In a previous blog I discussed Microsoft's approach to security via Device Guard, Windows Hello and Passport. While these implementations are outstanding solutions, Microsoft still has more to offer the business market. Let's talk security!
It's easy to focus on data encryption and hardware security, but what about malware? Organizations have the ability to lock down PCs and other Windows 10 devices so that Windows 10 only allows trusted apps to run and make changes on a user's PC. Trusted applications are apps signed through a Microsoft-provided signing service (every app in the Windows Store meets this standard). Businesses are also free to choose which apps they consider safe, whether those are apps they have signed themselves, apps from the Windows Store, or other applications that meet these standards. The feature is the same one found in Windows Phone, but unlike on WP8 it also covers Win32 (desktop) applications.
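The signer-based allow list described above is configured on Windows 10 through a Device Guard code integrity policy. The following PowerShell walkthrough is an added example, not code from the original post or from Beringer; it assumes Windows 10 Enterprise with the ConfigCI module available, and the certificate path and policy folder are placeholders.

```powershell
# Added example (not from the original post): build a code integrity
# policy that trusts apps by their signer (Microsoft / Windows Store
# signers found on a clean reference machine) plus the organization's
# own code-signing certificate. Paths are placeholders:
#   C:\Certs\Contoso-CodeSign.cer  - the organization's signing cert
#   C:\CI\                         - working folder for the policy

# 1. Scan the reference machine and generate rules at Publisher level,
#    so apps are trusted by who signed them rather than by file hash;
#    unsigned binaries fall back to hash rules.
New-CIPolicy -Level Publisher -Fallback Hash -ScanPath 'C:\' `
    -UserPEs -FilePath 'C:\CI\InitialPolicy.xml'

# 2. Add the organization's own signing certificate as a trusted signer
#    for user-mode code, so internally built (self-signed) apps are allowed.
Add-SignerRule -FilePath 'C:\CI\InitialPolicy.xml' `
    -CertificatePath 'C:\Certs\Contoso-CodeSign.cer' -User

# 3. Start in audit mode (rule option 3): untrusted apps still run, but
#    each one is logged, so the allow list can be tuned before enforcing.
Set-RuleOption -FilePath 'C:\CI\InitialPolicy.xml' -Option 3

# 4. Compile the XML into the binary form the kernel loads. To deploy,
#    copy the result to C:\Windows\System32\CodeIntegrity\SIPolicy.p7b
#    on the target device and reboot.
ConvertFrom-CIPolicy -XmlFilePath 'C:\CI\InitialPolicy.xml' `
    -BinaryFilePath 'C:\CI\SIPolicy.p7b'

# 5. Review what would have been blocked (event 3076 = audit-mode hit)
#    before switching to enforced mode.
Get-WinEvent -LogName 'Microsoft-Windows-CodeIntegrity/Operational' |
    Where-Object { $_.Id -eq 3076 } |
    Select-Object TimeCreated, Message -First 20

# 6. Once the audit log is clean, drop option 3 and recompile to enforce.
Set-RuleOption -FilePath 'C:\CI\InitialPolicy.xml' -Option 3 -Delete
ConvertFrom-CIPolicy -XmlFilePath 'C:\CI\InitialPolicy.xml' `
    -BinaryFilePath 'C:\CI\SIPolicy.p7b'
```

Run the audit phase long enough to cover the line-of-business apps users actually launch; anything that shows up as a 3076 event but should be allowed needs a signer or hash rule added before enforcement.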
Since we're on the topic of malware, it's inevitable to discuss Windows Defender. Formerly called Microsoft Security Essentials, Windows Defender ships with every Windows 10 device and turns itself off automatically when a user installs another anti-malware solution. Microsoft leaves the choice of anti-malware solution to us, so businesses can secure their infrastructure with whichever product they prefer. These solutions are complemented by Device Guard at the hardware level: Device Guard handles zero-day threats and malware that gains administrative rights, while your anti-malware solution handles things like Java exploits.
Microsoft Azure Active Directory (Azure AD) excites me the most. Azure AD allows users to set up their organizational devices without their IT team's support, and the process is quick and painless. Upon powering on the new device, users confirm the device belongs to their organization and then enter their Azure AD account name and password. Depending on an organization's security requirements, a second authentication factor can be required. The login form changes depending on whether an organization is cloud-based or on premises. This process works on iOS and Android devices as well. Registering your device with Azure AD also enrolls it with Microsoft Intune.
Intune helps maintain your devices' compliance. Microsoft Intune evaluates your device and determines whether it is compliant; if not, an alert is sent to Azure AD so that your IT administrator can configure the device for proper compliance. Intune also has a portal in which you can report a lost or stolen device, allowing an IT manager to wipe it remotely. Azure AD and Intune also work together seamlessly in the cloud: should your organization require devices to be compliant before using SaaS applications secured by Azure AD, Intune provides the compliance information to Azure AD, which then enforces that requirement on the organization's devices.
Last but certainly not least, those of us with personal devices can also register with Azure AD. Many employees do at least some of their work on a personal device and I am no different. The process of making your personal device compliant is as simple as with an organizational one. Once the Azure AD account has been added, you can continue to log into your personal device via your personal Microsoft account. Live tiles and other such features are still guided by that personal account. Registering that Azure AD account will provide much of the same functionality as on an organizational one.
Here at Beringer, we are dedicated to exploring the most recent and efficient solutions for our clients. I am pleased to say that Microsoft's newest innovations in security are a great leap forward for our industry. Please feel free to reach out to Beringer with any questions on the information covered. Until next time!