Black Hat 2013: Windows 8.1 Helps Keep Data Secure in a Modern Environment
As the Group Program Manager for Windows Security & Identity, I look forward to attending Black Hat and this year was no exception. It’s a great experience to join my colleagues from the Trustworthy Computing (TwC) team at Microsoft and meet with some of the world’s leading security experts.
While TwC announced updates to its MAPP program, for my part I was at the event to discuss Windows’ security vision and how this translates into new security enhancements we’re delivering in Windows 8.1.
The Windows 8.1 update offers a full spectrum of new and improved security capabilities – from features that enable devices to be fully locked down by IT, to remote security options for BYOD devices, to safeguards for personal devices that need to access business resources from home.
For all of you that couldn’t make it to Black Hat in Las Vegas this week, I wanted to summarize the major takeaways we shared at the event.
#1 Trustworthy Hardware
Trusted hardware is a key investment area for Microsoft in Windows 8.1. Often in a BYOD scenario, if an employee buys a new computer, it can be hit-or-miss as to whether the device will have all the tools baked in that an IT department needs to make sure any data on that device is secure. With Windows 8.1 we take away the guesswork.
- The Trusted Platform Module: TPM is a hardware security device or chip that provides a number of crypto functions, including securely storing keys and performing cryptographic measurements. It’s a great tool for the enterprise, but has been an optional piece of technology for consumer devices.
- TPM 2.0 is required for all InstantGo (Connected Standby) devices which will ensure modern devices are ready for BYOD scenarios. And in Windows 8.1, we expand on the strategy behind TPM, with features such as key attestation, which allows you to ensure your private key is safely bound to hardware instead of malware, and virtual smartcard management WinRT APIs to enable Windows Store apps to set up and manage virtual smartcards.
- We are working towards requiring TPM 2.0 on all devices by January 2015. This helps IT departments be confident that the device their employees bring to work are fully capable of complying with corporate security policies.
#2 Modern Access Control
With Windows 8.1, we’ve focused a lot of attention on the controls that IT departments can place on devices to restrict who can physically access a device.
- First Class Biometrics: It’s no secret creating and remembering passwords is a nuisance at best and a gaping security vulnerability for companies at worst. We believe that biometrics is the solution to replace passwords over time. While biometric capabilities have been available since Windows XP, innovations in Windows 8.1, along with the new hardware coming from our hardware partners, will make your fingerprint easier and more secure than anything you’ve used before.
- Biometrics goes beyond swipe, which we previously supported, to capacitive full fingerprint and can be set up on any Windows 8.1 device through Modern Settings using a standard, consistent Windows experience.
- Before, we supported biometrics when a customer first signed into the device. Now any time a user sees a Windows credential prompt, he or she can use biometrics, effectively eliminating the password for logging into secure sites and in-app user account validations.
- Finally, we have created new APIs to support biometrics on the WinRT platform. Using biometrics in a Windows Store app is as simple as making one API call.
- Multifactor Authentication for BYOD: With Windows 8.1, we are building on the work done in Windows 8 to streamline the Virtual Smart Card (VSC) management process. In Windows 8.1 we have added support for enrollment and management via WinRT APIs so all of these scenarios can be supported through a modern app experience. With this, businesses will have more flexibility and control over how devices connect to internal networks and make it easier to securely allow access to personal devices in a BYOD environment.
- Trustworthy Identities and Devices: We have recently seen how Public Key Infrastructures (PKIs) or Certificate Authorities can be targeted by hackers, leaving a system vulnerable to attack. In Windows 8.1, we increase the trustworthiness of the PKI by helping manage and drive certificate best practices and adherence to standards within the ecosystem.
- We have a service now that scans the top two million SSL/TLS sites on the web daily to look for anomalies or bad practices and will notify partners (certificate authorities or companies that had a fraudulent certificate issued in their name) quickly when we see issues.
- We have also taken the “assumption factor” away from the server side of private key verification. For example, if an employee has malware on their personal device, the malware can intercept the private key during enrollment or renewal, effectively compromising your identity. With Windows 8.1, a server or service can require proof (attestation) that private certificates and keys are protected by hardware. If that can’t be proven, access is denied.
#3 Protecting Sensitive Data
We’ve also put a lot of thought into how businesses can protect their data even when it resides on employees’ personal devices.
- Pervasive Device Encryption: With Windows 8.1, device encryption is now available on all editions of Windows for devices that support InstantGo. If the device supports InstantGo, device encryption can be automatically enabled. As InstantGo will be available on the vast majority of devices, this functionality will be pervasive throughout the enterprise. Windows 8.1 Pro and Windows 8.1 Enterprise also benefit from the full feature functionality of BitLocker, including BitLocker To Go, additional key protectors such as the network key protector, automatic recovery key escrow to Active Directory, and other powerful enterprise features ensuring a physical drive won’t be compromised when machines are lost or stolen.
- Selective Wipe of Corporate Data: With Windows 8.1, we introduce Remote Data Removal which will allow an IT department to wipe corporate data (e.g. emails, attachments, corporate data that came from Work Folders) off a BYOD device without affecting personal data.
#4 Malware Resistance
As security threats continue to evolve, we continue to step up our built-in malware resistance measures to stay ahead of attackers.
- Improved Windows Defender: We are introducing high performance behavior monitoring to Windows Defender that enable Defender to detect certain bad behaviors in memory, the registry, or the file system; even before signatures have been created.
- Enhancements to Internet Explorer: Currently, malicious websites can sometimes access sensitive data by exploiting vulnerabilities in binary extensions (such as ActiveX controls). These are executed immediately, bypassing the antimalware solution. In Windows 8.1, we offer an API for Internet Explorer that enables anti-malware solutions to make a security determination before a binary extension is loaded. In addition, Enhanced Protection Mode is on by default in Internet Explorer 11, helping to ensure safer browsing.
Security continues to be a top priority for Microsoft, from secure development practices, to addressing any emerging vulnerabilities, to collaborating with others in the industry to protect our customers. As part of this commitment, I’m excited for businesses and consumer alike to experience the added security measures that we are introducing with this iteration of Windows.
The Windows 8.1 Preview is currently available for download here. And, as we shared earlier this week, the Windows 8.1 Enterprise Preview is also available for enterprise customers to begin deploying on test machines. With Windows 8.1 Enterprise, you will see all of these new security features, as well as unique features specific to the enterprise customers using Windows Server.