Microsoft Looks to Enable Practical Zero-Trust Security With Windows 11

Organizations aiming to boost their security with zero-trust initiatives got some help from Microsoft this week, when the computing giant announced that a number of zero-trust features are now available in its Windows 11 operating system.

The zero-trust approach to security aims to secure worker access to sensitive systems, networks and data by using additional context, analytics and security controls. The goal is to give “the right people the right access at the right time,” Microsoft stated in the Windows 11 Security Book, a 74-page report on Windows 11’s security architecture.

The model checks a user's identity and location, as well as their device's security status, and only allows access to the appropriate resources, according to the Windows 11 Security Book. In addition, zero-trust capabilities include continuous visibility and analytics to capture threats and improve defenses.

The latest version of the operating system and software platform adds a number of features, from support for the Pluton security processor and Trusted Platform Modules (TPMs) to comprehensive features around Trusted Boot, cryptography and code signing certificates, said David Weston, vice president of enterprise and OS security at Microsoft.

“Organizations worldwide are adopting a zero-trust security model based on the premise that no person or entity anywhere can have access until security and integrity are proven,” he says. “We know our customers need modern security solutions with tightly integrated hardware and software that protect against entire classes of attacks.”

Zero-Trust Buzz gets a boost

The zero-trust concept has been kicking around for years, with technologists and government agencies first discussing it as a security approach amid the dawning realization that the network perimeter was rapidly disappearing. Then the surge in domestic demand caused by the coronavirus pandemic injected more urgency into the movement. Now, three-quarters of security decision makers (75%) believe that the rise of hybrid work creates vulnerabilities in their organization, leaving them more open to attack.

“When employees are given the freedom to choose their workplace, device, tools and/or software, it becomes a challenge to establish trust based on static attributes,” said Ben Herzberg, Chief Scientist at Satori. “As competitive pressures push companies to democratize data and release new customer value faster, employees will gain more flexibility, and zero trust will be the best approach to enable that flexibility while ensuring security.”

That said, implementing zero trust is a complex endeavor, as evidenced by the list of aspects Microsoft has now built in:

Microsoft’s Windows 11 security architecture. Source: Microsoft’s Windows 11 Security Book.

The new Windows 11 features include Smart App Control, which uses machine learning, AI modeling and Microsoft’s vast telemetry network of 43 trillion daily signals to determine whether an application is safe. Other functions also determine whether driver code and virtual machine code have signs of maliciousness. Additional improvements include credential checking in Windows Defender, password-free support with Windows Hello for Business, and protection against websites that collect credentials, the company said.

Complexity has hampered zero-trust deployment, but adding these features directly to Windows 11 makes it more likely that companies can easily implement zero-trust capabilities, Microsoft’s Weston said.

“Building in rather than screwing in makes implementing and managing zero-trust capabilities much simpler and efficient,” he says. “Besides, having these [features] directly integrated into the operating system enables Windows to deliver key metrics in hardware, increasing the confidence and validity of metrics.”

He adds, “The moment zero-trust capabilities are embedded in enterprise infrastructure, it becomes accessible to many enterprises that would otherwise struggle to access this technology. … An integrated zero-trust client environment will make the transition to employees much more flexible and internal change management simpler.”

Microsoft throwing its considerable weight behind zero trust should actually move the needle on adoption and overall security: Microsoft sees 2.5 billion endpoint queries and 80 million password attacks on a daily basis, the company said in a blog post published this week.

Zero trust is still hard

Even with the Windows 11 updates, businesses should expect zero-trust implementation to be a process. Building a zero-trust framework requires deep technical integrations, and the organizations that do it best are the ones most likely to succeed in their implementation, says Satori's Herzberg.

To start, companies should identify a group of users, devices, applications and workflows that could benefit from zero trust; create a zero-trust architecture to protect these components; and then choose and implement the right technologies, he says.

A phased rollout works because zero trust is more of a journey than a destination, says Jason Floyd, chief technology officer at Ascent Solutions.

“Zero trust was never about solving a technology problem – it’s a strategic tool that controls how to use the technology that’s already in place,” he says. “Building additional zero-trust features into Windows encourages companies to adopt a healthy security mindset, but not for the one-size-fits-all approach that some executives might expect.”

Overall, Windows 11 adds “chip-to-cloud security,” establishing trusted processes that start with firmware and extend to workloads running in the cloud, Microsoft’s publication said. This support helps zero-trust architectures by minimizing the work required to prove a user’s identity and verify system health, says Microsoft’s Weston.

“This inverts the previous paradigm of system security, where a user or device was assumed healthy until proven otherwise,” he says. “Microsoft’s view is that the zero-trust philosophy and architecture addresses many of the current and future security challenges for customers, and therefore Microsoft and most of our customers believe this will be the dominant approach to security.”

