In this research note on deploying Windows 7 security features for clients, I explore in detail the security capabilities baked into Windows 7 – AppLocker, BitLocker, BitLocker To Go, the Windows Firewall, USB Port Control and so on.
One question I get from clients is whether or not to use the built-in capabilities of Windows or to use third party solutions for these capabilities.
Is security weakened by using what is built into the OS?
There’s some hype here and some reality. The hype would be that Microsoft’s own technologies couldn’t be used to protect Microsoft’s own OS. The reality is:
1) Typically, what is baked into the OS is not as capable as solutions from third party security vendors.
2) As with any security solution that runs on the platform it protects, a user with administrative credentials could potentially disable the security control. This is an issue with any platform where users have unimpeded administrative access and affects all EPP agents, not just Microsoft’s.
3) Typically, what is baked into the OS requires a separate management console which isn’t integrated into what the organization may use for the formulation of other security policy. This creates two problems.
First, there is the potential for loss of separation of duties if the operational staff supporting Windows are the ones now setting security policy. Separating the formation of security policy from the operational management of the enforcement points prevents conflicts of interest and reduces the chance for an insider attack. This is frequently an area that auditors will focus on.
Second, the introduction of another console for security professionals to set security policy increases the chance for misconfiguration and mistakes.
The real benefit in having Microsoft include security capabilities into its platform has been in keeping the pricing for security capabilities rational for everyone. I’ve seen pricing for Endpoint Protection Platforms (firewall, antivirus, antispyware and some HIPS capabilities) drop by more than 1/2 in the past three years. Microsoft is at least a factor in this drop.
How does this pertain to virtualization security?
As I have talked about in my research on virtualization and security and in this recent research note for clients on VMware’s recent vShield line of offerings, we’ll see a similar evolution in virtualized data centers. Yes, more capable solutions will be available from third party security vendors. And, while separation of duties can be maintained by using role-based access control to vShield Manager, I’d rather see a consistent way to manage policy across physical and virtual environments – which is an area VMware won’t go into (just like Microsoft doesn’t make security products for the Mac).
So what will be the impact? I expect that just like some third party EPP vendors manage the Microsoft firewall and some third party encryption products manage BitLocker, some third party security vendors will manage VMware’s offerings, helping to deliver a consistent policy management interface. Just like Microsoft’s security offerings have been a factor in pricing, I expect that VMware’s offerings will help to keep pricing rational for virtualized security for all of us. Finally, VMware’s offerings will likely accelerate physical appliance-based security vendors into more rapidly addressing the needs for security in virtualized data centers and evolving these to support the need for security in private cloud architectures (which I talk about in detail for clients in this research note).