It's No Joke, Microsoft Got This Security Question Right

There are two schools of thought on the intersection of computer security and computer users.

Some say that IT should be left to the IT pros -- that's why they're called pros -- so that end users can focus on business activities. The successfully configured system is implemented and maintained by a constantly vigilant IT team that uses layers of security to create a reliable and safe work environment for end users. Period.

Others counter that there's no need for ignorant end users. Indeed, the less they know, the more problems they cause, so better to keep them involved in some way, lest they become too comfortably oblivious of how difficult it actually is to protect their digital lives and how easily it can all go downhill because of some clueless move. Or because of a more sinister or at least deliberate user move -- some users need to be clued in to how their actions are being monitored by the security pros, too.

Apparently, last week at the RSA Conference Microsoft's David Cross told an audience that the much-maligned User Account Control (UAC) feature in Windows Vista was actually designed to "annoy users," reports Information Age.

Well, of course it was. And it surely did. Thus the whining and protesting during beta OS testing and after that the feature was ... highly annoying.

But the larger goal here was to raise users' awareness level, along with the focus from independent software vendors on making their applications more secure -- and thus less annoying to users dealing with the UAC's pop-up warnings when those apps didn't adhere to requirements set by the OS.

Was it successful? Cross says initially 80 percent of those UAC prompts were caused by 10 applications and the total number of sessions containing prompts is falling, according to PC Retail Magazine.

Further, says Cross, 88 percent of users have not disabled UAC, as critics predicted they would, and they are not just clicking away without reading and taking in the warnings.

And it's not just the users who are embracing the knowledge foisted upon them by the UAC. Kaspersky Labs, after dissing the feature a year ago, has joined security firms like Symantec, that said all along that it was a necessary inconvenience.

As much as many of us would love to avoid responsibility for any aspect of protecting our own work, data or hardware, aside from a password here and there, we as users just can't remain in the dark much longer. IT knows it, too, but often is in as much denial as the rest of us. Postive Networks' Evan Conway told IT Business Edge blogger Carl Weinschenk in a February interview that when his firm surveyed IT security pros at small companies and enterprises, 20 percent had experienced a personal data breach -- and 20 percent had also experienced a data breach in their companies. The consensus among those IT pros was that stronger security, specifically two-factor, was necessary but not present within their IT departments. And the breaches just keep happening.

Looking forward at RSA conference, Microsoft officials spoke of layering old-school (but effective) offensive tactics like whitelisting applications, as well.

In a world of rapidly evolving malware, a shift toward SaaS, and organized criminals who need not fear breaking a sweat whether they're after personal data records by the millions or government secrets, we're a long, long way from "most people don't even know what a rootkit is," and Microsoft is on the right side of keeping both IT professionals and end users aware of security.