Microsoft just kicked client side security up a huge notch for Windows 10. Boy, how things have changed. Over a decade ago, the young kids who were forming Google were gleefully pointing out how unsecure Windows is, and here we are, a little over a decade later. Android is the security problem that folks are concerned about and, with Windows 10, Microsoft is attempting to set the bar for client side access security.
In one way or another, I’ve actually been in the security business since I was a child, with various family holdings and stints in private security and law enforcement while I was getting my degrees. Since then, it has either been part of my job to manage security or to audit or analyze it. And for the vast majority of that time, and I mean way back to the early 80s, my industry seemed to agree on few things other than that passwords were inadequate. Yep, we’ve known that passwords sucked for well over 30 years, yet that is still the most common way we access things. This, even though we have solutions like biometrics, RSA tokens, and more recently smartphones that could have substantially reduced our security exposure.
With Windows 10, Microsoft is stepping up and it is about time.
Dual-Factor PCs vs. Smartphones
While passwords and PIN numbers are easily compromised, if you can introduce another factor that isn’t easy to replicate, the combination can be secure enough. This second factor could be a known device; this is a method increasingly used by banks and other financial institutions. Even if you have someone’s password, if you don’t have their PC, you still won’t get access unless you can somehow fool the system into authorizing your device. Unfortunately, that process tends to involve challenge questions like “where were you born.” During this age of social media, the answers are way too easy to figure out.
A smartphone is far better because, given that carriers have not allowed phone cloning because it puts too much stress on their network, you only have one and it is with you. If someone attempts to change your phone number, because you use your phone a lot, you’ll likely be aware of the successful attempt far more quickly. And the process is far more involved and difficult for a third party than just figuring out a few challenge questions.
Even if you get rid of the phone, as a user, you keep the number, which is tied to the validation process. With a PC, there is a chance that someone could figure out how to restore the token on it and have it become a trusted machine by recovering the hard drive.
From an ease of use standpoint, the “authorize multiple devices approach” is the easiest because all the user does is use the device for the transaction and the second factor is invisible. With the smartphone approach, the smartphone is part of the login process and that does add an extra step, which can be painful if the smartphone isn’t with the user at the time.
Microsoft will be providing the option of using either of these two approaches. I’m recommending the smartphone approach because, while it is slightly more difficult, it should be vastly more secure.
Securing the Tokens
If this were 10 years ago, this would be enough — but it isn’t, and it’s not. Once authenticated, users are issued tokens so they can continue to have access to the service. These tokens currently are vulnerable to capture and replication. These tokens must be placed into a secure container, otherwise the user will still get compromised. Virtualization is an ideal technology to use for creating the secure container because it isolates the container from the system, providing a limited and observable number of viable ways into the container. Microsoft is using Hyper-V, its virtualization solution, to create the secure container and protect the tokens.
Transparent Dual Mode
Going beyond access protection, there is an ongoing problem with users keeping confidential company data in unsecure repositories on their PCs. BitLocker, Microsoft’s existing secure repository for information, is often not turned on or used because it is simply easier, particularly when the user has both personal and company information on their machines. To fix this, an automatic method is needed that separates and keeps separate company and personal information and assures compliance with security policy. BlackBerry has implemented a solution like this in its phones.
Fortunately, Microsoft didn’t miss this meeting and has a DLP (data loss prevention) component in Windows 10 that does this. It has implemented an automatic process controlled by IT policy that assures the protection of corporate data and applications (both of which can be automatically encrypted) transparently to the user, so the user is less likely to bypass security policy.
While this does create a dual-mode PC, the switch between modes should largely be invisible to the user. IT gets the benefit of a dual-mode system while the user gets the experience they prefer and are used to.
Beating Bad Apps
This actually has been the source of much of the exposure on Android devices of late, tied to compromised games and free apps, but we’ve had no shortage of these things on Windows, either. The final part of Microsoft’s security announcement has to do with assuring that apps can be trusted. Really, the only reliable way to do this is through some form of lock down, making sure the user can’t install any unauthorized apps. Microsoft is providing flexibility so that IT can decide just how draconian they need to be in picking the app approval process, ranging from apps that are signed to only apps that are specifically approved. This approval process can be applied to older apps as well to ensure that the process is comprehensive.
Wrapping Up: Leading in Security
One of the fundamental mistakes both Microsoft and Google made at the start of their platforms was not taking security seriously enough and believing it could be adequately done by others. Security is hardly fun and it tends to run against the user experience, but IBM learned decades ago that if you are going to create a business solution, security has to be part of it and not an afterthought. Microsoft has gradually been adding more and more security to its solutions and with Windows 10, it appears to be turning this effort into a major differentiator both against competitors and against earlier versions of its own product.
Unlike earlier versions, Windows 10 is getting an interesting cadence. A well-timed release of IT-focused features early will be followed by user-focused features as we approach the launch. This is a practice that I’d thought Microsoft forgot. It appears they have remembered that IT needs a long lead and users are more tactical and need a push closer to the launch. Nadella’s Microsoft is reminding me more and more of ‘90s Microsoft under Gates, before the arrogance kicked in. From a macro perspective, this is a very good thing for IT and users and likely will assure Windows 10 is what we all wanted this time.
Rob Enderle is President and Principal Analyst of the Enderle Group, a forward-looking emerging technology advisory firm. With over 30 years’ experience in emerging technologies, he has provided regional and global companies with guidance in how to better target customer needs; create new business opportunities; anticipate technology changes; select vendors and products; and present their products in the best possible light. Rob covers the technology industry broadly. Before founding the Enderle Group, Rob was the Senior Research Fellow for Forrester Research and the Giga Information Group, and held senior positions at IBM and ROLM. Follow Rob on Twitter @enderle, on Facebook and on Google+