Microsoft’s move to Windows 10 continues with a new build of the operating system and an announcement of what the company plans to do to make Windows more secure and easier to administer. The new build of the Windows 10 Technical Preview makes good on Microsoft’s promise to keep users updated on its plans as the work progresses.
The new security plans were announced in a blog entry by Microsoft’s Jim Alkove, who heads the Windows enterprise program management team. Alkove stated that Microsoft is concerned about the growing number of security breaches enterprise users are experiencing and wants to make Windows 10 much more able to resist such breaches.
“We’re seeing network breaches resulting from techniques as simple as username and password theft. In a couple of recent cases, hackers infiltrated Fortune 500 companies using stolen usernames and passwords, which gave them access to point-of-sale systems and the credit card data being processed with them,” he said.
But Alkove noted that the security breaches aren’t just the province of cyber-criminals. “Even well-intended employees represent a substantial risk that requires mitigation,” he said, pointing to studies in which even senior managers admit to uploading sensitive information to personal email or cloud accounts.
To combat these problems, Alkove said that Windows 10 will include a number of built-in security protections that he expects will reduce such breaches. These include multi-factor authentication built into Windows itself rather than supplied by an add-on application. While Alkove wasn’t specific about exactly how this would work, he did say that Windows will be able to use the device itself as one authentication factor.
Presumably, using the device as a factor means that Windows would enroll each device and bind a credential to it, so that the device can later prove it is the one that was enrolled, with new devices enrolled as needed. Those credentials would generate security tokens within Windows, and the tokens would be held in a secure container running on top of Hyper-V technology, isolated from the regular operating system.
The idea of running security outside the environment it protects is a bit like a feature living in a fifth spatial dimension: it can see what goes on inside, but nothing inside can reach it. This is one of the latest ideas in security because it defeats the common malware tactic of disabling the security first and then taking over the machine. Even malware running with kernel privileges in the main operating system is not supposed to be able to read or tamper with what the hypervisor keeps in the isolated container.
But, of course, the device alone isn’t enough as an authentication factor, because whoever steals or finds it could then authenticate as its owner. So the second factor would be a PIN, or perhaps a biometric such as the fingerprint Apple uses as part of its Apple Pay authentication. Either would work, and both can be combined where the situation calls for it.
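To make the reasoning above concrete, here is an added illustration of a device-bound factor combined with a PIN. It is not Microsoft’s design (the article gives no protocol details) and not code from the original page: it is a generic HMAC challenge-response in which a per-device secret is minted at enrollment and is only used to answer the server’s challenge after a local PIN check. All names (Invoke-DeviceSign, Test-Response, the device ID laptop-01) are assumptions for the example, and a production scheme would use an asymmetric device key so the server holds no secret at all.

```powershell
# Added illustration, not Microsoft's design: device secret + PIN as two factors.
# Both "device" and "server" sides run in one process here; in a real system the
# device secret would live in protected storage (the article's secure container)
# and the registry would belong to the identity provider.

function New-Secret {
    param([int]$Bytes = 32)
    $buf = New-Object byte[] $Bytes
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($buf)
    return ,$buf   # leading comma keeps the byte[] from being unrolled
}

function Get-PinHash {
    # PBKDF2 over the PIN with a per-device salt; the hash gates use of the device secret.
    param([string]$Pin, [byte[]]$Salt)
    $kdf = [System.Security.Cryptography.Rfc2898DeriveBytes]::new($Pin, $Salt, 100000)
    try { return ,$kdf.GetBytes(32) } finally { $kdf.Dispose() }
}

function Test-BytesEqual {
    # Constant-time comparison so a wrong PIN or MAC is not leaked by timing.
    param([byte[]]$A, [byte[]]$B)
    if ($A.Length -ne $B.Length) { return $false }
    $diff = 0
    for ($i = 0; $i -lt $A.Length; $i++) { $diff = $diff -bor ($A[$i] -bxor $B[$i]) }
    return ($diff -eq 0)
}

function New-DeviceEnrollment {
    # "Device" side: mint the device secret and store a PIN hash, never the PIN.
    param([string]$DeviceId, [string]$Pin)
    $salt = New-Secret -Bytes 16
    return [pscustomobject]@{
        DeviceId = $DeviceId
        Secret   = New-Secret -Bytes 32        # the device factor; never leaves the device
        PinSalt  = $salt
        PinHash  = Get-PinHash -Pin $Pin -Salt $salt
    }
}

function Register-Device {
    # Server side: with a symmetric scheme the server must hold a copy of the secret.
    param([hashtable]$Registry, $Device)
    $Registry[$Device.DeviceId] = $Device.Secret
}

function New-Challenge {
    param([hashtable]$Registry, [string]$DeviceId)
    if (-not $Registry.ContainsKey($DeviceId)) { return $null }
    return New-Secret -Bytes 32                # fresh nonce, so a captured answer cannot be replayed
}

function Invoke-DeviceSign {
    # "Device" side: the PIN is the user factor; the secret is the device factor.
    param($Device, [string]$Pin, [byte[]]$Challenge)
    $attempt = Get-PinHash -Pin $Pin -Salt $Device.PinSalt
    if (-not (Test-BytesEqual $attempt $Device.PinHash)) { return $null }   # wrong PIN: refuse to answer
    $mac = [System.Security.Cryptography.HMACSHA256]::new($Device.Secret)
    try { return ,$mac.ComputeHash($Challenge) } finally { $mac.Dispose() }
}

function Test-Response {
    # Server side: recompute the MAC with the registered secret and compare.
    param([hashtable]$Registry, [string]$DeviceId, [byte[]]$Challenge, [byte[]]$Response)
    if ($null -eq $Response -or -not $Registry.ContainsKey($DeviceId)) { return $false }
    $mac = [System.Security.Cryptography.HMACSHA256]::new($Registry[$DeviceId])
    try { return Test-BytesEqual ($mac.ComputeHash($Challenge)) $Response } finally { $mac.Dispose() }
}

# Constructed scenarios: one enrolled laptop, one attacker.
$registry = @{}
$laptop = New-DeviceEnrollment -DeviceId 'laptop-01' -Pin '2468'
Register-Device -Registry $registry -Device $laptop

# Enrolled device and the correct PIN: the only combination the server accepts.
$c = New-Challenge -Registry $registry -DeviceId 'laptop-01'
$r = Invoke-DeviceSign -Device $laptop -Pin '2468' -Challenge $c
"enrolled device, right PIN  : $(Test-Response $registry 'laptop-01' $c $r)"

# Stolen device, PIN unknown: the device never releases its secret.
$c = New-Challenge -Registry $registry -DeviceId 'laptop-01'
$r = Invoke-DeviceSign -Device $laptop -Pin '0000' -Challenge $c
"stolen device, wrong PIN    : $(Test-Response $registry 'laptop-01' $c $r)"

# Phished PIN on an unenrolled device: right PIN, but a different secret, so the MAC fails.
$rogue = New-DeviceEnrollment -DeviceId 'laptop-01' -Pin '2468'
$c = New-Challenge -Registry $registry -DeviceId 'laptop-01'
$r = Invoke-DeviceSign -Device $rogue -Pin '2468' -Challenge $c
"unenrolled device, right PIN: $(Test-Response $registry 'laptop-01' $c $r)"
```

Only the first scenario succeeds. A real device would also throttle or lock out after repeated wrong PINs, and the point of keeping the secret in an isolated container is precisely that Invoke-DeviceSign, not the main operating system, is the only thing that ever touches it.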
Microsoft is also working on security that attaches to the information itself. This means a specific item, perhaps a document or a data file, could be protected so that it opens only for a user who presents the right credentials and meets its access policy, regardless of whether the information resides on the computer where it was created, is in transit, or has been copied to another device. This feature includes automatic encryption provided by Windows 10.
Microsoft Windows 10 to Offer New, Robust Security Features
Of course, we already know that the U.S. government is less than totally thrilled with automatic encryption, but it would appear that this ship has sailed. Government monitoring notwithstanding, companies have an urgent need to protect their data from malware, hackers and foreign governments, not to mention inadvertent loss when an employee accidentally sends sensitive information to their aunt at the retirement home in Florida.
Finally, Alkove said that Microsoft would provide the ability to lock down devices so that IT managers can limit exactly which software is allowed to run on a given computer. Effectively, this is an application white list: if an application isn’t on the list, it can’t run.
The ability to lock down a computer so that it runs only white-listed applications would presumably prevent malware from running, at least until malware writers find a way to make their wares appear to be legitimate applications, or to run their code through an application that is already on the list.
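As an added example of what such a lock-down looks like in practice (not code from the article or from Microsoft’s announced Windows 10 feature, whose API is not yet public), here is an allow-list built with AppLocker, the whitelisting mechanism already in Windows 7 and 8 Enterprise. The policy file location and the test paths are hypothetical, and the reference machine is assumed to carry only approved software.

```powershell
# Added example using AppLocker as a stand-in for the announced Windows 10 lock-down.
# Run in an elevated PowerShell session on a clean reference machine.
Import-Module AppLocker

$policyPath = 'C:\Policies\AppLocker-allowlist.xml'   # hypothetical location
New-Item -ItemType Directory -Force -Path (Split-Path $policyPath) | Out-Null

# 1. Inventory the reference machine and generate rules. Publisher rules for signed
#    files keep working across updates; Hash rules pin unsigned files to one exact
#    binary. Path rules are deliberately not generated: anything an attacker can
#    write into an allowed directory would inherit the allow.
$inventory = Get-AppLockerFileInformation -Directory 'C:\Program Files', 'C:\Program Files (x86)', 'C:\Windows' `
             -Recurse -FileType Exe, Script, WindowsInstaller

New-AppLockerPolicy -FileInformation $inventory -RuleType Publisher, Hash `
                    -User Everyone -RuleNamePrefix Baseline -Optimize -Xml |
    ForEach-Object { $_ -replace 'EnforcementMode="NotConfigured"', 'EnforcementMode="AuditOnly"' } |
    Out-File -FilePath $policyPath -Encoding utf8

# 2. Dry-run: evaluate candidate files against the policy before applying it.
#    A dropper in %TEMP% matches neither a publisher nor a hash rule, so it is
#    denied; an installed, signed tool is allowed by its publisher rule.
Test-AppLockerPolicy -XmlPolicy $policyPath -User Everyone `
                     -Path 'C:\Program Files\7-Zip\7z.exe', "$env:TEMP\dropper.exe" |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 3. Apply in audit mode first. Audit records what would have been blocked without
#    blocking it, which is how you find the line-of-business binary nobody told you
#    about before enforcement breaks it. Rules are only evaluated while the
#    Application Identity service is running.
Set-AppLockerPolicy -XmlPolicy $policyPath
Start-Service AppIDSvc

# 4. Review the audit trail, then change EnforcementMode to "Enabled" and re-apply.
#    Event 8003 = would have been blocked (audit); 8004 = blocked (enforced).
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -in 8003, 8004 } |
    Select-Object TimeCreated, Id, Message -First 20
```

Test-AppLockerPolicy is the check worth keeping around: pointing it at a file in a user-writable folder under %WINDIR% shows why a policy built from path rules would let a renamed dropper through while the publisher and hash rules above do not.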
But there remains a huge problem that Windows 10 can’t fix, no matter how well it’s engineered. That problem is Windows XP, and machines that haven’t been, and are unlikely to be, updated to a more secure platform.
Most of the point-of-sale systems that were the target of the Home Depot and Target breaches run unpatched versions of XP. These systems have little, if any, real security, and their manufacturers don’t seem to be in a hurry to fix this problem.
Perhaps in its future releases, Microsoft can make upgrading, especially for security, a basic condition of the license that’s provided with these products. That way, if the vendor doesn’t provide regular upgrades, the underlying copy of Windows simply stops working.
I realize that there would be a lot of complaining, but unless security is attended to at every level, the consequences are dire, as we’ve already seen. Let’s hope that Microsoft and Alkove can find a way to make security updates required, and to make those requirements stick.