Problem solve Get help with specific problems with your technologies, process and projects.

Under the Surface: How Windows tablet security meets BYOD challenges

Expert Michael Cobb says the forthcoming Windows tablet security features on Microsoft's Surface could help meet enterprise BYOD challenges.

Following Microsoft's recent announcement of the Surface tablet, I could almost hear the collective sigh of relief from security teams struggling with BYOD challenges. Compared to other BYOD devices that are already on enterprise networks, the Surface tablet should be far easier for administrators to secure and maintain control over.

Out of the box, Surface is much more secure than its tablet competitors and a better option for enterprises concerned with BYOD challenges.

At long last, Surface brings IT administrators a device they understand, from its operating system to the pros and cons of its security setup. Surface will eventually come with a full slate of Windows 8 security features, meaning enterprises can leverage their existing knowledge of Windows-based security systems with the resources they already have in place to enforce data and acceptable usage policies. That could make life a lot easier for enterprise information security teams -- that is, if consumers are willing to use it.

In this tip, we'll take a brief look at the Surface tablet and why, from an information security perspective, it compares favorably against other tablet platforms.

Surface tablet features

Some may say Microsoft's entry in the increasingly competitive tablet market isn't as cool as an iPad, but the fashion-conscious business user is certainly going to be impressed with the Surface. It comes with a pressure-sensitive cover that doubles as a fully functioning keyboard and trackpad, a built-in kick stand, and USB and HDMI ports. The Surface will be available in two versions. The Surface model will run the Windows RT operating system. This is a version of Windows 8 designed for devices with an ARM CPU, which the Surface, like the iPad and many other smartphones and tablets, uses. The Surface Pro model will run the Windows 8 Pro operating system and use a traditional Intel CPU.

Having a single business OS for both tablets and PCs is an advantage not to be overlooked. To users, Windows RT will look and feel just like Windows 8, but administrators need to be aware of some key differences. Surface comes installed with Office for Windows RT, which makes it far easier for users to work with files than on other tablets; being able to make some last-minute changes to a PowerPoint presentation during a taxi ride is quite useful. Although Office for Windows RT includes the vast majority of Office functionality found in standard versions, some features are missing. A Microsoft blog post explains the differences; the lack of support for macros, tools that rely on ActiveX controls and the ability for PowerPoint to run older media formats are the only ones likely to cause any real problems.

Due for an October release, a Surface running the not-yet-released Windows RT operating system will only run apps adapted for Microsoft's tile-based user interface, now officially called Windows Store apps. The reason for this is the stringent requirements around security, battery life and performance. Users won't be able to install code from any other source, apart from their own company store, and apps have to be specifically compiled to run on Windows RT, so legacy apps will need to be updated.

The Surface Pro tablet, due in early 2013, will run the full version of Windows 8 Pro, which enterprise BYOD policy makers may find more attractive than the RT version. In Windows 8, Applocker can control which apps a user can run and which files those apps can access. Remote-wipe functionality, an important feature for any BYOD device, and a new touch-based security logon feature are also included.

Among the most important new features in the Enterprise version of Windows 8, Windows To Go allows administrators to create a full, managed corporate Windows 8 image, including a user's business apps, data and settings, on a USB device. End users can then plug that USB stick into their Surface tablets to run a corporate Windows 8 desktop. Administrative controls ensure users cannot ignore security warnings by, for instance, opening suspicious files. Pro and Enterprise versions of Windows 8 also offer full-disk and removable drive encryption provided by Bitlocker and Bitlocker To Go.

Surface tablet challenges

While all of these features add up to create an appealing option for enterprises, employees may well prefer the cheaper Surface running Windows RT as a BYOD option. The restrictions the RT OS and the ARM chip impose mean these devices should be treated like any other BOYD device in an acceptable usage policy, particularly as Group Policy and domain membership is not supported. Windows RT devices do include Virtual Desktop Access (VDA) rights, though, providing access to a full VDI image running in the datacenter.

But before the Surface and Surface Pro can help enterprises with the challenges of BYOD security, it must first win over consumers who have already grown attached to current BYOD options, which means contending with the iPad's superb battery life and the numerous third-party apps available in Apple's ecosystem. However, the iPad is first and foremost a device for consuming content, which is why its design seeks to minimize the need for keyboard, local storage and apps for creating content. Considering that it was designed for creating and consuming content, the Surface should possess a big advantage on this front. When also considering the huge army of .NET developers who will be able to create real business-related applications, the number of productivity apps available for the Surface should quickly rival, and even surpass, those available for iPads, making it an altogether more practical device for the workplace. Still, it remains to be seen whether the general public will embrace it like it has the iPad.


Combined with security features of Windows 8, the Surface Pro should be more than just a competitor for the iPad; it's a viable alternative to an ultrabook or laptop. With the BYOD trend showing no signs of slowing, enterprises will have to decide whether to support the Surface soon. Out of the box, Surface is much more secure than its tablet competitors and a better option for enterprises concerned with BYOD challenges. Given the generally poor state of mobile security at present, it certainly isn't going to pose more of a risk to security than other mobile devices already connecting to a network. I can see it becoming a firm favorite with enterprises that need to bring BYOD security under control.

From the Editors: Android BYOD best practices

About the author:
Michael Cobb, CISSP-ISSAP, is a renowned security author with more than 15 years of experience in the IT industry and another 16 years of experience in finance. He is the founder and managing director of Cobweb Applications Ltd., a consultancy that helps companies to secure their networks and websites, and also helps them achieve ISO 27001 certification. He co-authored the book
IIS Security and has written numerous technical articles for leading IT publications. Michael is also a Microsoft Certified Database Administrator and a Microsoft Certified Professional.

This was last published in October 2012

Dig Deeper on BYOD and mobile device security best practices