RSA 2020 day 1: Windows 10X & secured core PCs; Hysolate updates; LastPass passwordless login

Microsoft secured core PCs and Windows 10X

I spoke with David Weston, partner director of enterprise and OS security at Microsoft, who discussed the latest around Microsoft's "secured core PCs" and Windows 10X.

In October, Microsoft announced what are known as secured core PCs from a number of OEM vendors, with the goal to provide users with hardened laptops that are protected even earlier in the boot stage from malicious attacks. One aspect they protect is firmware, which often isn’t as secure as it probably should be (e.g., it’s not often updated unless someone is aware there’s an update). So, with secured core PCs, firmware is separated within its own hardware container and has actually been deprivileged (firmware often has among the highest privilege on a device). 

Within the next year or so, expect further updates to the secured core line, including an ARM laptop and the addition of a new Intel feature that David called Control-flow Enforcement Technology (it doesn’t appear Intel has officially released it elsewhere yet). Next, they’re moving Windows Hello into the secure enclave, in order to reduce the chance an attacker could intercept biometrics data. 

We also spoke about Windows 10X, which I covered recently. David explained that Windows 10X was an opportunity to completely modernize Windows 10. There will be a second layer of encryption for files alongside the existing BitLocker feature, but he didn’t elaborate further. (Apparently, Microsoft will break down Windows 10X at Black Hat, so I’ll be checking that session out.) 

In the first announcement for 10X, Microsoft said that it would only run on Intel processors initially. While David wouldn’t comment on whether we’ll see Windows 10X on ARM, he did say that he likes ARM and it is a direction they’ll continue to invest in. After the 10X announcement, some speculated that Windows 10S (or Windows 10 in S Mode) was dead, but no, it’ll continue on as its own separate product. David noted that 10S is actually the most secure version of Windows available—but that aspect got lost in the marketing shuffle as more focus was put into it being a Chromebook competitor.

Newest Hysolate features

Rachel Berry and I each covered Hysolate and their secure VM product early last year, so I met up with Mark Gaffan, CEO, and Tal Zamir, founder and CTO, to see what the vendor has been up to.

On the business side, they remain focused on customers with privileged access use cases, but also found that some customers want to provide everyday knowledge workers with less restrictive devices, e.g., users can download the apps they need and use the internet how they want without then compromising company data, which remains in the secure VM. See Rachel’s article for a refresher on Hysolate.)

On the technical side, they’ve added quite a few things into the Hysolate product. For Microsoft Azure admins, Hysolate has developed a baked-in higher privileged VM to access Azure in a locked down manner, while a second VM allows for less restrictive use. For networking, they’ve added what they call “virtual Wi-Fi” and host-based VPN. Tal explained that for virtual Wi-Fi, when a laptop goes to connect to Wi-Fi, behind the scenes they verify the network to ensure it can be trusted. Until it’s considered a trusted connection, the higher privileged VM cannot access the internet (if the organization even allows internet access anyway). The host-based VPN is focused around requiring a VPN for the higher privileged VM if it needs to connect to the internet. For the host-based VPN, Hysolate can run VPN authentication in the hypervisor VM so that the user cannot tamper with the VPN and credentials aren’t exposed. 

When might we see Hysolate running on macOS? It’ll be a while yet, as Tal said it’s likely a year away as most of their customer base run exclusively on Windows.  

LastPass: an SMB-focused password manager with SSO

I looked at 1Password’s password management product in January, so I met with the other big-named consumer password manager, LastPass, to see what they offer businesses.

LastPass does password vaulting, but for their business offering they can also act as an identity provider and provide passwordless authentication. They offer single sign-on with about 1,200 apps, but customers can develop custom integrations to their own apps using modern federation protocols (SAML, etc.) and even use LastPass’s universal proxy to integrate with LDAP. They can connect with Okta and Azure AD, although they told me most of their customers are SMBs looking for their first IdP.

LastPass recently launched a passwordless login product that leverages the user’s mobile device as the main method of authentication. It currently just uses the mobile device’s biometrics, but I think that’s a good thing. The user inputs their username in the app and they get a push notification to authenticate via biometrics. Yaser Masoudnia, senior director of product management for IAM, told me that they can collect “hidden” features on a device for stronger authentication (i.e., a one-time password (OTP) using location and time of the device) if a company wishes without introducing added friction for the user. If neither the mobile device nor computer can access internet, there’s an offline mode, where the user opens the LastPass app, uses biometric authentication to verify against the app, which then provides an OTP for the user to input into the app they want to log in to.

Day one (for me) of RSA down, two more to go!