Windows 8: A Security Upgrade?
Forrester's Chenxi Wang on What to Expect from Microsoft
Microsoft will soon release the latest version of its popular Windows operating system, and it will come with significant security upgrades. So, how should security leaders approach and test Windows 8? Slow and small, says Forrester analyst Chenxi Wang.
"Upgrading operating systems for a large number of endpoints is very challenging," says Wang, vice president and principal analyst on Forrester Research's security and risk team. "Starting small is good advice to follow."
The new Windows 8 operating system offers several security improvements, such as default antivirus and endpoint encryption, Wang points out. But operating systems, because of their complexity, have inherent vulnerabilities. It's the zero-day vulnerabilities discovered post-launch that will worry security professionals.
"One remotely-exploited vulnerability in the Windows operating system will lead to potential compromises of millions of computers," Wang says. "That really worries security professionals."
In starting small, organizations should select a department group of about 50 laptops or desktops, Wang says. "Test out the migration, test out management, test out how the built-in features work with the operating system and how they work with their existing networking environment," she says in an interview with Information Security Media Group's Tom Field [transcript below].
It's important to know how the system works with existing firewalls and Internet service providers before rolling out the operating system to a larger population within the organization, Wang explains.
"Second is to really understand how Windows 8 gives you some of the improved benefits that you may not have had the option to leverage earlier," she says, "such as improved memory protection and how you would enable those or the applications that you run on those computers."
In an interview about what security leaders can expect from Windows 8, Wang discusses:
- Upgraded security features;
- How to test Windows 8 for your environment;
- The impact of mobility on operating system decisions.
As vice president and principal analyst on Forrester Research's security and risk team, Wang tracks the mobile, cloud and application security markets. She is a frequent keynote speaker at research and industry conferences, including OWASP, RSA China and SANS. Before joining Forrester, she was associate professor at Carnegie Mellon University. She holds a Ph.D. in computer science.
TOM FIELD: If you could, why don't you tell us a little bit about your current focus at Forrester, please?
CHENXI WANG: I'm the principal analyst on the security team, and I cover a number of areas including mobile security, end-point security and application security.
Windows 8: Security Questions
FIELD: It's a busy time. Windows 8 is coming. Broadly, what do you see as the security questions that organizations need to be asking before adopting Windows 8?
WANG: Just like adopting any other new end-point platform, there are certainly a number of questions that you need to ask, including things such as what are the built-in security features or support for features that are not built-in but are also essential for your end-point security strategy? Windows 8, broadly speaking, we think has better built-in support and better built-in security features and more fundamental support for things that are not necessarily built-in by default. Overall, it's a good platform in terms of security improvement.
FIELD: Some have said that Windows 8 "takes security to a whole new level." Do you agree with that sentiment?
WANG: I think Windows 8 has visible improvement in security functions. I'm not sure I would go as far as [to say] taking security to a whole new level. I think that's maybe a little bit exaggerating. However, we do see the built-in features as a welcome change to the end-point security as well as to a broader security ecosystem if you were to adopt Windows 8 in your enterprise.
Major Security Upgrades
FIELD: What would you say are the major security upgrades?
WANG: First of all, antivirus comes by default, and this is something that we've been waiting for, for some time. AV, as the desktop or endpoint security functions, it's a really standard thing to do today, and I think it comes by default with the operating system. It would be the right thing to do instead of any aftermarket purchase where you have to manage the install and updates. They should all come together. I think that's a very welcomed change.
Other things such as other supports for endpoint encryption are also there. We are actually very excited about the improved endpoint encryption features because endpoint encryption remains a fairly challenging thing to do for organizations, although it's a fairly effective way of defending against data loss. We've been a market watcher. We've been waiting for an easy-to-deploy mechanism that comes with a common operating system for endpoints, and Windows 8 made that easier and possible.
FIELD: What vulnerabilities do you not see addressed adequately in Windows 8?
WANG: I don't [think of it as] existing vulnerabilities not being addressed, rather I think Windows 8 has across the board better security with better security functions, but there's always going to be security vulnerabilities within the operating system that we don't know about in the initial release. Most people who haven't written an operating system won't know it's an extremely complex implementation effort, so it's impossible to release a version of the operating system without any vulnerability in it. It is just humanly impossible. The trick is how fast do things get discovered and how fast the patches are released, just like before. We would see new vulnerabilities with Windows 8, no questions about that. Hopefully some of the built-in security functions, like the improvement of the memory protection, will be able to defend some of the zero-day vulnerabilities, but not all.
Operating System Threats
FIELD: Taking a step back and talking about operating systems in general, what are the threats to the operating system that most concern you?
WANG: Operating systems, like any other piece of software, have vulnerabilities in them, and depending on what the vulnerabilities are, if it's remotely exploitable, meaning that if somebody could exploit this vulnerability and remotely execute pieces of code, then the danger of having that vulnerability in a commonly used operating system is that one exploit can allow you to take control of millions of computers. And that's the danger of the operating system monoculture which we still have. It's not like a few years ago. Windows is still the predominant operating system, though these days we see Mac and Linux. The monoculture isn't as predominant anymore. But still, one remotely-exploited vulnerability in the Windows operating system will lead to potential compromises of millions of computers. That really worries security professionals.
FIELD: That's a good point and I wanted to ask you about that because given the rise of mobility and organizations that are adopting mobile platforms, do you see organizations abandoning Windows for other platforms that they may perceive to be more secure?
WANG: That's a very good question. With mobile devices today, those that are not laptops, we do see iOS and Android being widely adopted, but the Windows 8 phone is a device that's on a lot of organizations' radar screen. We get a lot of inquiries on what an organization should consider in terms of strategies on the Windows 8 phone. Other people are in the sort of wait-and-see mode with respect to the Windows 8 mobile device, and I would not be surprised that a visible percentage of organizations will standardize on the Windows 8 phone just because they're used to dealing with the Windows environment and they already have the management infrastructure internally to operate in those familiar environments, so it will help them migrating to mobile computing.
But I don't see Windows 8 as the "be all and end all" operating system for mobile computing. We're looking at a split market, or a fragmented market, if you will, which means possibly three or four large operating system vendors in that mobile space: Apple, Google, Microsoft and BlackBerry.
Starting Out: Advice to Security Leaders
FIELD: I'm sure this is a question you get every day. Say I'm a security leader, I'm coming to you, and I'm mulling the Windows 8 upgrade for my organization. What advice do you give to a security leader?
WANG: Upgrading operating systems for a large number of endpoints is very challenging, so starting small is good advice to follow. I would start with a department group, maybe with about 50 laptops or desktops to test out the migration, test out management, test out how the built-in features work with the operating system and how they work with their existing networking environment, whether they work well with your firewalls and IPS and what not before you roll it out to a larger population of your company. That's one.
The second is to really understand how Windows 8 gives you some of the improved benefits that you may not have had the option to leverage earlier, such as improved memory protection capable of ease and how you would enable those or the applications that you run on those computers. Really experiment with those during this initial phase and then put together roll-out guidance for the remainder of your organization to work out the kinks and then you will know what to do, "one, two, three" steps, for the larger roll-out plan.