Windows 8 Tablets: Secure enough for the Enterprise?
Tablets are all the rage these days in the consumer space, and the tablet form factor offers many advantages for business users, as well. However, many enterprises have resisted deploying them and are wary of the BYOD (Bring Your Own Device) trend that is bringing employee-owned tablets and smart phones into the workplace. Security is one of the primary concerns.
Microsoft has built Windows 8 to be a tablet-friendly operating system, much more so than any previous version of Windows. The company has also focused on including enterprise-level features in the new OS. Will Windows 8 tablets be able to break through the barriers and become the device of choice for on-the-go enterprise users? In this article, we'll look at both the obstacles and the reasons Windows 8 tablets just might be able to overcome them and take the enterprise by storm.
BYOD vs. Security
The BYOD trend is part of a larger phenomenon known as the consumerization of IT, something that I wrote about here way back in 2010. In the past, new technology innovations most often were introduced in the business environment, and then "trickled down" to home users. This was true of personal computers, local area networking, Internet access, flat screen monitors and so forth. In recent years, that pattern has reversed itself and technology that was originally designed for and first used at home by consumers has been creeping up into the business world. Prime examples are social networking services such as Facebook and Twitter. The trend also includes hardware devices: multimedia-capable, entertainment-oriented smart phones such as iPhones and Droids (as opposed to business-oriented models such as Blackberries and the old Windows Mobile) and the latest super slim multitouch tablets.
Earlier this year, my fellow Windowsecurity.com author Derek Melber wrote about BYOD from the perspectives of employees, management, helpdesk and IT, and how allowing employees to use their own laptops, tablets and phones to access the company network can become a security nightmare.
Both the risks and benefits have been discussed and debated in many venues, but it's clear at this point that BYOD is here to stay, at least for a while. In fact, according to a recent survey from Fortinet, more than half of younger workers consider bringing and using their own devices at work to be a "right" rather than a privilege. And according to statistics from the Mobility, Resources and Experts Webinar by Fiberlink, last year (2011), over 70 percent of employers were allowing employees to use personal devices at work or on the company network, and more than 50 percent of employees used tablets for both business and personal usage.
Tablets are a driving force in the BYOD trend, and BYOD has also been a catalyst for the deployment of company-owned tablets. Back in April, ZDNet predicted that tablet adoption by consumers would grow by 40 percent by 2016. A more recent report from Gartner found that 86 percent of enterprises are planning to purchase tablets in 2012 - but security is still a big concern.
Enter Windows 8
Windows-based tablets have been around for a decade. Slates and convertible laptops running Windows XP Tablet PC Edition were introduced in 2002, and Windows Vista and Windows 7 include tablet functionality in the "regular" (home, professional and ultimate) editions of the OS. Windows tablets have been adopted in some vertical markets, such as healthcare. However, in recent years there has been a trend in those markets toward the iPad, at least in part because it's lighter and thinner and more touch-friendly. Both easy portability and ease of use are important factors for healthcare workers and other business users who need to access digital information while on their feet and often while moving from one place to another.
Nonetheless, Windows tablets have always offered several advantages for business use, particularly for the IT departments that have to manage them:
- Ability to run the same application software as the organization's Windows desktop and laptop computers. This makes it easier for users (less learning curve) and easier for support personnel in troubleshooting problems.
- Pen support and handwriting recognition make it easier to perform certain tasks, since typing on a virtual keyboard is difficult to do while standing/walking, etc. For example, in the medical field
- Can be managed through the same remote management tools as other Windows computers on the network.
- Ability to join Windows domains for better security.
For most end-users, though, it wasn't enough to make thick, heavy Windows tablets an attractive alternative to the iPad, especially given the lousy battery life that most got. To compete for users, Windows tablets had to slim down and become more power efficient. To soothe the concerns of enterprise IT, they had to retain their security advantages or become even more secure.
In designing Windows 8, Microsoft focused on creating an operating system that would accomplish both of these objectives. They also realized that one size doesn't fit all and that there needed to be different options for the pure consumer model vs. the corporate model. Thus we'll have two types of tablets based on Windows 8: the ARM devices running Windows RT and the x86/x64 devices running Windows 8 Professional. The latter is best suited to security-conscious enterprise customers, so that's what we'll be talking about in this article.
Getting down to business
In a surprise move in June, Microsoft unveiled the Surface, a Windows 8/RT tablet that the company will make itself and market through its online and bricks & mortar retail stores. It will come in both editions. A lighter and thinner ARM device will compete directly with the iPad and Android tablets such as the Samsung Galaxy Tab. A slightly thicker and heavier Intel-based version will offer a full 1920 x 1080 HD display, more built-in storage (plus microSDXC for expansion), USB 3.0 and mini DisplayPort.
While analysts and commentators are divided on whether the RT version will be able to make headway against the iPad with consumers, there is a lot of excitement in the business world around the new Windows 8 tablets. Whereas Windows 8 Professional is the logical choice for corporate users, it's likely that some organizations will want to save money by deploying the less expensive Windows RT tablets in cases where directly running Windows "legacy" applications and the higher-end hardware specs aren't required.
Windows RT tablets will be able to run the Metro Remote Desktop app to connect to a Remote Desktop host (such as a Windows 8 Pro desktop or laptop) and run legacy applications that way.
Let's look at the security features of each edition.
Windows RT security features
Windows RT tablets will have the same Secure Boot technology to protect against rootkit/bootkit type malware that the "full" editions of Windows 8 will have. This verifies that the operating system has been digitally signed before loading it. It will also have a feature called Trusted Boot, which runs anti-malware software prior to loading the operating system. It will also have Windows Defender anti-malware, SmartScreen technology for spam filtering,
Windows RT tablets will also have Trusted Platform Module (TPM) chips installed and thus will be able to take advantage of "virtual smart cards". This is a new feature in Windows 8 that does away with the need for physical smart cards (which users lose or forget) and smart card reader hardware. The credential stored in the TPM emulates an RSA authentication token so that the password to access the corporate network works only with that specific machine.
The RT edition of Windows also supports device encryption to protect company information that's stored on the tablet, and instead of a regular password, which is subject to dictionary attacks or rainbow table hacks, Windows RT tablets (like all Windows 8 computers) can be configured to use picture passwords - whereby you have to touch specific areas of a photo in the right order to unlock the screen.
Internet Explorer 10, which comes in two different flavors - the Metro version that's on Windows RT and Pro, and the desktop version that's only on Pro - has security enhancements and runs each browser tab in isolation to protect other tabs if one encounters a malicious web site.
Of course, users can connect to the company network via a secure Virtual Private Network. Windows RT has a built-in VPN client and supports the popular types of VPNs: PPTP, L2TP, SSTP and IPsec. Companies can build app portals, where users see only those apps the company wants to allow them to install. In fact, because Windows RT users will basically get all their apps from Microsoft's Store (where the apps are vetted before they're made available) or their companies' portals, there is, in theory, less chance of inadvertently installing malicious code through a downloaded program than with a Windows 8 Pro device. In addition, Metro apps run in an isolated space with limited access to the OS.
Windows 8 Pro security features
So what extra security benefits do you get with a tablet that runs Windows 8 Pro in addition to the usability advantages such as digital ink support and the ability to run legacy software? You get all of the above features that come with Windows RT (except the restriction to installing only vetted Microsoft Store apps), plus:
- BitLocker and BitLocker to Go: These features use the TPM to encrypt whole volumes, including (with BtG) removable USB drives.
- Encrypting File System (EFS): The Windows 8 Pro version of the tablet lets you use the same EFS file level encryption that you use on Windows desktops and laptops to protect individual files or folders.
- Group Policy: Group Policy can be configured on Windows 8 Pro tablets to enforce standardized security policies and ensure that the tablets are configured to the organization's desired specifications.
- Domain Join: For companies, this is big because it allows administrators to control Windows tablets through the centralized management model of the Windows Active Directory; you can provide granular control over who is able to access which resources.
Microsoft has continued its efforts to beef up security in each subsequent version of Windows, and experts are saying that if security were the only factor, upgrading to Windows 8 would be a no-brainer. Of course, when we're talking about a company upgrading hundreds or even thousands of existing desktop systems, there are other considerations - such as cost and end-user training. However, for companies that haven't yet deployed tablets but are planning to do so this year, as a substantial number of organizations have indicated, the security advantages of the new Windows tablets (both the RT and Windows 8 Pro editions) over popular alternatives are likely to weigh heavily in the decision-making process.