In my previous blogs, I have been emphasizing the implementation of best practices around endpoint security compliance, password management, information protection and cloud security, as these are the areas that need absolute attention given the constantly evolving threat landscape in both the enterprise and consumer worlds.
Also, we have all seen that endpoints (devices and people both) are primarily the targets of, or at least facilitators for, a security breach: they number in the billions and have a large and, unfortunately, ever-changing attack surface. Since compromised endpoints can become multiple unsecured gateways for attackers to enter the enterprise network, making business and personal information vulnerable, it has always been critical to keep security evolving for endpoints and information.
With the Windows 10 launch on June 29, it is really exciting to see how even client operating systems have started to deliver in this direction of protecting information, identities and system integrity, to make our world more secure and to empower every person and every organization on the planet to achieve more.
Windows 10 – Enterprise Data Protection
Any data protection framework should cover the following scenarios –
While data resides on a device – disk- and file-level encryption solutions have been available from Microsoft (BitLocker) and from other vendors to protect the system and data when a device is lost or stolen.
While data leaves the device – Rights Management Services and Information Rights Management solutions have been available from Microsoft and from other vendors to protect data when it is shared with others, or shared outside of organizational devices and control.
Information Rights Management (IRM) and file-level encryption typically require the user to manually activate the protection. This leaves a gap: if users are not proactive, or do not know better, it is relatively easy for them to accidentally leak corporate data.
Alternatively, there have been administrator-level approaches where discovery and data classification engines are run and the appropriate IRM and encryption controls are applied automatically.
Enterprise Data Protection in Windows 10 addresses this problem by automatically encrypting data that arrives on the device from corporate apps and network locations. When users create new original content, it helps them define which documents are corporate versus personal, and companies can even designate all new content created on the device as corporate by policy.
It prevents unauthorized apps from accessing business data, and additional policies can be enabled to prevent data from being copied from corporate content to non-corporate documents or to external locations on the web such as social networks.
Windows 10 – Device Guard
There are 300K+ new malware threats per day, and there is no way for anti-virus to keep up with that battle. When anti-virus signatures are not available for script- and executable-based malware, the proactive protection mechanism is to define a whitelist of applications that are the only ones allowed to run, with everything else blocked.
AppLocker, available since Windows 7, and similar application control solutions from other vendors do help on this front to some extent. But these technologies are sometimes subject to tampering by the administrator themselves, or by malware that has managed to gain full system privilege.
Device Guard in Windows 10 can help in two ways –
First, an app must earn trust before use: Device Guard determines whether the app is trustworthy and notifies the user if it is not.
Second, it uses hardware technology and virtualization to isolate that decision-making function from the rest of the Windows operating system, so that if the Windows kernel is compromised, Device Guard is not.
It therefore provides better protection against malware and zero-days by blocking anything other than trusted apps, that is, apps signed by specific software vendors, the Windows Store, or even your own organization. You are in control of which sources Device Guard considers trustworthy, and it comes with tools that make it easy to sign Universal or even Win32 apps that the software vendor did not originally sign.
In practice, Device Guard is most helpful in combination with traditional anti-virus and app control technologies: it helps block executable- and script-based malware, while AV continues to cover areas that Device Guard does not, such as JIT-based apps (e.g. Java) and macros within documents. Using app control technologies, IT can provide a means to govern productivity and compliance.
Device Guard supports point-of-sale systems, ATMs, and other Internet of Things-type devices running Windows.
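The whitelist approach described above is driven by a code integrity policy. The following PowerShell sequence, added here as an example and not taken from the original post, builds such a policy from a known-good reference machine with the ConfigCI cmdlets that ship with Windows 10 Enterprise, deploys it in audit mode first, and then shows how to read back what would have been blocked before switching to enforcement. The folder paths and file names are placeholders chosen for this example.

```powershell
# Added example (not from the original post): build a Device Guard code integrity policy
# from a reference system and roll it out in AUDIT mode before enforcing it.
# $PolicyXml / $PolicyBin are placeholder paths for this example.

$PolicyXml = 'C:\CIPolicy\AuditPolicy.xml'   # editable XML form of the policy
$PolicyBin = 'C:\CIPolicy\SIPolicy.p7b'      # binary form that Code Integrity actually loads

# 1. Scan the reference machine and allow what is found, keyed on the signer's publisher
#    certificate so that a vendor's future signed updates stay allowed. -UserPEs includes
#    user-mode executables, not only drivers; -Fallback Hash covers any unsigned file found.
New-CIPolicy -Level Publisher -Fallback Hash -FilePath $PolicyXml -UserPEs

# 2. Keep the policy in audit mode for the first rollout (rule option 3 = "Enabled:Audit Mode").
#    In audit mode nothing is blocked; violations are only logged.
Set-RuleOption -FilePath $PolicyXml -Option 3

# 3. Convert the XML policy to binary and place it where Code Integrity reads it.
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin
Copy-Item -Path $PolicyBin -Destination "$env:SystemRoot\System32\CodeIntegrity\SIPolicy.p7b"

# 4. After a reboot, review what WOULD have been blocked. Event ID 3076 in the Code Integrity
#    operational log records audit-mode violations (3077 is the enforced-mode block event).
Get-WinEvent -LogName 'Microsoft-Windows-CodeIntegrity/Operational' |
    Where-Object { $_.Id -eq 3076 } |
    Select-Object -First 20 TimeCreated, Message

# 5. Only when the audit log is clean for the line-of-business apps you expect, remove
#    option 3 to switch to enforcement, reconvert and redeploy the binary policy.
# Set-RuleOption -FilePath $PolicyXml -Option 3 -Delete
# ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin
```

Running the policy in audit mode first is what makes the "you are in control of what sources are trustworthy" promise practical: the 3076 events tell you which signers or hashes still need to be added before enforcement would start interrupting users.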
Microsoft Passport & Windows Hello in Windows 10
Single-factor identity options like passwords have been insufficient to provide a secure mechanism for accessing applications, websites and networks. Moreover, for end users, password management has been irritating and vulnerable.
On top of that, user credentials (identities) are always at risk when breaches occur in the data centre. In today's world of advanced persistent threats (APTs), the next part is to protect the user access tokens that are generated once your users have been authenticated. Today, these access tokens are increasingly under attack using techniques such as Pass the Hash and Pass the Ticket. Once an attacker has these tokens, they can access resources by effectively impersonating the user's identity without needing the user's actual credentials.
Also, most of us are familiar with the concept of authenticating to a system using a combination of what we know and what we have, usually in the form of a smart card and a PIN or password. But traditionally smart cards have been the preserve of large corporations, not least because of the extra hardware required, but also because of the need to maintain a PKI, which can be complex to say the least.
Windows 10 takes multi-factor security to the next level by building it right into the operating system and the device itself, eliminating the need for the additional hardware security peripherals and middleware that current technologies like smart cards require.
Microsoft Passport in Windows 10 will ask you to verify that –
You have possession of your (enrolled) device, which then authenticates on your behalf, as the first factor;
And a PIN or Windows Hello (fingerprint, iris and face recognition) as the second factor.
To strengthen this further, Windows 10 has an architectural solution that stores user access tokens within a secure container running on top of Hyper-V technology. This prevents the tokens from being extracted from devices even in cases where the Windows kernel itself has been compromised.
From a security standpoint, this means that an attacker would need to have the user's physical device and access to the user's PIN or biometric information, which is stored locally in the Trusted Platform Module.
Features like Device Guard, Enterprise Data Protection, Microsoft Passport and Windows Hello can provide robust protection for enterprises and consumers.
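To make the two factors above concrete, here is an added illustration (not Microsoft's Passport code, and not from the original post) of the pattern the section describes: the enrolled device holds a key that only becomes usable after the local PIN or biometric gesture succeeds, and the identity provider keeps nothing that could be replayed if its data centre were breached. It assumes the key-pair design Passport is built on, models the TPM-protected key with an in-memory RSA object, replaces the PIN/Hello check with a `$LocalGestureVerified` flag, and uses a constructed in-memory hashtable `$IdpRegistry` as the identity provider's user store; the account name is a constructed sample.

```powershell
# Added illustration of Passport-style two-factor sign-in (not Microsoft's implementation).
# Assumptions: $DeviceKey stands in for the TPM-bound key, $LocalGestureVerified stands in
# for the PIN/Windows Hello check, $IdpRegistry is a constructed in-memory IdP user store.

$User = 'alice@contoso.example'   # constructed sample account

# --- Enrollment: the device creates a key pair; only the PUBLIC half is registered at the IdP ---
$DeviceKey   = New-Object System.Security.Cryptography.RSACryptoServiceProvider(2048)
$IdpRegistry = @{}
$IdpRegistry[$User] = $DeviceKey.ExportParameters($false)   # $false = public parameters only

$Hash    = [System.Security.Cryptography.HashAlgorithmName]::SHA256
$Padding = [System.Security.Cryptography.RSASignaturePadding]::Pkcs1

# --- IdP side: a fresh random challenge per sign-in, so a captured signature cannot be replayed ---
function New-Challenge {
    $nonce = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($nonce)
    return ,$nonce   # leading comma keeps the byte[] intact instead of unrolling it
}

# --- Device side: first factor is possession of the key, second factor gates its use ---
function Invoke-DeviceSign {
    param([byte[]]$Challenge, [bool]$LocalGestureVerified)
    if (-not $LocalGestureVerified) {
        throw 'Second factor not satisfied: PIN/biometric gate failed, key stays locked'
    }
    return ,($DeviceKey.SignData($Challenge, $Hash, $Padding))
}

# --- IdP side: verify with the registered public key; no password or shared secret is stored ---
function Test-IdpVerify {
    param([string]$Account, [byte[]]$Challenge, [byte[]]$Signature)
    $verifier = New-Object System.Security.Cryptography.RSACryptoServiceProvider
    $verifier.ImportParameters($IdpRegistry[$Account])
    return $verifier.VerifyData($Challenge, $Signature, $Hash, $Padding)
}

# Case 1: enrolled device plus correct gesture -> accepted
$challenge = New-Challenge
$signature = Invoke-DeviceSign -Challenge $challenge -LocalGestureVerified $true
"Enrolled device + PIN/Hello -> accepted: $(Test-IdpVerify $User $challenge $signature)"   # True

# Case 2: device in hand but no gesture -> the key never signs
try   { Invoke-DeviceSign -Challenge $challenge -LocalGestureVerified $false | Out-Null }
catch { "Device without gesture -> rejected: $($_.Exception.Message)" }

# Case 3: data-centre breach -> the attacker gets only public keys, which cannot sign
$stolen = New-Object System.Security.Cryptography.RSACryptoServiceProvider
$stolen.ImportParameters($IdpRegistry[$User])
try   { $stolen.SignData((New-Challenge), $Hash, $Padding) | Out-Null }
catch { "Stolen IdP record cannot sign -> $($_.Exception.GetType().Name)" }

# Case 4: replaying an old signature against a new challenge -> rejected
"Replayed signature -> accepted: $(Test-IdpVerify $User (New-Challenge) $signature)"   # False
```

The point to take from the four cases is the one the section makes about Pass the Hash and Pass the Ticket: what the server stores is useless for impersonation on its own, and what the device holds cannot be used without both the device and the local gesture.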
So, Do Windows 10 ……………