I am at RSA in San Francisco this week, along with 17,000+ other security-minded professionals. For those unfamiliar with it, the RSA Conference is the leading information security conference, attracting the best and brightest in security from around the world. It is also a great place to keep up with what is happening in the computer security market. I am at RSA not only to see what is happening in the industry, but also to talk about some of the cool new security features in Windows 7.
We are really excited about the new security features in Windows 7. The next operating system builds on the proven security technologies in Windows Vista and provides a platform for fundamentally more secure computing. Not only have we applied the Security Development Lifecycle (SDL) more extensively throughout planning, development and testing, but we have also worked to make the security features more discoverable, easier to use and more manageable. These improvements give Windows 7 an enhanced set of security offerings that provide the controls needed to give mobile workers access to the information they need to be productive wherever and whenever they need it.
There is a lot of new stuff in Windows 7, but let me highlight some of the things that help the mobile worker…
Multiple Active Firewall Policies
In Windows Vista, firewall policy is based on the “type” of network connection established—
Windows 7 removes this pain by supporting multiple active firewall policies. This lets the firewall profile for my PC's connection to the corporate network apply independently of any other networks that may be active on the PC at the same time. Now IT professionals can simplify connectivity and security by maintaining a single set of rules for both remote clients and clients that are physically connected to the corporate network, and know that those rules will be applied.
When I travel, or extend my work day from home, I tend to need a lot of access to the intranet. As you can imagine, we use SharePoint a lot, and in many of our divisions all applications are web-enabled. The result: I have to use our corporate VPN a lot too. Unfortunately, it always breaks my flow to stop what I'm doing and deal with my VPN connection.
Windows 7 works in conjunction with Windows Server 2008 R2 to make working outside the office easier and less frustrating with DirectAccess. DirectAccess automatically establishes a bidirectional connection between client computers and the corporate network. Consequently, as a remote user I have seamless, secure access to the corporate network whenever I am connected to the Internet, without manually initiating a traditional VPN. That makes me more productive and lets me focus on my work rather than on the remote-access technology. Now, whenever and wherever I travel, I can not only get my company email, but also open intranet sites, use shared drives, use online business applications and have full access to the company resources I need for my work, all without manually creating VPN tunnels.
From a security point of view, DirectAccess is built on a foundation of proven, standards-based technologies such as IPv6 and IPsec. IPsec is used to authenticate both the computer and the user, which gives IT professionals the ability to manage the computer even before the user signs in. IT can optionally also require me to authenticate using a smart card. IPsec is also used to encrypt communication over the Internet, with encryption algorithms such as AES.
DirectAccess also has a cool benefit for IT Pros, since it provides an always-on, secure mechanism to remotely manage and update the PCs of their mobile workforce. Whenever my laptop has Internet connectivity it is directly connected to the Microsoft corporate network. This gives IT more opportunity to distribute software updates and policies to me and other mobile workers and helps keep our machines free of malware and other unwanted software.
DirectAccess is great for the mobile worker, but what about the remote worker who works out in a branch office location? I’ve worked in many a branch office and the one thing they all seem to have in common is limited network bandwidth. Accessing large files in a branch office is always a slow, frustrating affair for me. I, like most users, prefer a snappy network and quick downloads. All the waiting that I have to do– or you have to do — is just lost productivity that, at the end of the day, can hurt the company’s bottom line.
Windows 7 incorporates BranchCache, another technology that works in conjunction with Windows Server 2008 R2, which helps make network responsiveness of applications and data housed within your data center feel snappy. This gives users in remote, branch offices the experience of working as if they were on the local area network (LAN) of the server they are accessing.
BranchCache also helps reduce the utilization of the wide area network (WAN). When BranchCache is enabled, a copy of any data accessed from Intranet Web sites and/or file servers is cached locally within the branch office. When another client on the same network requests the file, the client downloads it from the local cache without downloading the same content across the WAN.
The key thing for me is that it makes access to static data quick and it is all done without decreasing the security of that data. Access controls are enforced on cached files in the same way they are on original files.
BitLocker To Go
While here at RSA, it is inevitable that I will need to share data with one of my trusted partners or customers. My primary method of transferring data is to use one of the half dozen or so USB sticks I carry around in my backpack. Over time, these USB sticks end up with all sorts of different data and documents on them. As a security guy, I worry about what would happen if I lost one of these USB sticks. What if I have some confidential or customer data on one of them?
Windows 7 helps address the continued threat of data leakage with introduction of BitLocker To Go: an extension to BitLocker in Windows Vista that allows me to encrypt the disk volume of removable storage devices with a password and/or a digital certificate stored on a smart card.
BitLocker To Go was designed to facilitate the secure sharing of data on removable storage devices and was designed to work on any standard removable storage device. No special, proprietary hardware is required. So now, whether you are traveling with your laptop, sharing large files with a trusted partner, or taking work home, you can feel secure that your data is safe. Both traditional BitLocker and BitLocker To Go protected devices help ensure that only authorized users can read the data, even if the media is lost, stolen, or misused.
One last thing worth mentioning — I can use BitLocker To Go to share data with a Windows user who is running Windows Vista or Windows XP through the BitLocker To Go Reader. This application is installed by default on removable storage volumes and allows read-only access on older versions of Windows while still allowing you to help protect your USB sticks.
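As an added example (not code from the original post or from Microsoft), here is how I would protect one of those USB sticks with BitLocker To Go from an elevated Windows 7 PowerShell prompt using the built-in manage-bde.exe tool; the drive letter and the file location for the recovery password are assumptions.

```powershell
# Added example, not from the original post: enable BitLocker To Go on a
# removable drive, escrow the recovery password, and verify the result.
# Assumptions: elevated PowerShell on Windows 7; E: is the USB stick.
$drive = 'E:'

# Turn on BitLocker with a password protector (-pw prompts for the password)
# and add a 48-digit numeric recovery password (-rp) for when the password
# is forgotten. Encryption of the volume starts in the background.
manage-bde -on $drive -pw -rp

# Record the recovery password somewhere other than the stick itself
# (placeholder location; in an enterprise this would be escrowed by IT).
manage-bde -protectors -get $drive |
    Out-File -Encoding utf8 "$env:USERPROFILE\Documents\usb-recovery.txt"

# Check encryption progress and which protectors are attached to the volume.
manage-bde -status $drive

# Before handing the stick to a partner: lock it, then confirm that only
# the password (or recovery password) unlocks it again.
manage-bde -lock $drive
manage-bde -unlock $drive -pw
```

Once the status shows "Fully Encrypted", the stick can be read on Windows XP or Vista through the BitLocker To Go Reader after the password is supplied.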
While I feel good about protecting my data with BitLocker in case it is lost or stolen, data can still be lost due to malware or other unwanted software. When I talk to customers about keeping malware off of their systems, we always end up talking about desktop lockdown and the first topic of desktop lockdown is always removing administrative access from a majority of users. This is a great first step for any organization to take; however, workers today bring software from home, download applications from the Internet (intentionally and unintentionally), and access new programs through email. Many of these applications don’t need system-wide, administrative access to install or run. The result is a higher incidence of malware infections, more help desk calls, and difficulty in ensuring that only approved, licensed software is installed and utilized.
Windows 7 has a new application control solution in AppLocker. AppLocker gives control back to IT administrators and helps them eliminate unknown and unwanted software in their environment. AppLocker can be configured through Group Policy and can help manage those applications that run on corporate PCs, helping keep your organization’s data safe and your enterprise PCs manageable. AppLocker works by intercepting kernel calls that try to create new processes or load libraries and making sure that the code in question has been allowed to execute.
AppLocker just might be my favorite security feature in Windows 7, for it not only provides security protections but as an ex-IT Pro I really appreciate the operational and compliance benefits as well. Things like:
- Keeping unlicensed, vulnerable software from running in the desktop environment, including stopping workers from running applications that needlessly use consumer network bandwidth or otherwise impact the enterprise computing environment.
- Easing enterprise software deployments and maintenance through effective desktop configuration management.
- Allowing users to install and run approved applications and software updates based upon their business needs.
- Helping ensure a company’s desktop environment is in compliance with corporate policies and industry regulations such as PCI DSS, Sarbanes-Oxley, HIPAA, Basel II, and others.
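As an added example (not code from the original post or from Microsoft), here is how an IT admin could build an AppLocker allow list from a reference machine, test it, and roll it out in audit-only mode before enforcing it, using the AppLocker PowerShell cmdlets that ship with Windows 7 and Windows Server 2008 R2; the directory and file paths are assumptions.

```powershell
# Added example, not code from the original post: build an AppLocker allow list
# from a reference machine, test it, and deploy it in audit-only mode first.
# Assumptions: elevated PowerShell on Windows 7 / Server 2008 R2; the directory
# and file paths below are placeholders.
Import-Module AppLocker

$referenceDirs = 'C:\Program Files', 'C:\Windows'   # placeholder reference install
$policyXml     = 'C:\Temp\AppLocker-Audit.xml'      # placeholder output path

# 1. Inventory the executables and DLLs the reference machine legitimately runs.
$fileInfo = foreach ($dir in $referenceDirs) {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe, Dll
}

# 2. Generate rules: publisher rules for signed code (they survive version
#    updates), hash rules as a fallback for unsigned code. -Optimize merges
#    redundant rules into as few as possible.
$xml = New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher, Hash `
        -User Everyone -Optimize -Xml

# 3. Start in audit mode: AppLocker logs what it would block without blocking it.
$xml -replace 'EnforcementMode="NotConfigured"', 'EnforcementMode="AuditOnly"' |
    Out-File -Encoding utf8 $policyXml

# 4. Check a file against the policy before deploying it. PolicyDecision is
#    Allowed, Denied or DeniedByDefault (no rule matched, so it would be blocked).
function Test-UnknownApp {
    param([string]$Path)
    Test-AppLockerPolicy -XmlPolicy $policyXml -Path $Path -User Everyone
}
Test-UnknownApp 'C:\Users\Public\Downloads\unknown-tool.exe'   # constructed sample path

# 5. Apply the policy locally (use -Ldap to write it to a Group Policy object)
#    and make sure the Application Identity service, which AppLocker depends
#    on, is running.
Set-Service AppIDSvc -StartupType Automatic
Start-Service AppIDSvc
Set-AppLockerPolicy -XmlPolicy $policyXml

# 6. Review audit events (8003 = would have been blocked) for a while; only
#    switch the rule collections to Enabled once the log shows no surprises.
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -eq 8003 } |
    Select-Object TimeCreated, Message
```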
More to Come
This is just a small part of what’s in Windows 7 from a security perspective, and just the tip of the iceberg for the features I’ve described. Stay tuned for more information on what’s going on at RSA and more information on the cool new security technologies in Windows.