Vista security: What's in it for you?

Hoping this release will solve all your security headaches? Think again...

The USB device controls address the growing need to stop data leakage out of the enterprise on devices such as digital cameras, iPods and memory keys as well as the creep into the enterprise of unlicensed applications, copyrighted media and potentially infected files.

And Okin added: "I've got clients at the moment who are getting very excited about BitLocker."

This full disk encryption feature is a long-awaited improvement to a Windows operating system and one which ethical hacker Peter Wood says is a definite move in the right direction.

He said: "The BitLocker technology is quite an interesting approach. We've been pushing a long time for corporates to take whole disk encryption seriously particularly on laptops and other devices outside the physical perimeter and the majority of people we've spoken to still don't have a strategy in place."

However, security is only ever as good as its weakest link and Wood suggested BitLocker, like other Windows features, could yet be undermined.

Wood said: "We use PGP for our whole disk encryption because it is independent of the operating system and my experience to date with Microsoft's controls of these systems is that there is usually a way around it because it is so part of the Windows environment."

Wood said finding holes in the operating system may well prove the path of least resistance for determined hackers. However, he admits he has yet to get his hands on Vista and bases his criticism on the ease with which he has cracked past Microsoft code.

And he remains to be convinced Microsoft can learn from all its past mistakes.

Probability plays a part, said Wood: "It's an enormous chunk of code and it is going to be full of holes because anybody's code would be."

However, BitLocker will most definitely be an improvement. By its very nature, even encryption that could potentially be cracked is better than nothing. And with data theft – and related losses – increasing, it will go some way to restore peace of mind and protect the low-hanging fruit whose laptops might previously have fallen into the hands of a fairly unskilled opportunist.

But as with any new technology, Wood's major concern with Vista relates to the biggest flaw in its security: the end user.

And because encryption will be tied to individuals' Windows user accounts Wood fears this too will make BitLocker inherently insecure.

He doesn't share Okin's confidence that two-factor authentication - and Vista's greater receptiveness to stronger authentication - will make much difference, or even be used.

Wood fears that, for all Vista's improvements, passwords - a "perpetual, primitive and stupid problem" - will still be the Achilles' heel for many businesses rolling out Vista, though that is clearly not a problem relating to Vista's code. And while biometrics and smart cards are an improvement on passwords, he says they are still only a superficial improvement, favouring pass phrases instead - which he says could dramatically increase the security of any Vista environment and make these other features work more effectively.

But the bottom line is it seems Microsoft is going to need more than one generation of secure code under its belt before people start to believe the pre-release hype. Currently promises from Microsoft relating to security are roughly on a par with promises from children about not hunting out where their Christmas presents are hidden.

And as the operating system rolls out either side of the festive season - importantly missing the potential for bumper Christmas sales among consumers and instead hoping to pick up the long-tail of the January sales - Accenture's Okin isn't convinced security will have much to do with how well Vista sells.

He said: "The clients I work with today are probably looking at migration because they are using Windows 2000 and they aren't about to switch to XP.

"I've seen economics around power usage and around lost laptops and savings that could be made from BitLocker and everything else but even jointly they are not compelling."

It's more likely businesses will be swayed by other factors, such as that natural replacement cycle or by a wish to not be out of step with employees using Vista's home edition outside of work.

CIOs are telling Okin: "I don't want my guys to go home and have a better experience."

He said: "If you are on Windows 2000 then of course it's compelling and you may as well go. Those on XP will be trialling and can pick their time to go.

"But are they doing it because of the security features? No. Have I seen security features as part of a business justification? Part of them yes but really the business justification is weak as a whole."

Comments

There is 1 comment.

  1. Paul Jacques

    Why would anyone get excited about BitLocker? This type of technology has been around for 8 years; from RSA's early and simple (but now defunct) SecurPC to the modern (and over-engineered) Utimaco SGE, it's always been available. Why go through all the trouble of upgrading the PC's OS just to gain a feature that you can buy now at 1/3 the price of Vista? I won't even mention that it also avoids the hassle of having to upgrade everything to meet Vista's specifications.

    C'mon Accenture, you can do better than that as a business cost justification.

    (Ed note. To be fair to Stuart Okin, he not only makes it clear security doesn't present a business case, he also states clearly it is customers who are getting interested in bitlocker, not Accenture.)

    • 21 November 2006 14:42