Microsoft touts Vista security features

Computerworld - CHICAGO -- New encryption and policy control functions being built into Microsoft Corp.'s Vista operating system will help make it easier for enterprises to protect against data compromises such as the one involving the Department of Veterans Affairs publicized earlier this week, a company executive said yesterday.

The VA on Monday said that the names, Social Security numbers and birth dates of more than 26 million veterans discharged since 1975 had been compromised when a computer containing the information was stolen from the home of a data analyst (see "Personal data on millions of U.S. veterans stolen").

Vista technologies such as BitLocker and Group Policy Console will improve the ability of companies to protect against these kind of compromises, said Mike Chan, a senior technical product manager for Microsoft's Vista team who delivered a keynote at the Microsoft Security Summit here this week.

Vista's BitLocker, for instance, will allow companies to encrypt all of the data on their hard drives using 1,024-bit encryption, Chan said. The key used for encrypting the data is not stored on the hard drive but on a separate Trusted Platform Module microchip mounted on the motherboard, allowing for full encryption of the hard drive. The goal is to give companies a way to protect sensitive data from compromise even when a computer or hard drive is lost or stolen, he said.

Vista's support for data encryption is useful, but a lot depends on the key management and key recovery capabilities it offers, said Lloyd Hession, chief security officer at BT Radianz, a telecommunications company for financial companies based in New York.

"Encryption at the OS level is a good thing," Hession said. But the big problem with encryption in general has been the issue of data recovery in the event of hardware failure or key loss, he said. It's one of the reasons why few companies encrypt data at the desktop level, despite the many benefits. As a result, Microsoft needs to make its encryption capabilities easy to use for it to make a difference among enterprise users, he said.

Meanwhile, enhanced group policy controls in Vista will allow administrators to exercise much greater control over end-user systems than current Windows technologies permit, Chan said. With the new controls, IT administrators could enforce polices that prevent end users from connecting USB flash drives on their systems -- which are used to download and store data -- without explicit administrator authorization he said.

"It's much superior, by the way, to the old method of caulking" or even super-gluing USB ports to prevent them from being illegally used, Chan said.