Windows 10 is scheduled for release at the end of 2015. It will be Microsoft's first operating system that works on all types of devices, including Windows PCs and mobile devices.
Running a single OS throughout an organization can introduce immediate security benefits by greatly simplifying device management while reducing the overall attack surface.
In other good news, Windows 10 will also introduce new features to strengthen authentication and data protection. This will appeal to enterprises looking to eliminate the use of passwords and protect corporate data in the era of BYOD.
Windows 10 multifactor authentication
One heavily touted feature in Windows 10 is its built-in multifactor authentication. The authentication scheme is based on the open standards from the FIDO Alliance and will remove the need for extra security hardware peripherals such as smartcards and tokens. Once enrolled, a device becomes one of the two factors required for authentication. This reduces the viability of phishing attacks, as an attacker would need not only the user's PIN or biometric information but also physical access to their device. It also protects users when password databases are breached -- another common route by which attackers gain unauthorized access.
With Windows 10, a device's credential can be either a key pair generated by Windows or a certificate provisioned to the device from an in-house PKI. Active Directory, Azure Active Directory and Microsoft Accounts will all support this new form of authentication. Once a user has been authenticated, his or her access token will be stored within a secure container running on top of Hyper-V technology. This safeguard prevents tokens from being extracted from devices through techniques such as pass-the-hash or pass-the-ticket, which enable an attacker to impersonate a user without actually obtaining their credentials.
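The device-bound credential described above, sketched as an added example (not Microsoft's code, and a generic FIDO-style challenge-response rather than the exact Windows 10 protocol): the server stores only the device's public key, the PIN unlocks the private key locally, and a fresh challenge must be signed by that key, so a stolen PIN without the device, the device without the PIN, or a leaked server key store each fail on its own. The Ed25519 key type, the demo PIN and the user name are my assumptions, not details from the article.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Server stores only public keys: a breach of this store yields no reusable credential.
type Server struct{ keys map[string]ed25519.PublicKey }

// Device holds the private key; the PIN (constructed demo value) unlocks it locally and never leaves the device.
type Device struct{ priv ed25519.PrivateKey; pin string }

// Enroll generates the device key pair and registers the public half for the user.
func Enroll(s *Server, user, pin string) (*Device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	s.keys[user] = pub
	return &Device{priv: priv, pin: pin}, nil
}

// Sign is the device's half of the exchange: a wrong PIN releases no key, so nothing is signed.
func (d *Device) Sign(pin string, challenge []byte) []byte {
	if pin != d.pin {
		return nil
	}
	return ed25519.Sign(d.priv, challenge)
}

// Authenticate is the server's half: a fresh nonce must be signed by the enrolled key.
// A wrong PIN (nil signature) or a different device (mismatch) both fail, so neither factor alone suffices.
func Authenticate(s *Server, d *Device, user, pin string) (bool, error) {
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		return false, err
	}
	pub, ok := s.keys[user]
	return ok && ed25519.Verify(pub, challenge, d.Sign(pin, challenge)), nil
}

func main() {
	srv := &Server{keys: map[string]ed25519.PublicKey{}}
	dev, _ := Enroll(srv, "alice", "1234")
	ok, _ := Authenticate(srv, dev, "alice", "1234")
	fmt.Println("authenticated:", ok) // authenticated: true
}
```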
Windows 10 data loss prevention
Increased protection of corporate data is another important feature of Windows 10. BitLocker has been providing full disk encryption since it first appeared in Windows Vista, but extending that protection once data leaves a device -- data loss prevention (DLP) -- has become vital with the increased use of mobile devices in the workplace. Azure Rights Management services and Information Rights Management in Microsoft Office already provide protection when data leaves a device, but they require the user to opt in to activate the protection. With Windows 10, organizations can not only define which apps have access to corporate data, but also prevent data from being copied or accessed without the correct security profile, regardless of whether it is in transit or located on another device. Windows will provide this protection by using containers and by separating corporate and personal data at the application and file level, automatically encrypting information as it arrives on the device. Because users never need to switch modes or use special apps to protect corporate data, this overcomes the big problem of user indifference to security.
Application access controls
Managing BYOD environments also means secure access to network resources is an important priority for many enterprises. Windows 10 enables administrators to specify which apps are and aren't allowed to access the organization's VPN. Access can also be restricted based on ports and IP addresses. Additionally, administrators can configure devices so only trustworthy apps can be installed on them: apps signed by the enterprise itself, apps from approved software vendors, or apps from the Windows Store. The aim is to make it easier to lock down mission-critical or sensitive devices to protect them against malware infections while giving more flexibility to other groups of users.
These three key new features can reduce the need for certain third-party products such as DLP and two-factor authentication, but enterprises will still have plenty of flexibility in the security controls they use. Windows 10 can hook into most mobile device management products and VPN infrastructures. Windows Server 10 will even include Windows Defender, although most enterprises will still want to run a dedicated antivirus and antimalware product at the network gateway and on critical devices.
By making security easier for administrators to implement and simpler for employees to use, Windows 10 should prove popular with enterprises and attract business adoption from those still running Windows 7.
Unified deployment and management and a universal app platform and security model will immediately free up time for system administrators and deliver better overall security. For any large enterprise, it makes sense to allow some IT staff to join the Windows Insider Program in order to have the opportunity to check out the new security features in Windows 10 and assess their suitability and usability prior to its public release. Enterprises should ensure analysts experiment with test devices, though, as Microsoft collects a lot of information from the devices running the preview version.
About the author:
Michael Cobb, CISSP-ISSAP, is a renowned security author with over 20 years of experience in the IT industry. He has a passion for making IT security best practices easier to understand and achievable. His website http://www.hairyitdog.com offers free security posters to raise employee awareness of the importance of safeguarding company and client data and of following good practices. He co-authored the book IIS Security and has written many technical articles for leading IT publications. Mike has also been a Microsoft Certified Database Manager and registered consultant with the CESG Listed Advisor Scheme (CLAS).