Windows 8.1: The New Security FeaturesWill Enhancements Lead to Widespread Adoption?
Microsoft is touting enterprise-friendly new security features built into its upcoming Windows 8.1 Enterprise operating system. But will these features be enticing enough to convince organizations that, so far, have been reluctant to upgrade from older versions of the OS?
See Also: Live Webinar | Breaking Down Security Challenges so Your Day Doesn’t Start at 3pm
The security elements bundled into the upcoming Windows 8.1 Enterprise, expected to be released later in August, address four key areas: authentication, hardware security, data protection and malware detection.
Within these additions, Microsoft beefed up its focus on encryption, improved biometrics capabilities, integrated remote wipe functionality as part of mobile device management, and expanded its trusted hardware efforts to help ensure attackers haven't compromised the system.
Focus on Security
This newest release reflects Microsoft's continued focus on improving security in its operating system - and overall user security - with every iteration of Windows, says Neil MacDonald, a fellow at the consultancy Gartner. Just as Vista was more secure than XP, and Windows 7 was more secure than Vista, Windows 8.1 will be the most secure operating system from Microsoft to date, he says.
But while the enhancements are important, they may not be enough to move users off XP before support officially ends next year, or to convince organizations to standardize all their users on Windows 8, some analysts say.
"Rarely is security alone sufficient justification to make an OS migration, especially considering Windows 7 is a solid platform without the learning curve associated with the touch-enabled UI [user interface] of Windows 8.x," MacDonald says.
The new security and other business-specific enhancements make Windows 8.1 more appealing to enterprises than Windows 8.0, released in August 2012, says Wes Miller, an analyst with Direction on Microsoft, a research firm focused on Microsoft strategy and products. However, many businesses using Windows 7 will most likely stick with what they have, at least in the short-run, because many of them would need to make significant server infrastructure investments before shifting to the newer operating system, he adds.
Features Address New Threats
The security features first introduced in Windows 8 and improved in the new Windows 8.1 Enterprise are important in light of the ever-changing threat landscape, says Dustin Ingalls, Microsoft's group program manager for Windows security and identity.
Recognizing the growth of weaponized rootkits and sophisticated malware that blocks security software, Microsoft added features such as SecureBoot to Windows 8 to ensure malware could not tamper with the OS or installed security software, Ingalls says. Windows Defender, the anti-malware tool that comes with Windows 8, will be enhanced in 8.1 with behavioral analysis capabilities to improve malware detection. And Internet Explorer 11 has new features designed to detect and block malicious websites.
Windows 8.1 also addresses growing concerns about data protection, bring-your-own-device, and authentication, Ingalls contends.
"The Windows 8.1 update offers a full spectrum of new and improved security vulnerabilities - from features that enable devices to be fully locked down by IT, to remote security options for BYOD devices, to safeguards for personal devices that need to access business resources from home," he explains.
Automated Encryption for Everyone
To help protect data, Windows 8.1 will automate encryption for all InstantGo-enabled devices. Considering that the vast majority of devices capable of running Windows 8 will support InstantGo, encryption will be "pervasive throughout the enterprise," Ingalls wrote in a recent Blog on Windows post.
Full encryption will also expand BitLocker's data protection capabilities, ensuring the physical drive won't be compromised when machines are lost or stolen, Ingalls says.
Unlike previous incarnations of Windows, 8 and 8.1 aren't specific to laptops and desktops; they are also available for mobile devices. This means full-blown BitLocker encryption will be available for SurfaceRT devices, Ingalls says. This will be useful for organizations with public-facing systems, such as ATMs, kiosks and other public terminals.
While encryption is always good security, it does make the job harder for some security professionals.
"As a security guy, I'm all for encryption, but it does make forensic work a bit more complex when it's enabled by default," says Paul Henry, a forensics analyst from Lumension, an endpoint management security company.
When law enforcement asks Apple to decrypt iOS devices while investigating a crime, the company frequently takes seven months to respond, Henry says. "Only time will tell," whether Microsoft will respond to decryption requests sent as part of a criminal investigation in a timely manner, he adds.
Focus on Trusted Hardware
Encryption is just one component of Microsoft's increased focus on trustworthy hardware. The company is pushing to have the trusted platform module chip turned on by default in all computers by 2015.
The TPM chip can be used to store passwords, digital certificates and encryption keys, making it more difficult for attackers or malware to intercept these credentials. While the chip has been included on computers shipped since 2006, it hasn't been enabled by default, so most users aren't even aware of it.
With Windows 8.1 and later versions, Microsoft is focusing more on the TPM to deliver better authentication as well as to ensure the integrity of the hardware, says Steven Sprague, CEO of Wave Systems, a trusted computing vendor.
Microsoft introduced SecureBoot in Windows 8. The security feature verifies that malware, such as rootkits, isn't being loaded before the operating system or security software. With TPM, Windows 8.1 can check the BIOS to ensure that SecureBoot hasn't been compromised and take advantage of more authentication options, Sprague says. For example, organizations can adopt "virtual smart cards" where the device essentially becomes the token, and offer device-level authentication for VPN connections, Sprague says. Windows 8.1 also includes wireless security enhancements, he notes.
"By activating and managing the TPM, you can isolate the user authentication and prevent users from passing on access control to others, whether intentionally or by accident," Sprague says.
Microsoft also introduced better biometrics support in 8.1 to go beyond just signing into the computer. Fingerprint swipes can be used whenever there is a prompt to authorize Windows, such as for user access control or for accessing network shares or even the App Store, Ingalls says. The company is also making an API available so that third-party vendors can come up with a multi-factor authentication scheme using biometrics to authorize personal devices to access corporate resources.
"Everyone wants to get off passwords, but usability is an issue," Ingalls acknowledges.
Step Into Mobile Device Management
Microsoft also built remote wipe into Windows 8.1. Remote Business Data Removal can differentiate between personal content and enterprise files; it wipes only the data that came from corporate resources, Ingalls explains. Remote wipe can be managed using third-party mobile device management platforms.
The remote, segmented wipe capability is significant, Henry says, noting the number of pending lawsuits brought by employees against their employers for mistakenly deleting personal data from their devices. "This capability could do a lot to save money and employee heartache," he says.
Timing of Migration?
Windows 7 customers will migrate to 8.1 and beyond once there is a reason for making the switch, such as deploying tablets or other touch-enabled devices, says Direction on Microsoft's Miller. Businesses still running XP have made the decision to forego the security benefits of a newer operating system because XP still is sufficient for their organization, or they lack the financial resources to upgrade. The migration will happen once XP is no longer enough, or the organization needs the new features.
"Where we do see businesses migrating off, at the present time most still seem focused on 7," Miller says.