Encryption and policy-control functions being built into Microsoft's Vista OS (operating system) will help make it easier for enterprises to protect against data compromises such as the one involving the VA (the US Department of Veterans Affairs) publicised earlier this week, a company executive said Wednesday.

On Monday the VA said the names, Social Security numbers and birth dates of more than 26 million veterans discharged since 1975 had been compromised when a computer containing the information was stolen from the home of a data analyst.

Vista technologies such as BitLocker and Group Policy Console will improve the ability of companies to protect against these kind of compromises, said Mike Chan, a senior technical product manager for Microsoft's Vista team, who delivered a keynote at the Microsoft Security Summit this week.

Vista's BitLocker, for instance, will allow companies to encrypt all of the data on their hard drives using 1,024bit encryption, Chan said. The key used for encrypting the data is not stored on the hard drive but on a separate Trusted Platform Module microchip mounted on the motherboard, allowing for full encryption of the hard drive. The goal is to give companies a way to protect sensitive data from compromise even when a computer or hard drive is lost or stolen, he said.

Vista's support for data encryption is useful, but a lot depends on the key-management and -recovery capabilities it offers, said Lloyd Hession, chief security officer at BT Radianz, a telecommunications company for financial companies based in New York.

Encryption at the OS level is a good thing, Hession said, but the big problem with encryption in general has been the issue of data recovery in the event of hardware failure or key loss. It's one of the reasons why few companies encrypt data at the desktop level despite the many benefits.

Microsoft therefore needs to make its encryption capabilities easy to use for it to make a difference among enterprise users, Hession added.

Meanwhile, enhanced group policy controls in Vista will allow administrators to exercise much greater control over end-user systems than current Windows technologies permit, Chan said. With the new controls, IT administrators could enforce polices that prevent users from connecting USB flash drives on their systems without explicit administrator authorisation he said.

"It's much superior, by the way, to the old method of caulking," Chan said. Or even supergluing USB ports to prevent them from being illegally used.