October 22, 2014 8:00 am

Windows 10: Security and Identity Protection for the Modern World

There’s been so much excitement and energy around the Windows 10 Technical Preview, including incredible momentum around the Windows Insider Program, where we recently hit 1 million total registrants and over 200,000 pieces of user-initiated feedback. Thank you for signing up for the program and providing us with your feedback! We want Windows 10 to be a reflection of what you need for your business, and I couldn’t be more thrilled to see that happening. In my last blog post, I mentioned that I’d follow up in a few key areas. Today, I’d like to focus on security in Windows 10, which has been central to many of the customer conversations I’ve had since we announced the availability of the Technical Preview. With good reason, security and information protection are top of mind for many businesses.

In today’s world, the market for cyber-attacks on businesses is wide-reaching, and attacks are increasingly high-profile and successful in execution. We’re seeing network breaches resulting from techniques as simple as username and password theft. In a couple of recent cases, hackers infiltrated Fortune 500 companies using stolen usernames and passwords, which gave them access to point-of-sale systems and the credit card data being processed on them. The attacks resulted in the theft of millions of credit card numbers, which quickly ended up on the black market. Recently, the New York Times reported that 1.2 billion usernames and passwords were stolen by a single cybercrime organization, which is scary considering there are only about 1.8 billion people online worldwide. These tenacious crime organizations and some nation states aren’t the only threat that you’re facing. Even well-intended employees represent a substantial risk that requires mitigation. A report this year from security firm Stroz Friedberg stated that 87 percent of senior managers admit to regularly uploading work files to a personal email or cloud account, while 58 percent of users admit to having accidentally sent sensitive information to the wrong person.

With Windows 10 we’re actively addressing modern security threats with advancements to strengthen identity protection and access control, information protection, and threat resistance. With this release we will have nearly everything in place to move the world away from the use of single-factor authentication options, like passwords. We are delivering robust data loss prevention right into the platform itself, and when it comes to online threats, such as malware, we’ll have a range of options to help enterprises protect against common causes of malware infection on PCs.

Identity Protection and Access Control

To start, I want to talk about a solution that provides a very modern approach to identity and user credentials, something that represents the next generation of identity protection. I touched on it a little in my blog post on September 30th. With this solution, Windows 10 protects user credentials when breaches occur in the data center. It protects users from theft when devices are compromised, and it renders phishing attacks for identities almost completely ineffective. It’s a solution that offers benefits for both businesses and consumers, and one that provides all of the convenience of a password along with security that is truly enterprise-grade. It represents the destination in our journey to eliminate the use of single-factor identity options like passwords. We believe this solution brings identity protection to a new level, as it takes multi-factor security, which today is limited to solutions such as smartcards, and builds it right into the operating system and the device itself, eliminating the need for additional hardware security peripherals.

Once enrolled, devices themselves become one of two factors that are required for authentication. The second factor will be a PIN or biometric, such as a fingerprint. From a security standpoint, this means that an attacker would need to have a user’s physical device, in addition to the means to use the user’s credential, which would require access to the user’s PIN or biometric information. Users will be able to enroll each of their devices with these new credentials, or they can enroll a single device, such as a mobile phone, which will effectively become their mobile credential. It will enable them to sign in to all of their PCs, networks, and web services as long as their mobile phone is nearby. In this case, the phone, using Bluetooth or Wi-Fi communication, will behave like a remote smartcard and will offer two-factor authentication for both local sign-in and remote access.

If we drill a bit deeper into this component of Windows 10 and look under the hood, IT and security teams will find that things look quite familiar. The credential itself can be one of two things. It can be a cryptographically generated key pair (private and public keys) generated by Windows itself, or it can be a certificate provisioned to the device from an existing PKI infrastructure. Providing both options makes Windows 10 great for organizations with existing PKI investments and makes it viable for web and consumer scenarios where PKI-backed identity isn’t practical. Active Directory, Azure Active Directory, and Microsoft Accounts will support our new user credentials solution right out of the box, so enterprises and consumers using Microsoft online services will quickly be able to move away from passwords. This technology is intentionally being designed so that it can be adopted broadly across other platforms, the web, and other infrastructures.
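As an added illustration (not Microsoft’s code, and not the Windows implementation), here is the shape of the sign-in exchange described above: the device generates its own key pair, the identity provider stores only the public half, the PIN gates use of the private key locally, and every sign-in signs a fresh nonce from the provider. The type names, the choice of ECDSA P-256, and the PIN-as-hash check are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
)

type Device struct { // the private key stays here; the PIN (or a biometric) only unlocks it locally
	priv    *ecdsa.PrivateKey
	pinHash [32]byte
}
type Provider map[string]*ecdsa.PublicKey // AD / Azure AD / Microsoft account side: public keys only

// Enroll: the device generates its own key pair and registers just the public half.
func Enroll(p Provider, user, pin string) (*Device, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	p[user] = &priv.PublicKey
	return &Device{priv: priv, pinHash: sha256.Sum256([]byte(pin))}, nil
}

// Challenge issues a fresh random nonce per sign-in, so a captured signature cannot be replayed.
func (p Provider) Challenge() ([]byte, error) {
	nonce := make([]byte, 32)
	_, err := rand.Read(nonce)
	return nonce, err
}

// Sign is the second factor: the PIN must match before the device-bound key is used.
func (d *Device) Sign(pin string, nonce []byte) ([]byte, error) {
	h := sha256.Sum256([]byte(pin))
	if subtle.ConstantTimeCompare(h[:], d.pinHash[:]) != 1 {
		return nil, errors.New("wrong PIN: key stays locked")
	}
	digest := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, d.priv, digest[:])
}

// Verify checks the signed nonce with the registered public key; no password is ever compared.
func (p Provider) Verify(user string, nonce, sig []byte) bool {
	pub, ok := p[user]
	digest := sha256.Sum256(nonce)
	return ok && ecdsa.VerifyASN1(pub, digest[:], sig)
}
```

A dump of the provider’s table yields public keys only, and a signature captured in transit fails against the next nonce, which is what makes the credential resistant to both data-center breaches and replay.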

Protecting user identities is just one part of our identity protection approach. The next part is to protect the user access tokens that are generated once your users have been authenticated. Today, these access tokens are increasingly under attack using techniques such as Pass the Hash, Pass the Ticket, etc. Once an attacker has these tokens, they can access resources by effectively impersonating the user’s identity without needing the user’s actual credentials. The technique is frequently coupled with advanced persistent threats (APTs), and thus it’s a technique that we eagerly want to eliminate from the attacker’s playbook. With Windows 10 we aim to eliminate this type of attack with an architectural solution that stores user access tokens within a secure container running on top of Hyper-V technology. This solution prevents the tokens from being extracted from devices even in cases where the Windows kernel itself has been compromised.

Information Protection

With Windows 10 we are making some great progress on the identity front, and I think you’ll find that we are equally focused on information protection. Let us first look at some data that will help explain where we are making our investments. BitLocker has become an industry-leading technology that protects data while it resides on a device; however, once it leaves, it’s no longer protected. To protect data when it leaves the device, we provide Azure Rights Management services and Information Rights Management (IRM) in Microsoft Office, which typically require the user to opt in to activate the protection. This leaves companies with a bit of a gap: if your users aren’t proactive, it’s relatively easy for them to accidentally leak corporate data. In Windows 10, we address this problem with a data loss prevention (DLP) solution that separates corporate and personal data and helps protect it using containment. We are building this capability into the platform itself and integrating it within the existing user experience to enable protection without the disruption frequently seen in other solutions. There will be no need for your users to switch modes or apps in order to protect corporate data, which means that users can help keep data safe without changing their behavior. Protection of corporate data in Windows 10 enables automatic encryption of corporate apps, data, email, website content and other sensitive information as it arrives on the device from corporate network locations. And when users create new original content, this data protection solution helps users define which documents are corporate versus personal. If desired, companies can even designate all new content created on the device as corporate by policy. Additional policies can also enable organizations to prevent data from being copied from corporate content to non-corporate documents or to external locations on the web, such as social networks.

Windows 10 provides an advanced data protection solution for the desktop, but what about mobile? This solution will provide the same experience on Windows Phone as we see on the Windows desktop, and we’ll provide interoperability such that protected documents can be accessed across multiple platforms. Lastly, on data protection in Windows 10, organizations can define which apps have access to corporate data via policy. We took this capability a little further and extended these policies to address VPN requirements that many of you have shared with us.

Just like you, when I’m on the road or working from home, I need to connect to critical data and apps in order to stay productive. When supporting remote users, IT professionals look for ways to limit the risks associated with VPN connectivity, particularly with BYOD devices. Windows 10 helps by giving a spectrum of VPN control options, from constant connectivity to specifying which particular apps may have access via VPN. App-allow and app-deny lists will enable IT professionals to define which apps are authorized to access the VPN, and they can be managed through MDM solutions for both desktop and universal apps. For administrators requiring more granular control, access can be further restricted by specific ports or IP addresses. These enhancements allow enterprise IT professionals to balance the need for access with the need for security and control.
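To make the policy model concrete, here is an added example (not Microsoft’s code and not the MDM policy schema) of how an app-allow list, an app-deny list, and per-app port and IP restrictions combine into a single per-flow decision: the deny list always wins, an allowed app is further limited to its permitted destination ranges and ports, and anything unlisted is denied. The rule shape, the app names, and the address ranges are constructed for the example.

```go
package main

import (
	"net"
	"strings"
)

// Rule is one app-allow entry (assumed shape, not Microsoft's MDM schema); empty Nets or Ports means no restriction.
type Rule struct {
	App   string   // executable or package name
	Nets  []string // permitted destination CIDR ranges
	Ports []int    // permitted destination ports
}
type VPNPolicy struct{ Allow []Rule; Deny []string } // deny list wins, then allow rules, else deny

func (r Rule) matches(ip net.IP, port int) bool {
	netOK, portOK := len(r.Nets) == 0, len(r.Ports) == 0
	for _, c := range r.Nets {
		_, n, err := net.ParseCIDR(c)
		netOK = netOK || (err == nil && n.Contains(ip))
	}
	for _, p := range r.Ports {
		portOK = portOK || p == port
	}
	return netOK && portOK
}

func (p VPNPolicy) Permit(app, dst string, port int) bool { // may app send a flow to dst:port via the VPN?
	ip := net.ParseIP(dst)
	if ip == nil {
		return false // unparsable destination: fail closed
	}
	for _, d := range p.Deny {
		if strings.EqualFold(d, app) {
			return false // app-deny list overrides any allow rule
		}
	}
	for _, r := range p.Allow {
		if strings.EqualFold(r.App, app) && r.matches(ip, port) {
			return true
		}
	}
	return false // not on the allow list: no tunnel access
}

var SamplePolicy = VPNPolicy{ // constructed example, not a real deployment
	Allow: []Rule{
		{App: "outlook.exe", Nets: []string{"10.0.0.0/8"}, Ports: []int{443}},
		{App: "Contoso.LOBApp", Nets: []string{"10.20.0.0/16"}},
	},
	Deny: []string{"bittorrent.exe"},
}
```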

Threat Resistance

Windows 10 also provides organizations with the ability to lock down devices, enabling additional threat and malware resistance. Because malware is often inadvertently installed onto devices by users, Windows 10 addresses this threat by only allowing trusted apps, meaning apps that are signed using a Microsoft-provided signing service, to run on specially configured devices. Access to the signing service will be controlled using a vetting process similar to how we control ISV publishing access to the Windows Store, and the devices themselves will be locked down by the OEM. The lockdown process OEMs will use is similar to what we do with Windows Phone devices. Organizations will have the flexibility to choose which apps are trustworthy: just apps that are signed by themselves, specially signed apps from ISVs, apps from the Windows Store, or all of the above. Unlike Windows Phone, these apps can also include desktop (Win32) apps, meaning that anything that can run on the Windows desktop can also run on these devices. Ultimately, this lockdown capability in Windows 10 provides businesses with an effective tool in the fight against modern threats, and with it comes the flexibility to make it work within most environments.

There’s so much more that I’m excited to talk about on the security front, and I’m looking forward to posting more about different security features and enhancements as they enter the product builds. Continue to tune in for more from me on ways that we’re working to make Windows 10 great for business. And in the meantime, if you haven’t already, check out the Windows 10 Technical Preview and let us know what you think.

Updated November 8, 2014 1:10 am