
Windows Vista and the secret of full disk encryption

Jon Oltsik
Jon Oltsik is a senior analyst at the Enterprise Strategy Group. He is not an employee of CNET.

When I talk to large enterprises, they tend to be either deploying or planning to deploy PC encryption tools, especially for laptops. This is no longer a "nice to have"; it has become a "gotta have."

With Windows XP or older versions, this means adding on full disk encryption utilities from vendors like GuardianEdge, PGP, PointSec or SafeBoot for $100 to $200 per system. That can add up to a pretty big chunk of change in acquisition costs, let alone the dough needed for installation, configuration, and ongoing support.

Enter Windows Vista. Everyone talks about the new GUI or kernel modification restrictions, but enterprise-class versions of Windows Vista also come with BitLocker full disk encryption (note: BitLocker is bundled into Windows Vista versions for Microsoft Software Assurance customers). Like the software utilities, BitLocker provides protection against the "oops" factor -- lost or stolen systems. Windows Vista also supports the Encrypting File System, which offers additional safeguards against malicious internal threats that are more likely to lead to a real data breach, not just regulatory-driven data disclosure.

So here's my thought. Since most large shops are going to upgrade to Windows Vista anyway, why not eschew the add-on tools and fast track the migration? In other words, use your need for laptop encryption as a rationale to jump on the Windows Vista bandwagon in 2007?

Now I realize that my suggestion borders on Analyst blasphemy. It is common wisdom to recommend waiting to upgrade to new operating systems while Microsoft "gets the bugs out." Operating system migrations are also more difficult and costly than simply deploying an encryption utility. Clearly, I am comparing apples and oranges and am way off base.

I don't think so. Here's my logic:

1. Rolling out a tactical security tool with a two-year life span is nuts. Do you really want to install software, disrupt users, and train support staff in 2007, then throw all this effort away in mid-2008? You can't even depreciate the software in that time frame, so good luck getting this strategy by the CFO.

2. Windows Vista has a whole bunch of other ROI-type features in it that should help cost-justify a more aggressive upgrade cycle. For example, patching systems with Windows Vista is a whole lot easier and more efficient than with XP. On this benefit alone, users can recover the incremental cost of a Windows Vista migration.

3. You're gonna go to Windows Vista anyway, so weighing the decision based on the relative work needed to install a security tool versus an OS upgrade doesn't flush. Buying an encryption software utility seems like retrofitting a 1955 Dodge with air bags and seat belts. You can do it, but why would you?

Full disk encryption has become a laptop requirement and Windows Vista can provide this functionality for the price of admission. Seems pretty straightforward to me.