Black Hat 2013: Windows 8.1 Helps Keep Data Secure in a Modern Environment

As the Group Program Manager for Windows Security & Identity, I always look forward to attending Black Hat, and this year was no exception. It’s a great experience to join my colleagues from the Trustworthy Computing (TwC) team at Microsoft and meet with some of the world’s leading security experts.
While TwC announced updates to its MAPP program, for my part I was at the event to discuss Windows’ security vision and how this translates into new security enhancements we’re delivering in Windows 8.1.
The Windows 8.1 update offers a full spectrum of new and improved security capabilities – from features that enable devices to be fully locked down by IT, to remote security options for BYOD devices, to safeguards for personal devices that need to access business resources from home.
For all of you that couldn’t make it to Black Hat in Las Vegas this week, I wanted to summarize the major takeaways we shared at the event.
#1 Trustworthy Hardware
Trusted hardware is a key investment area for Microsoft in Windows 8.1. Often in a BYOD scenario, if an employee buys a new computer, it can be hit-or-miss as to whether the device will have all the tools baked in that an IT department needs to make sure any data on that device is secure. With Windows 8.1 we take away the guesswork.
  • The Trusted Platform Module: TPM is a hardware security device or chip that provides a number of crypto functions, including securely storing keys and performing cryptographic measurements. It’s a great tool for the enterprise, but has been an optional piece of technology for consumer devices.
    • TPM 2.0 is required for all InstantGo (Connected Standby) devices, which will ensure modern devices are ready for BYOD scenarios. And in Windows 8.1, we expand on the strategy behind TPM with features such as key attestation, which lets you verify that your private key is bound to hardware rather than exposed to malware, and virtual smartcard management WinRT APIs that enable Windows Store apps to set up and manage virtual smartcards.
    • We are working towards requiring TPM 2.0 on all devices by January 2015. This helps IT departments be confident that the devices their employees bring to work are fully capable of complying with corporate security policies.
#2 Modern Access Control
With Windows 8.1, we’ve focused a lot of attention on the controls that IT departments can place on devices to restrict who can physically access a device.
  • First Class Biometrics: It’s no secret that creating and remembering passwords is a nuisance at best and a gaping security vulnerability for companies at worst. We believe that biometrics is the solution to replace passwords over time. While biometric capabilities have been available since Windows XP, innovations in Windows 8.1, along with the new hardware coming from our hardware partners, will make signing in with your fingerprint easier and more secure than anything you’ve used before.
    • Biometric support goes beyond the swipe sensors we previously supported to capacitive full-fingerprint sensors, and can be set up on any Windows 8.1 device through Modern Settings using a standard, consistent Windows experience.
    • Before, we supported biometrics when a customer first signed into the device. Now any time a user sees a Windows credential prompt, he or she can use biometrics, effectively eliminating the password for logging into secure sites and in-app user account validations.
    • Finally, we have created new APIs to support biometrics on the WinRT platform. Using biometrics in a Windows Store app is as simple as making one API call.
  • Multifactor Authentication for BYOD: With Windows 8.1, we are building on the work done in Windows 8 to streamline the Virtual Smart Card (VSC) management process. In Windows 8.1 we have added support for enrollment and management via WinRT APIs, so all of these scenarios can be supported through a modern app experience. With this, businesses will have more flexibility and control over how devices connect to internal networks, and it will be easier to securely allow access for personal devices in a BYOD environment.
  • Trustworthy Identities and Devices: We have recently seen how Public Key Infrastructures (PKIs) or Certificate Authorities can be targeted by hackers, leaving a system vulnerable to attack. In Windows 8.1, we increase the trustworthiness of the PKI by helping manage and drive certificate best practices and adherence to standards within the ecosystem.
    • We have a service now that scans the top two million SSL/TLS sites on the web daily to look for anomalies or bad practices and will notify partners (certificate authorities or companies that had a fraudulent certificate issued in their name) quickly when we see issues.
    • We have also taken the “assumption factor” away from the server side of private key verification. For example, if an employee has malware on their personal device, the malware can intercept the private key during enrollment or renewal, effectively compromising your identity. With Windows 8.1, a server or service can require proof (attestation) that private certificates and keys are protected by hardware. If that can’t be proven, access is denied.
#3 Protecting Sensitive Data
We’ve also put a lot of thought into how businesses can protect their data even when it resides on employees’ personal devices.
  • Pervasive Device Encryption: With Windows 8.1, device encryption is now available on all editions of Windows for devices that support InstantGo. If the device supports InstantGo, device encryption can be automatically enabled. As InstantGo will be available on the vast majority of devices, this functionality will be pervasive throughout the enterprise. Windows 8.1 Pro and Windows 8.1 Enterprise also benefit from the full feature functionality of BitLocker, including BitLocker To Go, additional key protectors such as the network key protector, automatic recovery key escrow to Active Directory, and other powerful enterprise features ensuring a physical drive won’t be compromised when machines are lost or stolen.
  • Selective Wipe of Corporate Data: With Windows 8.1, we introduce Remote Data Removal, which will allow an IT department to wipe corporate data (e.g., emails, attachments, and data that came from Work Folders) off a BYOD device without affecting personal data.
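The hardware and data-protection expectations described in sections #1 and #3 (a present and enabled TPM, TPM 2.0 on InstantGo devices, and an encrypted OS volume with a TPM key protector plus a recovery key that can be escrowed) are the kind of thing an IT department wants to verify before a BYOD device touches corporate data. The script below is an added example, not code from the original post or from Microsoft; it assumes it is run from an elevated PowerShell prompt on a Windows 8.1 machine where the BitLocker and SecureBoot modules are available (the BitLocker cmdlets ship with Pro and Enterprise; on a device using only base-edition device encryption, Get-BitLockerVolume may be absent and that check reports Unknown).

```powershell
# Added example (not from the original post): audit a Windows 8.1 device against
# the expectations described above. Assumes an elevated prompt and that the
# BitLocker and SecureBoot PowerShell modules are present.

function Get-TpmSummary {
    # Win32_Tpm lives in its own WMI namespace; SpecVersion is a string such as
    # "2.0, 0, 1.16" or "1.2, 2, 3", so the first comma-separated field is the version.
    $tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm -ErrorAction SilentlyContinue
    if (-not $tpm) {
        return [pscustomobject]@{ Present = $false; Enabled = $false; Activated = $false; SpecVersion = $null }
    }
    [pscustomobject]@{
        Present     = $true
        Enabled     = [bool]$tpm.IsEnabled_InitialValue
        Activated   = [bool]$tpm.IsActivated_InitialValue
        SpecVersion = ($tpm.SpecVersion -split ',')[0].Trim()
    }
}

function Get-SecureBootState {
    # Confirm-SecureBootUEFI throws on legacy BIOS firmware; treat that as "not enabled".
    try { return [bool](Confirm-SecureBootUEFI) }
    catch { return $false }
}

function Get-OsVolumeProtection {
    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    if (-not $os) {
        return [pscustomobject]@{ Status = 'Unknown'; Protection = 'Unknown'; TpmProtector = $false; RecoveryProtector = $false }
    }
    [pscustomobject]@{
        Status            = $os.VolumeStatus        # FullyEncrypted, FullyDecrypted, EncryptionInProgress, ...
        Protection        = $os.ProtectionStatus    # On / Off
        # Any Tpm, TpmPin, TpmStartupKey or TpmPinStartupKey protector binds the volume key to the TPM.
        TpmProtector      = [bool]($os.KeyProtector | Where-Object { $_.KeyProtectorType -like 'Tpm*' })
        # A RecoveryPassword protector is what gets escrowed to Active Directory.
        RecoveryProtector = [bool]($os.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    }
}

# Collect the state once and turn it into plain pass/fail findings an admin can act on.
$tpm  = Get-TpmSummary
$sb   = Get-SecureBootState
$disk = Get-OsVolumeProtection

$findings = @(
    [pscustomobject]@{ Check = 'TPM present, enabled and activated';  Pass = ($tpm.Present -and $tpm.Enabled -and $tpm.Activated); Detail = "SpecVersion=$($tpm.SpecVersion)" }
    [pscustomobject]@{ Check = 'TPM 2.0 (InstantGo expectation)';     Pass = ($tpm.SpecVersion -eq '2.0');                          Detail = "SpecVersion=$($tpm.SpecVersion)" }
    [pscustomobject]@{ Check = 'UEFI Secure Boot enabled';            Pass = $sb;                                                   Detail = '' }
    [pscustomobject]@{ Check = 'OS volume fully encrypted, protection on'; Pass = ($disk.Status -eq 'FullyEncrypted' -and $disk.Protection -eq 'On'); Detail = "$($disk.Status)/$($disk.Protection)" }
    [pscustomobject]@{ Check = 'TPM key protector on OS volume';      Pass = $disk.TpmProtector;                                    Detail = '' }
    [pscustomobject]@{ Check = 'Recovery password protector present'; Pass = $disk.RecoveryProtector;                               Detail = 'required for recovery key escrow' }
)

$findings | Format-Table -AutoSize
# Non-zero exit lets a management tool treat any failed check as non-compliant.
if ($findings | Where-Object { -not $_.Pass }) { exit 1 } else { exit 0 }
```

Run it as `.\Audit-Win81Device.ps1` (a name chosen for this example). The checks are deliberately split so that a device with a TPM 1.2 chip shows up as "TPM present" but fails only the 2.0 line, which matches the post's distinction between today's requirement for InstantGo devices and the broader January 2015 goal.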
#4 Malware Resistance