Secure Channel, Ziff Davis Enterprise
Tuesday, September 15, 2009 8:44 AM/EST

Microsoft Tightens USB Flash Drive Security

Microsoft is finally getting serious about USB flash drive security. It recently disabled the AutoRun and AutoPlay features in Windows (all older versions plus Windows 7), meaning users will no longer have directory trees and execution options presented when they pop a flash drive into a PC.

More significant, though, is Microsoft's addition of flash drive encryption to Windows 7. Through a few, albeit not-so-simple, steps (see below), users can encrypt and manage the files on these small, portable storage devices.

Both are significant moves by Microsoft to improve the security of USB flash drives, which are increasingly being leveraged by hackers and malware writers to capture data and exploit machines. They are also increasingly a source of data loss and leakage.

But how significant are these security measures by Microsoft? That's a difficult question to answer.

USB flash drives have evolved in recent years from low-volume, low-capacity novelties to indispensable business tools and the foundation for countless electronic devices. Flash drives' small profile, ever-increasing capacity, high read-write rates, low energy consumption and, most significantly, declining costs have made them as ubiquitous as floppies were in the '90s. They are extremely useful in making data portable without overburdening users the way floppies and discs did.

But those same elements have made flash drives a tempting carrier of malicious activity. Malware writers have revived the “sneakernets” of old with flash drives, hiding viruses and Trojans on the portable devices. The Windows AutoPlay feature made the sneakernet viable again by allowing executables to automatically surface with little to no user action. Some critics on various blogs have stated that Microsoft should take the additional step of eliminating AutoPlay on the optical drives; that's also a good idea but increasingly less relevant as CDs and their drives go the way of floppies.

Flash drives are increasingly a source of data loss. Users often plug in flash drives or flash-enabled electronics, such as an iPhone, to take data outside the corporate domain. Sometimes the data is being outright pilfered, such as in several identity theft cases. Other times, data is being exposed because the device is lost or stolen.

Flash drive encryption has been available for some time, but typically as a value-add solution. Microsoft's inclusion of the “BitLocker to Go” application will go a long way in preventing the accidental loss or disclosure of confidential data. According to Win7News, Windows 7's BitLocker feature works this way:

  1. Insert the flash drive.
  2. Click Start | My Computer
  3. Right-click the flash drive's icon.
  4. Select "Turn on BitLocker ..."
  5. Wait for BitLocker to initialize the drive; enter a password for unlocking the drive (smart card options are available).
  6. Select to either save the recovery key to a file, or print it. If you save it as a file, it should be on a drive other than the one you're encrypting (duh).
  7. Click the “Start Encrypting” button. A “Lock and Key” symbol will appear on the drive when completed.
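
The same steps can be scripted with the `manage-bde` command-line tool from an elevated PowerShell prompt. The following is an added example, not part of the original article or the Win7News instructions; the drive letter `E:` and the recovery folder `C:\BitLockerRecovery` are assumed values. It enforces the step 6 caveat by refusing to store recovery information on the drive being encrypted.

```powershell
# Added example: scripted equivalent of the GUI steps above (run elevated).
# $Drive and $RecoveryDir are assumed values; adjust them for your system.
param(
    [string]$Drive = 'E:',
    [string]$RecoveryDir = 'C:\BitLockerRecovery'
)

# Steps 1-3: confirm the target exists and is a removable disk
# (Win32_LogicalDisk DriveType 2), so a fixed volume is never encrypted by mistake.
$disk = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$Drive'"
if (-not $disk) { throw "Drive $Drive not found." }
if ($disk.DriveType -ne 2) { throw "$Drive is not a removable drive." }

# Step 6 caveat: the recovery information must not live on the drive being encrypted.
$recoveryRoot = [System.IO.Path]::GetPathRoot($RecoveryDir).TrimEnd('\')
if ($recoveryRoot -ieq $Drive) {
    throw "Recovery folder $RecoveryDir is on $Drive; choose a different drive."
}
if (-not (Test-Path $RecoveryDir)) {
    New-Item -ItemType Directory -Path $RecoveryDir | Out-Null
}

# Steps 4, 5 and 7: add a password protector (manage-bde prompts for it),
# add a numerical recovery password, and start encrypting.
& manage-bde.exe -on $Drive -Password -RecoveryPassword
if ($LASTEXITCODE -ne 0) {
    throw "manage-bde -on failed with exit code $LASTEXITCODE."
}

# Step 6: save the recovery password protector to a file on the other drive.
$recoveryFile = Join-Path $RecoveryDir ("{0}-recovery.txt" -f $Drive.TrimEnd(':'))
& manage-bde.exe -protectors -get $Drive -Type RecoveryPassword |
    Out-File -FilePath $recoveryFile -Encoding ASCII

# Encryption runs in the background; this reports the percentage completed.
& manage-bde.exe -status $Drive
```

The recovery file grants access to the drive without the password, so keep it in a location with restricted permissions.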

We haven't actually used the encryption feature, but it looks relatively simple to use and will probably provide strong enough protection for average users. What it seemingly lacks is central manageability of both encryption keys and devices, such as that provided by SanDisk's Enterprise Secure USB Drive. Enterprise users will likely appreciate the encryption function, but will probably turn to solution providers for more robust packages that afford centralized manageability, auditing and compliance.


Comments (4)

suezz :

What a bunch of bull.

This is strictly a corporate request so all that important financial information and secrets don't get out of the company, and to also make Windows more proprietary so we can share data with that nasty Linux competition.

Why would a hacker use a USB drive, when you physically have to be at the machine, when there are the security holes of Outlook and Internet Explorer posing as an email client and browser?

Here is a thought: how about declaring any use of ActiveX illegal. There, I just took care of about 60% of the security breaches.

John Bowling :

Speaking of nasty, it's MS that qualifies for that.
There is nothing nasty about Linux.

What would it do to a USB drive that's formatted with ext3 or Reiser? Knowing MS, their software would attempt to reformat it to NTFS without any warning. I think I'll reformat all of my flash drives to ext3 so those thieving Windows users can't steal anything from me.

It's not protection from hackers, but protecting data from proprietary crap ware!

I like your post; I found it very useful. All the useful information provided by you in this post sounds very secure. Nowadays data security is a very important fact. For data security, USB security has become another important factor.
Great work.
-Thanks for posting and bringing awareness about data security.

DJ Bhatia :

Using BitLocker and BitLocker To Go on our Win 7 systems in conjunction with Active Directory policies.

We are looking to supplement this with a way to centrally audit what is copied to the USB drives when on the company network and copied off it, say, when the USB drive is taken off the company network (and then returned). It would probably need to be some applet that stays hidden on the USB drive and will monitor and log all activity to the USB drive and then upload to a central location.

Thank you
