Microsoft Backs Off, Axes Private Folder Tool

Eradication of the tool may protect companies from legal or ethical problems arising from users storing improper data on their PCs, but it also takes away a tool that could be used to protect sensitive information on PCs that are stolen or used without authorization.

Larry Greenemeier, Contributor

July 21, 2006


Most IT administrators demand control over how employees use their PCs and other IT equipment, and last week Microsoft decided to give them what they want. Or more to the point, what they don't want, as Microsoft stopped making its Private Folder 1.0 available as a bonus download for Windows XP users as part of the company's Windows Genuine Advantage program.

Offered to customers who verified their purchase of Windows XP through Windows Genuine Advantage, Private Folder was essentially a password-protected file folder. Admins didn't like it because it kept data out of their reach, and its elimination could protect XP shops from problems arising from users storing illegal or inappropriate data. Private Folder also could have been used to protect sensitive information on PCs that are stolen or used without authorization. It was no substitute for centrally managed data encryption or identity and access management systems, but it served as an extra layer of defense. Private Folder used the Advanced Encryption Standard 256-bit algorithm, the same used by Vista's BitLocker Drive Encryption and by Microsoft's Encrypting File System, which enables the encryption of individual files, folders, or entire data drives.

Debate over Microsoft's decision raged on a number of blogs last week. Most who weighed in agreed that Private Folder, while useful for home users, was a nightmare for systems administrators, as the tool has no feature for recovering forgotten passwords. Microsoft has no plans to release it again.

Encryption is important for protecting sensitive data in the event a company's systems are lost, stolen, or hacked, but the demise of Private Folder points to corporate apprehension about managing encryption technology in general. Safeguarding encryption and decryption keys worries companies even more than the cost of deploying encryption technology, says Paul Stamp, an analyst at Forrester Research. "The fear of losing access to encrypted data causes encryption to be seen as more of a hindrance than a help," he says.

Encryption management is difficult enough when data resides on a laptop or in a database, but it's even harder when data is moved over a network or in a removable storage device. Exchanging decryption keys between a person sending data and another receiving it is difficult, particularly if the sender and receiver work for different companies. For that reason, encrypted data is more likely to be decrypted before it's put on the network, leaving it vulnerable in transit.

Tech vendors are looking to address those concerns. NCipher, one of several companies that offer encryption and key management, this week will introduce an upgraded version of its keyAuthority encryption management software, which centrally manages encryption and decryption keys across several devices and applications. The latest version of keyAuthority supports a broader range of keys, including those based on Data Encryption Standard, or DES, and Advanced Encryption Standard, or AES. The tool also supports more end points and applications than it did before.

Another way for companies to implement enterprisewide data encryption is to integrate key management systems with their existing identity and access management systems. That approach gives administrators a single directory that tells them the types of data users are permitted to access and the keys they can use to unlock encrypted data. Recognizing the benefit customers may get from combining these applications, data storage vendor EMC recently agreed to buy RSA Security, which offers both key and identity management products, for $2.1 billion.

Microsoft's yanking Private Folder may have scored it points with admins, but managing broader data encryption is something they'll have to face sooner rather than later.
