Windows 8 Enables Microsoft to Take Stronger Role in Trusted Security

Trusted Computing features went largely unnoticed in Windows 7, but will get more attention in Windows 8 as vendors such as Wave Systems pair Microsoft's DirectAccess remote-access technology with TPM-based virtual smart cards.

Microsoft is going to draw more attention to the Trusted Computing features in Windows 8 that were already available in Windows 7, in order to encourage enterprises to adopt Windows 8 and use the security built into it.

Three security features built on the Trusted Platform Module (TPM) are at the core of Windows, said Steven Sprague, CEO of Wave Systems, a maker of third-party security software for Windows systems.

They include the Secured Measured Boot Infrastructure, which records a measurement of each component in the TPM as the machine boots so that the boot path can be verified; Modern Access Control, where the authentication keys are held in hardware rather than depending on passwords; and Pervasive Encryption, which includes self-encrypting drives.
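Whether those three features are actually active on a given machine is something an administrator can check directly. The following PowerShell script is an added example, not code from the article or from Wave Systems; it targets Windows 8 or Windows Server 2012, assumes the TrustedPlatformModule and BitLocker modules that ship with those releases, and uses the default MeasuredBoot log location. Run it from an elevated prompt.

```powershell
# Added example, not from the article: report the state of the three
# TPM-based features described above on a Windows 8 / Server 2012 host.
# Run from an elevated PowerShell prompt.

# Modern access control needs a TPM that is present and provisioned.
Import-Module TrustedPlatformModule
$tpm = Get-Tpm
"TPM present: {0}  ready: {1}  locked out: {2}" -f $tpm.TpmPresent, $tpm.TpmReady, $tpm.LockedOut

# Measured boot: firmware and boot loader extend the TPM's PCRs, and Windows
# writes the event log under %SystemRoot%\Logs\MeasuredBoot. A log written at
# the most recent boot is the sign that measurements are being recorded.
$log = Get-ChildItem "$env:SystemRoot\Logs\MeasuredBoot" -Filter *.log -ErrorAction SilentlyContinue |
       Sort-Object LastWriteTime | Select-Object -Last 1
if ($log) { "Latest measured boot log: {0} ({1})" -f $log.Name, $log.LastWriteTime }
else      { "No measured boot log found (TPM absent or measured boot not active)" }

# Secure Boot is a separate UEFI check. Confirm-SecureBootUEFI throws on
# legacy BIOS firmware, so report that as "not supported" rather than failing.
try   { "Secure Boot enabled: {0}" -f (Confirm-SecureBootUEFI) }
catch { "Secure Boot: not supported on this firmware" }

# Pervasive encryption: BitLocker status per volume. On a self-encrypting
# drive that Windows 8 drives directly, EncryptionMethod reports "Hardware".
Import-Module BitLocker
Get-BitLockerVolume |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionMethod |
    Format-Table -AutoSize
```

A machine that reports a present but not ready TPM, or no measured boot log, has the hardware but not the configuration; that is the gap Sprague describes when he says users do not know the features are "in the box".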

Although these features of Trusted Computing are in Windows 7, a lot of users may not be aware of them, said Sprague.

“Most people don’t know that it’s in the box, and so we’re actually very pleased to see Microsoft really for the first time in the operating system [offer] the full use of Trusted Computing with the Windows 8 operating system,” he said.

Instead of security being marketed by third-party companies, such as Wave Systems, Sprague said, the market is going to get the full benefit of Microsoft marketing support.

Wave Systems is introducing new capabilities to its Embassy Remote Administration Server (ERAS) technology to enable IT security staff to use “virtual smart cards” for identity and access management. ERAS version 2.9 builds on Microsoft's DirectAccess technology, which provides remote access to a corporate network without the need for a virtual private network (VPN) connection, Sprague said.

Enterprises running Windows Server 2008 R2 in their data centers can make better use of DirectAccess security for Windows 7 and Windows 8 machines as they upgrade to Windows Server 2012, he said. DirectAccess was introduced in Windows Server 2008 R2 but was complicated to set up. DirectAccess in Windows Server 2012, by contrast, “is massively simplified.”

The virtual smart card lives in the TPM, a chip on the computer's motherboard, Sprague explained. When users log on, they enter a personal identification number (PIN) instead of a username and password. The PIN unlocks a private key that the TPM holds and never releases; the matching public key is in the certificate the enterprise issues to the card, so a successful logon proves possession of that specific machine as well as knowledge of the PIN.

“The PIN is between me and my device,” he explained. “I can tell you what my PIN is and it’s completely irrelevant because you also have to steal my machine.”

If a username and password are stolen or guessed, an attacker can enter them on any computer or Web browser to gain access; a stolen PIN is useless without the machine whose TPM holds the key.
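Provisioning such a card on a Windows 8 client, as an added walkthrough that is not part of the article or of Wave's ERAS product: tpmvscmgr.exe and certreq.exe ship with Windows 8, but the card name, the CA name (ca.corp.example\Corp-CA) and the certificate template name (VSCLogon) below are placeholders. Run it elevated on the client.

```powershell
# Added example, not from the article or Wave Systems: create a TPM virtual
# smart card on a Windows 8 client, enrol a logon certificate onto it, and
# verify the result. Card name, CA and template names are assumptions.

# 1. Create the card. The key material stays inside the TPM; the PIN only
#    authorises its use. /adminkey random generates the key an admin needs
#    later to unblock the PIN; /generate initialises the card file system.
tpmvscmgr.exe create /name "Corp VSC" /pin prompt /adminkey random /generate
# On success tpmvscmgr prints a reader instance id such as
# ROOT\SMARTCARDREADER\0000; keep it, it is the argument for "destroy".

# 2. Enrol a smart card logon certificate through the card's key storage
#    provider so the key is generated non-exportable in the TPM. certreq
#    prompts for the PIN chosen in step 1.
$inf = @"
[NewRequest]
Subject = "CN=$env:USERNAME"
KeyLength = 2048
Exportable = FALSE
ProviderName = "Microsoft Smart Card Key Storage Provider"
RequestType = PKCS10
[RequestAttributes]
CertificateTemplate = VSCLogon
"@
Set-Content -Path "$env:TEMP\vsc.inf" -Value $inf
certreq.exe -new    "$env:TEMP\vsc.inf" "$env:TEMP\vsc.req"
certreq.exe -submit -config "ca.corp.example\Corp-CA" "$env:TEMP\vsc.req" "$env:TEMP\vsc.cer"
certreq.exe -accept "$env:TEMP\vsc.cer"

# 3. Verify: the card appears as a reader/card pair, and the logon certificate
#    is in the user's store with a private key the OS reports as present but
#    which cannot be exported, because it lives in the TPM of this machine.
certutil.exe -scinfo
Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey -and
                   ($_.EnhancedKeyUsageList | Where-Object FriendlyName -eq 'Smart Card Logon') } |
    Select-Object Subject, NotAfter, Thumbprint
```

Because the key is generated by the card's own key storage provider, the enterprise CA that signs the certificate is the only party that controls which keys are trusted; no carrier or bank is involved in the credential.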

The virtual smart card gives the enterprise better control over employees’ endpoint devices, particularly laptops and tablet computers, than it would have if the credentials were held by a third party such as a wireless carrier or a financial institution.

“In the enterprise it’s really important that they’re not relying on Verizon or AT&T to be in control or Citibank. They want to be in control of their own keys,” Sprague said.

Many industry observers believe that enterprise adoption of Windows 8 will be slow, with real traction not happening until sometime in 2015 because many are only now migrating to Windows 7. But Sprague expects Windows 8 to start appearing in the enterprise as soon as January 2013 when employees start bringing their own Windows 8 tablets to the office loaded with the popular Office software suite that they also purchased themselves.