Double down on Security with Windows 10 and Surface

By: Richard Warren – Surface Technical GBB, Microsoft Surface – Guest Blogger

It’s perhaps not surprising that we are seeing more and more customers choosing Surface devices.

At a time in which many of us are either working from home or working on the move, it makes sense to invest in transportable, transformable devices that can be used for a wide variety of tasks.

What we don’t often talk about when discussing Surface, however, are its advanced security features, designed to protect devices and data from invisible cyber threats, no matter where or how the user might be working. And now, while criminals are taking advantage of global uncertainty, security couldn’t be more important.

Surface devices, when combined with Windows 10, provide a great example of what a truly secure PC should look like.

In fact, we think this combination sets a new, higher standard for the industry. So, what does modern PC security really look like? Well, it begins in the hardware itself.

Secure From Chip to Cloud

All devices with Windows 10 installed are protected by market-leading security, but Surface doubles down on these capabilities. From the moment the device is first switched on, Surface is protected by a suite of advanced features, embedded within the hardware itself.

Ensuring a Clean Start-up

Surface devices follow a chain of trust throughout the boot process, validating each hardware and software component as it starts up. We call this Secure Boot.

This chain is rooted in OEM certificates that are burned into the device during manufacture. Before it is loaded, each component has its integrity checked against digital certificates held in the Trusted Platform Module (TPM 2.0), meaning that only code that is signed, measured and correctly implemented can be executed on a Surface device.

Now, Secure Boot is a Windows 10 feature, so it can be used on devices from other manufacturers. But thanks to the physical TPM and our own Unified Extensible Firmware Interface (UEFI), Surface boots with tighter security than most other devices.

The Microsoft UEFI, which replaces the basic BIOS on Surface computers, enables a large part of the security architecture for Surface devices, including Secure Boot and hardware management. It provides a bridge between a computer’s firmware and its operating system, making it crucial to Surface security.

At Microsoft, we design, create and build our own UEFI for Surface devices, allowing us to implement better security and also react very quickly to changing circumstances. This also has the added benefit of providing a single point of contact for all firmware drivers and updates, further protecting users from nefarious software while also unlocking faster set-up.

Most IT professionals will be familiar with BitLocker, used to encrypt drives and protect data from theft, loss and unauthorised access. But did you know that BitLocker provides the most protection when used with the Surface’s TPM 2.0? This hardware component works with the BitLocker software to protect the device from tampering while the system is offline.

The solid foundations of the UEFI, Secure Boot and BitLocker all work seamlessly together to protect users and data, even while the device is not in use. Surface security thus provides an added layer of assurance for businesses that may regularly upgrade and decommission devices.
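If you want to confirm that the three foundations just described are actually in force on a given Windows 10 machine rather than take it on trust, the following PowerShell snippet is an added example (not part of the original post, and not a Microsoft or Surface tool). It uses the built-in `Confirm-SecureBootUEFI`, `Get-Tpm`, `Get-BitLockerVolume` cmdlets and the documented `Win32_Tpm` WMI class; it assumes an elevated prompt on a UEFI-based Windows 10 device with those modules present, and the `$report` layout is simply my own choice.

```powershell
# Added example: report the Secure Boot / TPM / BitLocker posture of this device.
# Run from an elevated PowerShell prompt on Windows 10.
$report = [ordered]@{}

# Secure Boot: Confirm-SecureBootUEFI returns $true when the firmware has Secure Boot enabled.
try {
    $report['SecureBoot'] = Confirm-SecureBootUEFI
} catch {
    # Thrown on legacy-BIOS systems, or when the cmdlet is not run elevated.
    $report['SecureBoot'] = "Unknown ($($_.Exception.Message))"
}

# TPM presence and readiness from Get-Tpm; the spec version comes from the
# Win32_Tpm WMI class (SpecVersion begins with "2.0" on a TPM 2.0 part).
$tpm = Get-Tpm
$report['TpmPresent'] = $tpm.TpmPresent
$report['TpmReady']   = $tpm.TpmReady
$tpmWmi = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                          -ClassName Win32_Tpm -ErrorAction SilentlyContinue
$report['TpmSpecVersion'] = if ($tpmWmi) { $tpmWmi.SpecVersion } else { 'Unknown' }

# BitLocker on the OS volume: encryption should be complete, protection should be on,
# and a TPM-based key protector should exist so the drive is bound to this device's TPM.
$osVol = Get-BitLockerVolume -MountPoint $env:SystemDrive
$report['BitLockerVolumeStatus'] = $osVol.VolumeStatus      # e.g. FullyEncrypted
$report['BitLockerProtection']   = $osVol.ProtectionStatus  # On / Off
$report['BitLockerTpmProtector'] = [bool]($osVol.KeyProtector |
    Where-Object { $_.KeyProtectorType -like 'Tpm*' })      # Tpm, TpmPin, TpmStartupKey...

[pscustomobject]$report | Format-List
```

A device matching the description above shows `SecureBoot` as `True`, a present and ready TPM with a `2.0` spec version, and an OS volume that is fully encrypted, protected, and carrying a TPM-type key protector. Anything else (protection suspended, a password-only protector, Secure Boot off) is worth a closer look before the device is trusted with business data.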

Say Hello to secure …

We know that, today, authentication shouldn’t just come down to a memorised password. As the saying goes, a truly secure system will require “something you know, something you own and something you are” to authenticate.

Surface and Windows 10 make it easy to provide “something you are”. With Windows Hello, users can log in securely using facial recognition.

Surface devices are built with the only cameras specifically designed for Windows Hello. And because the in-built TPM cannot be unlocked until this biometric authentication has taken place, devices and data can remain protected even if physically stolen from the user.

But on top of all of that, we have also implemented security features across a range of software, apps and cloud services.

Windows Defender Advanced Threat Protection, for example, provides evergreen, constantly updated malware protection for the enterprise, as well as digital forensics to help identify the root cause of a security issue. Because these agents run in a separate memory space, there is less risk of Defender itself becoming compromised.

This separate, hardware-based memory space is something like an “OS within your OS”, serving to protect critical components, even if the main system is threatened.
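The “OS within your OS” is Windows’ virtualization-based security (VBS), and whether it is running is something you can check rather than assume. The snippet below is an added example (not part of the original post, and not a Microsoft tool): it reads the documented `Win32_DeviceGuard` WMI class and the built-in `Get-MpComputerStatus` cmdlet. It assumes an elevated prompt on Windows 10 with Microsoft Defender Antivirus installed; the friendly labels for the numeric status values are my own, taken from the class documentation.

```powershell
# Added example: is the hardware-isolated environment (VBS) running, what is running
# inside it, and is Defender's protection actually on and up to date?
# Run from an elevated PowerShell prompt on Windows 10.

# Win32_DeviceGuard: VirtualizationBasedSecurityStatus is 0 = not enabled,
# 1 = enabled but not running, 2 = running. SecurityServicesRunning lists the
# services hosted inside the isolated environment.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

$vbsState = switch ($dg.VirtualizationBasedSecurityStatus) {
    0       { 'Not enabled' }
    1       { 'Enabled, not running' }
    2       { 'Running' }
    default { "Unknown ($($dg.VirtualizationBasedSecurityStatus))" }
}

# Documented service codes for SecurityServicesRunning.
$serviceNames = @{
    1 = 'CredentialGuard'            # credentials isolated from the main OS
    2 = 'HVCI'                       # hypervisor-protected code integrity (memory integrity)
    3 = 'SystemGuardSecureLaunch'
    4 = 'SmmFirmwareMeasurement'
}
$running = @($dg.SecurityServicesRunning | ForEach-Object {
    if ($serviceNames.ContainsKey([int]$_)) { $serviceNames[[int]$_] } else { "Service$_" }
})

# Defender status: engine running, real-time protection on, signatures fresh,
# and tamper protection stopping local changes to those settings.
$mp = Get-MpComputerStatus

[pscustomobject]@{
    VbsState                = $vbsState
    IsolatedServicesRunning = if ($running.Count) { $running -join ', ' } else { 'None' }
    DefenderServiceEnabled  = $mp.AMServiceEnabled
    RealTimeProtection      = $mp.RealTimeProtectionEnabled
    SignatureAgeDays        = $mp.AntivirusSignatureAge
    TamperProtection        = $mp.IsTamperProtected
} | Format-List
```

On a device where the isolation described above is doing its job, `VbsState` reads `Running` and `IsolatedServicesRunning` includes at least `HVCI`; `Enabled, not running` usually means a prerequisite (Secure Boot, virtualization extensions in firmware) is missing, which ties back to the boot-chain checks earlier in this post.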

… And say goodbye, the right way

Security doesn’t end when a device reaches the end of its life. Whether it is re-allocated or removed from a business, IT professionals need to ensure that devices are decommissioned securely. You don’t want to leave important information on a forgotten device that anyone could pick up, after all.

With Microsoft Intune, it is possible to remotely wipe a device or force it to reset, no matter whose hands it might be in. This ensures that Surface devices can be securely re-allocated and protected should they go missing.

Protect what’s important

It should go without saying that information security is more important than ever. With data and devices now the lifeblood of so many businesses and industries, we can’t let our guard down.

That’s why we built our latest Surface devices with layers of intricate, powerful security. What you’ve just read only represents a small part of the finely-tuned protection that comes standard with Surface and Windows 10.

So, take a moment to consider your own hardware and software security mix. Is it robust enough to protect your business and your customers from existing and emerging threats? Are you able to prevent data from falling into the wrong hands, even if devices are stolen?

If you feel as if you could be vulnerable, it could be time to consider an upgrade. Make sure you’re secure from chip to cloud with Microsoft.