Despite doubts over enterprise adoption of Microsoft's latest operating system, IT professionals must pay attention to Windows 8's features, such as its support for touch and its tile-based interface. One key question on the mind of desktop administrators is "What about Windows 8 security?"
As more IT shops consider a Windows 8 upgrade, IT managers still need to think twice before shoving the OS into their enterprises. Industry experts recommend that potential Windows 8 adopters first carefully balance expected productivity gains against operational overhead.
For many enterprises, concerns about regulatory compliance outweigh the potential productivity gains. Nowhere is that more true than for organizations bound by laws designed to protect data from fraudulent activity. Those businesses must look at Windows 8 security features.
Third-party component risks
Ian Murphy, an analyst at Creative Intellect Consulting Ltd., urged caution when moving to Windows 8. "The removal of some core components, such as a DVD player, is likely to encourage users to want third-party software on their computers," he said. "Many users will opt for free tools, which have been shown in the past to be major security issues."
More on Windows 8 security
Windows 8 must be part of any desktop vulnerability review
AppLocker and app sideloading provide IT controls for Windows 8
Microsoft tightens security in Windows 8, but IT is still wary
FAQ: Basic facts about Windows 8 and its features
Some financial organizations are also worried about potential vulnerabilities to malware and must implement controls to prevent the use of non-approved apps, said Andrew Schrage, co-owner of Money Crashers Personal Finance.
"In a test recently conducted by Bitdefender, researchers were able to infect a computer running Windows 8 with almost two-thirds of the more rampant forms of malware," Schrage said. "Even after they activated Windows Defender, they were still able to infect the test computer with more than 60 forms of malware."
There are other, less obvious Windows 8 security issues, said Dr. Nand Narain, CEO of S.V. Professional Center in New York. "Our practice uses a variety of third-party applications to support our ob-gyn, pediatrics, dental and cosmetic services -- my biggest concern with Windows 8 is how it will work with each of those specialized applications and preserve HIPAA compliance, as well as protect confidential information," he said, referring to the Health Insurance Portability and Accountability Act.
"I can see the productivity benefits offered by Windows 8, such as allowing staffers to use tablets and touchscreens to input patient data, but those benefits are for naught if they create security concerns," Narain added. "On the other hand, Windows 8's improved encryption and enhanced mobile device support, along with its ease of management, may ultimately improve security and solve some compliance issues."
Windows 8 security improvements
Schrage and Murphy agreed that Windows 8 security features have improved. "Windows 8 has something called Picture Password, a feature that recognizes a series of touch gestures as part of a password, rather than a traditional, typed-in password," Schrage said.
AppLocker was available with previous Windows versions, but the application management tool has been expanded and upgraded in Windows 8 to include a larger list of apps that can be allowed or disallowed for download. "With built-in and revamped BitLocker making it easier to encrypt and protect data, security has also improved substantially," said Murphy.
In addition, DirectAccess has been overhauled, enabling access to servers without the need for virtual private networks. "This has often been a problem for mobile users trying to get connectivity out of hotel rooms," Murphy said. When the next version of InTune ships, Microsoft will be able to manage every version of Windows 8, making policy enforcement easier and enabling enterprises to pursue bring your own device (BYOD) options, he said.
Windows 8 may offer improved performance, but admins should also think about privacy, said Nadim Kobeissi, a computer security researcher and inventor of a secure open source chat platform called Cryptocat. "I've been very impressed by how fast, well-designed, functional and capable this latest iteration of Windows is. However, my tinkering around from a security/privacy perspective has left me concerned," he said.
"Windows 8 has a feature called Windows SmartScreen, which screens every single application you try to install from the Internet in order to inform you whether it's safe to proceed with installing it or not," Kobeissi said. It might sound good in theory, he added, but "the big problem is that Windows 8 is configured to immediately tell Microsoft about every app you download and install. This is a very serious privacy problem, specifically because Microsoft is the central point of authority and data collection/retention here, and therefore becomes vulnerable to being served judicial subpoenas."
What's more, Kobeissi said, "it may be possible to intercept SmartScreen's communications to Microsoft and thus learn about every single application downloaded and installed by a target."
App testing and Windows 8 security
Narain noted that organizations should make sure application vendors approve Windows 8 to work with their products before conducting an OS migration. "I won't move to Windows 8 unless I have assurances that it will work securely with my line-of-business applications," he said.
The burden of proof is on IT pros to demonstrate that Windows 8 security features or flaws won't affect enterprise security, privacy and compliance.
This was first published in May 2013