to financial services firms.
"Encryption at the OS level is a good thing," Hession said. But the problem with encryption in general has been the issue of data recovery, he added. It's one of the reasons why few companies encrypt data at the desktop level, despite the potential benefits, Hession said.
Meanwhile, the Group Policy Console feature in Windows Vista will give IT administrators much greater control over end-user systems, Chan said. For instance, with the new controls, administrators could enforce policies that prevent end users from connecting USB thumb drives to their systems without explicit authorization, he said. That approach is "much superior to the old method of caulking" USB ports, or even using Super Glue on them, to prevent improper used, Chan added.
The lockdown capability is part of the broader set of User Account Control (UAC) features aimed at limiting the administrator-level access that Windows users typically have had on their PCs.
Support for functions like UAC will finally give Windows some of the security functions that have been available in rival operating systems such as Unix for years, said Andrew Jacquith, an analyst at Yankee Group Research Inc. in Boston. But Microsoft needs to ensure that the functionality doesn't come at the cost of usability and compatibility with previous applications, he noted.