This story was printed from ZDNet Australia.
Is Vista security a selling point?
By Will Sturgeon, silicon.com
November 21, 2006
URL: http://www.zdnet.com.au/insight/software/soa/Is-Vista-security-a-selling-point-/0,139023769,339272328,00.htm
A raft of security features in Microsoft Vista will help many consumers become "secure enough", but for businesses they aren't going to be the improvements which drive sales -- and nor do they deserve to be, according to some experts.

Among the more than a dozen security features in Vista are improvements such as the malicious software removal tool, smart card and log-on authentication changes, user access controls, USB device controls, Windows Defender and Windows Firewall. But none of these, even in combination, should be seen as a panacea. The need for a layered approach to security remains as critical as ever.

Stuart Okin, security partner at Accenture and former UK head of security at Microsoft, told ZDNet Australia sister site silicon.com: "As I see it there are 15 security features in Vista and none of them are this great panacea where if you install them the world will be OK.
"Security is about layers and you need to take a layered approach to security."

Of course that is nothing new, but it is a message which will need to be repeated time and time again, especially to protect consumers from an over-reliance on Vista's security features. The net effect for consumers will undoubtedly be an improvement, however.

Okin said: "From a consumer point of view I think the biggest improvements are going to be around user-access controls and Internet Explorer.

"The downside is they are going to be prompted a lot more, but if people and the wider industry get a sense that this is a more secure environment then I think that will have the biggest impact from a positive point of view."

It is those prompts which raise questions among security experts about the perennial trade-off between security and usability. To what degree would Microsoft ever risk making an operating system less user-friendly in order to make it more secure?

Peter Wood, a penetration tester -- or ethical hacker -- from First Base Technologies, suggests the Redmond giant has made promising strides in answering this question. He said: "If Microsoft wants to make a more secure OS then they need to weight the balance between usability and security more in favour of security, and I believe they have done that by making more things turned on as default than turned off."

The early impression of Vista is that consumers who are willing to leave the secure defaults in place and work with increased prompts and pop-up warnings will be safer.

Jay Heiser, research vice president at Gartner, said: "For the end user, Vista is definitely a net benefit. Although Vista apparently exceeds expectations for robustness, which is a welcome surprise for everyone, my personal feeling is that Vista represents a much higher relative improvement for end users and small business than it does for the enterprise.

"Vista should be a much more robust environment for safe use by inexperienced, unsupported people on the internet."
But Vista was always going to sell to consumers from day one -- it's a given -- yet Microsoft no doubt hopes that this greater emphasis on security will also boost enterprise sales.

Gartner's Heiser isn't convinced. "Many enterprises are experiencing a very acceptable level of security failure today, without Vista," he said. Businesses have grown used to having to secure past Microsoft operating systems themselves, and are increasingly moving towards risk-based security.

However, Accenture's Okin said being able to simplify those very expensive security architectures -- while maintaining strong layers -- will appeal to many enterprises. And he adds there are a number of features which businesses will see the sense in bringing within their ever-extending perimeter.

Okin said: "From a business perspective I think the one feature which will have the biggest social change will be the new architecture around log-ons and smart card authentication. For the first time ever it will be really very simple for applications to call upon smart card or biometric authentication."

Currently half of Accenture's security business is around identity and access management -- largely at the back-end -- and, as such, Okin is confident his former bosses have hit something of a sweet spot with this feature in particular.

He said: "Over the next few years you're going to see the first apps which will find it very easy to say 'OK, you need your biometric authentication now or your smart card', whether it's online banking or ecommerce or anything else.

"Up until now it has been expensive and difficult to do, and as long as it is expensive and difficult people will find a reason why they don't want to do it."

And it's not just identity and access management which Okin thinks will have CIOs reaching for their chequebooks.
The USB device controls address the growing need to stop data leaking out of the enterprise on devices such as digital cameras, iPods and memory keys, as well as the creep into the enterprise of unlicensed applications, copyrighted media and potentially infected files.

And Okin added: "I've got clients at the moment who are getting very excited about BitLocker."

This full disk encryption feature is a long-awaited improvement to a Windows operating system, and one which ethical hacker Peter Wood says is a definite move in the right direction. He said: "The BitLocker technology is quite an interesting approach. We've been pushing a long time for corporates to take whole disk encryption seriously -- particularly on laptops and other devices outside the physical perimeter -- and the majority of people we've spoken to still don't have a strategy in place."

However, security is only ever as good as its weakest link, and Wood suggested BitLocker, like other Windows features, could yet be undermined. Wood said: "We use PGP for our whole disk encryption because it is independent of the operating system, and my experience to date with Microsoft's controls of these systems is that there is usually a way around it because it is so much part of the Windows environment."

Wood said finding holes in the operating system may well prove the path of least resistance for determined hackers. However, he admits he has yet to get his hands on Vista and bases his criticism on the ease with which he has cracked past Microsoft code. And he remains to be convinced Microsoft can learn from all its past mistakes. Probability plays a part, said Wood: "It's an enormous chunk of code and it is going to be full of holes because anybody's code would be."

BitLocker will nonetheless be an improvement: even encryption that could in principle be cracked raises the bar well above an unencrypted disk.
And with data theft -- and related losses -- increasing, it will go some way to restoring peace of mind and protecting the low-hanging fruit whose laptops might previously have fallen into the hands of a fairly unskilled opportunist.

But as with any new technology, Wood's major concern with Vista relates to the biggest flaw in its security: the end user. And because encryption will be tied to individuals' Windows user accounts, Wood fears this too will make BitLocker inherently insecure.

He doesn't share Okin's confidence that two-factor authentication -- and Vista's greater receptiveness to stronger authentication -- will make much difference, or even be used. Wood fears that, for all Vista's improvements, passwords -- a "perpetual, primitive and stupid problem" -- will still be the Achilles' heel for many businesses rolling out Vista, though that is clearly not a problem relating to Vista's code. And while biometrics and smart cards are an improvement on passwords, he says they are still only a superficial improvement, favouring pass phrases instead, which he says could dramatically increase the security of any Vista environment and make these other features work more effectively.

But the bottom line is that Microsoft is going to need more than one generation of secure code under its belt before people start to believe the pre-release hype. Currently, promises from Microsoft relating to security are roughly on a par with promises from children about not looking for their Christmas presents.

And as the operating system rolls out either side of the festive season -- importantly missing the potential for bumper Christmas sales among consumers and instead hoping to pick up the long tail of the January sales -- Accenture's Okin isn't convinced security will have much to do with how well Vista sells.

He said: "The clients I work with today are probably looking at migration because they are using Windows 2000 and they aren't about to switch to XP.
"I've seen economics around power usage and around lost laptops and savings that could be made from BitLocker and everything else, but even jointly they are not compelling."

It's more likely businesses will be swayed by other factors, such as the natural replacement cycle or a wish not to be out of step with employees using Vista's home edition outside of work. CIOs are telling Okin: "I don't want my guys to go home and have a better experience."

He said: "If you are on Windows 2000 then of course it's compelling and you may as well go. Those on XP will be trialling and can pick their time to go.

"But are they doing it because of the security features? No. Have I seen security features as part of a business justification? Part of them yes, but really the business justification is weak as a whole."
Copyright © 2009 CBS Interactive, a CBS Company. All Rights Reserved.