Microsoft ups security in Vista

30.05.2006
A Microsoft official said last week that encryption and policy-control functions being built into Windows Vista are designed to make it easier for corporate users to protect themselves against data compromises such as the one disclosed by the U.S. Department of Veterans Affairs last Monday.

For instance, Windows Vista includes BitLocker, a technology that will enable companies to encrypt all of the data on their hard drives using 1,024-bit encryption, said Mike Chan, a senior technical product manager for Microsoft's Vista team. With BitLocker, the keys used to encrypt data aren't stored on a PC's hard drive. Instead, they're kept on a separate Trusted Platform Module microchip mounted on the system's motherboard, allowing for full encryption of the hard drive, Chan said.

During a speech at the Microsoft Security Summit here last week, Chan said that the software vendor's goal is to give users a way to protect sensitive data from being compromised even if a computer or hard drive is lost or stolen.

The built-in support for data encryption is useful, but a lot depends on the key-management and key-recovery capabilities that Microsoft offers in Windows Vista, said Lloyd Hession, chief security officer at BT Radianz, a New York-based company that provides telecommunications services to financial services firms.

"Encryption at the OS level is a good thing," Hession said. But the problem with encryption in general has been the issue of data recovery, he added. It's one of the reasons why few companies encrypt data at the desktop level, despite the potential benefits, Hession said.

Meanwhile, the Group Policy Console feature in Windows Vista will give IT administrators much greater control over end-user systems, Chan said. For instance, with the new controls, administrators could enforce policies that prevent end users from connecting USB thumb drives to their systems without explicit authorization, he said. That approach is "much superior to the old method of caulking" USB ports, or even using Super Glue on them, to prevent improper use, Chan added.