Windows 11, currently in ‘insider’ beta use and slated for release in October, will present IT staff with a host of new security tasks. Microsoft touts its increased security features, but in reality IT administrators may need to take a number of steps to get Windows 11 fully up and running within their organizations. A key hurdle is Microsoft’s statement that upgrading from Windows 10 to Windows 11 will require an eighth generation or newer Intel processor, or an AMD Zen 2 series or newer. This announcement comes in the middle of a global chip shortage – further illuminating the fact that hardware-dependent end-user computing (EUC) is really an obsolete approach, both financially and logistically.
Another Windows 11 headache is the security requirement that a PC upgraded to Windows 11 have a Trusted Platform Module (TPM) 2.0 chip. While newer PCs already have the chip, if you’re an IT administrator managing PCs of varying ages, you face another hurdle. If an employee has a PC without the chip and wants the newest version of Windows, the module will have to be installed. Add to this remote workers using their own PCs and the idea of standardizing on this chip becomes even more complex.
Cease Windows Hardware Dependency
Improving security is an evergreen IT goal, and Microsoft’s Windows 11 is certainly another step toward securing the desktop. However, Windows can run securely off the endpoint – in the cloud – thereby freeing IT from the stress of having to update hundreds or thousands of physical endpoint devices to Windows 11, to source these mandated security processors, and at the same time, to preserve the EUC user experience at a maximum productivity level. It is not as if any employee wants PC downtime while these updates occur, even if many of us have grown accustomed to using the update interruption as an opportunity to grab a coffee or snack, run an errand, or catch up on personal chores. Windows 10 updates have already proven how disruptive this can be for end-users throughout an enterprise.
Running Windows remotely in the cloud means that no applications or data need be downloaded to the endpoint. And no more VPN connections from laptops or BYOD devices back to the office. Whether someone is in the office or at home, the desktop remains protected and managed in the cloud. Moving Windows to the cloud also enables IT to handle all the bug fixes, application compatibility issues, and security patches and updates without impacting endpoint device performance. An end-user should be able to boot up their profile at their workspace and get to their work tasks seamlessly, all the time.
This approach also frees up IT from hardware dependency at a time when chips and PCs are facing severe supply chain shortages and delays. When a major shift like Windows 11 occurs, being tethered to hardware supplies is an inherent risk to EUC functioning at the required level to support profitability and ROI, not to mention to simply keep end-users happy and productive.
Linux OS Finds More Support
The Linux operating system is a powerful weapon for eliminating hardware dependency and improving security at the endpoint. The tech community recently recognized Linux’s 30th anniversary, and happily, Linux is finding more deployment as even former holdouts like Microsoft are now advocating Linux for accessing Windows in the cloud, rather than using Windows natively on the endpoint. Microsoft is also partnering with companies to use Linux OS for delivering Azure Virtual Desktop (AVD). Linux is gaining traction because it is very difficult to manipulate and inherently resistant to viruses and other malware.
IGEL OS, which uses a Linux kernel, can run on any compatible x86-64 device and can securely provide access to cloud-delivered applications, so IT can upgrade the EUC environment without having to buy new hardware that is likely to include the related chipsets now in short supply.
The Mantra of ‘Trust’
Windows 11 is also amping up the security conversation around Zero Trust, with Microsoft saying that Windows 11 uses virtualization to produce a Zero Trust operating system that observes changes in the OS and reports them.
According to Microsoft, “Windows 11 is also secure by design, with new built-in security technologies that will add protection from the chip to the cloud, while enabling productivity and new experiences. Windows 11 provides a Zero Trust-ready operating system to protect data and access across devices. We have worked closely with our OEM and silicon partners to raise security baselines to meet the needs of the evolving threat landscape and the new hybrid work world.”
At the endpoint, end-to-end system integrity best practices also need to be applied to provide the most trusted, secure workspace. These include checking the cryptographic signature of each discrete step in the endpoint boot and workspace execution process; using access software from Citrix Workspace or VMware Horizon to check the certificate of a connected server; and implementing signed OS partitions that extend the “chain of trust” from the device processor level to workspace execution.
Getting Ahead of Security Updates
The question IT professionals need to ask themselves is: ‘do you want to manage Windows changes or do you want Windows to manage you?’ Windows 11 is currently working the bugs out with early testers and, no doubt, will offer valuable increased security. That will be an admirable achievement. However, those security improvements can occur with Windows residing in the cloud (where one might submit it belongs to dramatically ease management), supported by Linux at the endpoint, and offering a complete trust architecture at every step.
Additionally, the chip shortage will likely not be fully solved for several years. It is a cautionary tale against continuing the dependency on hardware. It will be extremely difficult to satisfy EUC users wanting the latest in Windows, given these supply chain constraints. Changing the perspective on EUC and making further use of the cloud can help to satisfy user demand not just now but in the future.