New encryption and policy control functions being built into Microsoft’s Vista operating system will help make it easier for enterprises to protect against data compromises such as the one involving the US Department of Veterans Affairs publicised last week, a company executive says.
The department says that the names, social security numbers and birth dates of more than 26 million veterans discharged since 1975 were compromised when a computer containing the information was stolen from the home of a data analyst.
Vista technologies, such as BitLocker and Group Policy Console, will improve the ability of companies to protect against these kind of compromises, says Mike Chan, a senior technical product manager for Microsoft’s Vista team who delivered a keynote speech at the Microsoft Security Summit recently.
Vista’s BitLocker, for instance, will allow companies to encrypt all of the data on their hard drivers using 1024-bit encryption, Chan says. The key used for encrypting the data is not stored on the hard drive but on a separate Trusted Platform Module microchip mounted on the motherboard, allowing for full encryption of the hard drive. The goal is to give companies a way to protect sensitive data from compromise even when a computer or hard drive is lost or stolen, he says.
Vista’s support for data encryption is useful, but a lot depends on the key management and key recovery capabilities it offers, says Lloyd Hession, chief security officer at BT Radianz, a tele-communications company for financial companies based in New York.
“Encryption at the OS level is a good thing,” Hession says. But the big problem with encryption in general has been the issue of data recovery in the event of hardware failure or key loss, he says. It’s one of the reasons why few companies encrypt data at the desktop-level, despite the many benefits. As a result, Microsoft needs to make its encryption capabilities easy to use for it to make a difference among enterprise users, he says.
Meanwhile, enhanced group policy controls in Vista will allow administrators to exercise much greater control over end-user systems than current Windows technologies permit, Chan says. With the new controls, IT administrators could enforce polices that prevent end users from connecting USB flash drives on their systems — which are used to download and store data — without explicit administrator authorisation, he says.
“It’s much superior, by the way, to the old method of caulking”, or even gluing USB ports shut to prevent them from being illegally used, Chan says.
The lockdown capability is part of a broader set of User Account Control (UAC) features in Vista, aimed at limiting the traditional administrator-level access that Windows users have enjoyed until now. UAC will allow IT administrators to maintain greater control over enterprise Windows systems, by limiting users’ ability to install software or modify certain system settings.
Support for functions like UAC will finally give Windows some of the same security functions that have been available in operating systems such as Unix for years, says Andrew Jacquith, an analyst with the Yankee Group in Boston. But the company needs to ensure that the functionality doesn’t come at the cost of usability and compatibility with previous applications, he says. The same is true of the BitLocker encryption ability, he says.
“It is a very important technology, but it is going to be version one,” and, therefore, unlikely to be as ready as some of the more mature products in the market, he says.
In the end, though, integrating such functions will make a difference, he says. For at least some users, “free and ‘good enough’ beats elegant and expensive,” he says. “So there’s going to be a class of customers who are going to say the functionality is enough for whatever [they] want and [they will] use it.”