With users collaborating on a wide range of tasks via audio and video services, social media tools and other methods, it’s essential to ensure that sensitive data remains protected from rising security threats, such as ransomware and phishing attacks. For a growing number of organizations, Windows 10 provides an effective solution to collaboration security concerns.
“There’s no question Microsoft has added important native security controls to Windows 10 that are centered around authenticating the user with multiple factors of authentication, and that also manage the integrity of a Windows 10 device,” says Doug Cahill, senior analyst for cybersecurity with the Enterprise Strategy Group, an IT industry research and advisory authority.
To meet the challenge of maintaining a safe and reliable collaborative environment, Windows 10 addresses security in five crucial ways:
1. Virtualization-Based Security Isolates and Secures Data
Windows 10’s underlying security architecture, virtualization-based security, uses software- and hardware-enforced mechanisms to create an isolated, hypervisor-protected subsystem in which sensitive data and security-critical components are stored, secured, transferred and run, separated from the rest of the operating system.
“In essence, a virtualized container isolates activities from the rest of the system,” says Charles King, principal analyst at Pund-IT, an independent IT industry consultancy firm.
The approach limits attackers’ ability to gain a foothold on a system by luring a PC into downloading malware from a malicious site. “When users engage Windows Defender Application Guard for a browsing session, their online activities are encapsulated within that secure container, which disappears when the session is ended,” King says.
2. Windows Hello for Business Enhances Authentication
In Windows 10, Hello for Business replaces passwords, which can be stolen and reused, with strong two-factor authentication on both PCs and mobile devices. The authentication consists of a user credential that is tied to the device and uses a biometric or personal identification number (PIN). Windows Hello for Business lets users authenticate to an Active Directory or Azure AD account.
“Hello for Business is built on the Windows Hello framework and leverages the Trusted Platform Module [TPM] management model,” says Dux Raymond Sy, public sector CTO at AvePoint, a Microsoft Cloud migration solutions provider. “It relies on biometric authentication, which is certainly far more secure than just a PIN method.”
Michael Cherry, a Windows senior analyst at research firm Directions on Microsoft, adds that Hello for Business provides convenience and flexibility for busy users. “For example, on one of my Surface laptops, I log in all the time using a fingerprint,” he says. For his other Surface laptop, Cherry relies on facial recognition. “I basically sit down in front of the computer, it recognizes me, and it logs me in,” he says.
3. Microsoft Passport Gives Users Encryption Options
An advanced single sign-on solution that utilizes public key cryptography, Microsoft Passport takes PIN or biometric information from Windows Hello and uses it to generate a set of public-private keys through TPM.
The private key remains secured by the TPM; it cannot be accessed directly, but can be used for authentication through the Microsoft Passport application programming interface (API). The public key is held by the user and can be used for authentication requests to validate a user (such as logging into a new application) or to verify the origin of a message.
“The choice of using biometric features or a PIN is left up to the user, but the device must be enrolled, since the primary login function is tied to Microsoft accounts, like Outlook or OneDrive,” King says.
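The key-based login described in this section can be followed end to end in code. The Go program below is an added example, not code from the article or from Microsoft: a TPMKeySlot type stands in for the TPM (it only ever exposes a Sign operation gated by a PIN, never the private key itself), and an IdentityProvider type stands in for the directory service, which stores only public keys and authenticates a user by having the device sign a fresh random challenge. The names, the Ed25519 key type and the PIN gating are assumptions made for the example; a real TPM adds anti-hammering and keeps the key in hardware.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// TPMKeySlot models the device-bound credential (assumption: a simplified
// stand-in for a real TPM, which additionally enforces anti-hammering and
// never lets the private key leave the chip). Only Sign is exposed; there is
// no method that returns the private key.
type TPMKeySlot struct {
	priv    ed25519.PrivateKey
	pinHash [sha256.Size]byte // gates use of the key: the PIN or biometric "gesture"
}

// Sign releases one signature over the challenge if the user gesture matches.
func (t *TPMKeySlot) Sign(pin string, challenge []byte) ([]byte, error) {
	h := sha256.Sum256([]byte(pin))
	if subtle.ConstantTimeCompare(h[:], t.pinHash[:]) != 1 {
		return nil, errors.New("user gesture rejected; private key not released")
	}
	return ed25519.Sign(t.priv, challenge), nil
}

// Enroll generates the key pair "inside" the TPM model. Only the public key
// leaves the device, to be registered with the identity provider.
func Enroll(pin string) (*TPMKeySlot, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &TPMKeySlot{priv: priv, pinHash: sha256.Sum256([]byte(pin))}, pub, nil
}

// IdentityProvider is the verifying side (Active Directory or Azure AD in the
// article). It stores only public keys, so a breach of it yields nothing that
// can be replayed the way a stolen password can.
type IdentityProvider struct {
	registered map[string]ed25519.PublicKey
	pending    map[string][]byte // one outstanding nonce per user
}

func NewIdentityProvider() *IdentityProvider {
	return &IdentityProvider{
		registered: make(map[string]ed25519.PublicKey),
		pending:    make(map[string][]byte),
	}
}

func (idp *IdentityProvider) Register(user string, pub ed25519.PublicKey) {
	idp.registered[user] = pub
}

// Challenge issues a fresh random nonce; signing it proves possession of the
// private key without ever transmitting a reusable secret.
func (idp *IdentityProvider) Challenge(user string) ([]byte, error) {
	if _, ok := idp.registered[user]; !ok {
		return nil, errors.New("unknown user")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	idp.pending[user] = nonce
	return nonce, nil
}

// Verify checks the signature against the registered public key and consumes
// the nonce, so a captured response cannot be replayed.
func (idp *IdentityProvider) Verify(user string, sig []byte) bool {
	nonce, ok := idp.pending[user]
	delete(idp.pending, user) // single use, whether or not the check passes
	if !ok {
		return false
	}
	return ed25519.Verify(idp.registered[user], nonce, sig)
}

func main() {
	slot, pub, err := Enroll("1234") // constructed PIN for the demo
	if err != nil {
		panic(err)
	}
	idp := NewIdentityProvider()
	idp.Register("alice", pub)

	nonce, _ := idp.Challenge("alice")
	sig, _ := slot.Sign("1234", nonce)
	fmt.Println("login with correct PIN:", idp.Verify("alice", sig))
	fmt.Println("replay of the same response:", idp.Verify("alice", sig))
}
```

Two properties worth noticing: a wrong PIN never produces a signature, so a stolen device without the user gesture cannot complete the login, and each challenge is consumed on first use, so an intercepted response is worthless afterwards.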
4. Windows Defender Device Guard Blocks Unauthorized Apps
Windows Defender Device Guard is a combination of enterprise-related hardware and software security features that, when configured together, will lock down a user environment against unauthorized applications or code so that it can run only trusted applications defined by the organization in its security policies. If an app isn’t trusted, it can’t run. “For a highly secured work environment, this is a very nice feature,” Sy says.
“Traditionally in security, the model has been, we let everything in, and then we run around and try to find what’s bad,” Cahill says. “It’s like having a party that’s invitation-based: and once everybody is there, you figure out who you don’t want at the party and you kick them out.”
Device Guard, on the other hand, knows exactly who is allowed to enter the device. “It’s invitation-only, and only authorized applications are allowed to run,” Cahill says.
Device Guard uses the same hypervisor technology that runs virtual machines in Microsoft Hyper-V to isolate core Windows services into a virtualization-based, protected container. “The benefits are similar to Application Guard, but Device Guard is designed to protect the PC’s core system from attack,” King says. “It should be noted that Device Guard is fairly complex technically and would probably need to be configured with the help of system administrators.”
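The “invitation-only” model Cahill describes is a default-deny code-integrity policy. The Go program below is an added example, not Device Guard’s own implementation: it models a policy with the two rule kinds the section implies, explicit file hashes and trusted publishers, and evaluates whether a given executable may run. The Policy, Executable and NewPublisher names, the use of Ed25519 signatures over a SHA-256 file digest, and the sample file contents are all assumptions made for the example; real Device Guard policies use certificate chains and are enforced in the kernel rather than by a loader function like this one.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Policy is a simplified stand-in for a code-integrity policy (assumption: the
// real thing is XML converted to a binary policy and enforced in the kernel).
// Anything not matched by a rule is denied.
type Policy struct {
	AllowedHashes     map[string]bool              // hex SHA-256 of file contents
	AllowedPublishers map[string]ed25519.PublicKey // publisher name -> signing key
}

// Executable is what the loader sees: file bytes, a claimed (unverified)
// publisher, and an optional signature over the file digest.
type Executable struct {
	Name      string
	Contents  []byte
	Publisher string
	Signature []byte
}

func fileDigest(contents []byte) []byte {
	d := sha256.Sum256(contents)
	return d[:]
}

// HashRule returns the policy key for an explicit hash allow rule.
func HashRule(contents []byte) string {
	return hex.EncodeToString(fileDigest(contents))
}

// NewPublisher creates a signing identity (constructed for the example).
func NewPublisher() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// NewPolicy builds a policy trusting one publisher plus any explicit hashes.
func NewPolicy(publisher string, pub ed25519.PublicKey, hashes ...string) Policy {
	p := Policy{
		AllowedHashes:     make(map[string]bool),
		AllowedPublishers: map[string]ed25519.PublicKey{publisher: pub},
	}
	for _, h := range hashes {
		p.AllowedHashes[h] = true
	}
	return p
}

// SignExecutable is what a trusted publisher does at build time.
func SignExecutable(priv ed25519.PrivateKey, contents []byte) []byte {
	return ed25519.Sign(priv, fileDigest(contents))
}

// Allow reports whether the file may run and which rule decided it.
func (p Policy) Allow(exe Executable) (bool, string) {
	digest := fileDigest(exe.Contents)
	if p.AllowedHashes[hex.EncodeToString(digest)] {
		return true, "hash rule"
	}
	pub, known := p.AllowedPublishers[exe.Publisher]
	if !known {
		return false, "no rule for publisher " + exe.Publisher
	}
	// The claimed publisher is only trusted if the signature verifies with the
	// key the policy holds for that name; a wrong key or altered bytes fail here.
	if !ed25519.Verify(pub, digest, exe.Signature) {
		return false, "signature from " + exe.Publisher + " does not verify (unsigned or tampered)"
	}
	return true, "publisher rule: " + exe.Publisher
}

func main() {
	pub, priv, err := NewPublisher()
	if err != nil {
		panic(err)
	}
	app := []byte("contoso-app.exe (constructed bytes)")
	policy := NewPolicy("Contoso", pub)

	signed := Executable{Name: "contoso-app.exe", Contents: app, Publisher: "Contoso", Signature: SignExecutable(priv, app)}
	ok, why := policy.Allow(signed)
	fmt.Println(signed.Name, ok, why)

	unknown := Executable{Name: "dropper.exe", Contents: []byte("not in policy"), Publisher: "Unknown"}
	ok, why = policy.Allow(unknown)
	fmt.Println(unknown.Name, ok, why)
}
```

The point King makes about complexity shows up even in this toy: every legitimate tool must either be signed by a listed publisher or have its hash added to the policy before it will run, which is why deploying such a policy is an administrator’s job rather than a user setting.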
5. Universal Windows Platform Streamlines App Security
Windows 10 delivers the Universal Windows Platform, a common app platform for every device that runs the operating system. By providing a guaranteed core API across devices, UWP allows the development of a single app package that can be installed on a wide range of devices.
“The Universal Windows Platform is designed to enable apps developed for Windows 10 to run on other Microsoft platforms without being rewritten for each,” King says. “UWP also enables Windows 10 authentication processes to be used on all devices.”
Most Secure Windows Platform Ever
Windows 10 is the most secure operating system Microsoft has ever released, King says. “It approaches security processes systemically and utilizes common processes and features across devices, from the data center to endpoints,” he explains. “These and other features make Windows 10 particularly valuable in collaborative environments.”