October 24, 2012

Guest blog: Windows 8 – Making hardware-based security a reality for the enterprise

Joseph Souren, VP and GM EMEA for Wave Systems writes for CBR on why the launch of Windows 8 means that hardware roots of trust will be a more relevant and cost effective option for securing enterprise data.

By Cbr Rolling Blog

Windows 8

One of the major milestones in Windows 8 is Microsoft’s decision to ship all devices with a Trusted Platform Module (TPM) and optional Self Encrypting Drives (SED). Microsoft’s decision to focus on embedded hardware security comes in response to a rapidly changing cyber landscape, which is marked by the threat of sophisticated boot sector viruses, compliance with data protection laws, an increasingly mobile workforce and porous network perimeters.

The TPM provides a secure anchoring mechanism that supports three-factor authentication, providing a single point of access to enterprise VPNs, single sign-on and single sign-off. The TPM stores the measurements of the critical start-up components of the machine, and the most important of these are recorded early in the boot process, before antivirus has even started.

At the RSA Conference in San Francisco in February Scott Charney, corporate vice-president of Trustworthy Computing at Microsoft, stated that one of the most significant game changers of Windows 8 was to allow remote attestation – meaning that trusted third parties are able to support and manage the TPM. This measure ensures more advanced malware detection, modern authentication for network access and encryption.

The active use of TPMs allows boot-level security features to be implemented. TPMs also enable the enterprise to check the platform's integrity, which can be affected by malware in the pre-boot state or BIOS, ensuring the device has not been altered by malicious code. It does this through hardware-protected measurements bound to the platform. Software security fails to do this, as demonstrated by the success of recent threats.

The recent wave of the TDL4 malware variant showed the continued inadequacy of antivirus in detecting Advanced Persistent Threats (APTs). In September, a click-fraud campaign that directed Facebook and YouTube users to malicious URLs spread far and wide, infecting 250,000 users. Hackers used the rootkit to develop new variants of the threat that go undetected by anti-virus. The latest version, known as Sst.c, infects the Volume Boot Record. Without embedded hardware security to detect anomalies of behaviour in the boot process, it starts to cause havoc, damaging the network and reducing the window of detection in which the enterprise can contain the threat.
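To make the mechanism behind the two preceding paragraphs concrete, the following added example (not code from the article or from Wave Systems) simulates measured boot in Python: each boot component is hashed and extended into a PCR in the TPM style, and a remote verifier replays the event log and compares it to known-good values. The component images, names and the known-good list are constructed; the signing of the PCR values by the TPM's attestation key, which is what binds the report to a particular platform, is omitted for brevity.

```python
import hashlib

# Constructed sample boot components (stand-ins for the firmware, boot
# loader and Volume Boot Record bytes that firmware would really measure).
CLEAN_COMPONENTS = [
    ("firmware", b"UEFI firmware image v1.0 (constructed)"),
    ("bootloader", b"Windows Boot Manager (constructed)"),
    ("volume_boot_record", b"NTFS VBR clean (constructed)"),
]

def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM extend operation: PCR_new = SHA-256(PCR_old || digest).
    A PCR can only be extended, never written directly, so the final
    value depends on every measurement and the order they were made."""
    return hashlib.sha256(pcr + digest).digest()

def measure_boot_chain(components):
    """Simulate measured boot: hash each component and extend it into one
    PCR in boot order. The event log records what was extended."""
    pcr = bytes(32)  # PCRs start at all zeros at platform reset
    event_log = []
    for name, image in components:
        digest = hashlib.sha256(image).digest()
        pcr = pcr_extend(pcr, digest)
        event_log.append((name, digest.hex()))
    return pcr, event_log

def verify_attestation(reported_pcr, event_log, known_good):
    """Remote verifier side: replay the event log and check that it
    reproduces the reported PCR, then compare each measurement with the
    known-good list. Returns (ok, names_of_unexpected_components)."""
    replayed = bytes(32)
    for _, digest_hex in event_log:
        replayed = pcr_extend(replayed, bytes.fromhex(digest_hex))
    if replayed != reported_pcr:
        return False, ["<event log inconsistent with PCR>"]
    unexpected = [n for n, d in event_log if known_good.get(n) != d]
    return not unexpected, unexpected

def known_good_from_clean_boot():
    """Known-good measurements, taken here from a clean boot (constructed)."""
    _, log = measure_boot_chain(CLEAN_COMPONENTS)
    return dict(log)

def attest_tampered_vbr():
    """Same machine, but the Volume Boot Record has been overwritten
    (constructed stand-in for a VBR infection)."""
    tampered = CLEAN_COMPONENTS[:-1] + [
        ("volume_boot_record", b"NTFS VBR with foreign stub (constructed)")]
    pcr, log = measure_boot_chain(tampered)
    return verify_attestation(pcr, log, known_good_from_clean_boot())
```

The tampered VBR changes its digest and therefore the final PCR, so the verifier flags exactly that component before any antivirus inside the operating system has run.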

Windows 8’s inclusion of the TPM means that hardware-based security becomes even more pervasive across broader platform types and a very real (and cost-effective) option for securing business continuity and data. It also represents a powerful endorsement of open industry standards for hardware-embedded security. According to the Trusted Computing Group (TCG), which published the Trusted Platform Module (TPM) specification, the technology offers a lower-cost and more effective alternative to software-based information security systems.


In addition to the TPM, the optional SEDs in Windows 8 provide enterprises with embedded hardware encryption. Gartner has stated that by 2015, all disk drives will ship pre-loaded with industry-standard SEDs. With an SED the encryption can never be turned off, so an enterprise can always prove that the device was encrypted, which is vital to meet upcoming EU regulatory standards for data protection. SEDs require no modification to the device’s operating system; they are ready to go, while the wider standards governed by the Trusted Computing Group (TCG) are built in and interoperable.

Windows 8 will modernise access control and data management, while simultaneously improving data security within the enterprise. The launch of the new OS also brings fresh capability for the management of virtual smart cards and DirectAccess, allowing enterprise users to establish their identity using the machine as a token for network logon, removing the need for tens of passwords, which fail to stand up to the current threats we face. It also simplifies the user experience and provides higher assurance, reducing help desk costs.

Crucially, too, enterprises are able to take advantage of the new hardware-based technology features of Windows 8 right now, without migrating immediately. With most businesses only just making the migration to Windows 7 (which also supports the TPM in the OS), they can still take advantage of these security aspects using a management console. Enterprises can implement today and be ready for Windows 8 whenever it fits their plans, so that when they eventually migrate to Windows 8, the management of their security is already in place to protect all devices in the organisation.

The hardware-based security that Windows 8 advocates is also more cost effective than vulnerable software-based security. An Aberdeen Group report in June 2012 found that companies employing a hardware-based root of trust show a cost advantage of more than $80 per endpoint per year. In Aberdeen’s study, this equates to a saving of $670,000 in costs avoided per every 10,000 endpoints when attacked. Businesses that employed a hardware root of trust also spent $21 less per year in total cost, an annual average advantage of $150,000 for every 10,000 endpoints.

The threats that go undetected in the pre-boot stage will only increase as hackers become increasingly savvy about the weaknesses of antivirus, but with Microsoft living up to its open standards heritage with Windows 8, enterprises have a very effective way to keep their information secure.

Joseph Souren, VP and GM EMEA for Wave Systems
