Whether remote, in the field or in the office, workers are no longer physically connected to your network or data center. Instead, today’s employees work in a digital workspace that features:
- Company-issued and often virtualized laptops, desktops and workstations.
- Personal devices in bring-your-own-device (BYOD) programs.
- Mobile devices, such as smartphones and tablets.
- A fragmented app ecosystem of desktop, remote, mobile, SaaS and Universal apps.
As this digital workspace moves with users, so do your company’s data and apps.
In the mobile-cloud world, traditional network security, perimeter protection and firewalls are no longer viable defenses against every threat: once users, devices and data live outside the perimeter, those controls never see the traffic. Meanwhile, new and unpredictable forms of malicious software keep evolving alongside new work technology.
The list of passwords employees need to remember is growing, too. As a result, users reuse passwords across services, forget or misplace them, and leave work passwords on sticky notes. Even strong passwords are vulnerable and can be stolen in many ways: pass-the-hash attacks, keystroke logging, malware, brute-force guessing and so on.
Fortunately, Windows 10 security features are purpose-built for these modern challenges. In this multi-part blog, we’ll take a deeper look at three key areas where Windows 10 and VMware AirWatch advance security: identity and conditional access, device posture and data loss prevention.
Part 1. Identity and Conditional Access
Over the years, password requirements have evolved from a simple string of characters to complex rules on length, case, numbers and special characters, all in the hope of "strengthening" identity and authentication. This approach has a fundamental problem, however: the password is the only authentication factor. Whoever knows the password is authorized to use the apps, data and services behind it, and a password is easy to steal.
Enterprises have tried many approaches to address this. Adding a second factor was the obvious first step, so IT deployed smart cards and hardware security modules holding private keys, hardware- or software-based one-time-password tokens, remote access servers (RAS), fingerprint readers and other mechanisms to authorize a user's access to corporate apps and data.
However, every additional layer adds friction for the end user, which gives users more reason to bypass the controls IT requires. It also adds cost and complexity: standardizing (hardware, software, drivers), enabling (conditionally across devices, user groups and compliance states) and maintaining (infrastructure, training, scaling) these mechanisms across all of your users.
With Windows 10, IT and users can address both problems. Windows 10 introduces credentials that are bound to the device and unlocked with a PIN or biometric, which together form true multifactor authentication (something you have plus something you know or are), so there is no password to forget and no password hash to steal. Virtualization-based credential isolation then protects the domain credentials that remain on the machine, removing the raw material for pass-the-hash attacks.
Let’s take a deeper look into these capabilities.
A Secure Identifier to Unlock Your Device
Microsoft has introduced Windows Hello, which provides PIN-based and biometric (fingerprint, facial recognition) authentication to unlock a user's device. The capability is built directly into the Windows 10 operating system (OS) and is based on open identity standards. (Note: AirWatch lets you set Passport for Work policies, including the use of Hello biometric gestures and PIN strength and complexity requirements. Read more below.)
There are no additional costs for hardware, software or server-side infrastructure beyond the biometric sensors (fingerprint readers, infrared cameras) that may already be part of the user's device. And because a PIN or biometric gesture replaces a complex password, there is no password for the user to write down, reuse or forget.
Windows Hello establishes the user's identity on one particular device. The Hello credential is unique to that user-and-device combination: the PIN and the biometric template are stored only on the enrolled device and are never shared with, or reused on, the user's other devices. Authenticating with Hello does exactly one thing: it unlocks the user's Microsoft Passport key, which is what actually authenticates the user to the desired app or service.
Smarter Authentication than Smart Cards
Microsoft Passport is a multifactor authentication (MFA) feature that IT can use to replace passwords for apps, data and services with asymmetric key pairs. Combined with Hello, Passport is a better alternative to traditional two-factor methods such as smart cards and physical or virtual tokens, which can be stolen and used from any device to gain unauthorized access to company resources.
With Passport enabled, access to a company resource requires both the enrolled device and the Hello gesture that unlocks the authentication key. The authenticator is a public-private key pair. The private key never leaves the device: it is generated and stored in a container protected by the Trusted Platform Module (TPM), which prevents the key from being extracted and enforces an anti-hammering lockout after repeated wrong PIN attempts. When no TPM is available, the private key is stored encrypted in software, which is weaker protection than the hardware container and is worth auditing for in your fleet.
The identity provider holds only the public key and uses it to verify that a request for company resources comes from the registered user and device. That is what makes conditional access by user group or device type possible. The approach is also more secure than a password because the secret, the private key, is never typed, seen or transmitted: what crosses the network is a signature over a fresh challenge issued by the identity provider, so there is nothing for an attacker to capture and replay.
Mitigating Pass-the-Hash Attacks
Before Windows 10, the OS kept credential material in the Local Security Authority (LSA), which runs in the same environment it is designed to protect. An attacker who gains administrative or debug privileges can read the LSA process's memory, or inject code into it, and recover the NTLM hashes and Kerberos tickets it holds. Credentials stolen from one machine this way are enough to pave the way for much larger pass-the-hash campaigns across the domain.
Windows 10 introduces Credential Guard, which uses virtualization-based security (VBS) to isolate credentials. The secrets are moved into an isolated LSA process that runs in a virtualized environment the rest of the OS, including kernel-mode code and local administrators, cannot read; that environment is stripped of unnecessary drivers and code, so the credential hashes and tickets are protected from theft. Two caveats matter in practice: Credential Guard requires 64-bit Windows 10 Enterprise on UEFI hardware with Secure Boot and CPU virtualization extensions, and it protects domain credentials (NTLM hashes and Kerberos tickets) only. It does not protect local account credentials, and it cannot protect a password the user types into a phishing page or that a keylogger captures. Admins can leverage AirWatch Product Provisioning to enable and provision Credential Guard protection on users' devices.
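The check a practitioner wants after provisioning is whether Credential Guard is actually running, not just configured. The following PowerShell is an added example, not code from the original post or from AirWatch; it reads the documented Win32_DeviceGuard status codes and writes the registry values that Group Policy and MDM use to enable Credential Guard, which is what a Product Provisioning script would set. It assumes an elevated session on Windows 10 Enterprise, and a reboot is required before the status changes.

```powershell
# Added example (not from the original post or AirWatch): verify whether Credential
# Guard is configured AND running, and write the registry policy that turns it on.
# Requires an elevated session on Windows 10 Enterprise. Property codes are the
# documented Win32_DeviceGuard values; the registry names are the ones Group Policy
# and MDM set. A reboot is required after the policy is written.

function Get-CredentialGuardStatus {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard
    # SecurityServicesConfigured / SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI
    # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running
    [pscustomobject]@{
        VbsStatus                 = $dg.VirtualizationBasedSecurityStatus
        CredentialGuardConfigured = [bool]($dg.SecurityServicesConfigured -contains 1)
        CredentialGuardRunning    = [bool]($dg.SecurityServicesRunning   -contains 1)
        # LsaIso.exe is the isolated LSA process; it exists only while Credential Guard runs
        LsaIsoProcessPresent      = [bool](Get-Process -Name LsaIso -ErrorAction SilentlyContinue)
    }
}

function Enable-CredentialGuardPolicy {
    param(
        # 1 = enabled with UEFI lock (cannot be disabled remotely; clearing it needs
        #     physical presence), 2 = enabled without lock (policy can turn it off again)
        [ValidateSet(1, 2)] [int] $LsaCfgFlags = 1
    )
    $dgKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    if (-not (Test-Path $dgKey)) { New-Item -Path $dgKey -Force | Out-Null }
    # Turn on VBS and require Secure Boot (1); use 3 to also require DMA protection.
    Set-ItemProperty -Path $dgKey -Name EnableVirtualizationBasedSecurity -Type DWord -Value 1
    Set-ItemProperty -Path $dgKey -Name RequirePlatformSecurityFeatures  -Type DWord -Value 1
    # LsaCfgFlags is the Credential Guard switch itself.
    Set-ItemProperty -Path $lsaKey -Name LsaCfgFlags -Type DWord -Value $LsaCfgFlags
    Write-Warning 'Credential Guard policy written; reboot before trusting the status output.'
}

# On an unconfigured machine expect CredentialGuardRunning = False and no LsaIso process.
Get-CredentialGuardStatus | Format-List
# Uncomment to apply, then reboot and run Get-CredentialGuardStatus again:
# Enable-CredentialGuardPolicy -LsaCfgFlags 1
```

Treat `CredentialGuardRunning` (and the presence of `LsaIso.exe`) as the compliance signal, not the registry values: a machine without Secure Boot or virtualization extensions will happily carry the policy while VBS never starts. Early Windows 10 builds also required the Hyper-V hypervisor and Isolated User Mode optional features to be enabled first; check the documentation for the build you deploy.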
VMware AirWatch Solution
AirWatch integrates with these Windows 10 security features and with your directory services (Active Directory or Azure AD) to help you define authentication policies that keep credentials from being stolen and reused, closing the door on pass-the-hash attacks.
AirWatch enables you to set Passport for Work policies, including use of Hello biometric gestures and PIN strength and complexity requirements.
With AirWatch, you can provision certificates for use with Passport for Work that identify the enrolling user and device, which allows for a more secure and simplified MFA use case when compared to smart cards. For example:
- Using AirWatch, now you can deploy a certificate to your device and bind the private key to the TPM container in hardware. This becomes the “what you have” element of your MFA.
- When the user authenticates to corporate Wi-Fi, VPN or email, the OS enforces MFA by requiring the Hello PIN or biometric gesture to unlock the private key inside that container. The PIN is the "what you know" element; the certificate itself is public and is never the secret.
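To make the key-pair model from the Passport section and the TPM-bound certificate from the list above concrete, here is an added PowerShell example (not from the original post, and not AirWatch code) that plays both sides, device and identity provider, in one script. It creates a non-exportable RSA key in the TPM-backed key storage provider when a TPM is ready, falling back to the software provider otherwise, as the post describes for devices without a TPM. The certificate subject name is a placeholder. The script assumes Windows 10 with the PKI and TrustedPlatformModule modules; `Get-Tpm` needs an elevated session, and without one the script silently uses the software fallback.

```powershell
# Added example (not from the original post or AirWatch): Passport-style key-pair
# authentication with the "device" and the "identity provider" simulated together.
# Only the public key is handed to the IdP at enrollment, and only a signature over
# a fresh IdP challenge crosses the wire. The subject name is a placeholder.

function New-DeviceBoundKey {
    # Enrollment, device side: create a non-exportable key pair in the TPM-backed
    # provider when a TPM is ready, else in the software key storage provider.
    $tpmReady = $false
    try { $tpmReady = [bool](Get-Tpm -ErrorAction Stop).TpmReady } catch { }
    $provider = if ($tpmReady) { 'Microsoft Platform Crypto Provider' }
                else           { 'Microsoft Software Key Storage Provider' }
    Write-Host "Key provider: $provider"
    New-SelfSignedCertificate -Subject 'CN=hello-demo@example.invalid' `
        -KeyAlgorithm RSA -KeyLength 2048 -KeyExportPolicy NonExportable `
        -Provider $provider -CertStoreLocation 'Cert:\CurrentUser\My'
}

function Invoke-ChallengeResponse {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2] $DeviceCert)
    $hash = [System.Security.Cryptography.HashAlgorithmName]::SHA256
    $pad  = [System.Security.Cryptography.RSASignaturePadding]::Pkcs1
    $ext  = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]

    # IdP side: it registered the PUBLIC half at enrollment and keeps nothing else.
    $idpPublicKey = $ext::GetRSAPublicKey($DeviceCert)

    # 1. IdP issues a random, single-use challenge (nonce).
    $challenge = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($challenge)

    # 2. Device side: the private key signs the challenge inside its container.
    #    In Windows Hello the user's PIN or biometric gates this step; here the
    #    logged-on user's session already has access to the key.
    $devicePrivateKey = $ext::GetRSAPrivateKey($DeviceCert)
    $signature = $devicePrivateKey.SignData($challenge, $hash, $pad)

    # 3. IdP verifies the signature against the registered public key.
    $accepted = $idpPublicKey.VerifyData($challenge, $signature, $hash, $pad)

    # 4. A captured signature replayed against a NEW challenge must be rejected.
    $replayChallenge = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($replayChallenge)
    $replayAccepted = $idpPublicKey.VerifyData($replayChallenge, $signature, $hash, $pad)

    # 5. The private key cannot be pulled out of its container, even by its owner.
    $exportable = $true
    try { $null = $devicePrivateKey.ExportParameters($true) } catch { $exportable = $false }

    [pscustomobject]@{
        FreshChallengeAccepted = $accepted        # expected True
        ReplayAccepted         = $replayAccepted  # expected False
        PrivateKeyExportable   = $exportable      # expected False
    }
}

$cert = New-DeviceBoundKey
try     { Invoke-ChallengeResponse -DeviceCert $cert | Format-List }
finally {
    # Remove the demo certificate and its key from the store.
    Remove-Item -Path "Cert:\CurrentUser\My\$($cert.Thumbprint)" -DeleteKey
}
```

The three results together are the whole argument of the section: a fresh challenge verifies, a replayed signature does not, and the private key cannot be exported from the container it was born in. What this script does not show is the Hello gesture itself; in production the TPM releases the key for signing only after the PIN or biometric is presented, which is the step a stolen laptop cannot complete.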
AirWatch, featuring VMware Identity Manager, provides a conditional access control framework that restricts access to enterprise resources to authorized users and devices. Besides validating user group membership and device identity, the AirWatch compliance engine continuously monitors device compliance, so you can control access to apps and data based on device type, app type, management state, location and network (domain) membership, among several other criteria.
Devices that fall out of compliance automatically have their access revoked for corporate VPN, Wi-Fi, email and content repositories, as well as for on-premises and cloud apps such as Office 365. This adaptive access control preserves the user experience for compliant Windows users while maximizing security for untrusted and unmanaged devices, regardless of network or domain membership. Admins can also define step-up actions for automatic remediation. For example, if a device is found to be noncompliant with the company's BitLocker encryption policy, AirWatch can identify it, notify the user and IT, revoke access and even push the encryption policy as needed.
In this part, we looked at some of the new Windows 10 security features and focused on establishing user trust with identity protection and conditional access. Next, we will take a deeper look at the device and data security features of the OS and how AirWatch helps you manage those policies. Keep up with AirWatch on Twitter to be the first to read our newest blogs.