August 3, 2015

Windows 10 Security - Part 3

From our previous conversation, where we talked about the theory, this final piece of the Windows 10 Security conversation picks up on the technical side. Again, lots of lists, but they can be used to develop a useful playbook. Let's start with a reminder of the four main components of the Microsoft security posture:

  1. Device Security
  2. Identity Security
  3. Threat Resistance
  4. Information Protection

In the Device Security space, there are some great enhancements that get people going with Windows 10. These speak to making the physical device a secure platform on which to store sensitive data in the first place:

  1. Maintain the integrity of the device itself (including the firmware).
  2. Start with a tamper-free version of the desired operating system, preferably something new, shiny and patched, like Windows 10 RTM.
  3. Deploy hardware-based cryptographic processing, like a TPM, to help create keys, sign sensitive data and assist in integrity validation (which gets a big play with the remote attestation described below).
  4. Make use of hardware-based technologies so that we can move some of the most sensitive Windows processes into containers that help prevent tampering even if the Windows kernel has been compromised (which is just awesome if you think about it).
  5. Move to stronger forms of identity: biometric sensors (fingerprint readers, Windows Hello, etc.) offer us a means to eliminate the use of passwords and other shareable secrets entirely when accessing resources.

That last item speaks more broadly to Identity Security, my next list of wonder. I'll also have a deeper dive into Identity in the coming weeks, so stay tuned for that. To set the scene, two of the most damaging things that can happen in IT are the compromise of the certificate authority and the need to deploy a 'thing' to make multi-factor authentication work. With Identity Security, we're introducing or enhancing some major ticket items:

  1. Make two-factor authentication mainstream for the OS. It already is for Twitter, Facebook and others, so why should social networks have better security than your OS? The answer: they shouldn't. But it still needs to be easy to use, cost effective and a natural extension, not something crammed in at the last minute.
  2. Make credential theft a non-event. Make credentials phishing-proof, such that even a breach of the data center, like the Certificate Authority or even the identity provider itself, is not that big of a deal.
  3. The identity platform must be useful to the 'average consumer' and usable from any device, even non-Windows.

Windows 10 delivers on these promises with foundational elements like Windows Hello, Microsoft Passport, enhancements to tooling and automation, and the reliance on hardware assistance to complete the circle. Now that we have the device and the identity secured, we need to think about the security of the information that is on the device itself, so that when data leaves that device, via email, USB stick or otherwise, the data is still protected. This is Information Protection, and it comes in several key flavors:

  1. Start with device and identity security. McAfee, Sophos and Dell are leaders here in that they are now retooling to provide management interfaces to native Windows technology like BitLocker, instead of attempting to "roll their own." Third-party vendors don't have access to the signing and security infrastructure of the OS itself, so building on the native technology lets them concentrate on management as a great value add.
  2. Enhance the concepts introduced in Windows 8 (then backported to Windows 7) around Work Folders. Now, the split-brain containerization of the device is part of the OS itself, similar to mobile device management. Take those concepts all the way into the applications themselves: corporate-managed Outlook looks just like non-managed Outlook, with the same experience but different levels of security.
  3. Expect data to leak, and therefore secure it by default. This is lit up by using things like Azure RMS, or the containerization system mentioned above, to keep unauthorized apps from accessing data they are not entitled to. It also has to be really, REALLY easy to use. So when deployed, the default File/Save experience now has "Personal" vs. "Corporate" modes that allow you to save files, regardless of application, in a secure manner.

Finally, the OS needs to be able to evolve to protect itself against Advanced Persistent Threats. It is best described like this: "We know the bad guys are going to crack Windows 10 at some point; therefore, we want to make that attack surface ever changing and tiny." Some of the key features here are:

  1. Device Guard: it's a lot like the iOS App Store in that all apps are signed and vetted. This works great on iOS and the Microsoft Store, but what about Win32 apps? With Windows 10, Microsoft is providing tools for companies to sign third-party apps; however, that can be pretty hard to do. As more companies push their apps to the Microsoft Store, that problem goes away. To aid in that process, the corporate side of the Microsoft Store is now fully built out and easily managed.
  2. The alternative to Device Guard is to continue to 'trust first, then verify.' Not great, but many will still have to go about it this way for a while. There is some tooling being built in and extended (particularly with Intune and SCCM) to help verify what is running and where.
  3. UEFI has a few new things in Windows 10, like Trusted Boot, which protects the kernel, certain drivers and system defenses. Trusted Boot runs before the kernel even loads, which is really impressive but also explains why many third-party encryption tools are now refactoring to use BitLocker and provide value in the management world instead of re-inventing a new thing.
  4. Address Space Layout Randomization and Data Execution Prevention have gotten substantial improvements, and there is a new Control Flow Guard to deal with the bypass techniques that are the bane of many people's lives.
  5. All universal apps (consumer or corporate) run in a sandbox, which substantially limits device exposure.
  6. Windows Defender re-enables itself for consumers if a third-party solution is no longer functional or has expired. Many of the threats being dealt with today are caused by people forgetting to renew their third-party AV subscriptions.
  7. Scads of improvements in Internet Explorer, my favorite being the replacement of Internet Explorer :)
  8. Provable PC Health: it's like Network Access Protection (NAP), but for the device and the user, provided by Intune or third parties. This requires devices to prove they are healthy before being granted access, not just to corporate resources but to data on their own devices. Very cool!
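The Device Security list above and the Threat Resistance list here both lean on hardware-rooted controls (TPM, Secure Boot/Trusted Boot, Device Guard, BitLocker), and the "Provable PC Health" item depends on being able to read that state. As an added example, not code from the original post or from Microsoft, here is a PowerShell inventory of those controls on a Windows 10 machine; it assumes an elevated session with the built-in `TrustedPlatformModule`, `SecureBoot` and `BitLocker` modules, and the function name `Get-Win10SecurityPosture` is my own.

```powershell
# Added example: inventory the hardware-rooted controls described in the post.
# Assumes Windows 10, an elevated PowerShell session, and the built-in
# TrustedPlatformModule, SecureBoot and BitLocker modules.
function Get-Win10SecurityPosture {
    [CmdletBinding()]
    param()

    # TPM: presence and readiness for key generation, sealing and attestation.
    $tpm = Get-Tpm -ErrorAction SilentlyContinue

    # UEFI Secure Boot: firmware-level start of the Trusted Boot chain.
    # The cmdlet throws on legacy BIOS systems, so treat that as "not enabled".
    $secureBoot = $false
    try { $secureBoot = [bool](Confirm-SecureBootUEFI) } catch { }

    # Device Guard / virtualization-based security state from WMI.
    # VirtualizationBasedSecurityStatus: 0 off, 1 enabled, 2 running
    # SecurityServicesRunning:           1 Credential Guard, 2 HVCI
    # CodeIntegrityPolicyEnforcementStatus: 0 off, 1 audit, 2 enforced
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $ciMode = 'Unknown'
    switch ($dg.CodeIntegrityPolicyEnforcementStatus) {
        0 { $ciMode = 'Off' } 1 { $ciMode = 'Audit' } 2 { $ciMode = 'Enforced' }
    }

    # BitLocker: is the OS volume fully encrypted with protectors active?
    $bl = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue

    [pscustomobject]@{
        TpmPresent        = [bool]$tpm.TpmPresent
        TpmReady          = [bool]$tpm.TpmReady
        SecureBootEnabled = $secureBoot
        VbsRunning        = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        CredentialGuard   = ($dg.SecurityServicesRunning -contains 1)
        Hvci              = ($dg.SecurityServicesRunning -contains 2)
        CodeIntegrityMode = $ciMode
        OsVolumeEncrypted = ($bl.VolumeStatus -eq 'FullyEncrypted')
        OsVolumeProtected = ($bl.ProtectionStatus -eq 'On')
    }
}

# Report the posture and flag every control that is off, which is the kind of
# evidence a health/compliance check would want before granting access.
$posture = Get-Win10SecurityPosture
$posture | Format-List
$gaps = $posture.PSObject.Properties |
        Where-Object { $_.Value -eq $false -or $_.Value -eq 'Off' } |
        Select-Object -ExpandProperty Name
if ($gaps) { Write-Warning ('Posture gaps: ' + ($gaps -join ', ')) }
```

The CodeIntegrityMode value of Audit is worth watching separately: it means a Device Guard policy exists but only logs violations, so it provides visibility rather than enforcement.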

Phew, that's a lot to digest, but we're extremely excited about the massive security improvements in Windows 10. Sure, something will happen sooner or later, but by focusing on four main challenges consistently and in an ongoing fashion, Microsoft has delivered on the promise of creating an incredibly secure and stable environment to work on.