By design, Windows 10 is more secure than its predecessors Windows 7 and Windows 8.1. That’s what the people from Microsoft say, anyway.
One good measure of an operating system's security is how well it can protect data. This article examines that subject from three perspectives:
Additional data security measures
Before you even proceed to encrypt your data, you should first make a secure copy of it and store it in a safe and trusted place. A clean installation restore point for your Windows 10 can spare you much time. If things go wrong, you can use the save point to restore your OS with a fresh install and start with a clean slate.
Malicious software and online threats can always creep in, but you should also consider the probability of hardware issues that could endanger your data. To make sure your data is safe, use a twofold backup strategy that combines external hard drive storage with an online backup service. Users of Windows 10, for example, can rely on the File History feature to easily back up their data to an external drive.
Last but not least, by turning on encryption during a backup, one can double protect valuable data.
When BitLocker — a Windows 10 built-in tool for full-volume encryption — is enabled, the XTS-AES or AES-CBC encryption standard encrypts every bit of data on the entire drive. The default encryption strength is 128-bit, but Windows 10 users can increase it to 256-bit. Military-grade encryption is a welcome feature — an indispensable safety net of sorts against data loss or theft.
Several prerequisites for enabling BitLocker are:
Having a device that comes with a Trusted Platform Module (TPM) chip — a hardware-based method of storing encryption keys. Otherwise, you may have to store the encryption keys on the hard drive, which is not recommended because attackers will likely be able to decrypt your data if they can get their hands on your hard disk.
A business edition of Windows 10, since the Home edition requires a Microsoft account and does not allow management of the BitLocker device.
Also, do not forget to encrypt portable storage devices like USB flash drives or MicroSD cards with the password-based solution BitLocker To Go.
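To check the points above on a real machine (TPM availability, key strength, and whether each volume is actually protected), here is an added audit example that is not part of the original article. It uses the built-in `Get-Tpm` and `Get-BitLockerVolume` cmdlets and must run in an elevated PowerShell session; the wording of the findings and the `C:` mount point in the final comment are this example's own assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example: report BitLocker posture for every volume on this machine.

$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    Write-Warning 'No ready TPM: keys cannot be sealed to hardware on this device.'
}

$report = foreach ($vol in Get-BitLockerVolume) {
    $method     = $vol.EncryptionMethod.ToString()
    $protectors = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

    $findings = @()
    if ($vol.ProtectionStatus.ToString() -ne 'On') {
        $findings += 'protection is off'
    }
    if ($vol.VolumeStatus.ToString() -ne 'FullyEncrypted') {
        $findings += "status is $($vol.VolumeStatus)"
    }
    if ($method -match '128') {
        $findings += '128-bit key (the default strength)'
    }
    # Tpm, TpmPin, TpmStartupKey ... all count as TPM-based protectors.
    if ($vol.VolumeType.ToString() -eq 'OperatingSystem' -and -not ($protectors -match '^Tpm')) {
        $findings += 'OS volume has no TPM-based key protector'
    }

    [pscustomobject]@{
        MountPoint = $vol.MountPoint
        Type       = $vol.VolumeType
        Method     = $method
        Protectors = $protectors -join ', '
        Findings   = if ($findings) { $findings -join '; ' } else { 'none' }
    }
}

$report | Format-Table -AutoSize -Wrap

# To encrypt a not-yet-encrypted OS volume with the stronger 256-bit setting:
#   Enable-BitLocker -MountPoint 'C:' -EncryptionMethod XtsAes256 -TpmProtector
# An already encrypted volume keeps its method until it is decrypted and
# encrypted again, so choose the key size before the first encryption.
```

Removable drives protected with BitLocker To Go appear in the same report as data volumes with a `Password` protector.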
While BitLocker is best suited for encrypting entire drives, Windows 10 also offers a feature called Encrypting File System (EFS) that can encrypt individual files and directories one by one. However, the strength of BitLocker's full-disk encryption is superior to what EFS has to offer. Furthermore, to optimally defend data at scale, Windows Information Protection (WIP) tools can complement file-level encryption by allowing for integrated data separation and containerization.
Azure Information Protection and Azure Rights Management services are Windows 10 features that can secure the contents of stored files and messages based on the premise that administrators can, independently of the local encryption status, classify and restrict access to files created via applications such as Office.
Additional data security measures
Perhaps the most dangerous threats to sensitive data lurk in unprotected wireless networks. For that reason, additional measures are never enough. Here are some ideas on how to mitigate this issue:
Sizeable organizations should implement the 802.1X standard to improve the security of wireless connections, as it relies on access controls instead of shared passwords
Windows domain-based networks could count on the DirectAccess feature in order to allow secure remote access
A virtual private network (VPN) is still the best option when you cannot avoid using an untrusted wireless network
As a rule of thumb, regularly delete apps you do not need because it decreases your potential attack surface, among other things. The smaller the attack surface is, the lower the chance is for initial compromise of your system that may lead attackers to your data.
Did you know that corporate attack surfaces expand as staff use more and more unauthorized apps and even personal devices (think of BYOD threats) while they are on a company’s premises? One survey states that 76% of employees regularly access personal stuff on work devices even without the IT department’s permission.
Fortunately, Windows 10 has a remedy for that prevalent shadow IT sprawl. Windows Defender Application Guard is a tool that makes visiting untrusted websites possible via an isolated virtual container, as it blocks access to vital system resources. In addition, a feature named S mode can limit the installation of apps to those available on the Microsoft Store.
Controlled Folder Access is one more item from the “toolshed” of Windows 10. It protects data by preventing unauthorized apps, including malicious executable files, scripts and DLLs, from accessing files. In essence, this feature locks down folders, giving file access only to authorized apps. Like Secure Boot (whose purpose is to safeguard the UEFI/BIOS), Controlled Folder Access is just another excellent measure at your disposal to limit the potential damage caused by ransomware. This feature is available in all editions of Windows 10.
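A common way to roll out Controlled Folder Access without breaking legitimate software is to start in audit mode and review what would have been blocked. The following is an added example, not part of the original article; it uses the Defender cmdlets `Get-MpPreference` and `Set-MpPreference` and the Defender operational event log (event 1123 = blocked, 1124 = audited). The event data field names `Process Name` and `Path`, the seven-day window and the application path in the final comment are assumptions of this example.

```powershell
#Requires -RunAsAdministrator
# Added example: enable Controlled Folder Access in audit mode and review hits.

$modeNames = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'AuditMode' }
$current   = [int](Get-MpPreference).EnableControlledFolderAccess
$label     = if ($modeNames.ContainsKey($current)) { $modeNames[$current] } else { "mode $current" }
"Controlled Folder Access is currently: $label"

if ($current -eq 0) {
    # Audit mode only logs; nothing is blocked until the mode is set to Enabled.
    Set-MpPreference -EnableControlledFolderAccess AuditMode
}

# Collect blocked (1123) and audited (1124) events from the last seven days.
$filter = @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1123, 1124
    StartTime = (Get-Date).AddDays(-7)
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Turn the event's <Data Name="..."> elements into a lookup table.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Action  = if ($e.Id -eq 1123) { 'blocked' } else { 'audited' }
        Process = $data['Process Name']   # assumed field name
        Target  = $data['Path']           # assumed field name
    }
}

# Which programs touch protected folders most often?
$rows | Group-Object Action, Process |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# After review, allow a trusted program (placeholder path) and start blocking:
#   Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Path\To\trusted.exe'
#   Set-MpPreference -EnableControlledFolderAccess Enabled
```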
According to Microsoft, “[a]ttackers use data corruption techniques to target system security policy, escalate privileges, tamper with security attestation, modify “initialize once” data structures, among others.”
That might be the reason why the tech giant is developing a new feature that will improve Windows 10 system security. Kernel Data Protection (KDP) will prevent data corruption by protecting particular parts of the kernel, as well as some Windows 10 drivers, with read-only memory. Note that KDP is part of virtualization-based security: inside a virtual secure mode, it isolates a secure region of memory from the normal OS to create read-only sections of kernel memory, so that the data within can be accessed but not modified.
It seems that Windows 10 offers data protection that is comprehensive enough to meet all compliance requirements and maintain user productivity at the same time.
No matter how secure Windows 10 is claimed to be, however, it would be unrealistic to not expect some vulnerabilities to emerge throughout its field application; that is, unless you have the National Security Agency at your side to tip you off before things go south for real.
Nevertheless, if you apply what Windows 10 offers its users, even only in terms of backing up data and data encryption, you should do just fine against almost every threat that comes after your precious data resources.