October 5 is the day of the long-expected official release of Windows 11. Let’s see what data protection news it brings. It brings a lot! Security has become a cornerstone of Microsoft’s newest creation. Moreover, it dictates Windows 11 hardware requirements that millions of fairly modern machines around the world fail to meet. Here you can read about the nature of, reasons for, and principles behind such drastic changes.
Hardware requirements and what lies behind them
A lot has been said already about the many burdensome requirements of Windows 11; How To Fix Guide previously posted an article on that. An attentive look at the requirements list won’t miss one nuance: the new standard is not about performance so much as it is about security and data protection.
The notorious Trusted Platform Module 2.0, which half of the aspiring Windows devotees lack, is built for secure cryptographic operations. That means it does not let decrypted data leave the physically protected environment, namely the cryptoprocessor itself. The TPM serves to generate keys, store them, and authenticate devices.
Red flags raised back in 2018 can explain the Windows 11 security level. That year, side-channel hardware vulnerabilities such as Meltdown and Spectre were discovered [1]. Whether or not anyone exploits those flaws in the wild, the risks for the modern world are too high. That is probably how Microsoft saw it.
Windows 11 Security Portfolio
A user must turn on these features to install Windows 11: hardware-based isolation, Secure Boot, and hypervisor-protected code integrity.
Hardware-based isolation is the above-mentioned deployment of a secure cryptoprocessor.
Secure Boot is a UEFI feature. Previously, the user could toggle it on or off at will, but it too becomes a requirement for Windows 11 security. It protects critical system software from unauthorized changes by checking digital signatures, eliminating threats that an operating system or drivers attempting to load could otherwise introduce.
As before, Microsoft stakes a lot on virtualization-based security as a reliable safety measure against some side-channel hardware vulnerabilities. Hypervisor-protected code integrity (also known as Memory Integrity) is a measure aimed at Meltdown-like flaws, which proved unexploitable when the targeted system runs inside a virtual machine. You will recall that Windows 10 failed to combine security with convenience in this matter: the 2018 Memory Integrity feature had its shortcomings, and hopefully Microsoft has improved it since then.
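As an added example (not from the original article), the following PowerShell script, run from an elevated prompt on Windows 10 or 11, reports the state of the three prerequisites above using only built-in cmdlets and WMI classes (Get-Tpm's Win32_Tpm class, Confirm-SecureBootUEFI, Win32_DeviceGuard); the function name Get-Win11SecurityReadiness is my own.

```powershell
# Added example: report the three Windows 11 security prerequisites (TPM 2.0, Secure Boot, HVCI).
# Requires an elevated PowerShell session; Confirm-SecureBootUEFI needs administrator rights.

function Get-Win11SecurityReadiness {
    $result = [ordered]@{}

    # 1. TPM 2.0: Win32_Tpm.SpecVersion reads like "2.0, 0, 1.38"; the first field is the spec version.
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    if ($null -eq $tpm) {
        $result['TPM'] = 'Not present, or disabled in firmware'
    } else {
        $spec = ($tpm.SpecVersion -split ',')[0].Trim()
        $result['TPM'] = if ($spec -eq '2.0') { 'OK (TPM 2.0)' } else { "Present, but spec $spec (2.0 required)" }
    }

    # 2. Secure Boot: the cmdlet throws PlatformNotSupportedException on legacy BIOS/CSM boot,
    #    which also fails the requirement; any other error (e.g. not elevated) is reported as such.
    try {
        $result['SecureBoot'] = if (Confirm-SecureBootUEFI) { 'OK (enabled)' } else { 'UEFI boot, but Secure Boot is off' }
    } catch [System.PlatformNotSupportedException] {
        $result['SecureBoot'] = 'Not supported (legacy BIOS boot)'
    } catch {
        $result['SecureBoot'] = "Could not query: $($_.Exception.Message)"
    }

    # 3. HVCI / Memory Integrity: Win32_DeviceGuard.SecurityServicesRunning contains 2 when HVCI
    #    is running (1 would be Credential Guard); VirtualizationBasedSecurityStatus 2 means VBS is running.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    if ($null -eq $dg) {
        $result['HVCI'] = 'Device Guard WMI class unavailable on this build'
    } else {
        $vbsRunning  = $dg.VirtualizationBasedSecurityStatus -eq 2
        $hvciRunning = $dg.SecurityServicesRunning -contains 2
        $result['HVCI'] = if ($vbsRunning -and $hvciRunning) { 'OK (Memory Integrity running)' } elseif ($vbsRunning) { 'VBS running, but HVCI not enabled' } else { 'Virtualization-based security off' }
    }

    [pscustomobject]$result
}

Get-Win11SecurityReadiness | Format-List
```

A machine that fails any of the three lines is exactly the kind of "pretty much modern" PC the article describes as locked out of the upgrade.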
The Windows 11 anti-malware software is still Windows Defender. Features like Windows Hello (passwordless, biometrics-based authentication) and BitLocker (drive encryption) go alongside it.
Microsoft claims a 60% improvement in malware protection if all the measures are on. However, it is unclear where that percentage comes from.
Zero Trust principle
Despite the audacious promotion of high-end hardware, what seems more exciting in this whole Windows 11 security epic is the philosophy behind it. Microsoft acts just as planned, fulfilling its 2021 to-do list [2]. The point is that the proverbial TPM 2.0 is a step towards the so-called zero-trust architecture, which Microsoft has set as a goal. The concept was theorized back in 2010 [3] by John Kindervag as an alternative to the so-called castle-and-moat policy. The latter means that those whom the guards let within the castle walls are beyond any suspicion. And that, according to Kindervag, has to change.
Zero trust architecture is called perimeter-less, since there is no “perimeter” to be hardened against intruders more than any other part of the network, down to individual devices.
Staying offline is impossible nowadays, and avoiding malware gets harder and harder. Therefore, critical data on servers and computers should be inherently isolated, not merely hedged off from whatever users or network administrators believe to be a threat.
The most vulnerable link of any modern network is the user’s device itself. Therefore, new systems should secure all user-machine interactions. Microsoft tries to step away from passwords and switch to biometrics-based authentication.
According to the zero-trust concept, no device trusts any other machine or human; authentication is demanded at every possible checkpoint, and access is granted to the least amount of data required to perform the task. Switching to zero trust through updates and upgrades is challenging; it pays better to build it in by design. And that is what Microsoft aims for.
Zero trust is a mindset. Just as the pandemic has forced everyone to wear masks and disinfect their hands, the swarming ocean of malware and malevolent hackers pushes everyone towards the zero trust mentality.
With all these points considered, the policy behind the stringent tech requirements becomes clear. It aims to place the new OS only on machines that can fully support the latest security features.
The requirements are themselves a piece of counter-hacker human engineering. The Verge senior editor Tom Warren made a good point on that, saying: “what Microsoft is trying to achieve here will benefit the Windows ecosystem in years to come” [4].
What could be added, besides the hope expressed that the effect of these novelties will spread even beyond?
- [1] James Sanders, article on this topic for TechRepublic (for those brave enough to delve deeper).
- [2] Joy Chik (Microsoft), “5 identity priorities for 2021—strengthening security for the hybrid work era and beyond”, Jan 28, 2021.
- [3] John Kindervag, “No More Chewy Centers: Introducing The Zero Trust Model of Information Security”, for Security and Risk Professionals.
- [4] Tom Warren, “Why Windows 11 is forcing everyone to use TPM chips”, The Verge, Jun 25, 2021.