Industry insights

Cybersecurity and Windows 11: What you need to know

March 13, 2022 by Drew Robb

The Windows 11 operating system (OS) has been with us since October of 2021, and it appears to be popular. Microsoft reports that its adoption rate is twice that of Windows 10. Its release couldn’t have happened at a better time. The PC market was predicted to be on the way out a few years ago. Yet worldwide PC shipment surged to 340 million in 2021, 27% higher than in 2019 according to Canalys. 

An incredible 1.4 billion devices are active each month on the Windows platform. That represents a lot of potential business for Windows 11. Vendors such as Acer, AMD, ASUS, Dell, HP, Intel, Lenovo, Qualcomm and Razer have been quick to offer the new OS in their latest models. The likelihood is, therefore, that during the next PC or laptop refresh, Windows 11 will be rolled out in many organizations. 

Windows 11 baked-in security 

While there are many improvements included within Windows 11, it is the security upgrades that are receiving much of the attention. Microsoft has responded to the dramatic rise of phishing, ransomware, supply chain and IoT vulnerabilities by baking in a raft of security safeguards that protect from the chip to the cloud. 

“Windows 11 is redesigned for hybrid work and security with built-in hardware-based isolation, proven encryption and our strongest protection against malware,” said David Weston, Director of Enterprise and OS Security, Microsoft Azure Edge and Platform.

One innovation is the secured-core PCs that underpin Windows. They make it possible to implement security best practices at the firmware layer or at the device core. This adds an extra layer of defense that combines hardware, firmware and driver capabilities to protect the OS. Its elements include Trusted Platform Module (TPM) chips that can store cryptographic keys and conduct authentication and system integrity measurements. They also can take advantage of secure boot features to prevent any tampering during a system boot and kernel Direct Memory Access (DMA) protection to block a further avenue of cyberattack via other connected devices. Such features help combat phishing incursions. Certified Windows 11 systems now come with a TPM chip.

“Its purpose is to help protect encryption keys, user credentials and other sensitive data behind a hardware barrier so that malware and attackers can’t access or tamper with that data,” said Weston.

Say goodbye to passwords

This is all part of an architectural redesign that aims to eliminate passwords. Windows Hello for Business is available in Windows 11 systems and should signal the end of Post-It Notes affixed to PC screens or the use of passwords that are easy to crack. This feature also helps IT to manage authentication across the enterprise and add better cloud security as a means of protecting corporate data and identities. It replaces passwords with two-factor authentication that is tied to a device via a biometric or PIN.

On the biometric side, Windows 11 PCs provide integrated biometric authentication processes that use facial recognition or fingerprint matching. Infrared cameras and software are used to raise the accuracy of biometric readings and prevent spoofing. Biometrics data is only stored on the local device to prevent it from being compromised at an enterprise level. External devices or servers never receive any biometric information. 

As was the case with Windows 10, Microsoft Defender is included in Windows 11. It provides antivirus software that uses machine learning, big data analysis, access to threat resistance research and other features to prevent viruses and malware from infecting systems. But it goes beyond that to encompass vulnerability management, attack surface reduction, endpoint detection and response, and automatic investigation and remediation.  

New Pluton chips advance Windows security

The latest security advance to impact Windows 11 is the Microsoft Pluton security processor. It has been tested extensively in Xbox and Azure environments as a better way to store encryption keys and sensitive data within Pluton hardware integrated into the CPU, making it extremely difficult to access even if the device has been stolen. 

The first PCs with this chip have just been released, courtesy of a partnership between Lenovo, AMD and Microsoft. They harness AMD Ryzen 6000 Series processors and enable the Pluton security processor’s firmware to be updated, if necessary, through the standard Windows Update service. 

“Even if the attacker has complete physical possession of the PC, the AMD Security Processor and Pluton are designed to co-exist on AMD client silicon to ensure constant communication, which helps to eliminate an attack vector that physical attackers could exploit,” said Weston. 

Securing a reputation 

Microsoft hasn’t always had a good reputation for security. Its early systems were frequently attacked via viruses and malware. But the company has worked hard to change that. Windows 11 and its baked-in security features are a testament to that. 

“Over the past decade and after several major updates of Windows by Microsoft, there have been serious improvements and enhancements associated with security,” said Greg Schulz, an analyst with StorageIO Group. “With Windows 11 desktop and associated servers, the security and hardening of systems have gone to a new level of cyber-resiliency. This is certainly not your father’s Microsoft Windows.” 

Sources

Posted: March 13, 2022
Author
Drew Robb
View Profile

Drew Robb is a writer from the Tampa Bay Area specializing in IT and engineering.

Leave a Reply

Your email address will not be published.