Apr 15 2016

Fujitsu and Microsoft: Partners for Device Security


Like every version of Microsoft's prominent desktop OS, Windows 10 comes with a number of security enhancements designed to protect data, systems, networks and users from attack schemes. Typically, these mechanisms work pretty well – but they still leave room for improvement for security-aware users working in sensitive fields or with sensitive data. In such use cases, Fujitsu's Workplace Protect solution offers the required extra layer of defense.

Microsoft has taken numerous measures to improve the security level of its products. Over the past ten years the company not only established a coding framework that helps developers write software that's much more complicated to exploit, but also integrated more and more protection mechanisms into the general OS in an effort to prevent end users from turning their systems into virus catapults. Not all of these measures were very popular, but on the whole, they proved to be so effective that today even security experts have a hard time finding major vulnerabilities in finished editions of Microsoft Windows. In short, the software nowadays is 'secure enough' out of the box for many usage scenarios – but that doesn't mean Microsoft or its partners in the hardware industry can rest on their laurels. Security mechanisms must be in continuous development.

Windows 10 Security
In October 2015, Microsoft released a comprehensive overview of the "most important" security improvements included with Windows 10 via the TechNet channel. Most of them fall into one of three categories: identity and access control features, information protection (e.g. encryption), and malware resistance. Identity and access control features serve as a fundamental layer for all other enhancements and thus form the basis for this article.

According to Microsoft, three steps or "components" are mandatory for preventing security breaches: identification, authentication, and authorization. IT departments will usually only grant access to users who can prove their identity and have the necessary access rights to read files and documents, upload information or alter content. Such rigid admission controls are easy to implement in theory, but in practice, it's not quite as simple, especially in corporate environments where flexibility is needed to reflect varying access/authorization levels. To achieve this, the Windows 10 developers rebuilt the authentication process with a special focus on biometrics, in order to replace today's rather awkward login methods with mechanisms that are both smoother and more secure in the medium and long term. Their efforts resulted in two new technologies – Windows Hello, which is the visible sign-in system, and Microsoft Passport, which provides the underlying infrastructure required to make this system work.

  • Windows Hello offers considerably higher protection levels, due to hardware improvements and a refined architecture. Biometric data used for authentication is stored in encrypted form on the local device only. As a result, it's pointless for attackers to search for a centralized password database.
  • From an administrator's perspective, Windows Hello and Microsoft Passport are the base for multiple layers of security.
  • From a user's perspective, Windows Hello and Microsoft Passport provide an almost natural way of signing into devices and networks that practically becomes invisible after the initial setup. Once authenticated, users automatically get access to the data and applications they need to work with. What's more, these features relieve them from classical password plights, such as making up and memorizing weak passwords or passphrases.

Windows Hello and Microsoft Passport perform well in any office environment. But today's companies also process large sets of valuable and confidential data outside of those environments – for example, customer databases, price lists, tax records, or patents – that must be protected at all cost. In all of these cases, it is useful to have an extra line of defense that makes devices, networks and thereby data security much harder to compromise. This is where FUJITSU Workplace Protect and FUJITSU Workplace Manager offer an additional layer of security.

FUJITSU Workplace Protect and Workplace Manager
Workplace Protect was designed to help users protect their 'personal' Windows working environment, whereas Workplace Manager allows administrators to centrally manage the security settings of several hundred clients.

The key objective of Workplace Protect is to block unauthorized users from Windows devices, thus preventing misuse of confidential data. To achieve this, Workplace Protect utilizes so-called palm vein technology (PalmSecure™) alongside other security mechanisms.

Using near-infrared light to scan an individual's palm vein pattern is the most secure method of biometric authentication. It is extremely hard, if not impossible, to steal or forge. Palm veins produce a complex pattern that exists inside the body. To be read, veins must actively have blood flowing through them. The high concentration of veins in the palm improves the accuracy of matches. A person's palm vein pattern is unique and remains the same throughout their entire lifetime. It is different in the left and right hands. Even twins have different patterns. Palm vein recognition is also very user-friendly. The palm is rarely covered, and authentication is fast and contactless. This is more hygienic and less invasive, creating high user acceptance. Palm vein patterns are permanent, complex, hidden and ever-present biometrics. As a result, the technology's 'false positive' rate – i.e. the chance that it will accept an unauthorized person – is around 0.00001%. This makes palm vein recognition the most effective form of authentication available today.

Fig. 1: Contactless reader used in PalmSecure ID Match

Workplace Protect optionally features Pre-boot Authentication (PBA), a mechanism to confirm a user's ID and specific access rights prior to running any login routines, effectively adding another protection layer. Third-party PBA solutions are typically implemented between the BIOS and OS level, but on selected Fujitsu Client Computing Devices, this is implemented at the BIOS level. Users can choose between the following PBA-based authentication methods offering different protection levels (from high to low): PalmSecure™, classic SmartCard/PIN combinations (SystemLock), and fingerprint readers. Additionally, user authentication may be implemented at the OS level using the same methods as described above; this functionality can be further enhanced by using RFID cards or Face Recognition. Fingerprint and PalmSecure™ templates can be stored on SmartCards, thus enabling two-factor authentication for OS login. These authentication methods ensure that only authorized users can access confidential information. What's more, ID verification at BIOS level may also serve as a single sign-on process for company networks and Windows domains.

To further improve security, Workplace Protect can also store login details, e.g. for web pages, in encrypted files protected with biometrics, SmartCards or passwords on the hard disk (Password Safe) and set up Encrypted Containers, i.e. virtual drives for storing classified information; both encryption processes use 256-bit AES encryption for maximum safety. Other key features include the ability to shut down the device as soon as a SmartCard is removed or the user leaves the desk. Workplace Protect also supports Windows roaming profiles for mobile workers by storing their individual biometric data on a SmartCard.

Workplace Manager enables administrators to centrally and remotely control the security settings of all devices within small and midsize Windows domains spanning up to 1,500 users. Its intuitive GUI and comprehensive automation options include functions for importing device and user IDs from Active Directory and storing the relevant settings in an MS SQL database. It offers all the required capabilities to facilitate a smooth, fast and centralized implementation of company-wide or site-specific security policies. This includes configuration and management of PBA, acceptable authentication methods, and password deployment, among others.

Conclusion
End-user devices like desktops and notebooks are still relevant targets for a variety of security breaches. That's why Microsoft and Fujitsu constantly improve device security. With Windows Hello and Microsoft Passport, users enter the sphere of biometric authentication. Workplace Protect and Workplace Manager add the 'extra layer' of security that is needed to build secure authentication processes for organizations of all sizes.

Bernd Germandi

Thomas Bayer


About the Author:

Bernd Germandi

Senior Product Marketing Manager, Fujitsu

About the second Author:

Thomas Bayer

Senior Product Manager – Security and Manageability, Fujitsu


Comments on this article

Thank you!
June 28, 2016, 10:39 GHahn
Thank you for a very helpful article. I learned a lot from it about the inner workings of WP Protect and WP Manager, and have therefore recommended it to my clients. There's only one small problem left - many would like to learn more about MS Passport and Windows Hello, in order to find out whether the built-in security mechanisms are enough or if they need to go with Fujitsu's package. Could you perhaps add a couple more details or probably recommend additional sources? Thank you very much in advance!