Migrating to Security

Curtis Franklin Jr., Executive Editor | 1/2/2013 | 10 comments

Curtis Franklin Jr.
Is learning an open-source activity? It might seem an odd question, but for IT professionals migrating systems in educational institutions, it's far from academic.

Since 1981, the MS-DOS/Windows ecosystem has been relatively open. Sure, Microsoft owns (and jealously guards) the core operating system, but it has always been pretty easy to write new software for MS-DOS and to build new systems around the hardware and software that make up the environment. It has become somewhat more challenging over the years (I remember when you could order an IBM PC with the BIOS listing and patch the BIOS yourself if you needed to do something truly special), but even the last decade has seen Windows occupying a point between the creative chaos of Linux and the tightly controlled realm of MacOS. With Windows 8, the spot that Windows occupies shifts considerably toward the "locked-down" end of the spectrum.

Enterprise IT managers are, in general, happy to see Windows 8 come with a much more restrictive view of the world. Applications for Windows 8 RT, for example, must come from the Windows 8 app store. No more random downloads of mobile applications for your users, for good or for ill. Even when you leave the mobile world for that of the desktop, you'll find that things are much less open than they once were.

Steven J. Vaughan-Nichols has looked at the issue of creating a system that dual-boots Windows 8 and Linux. He focuses on the heart of Windows 8 security -- Secure Boot -- and finds that it does precisely what it's supposed to do, making it impossible to load software that doesn't have all the appropriate certificates and approvals.

Now, it's easy enough to get around this by simply disabling Secure Boot entirely. Of course, doing this leaves your system insecure, and that really represents the basic issue that many IT departments are going to have with the idea of Windows and flexibility. For corporate IT departments, it's a relatively straightforward breakdown that will favor control. For education CIOs, it's considerably more complex.

The complexity of the issue in education arises partially around the grade level involved. It's very easy to say that systems for use by elementary and middle-school students should be highly restricted and kept in a locked-down state. When you get to high school, the question is somewhat more complicated (and highly dependent on the location of and subject matter taught on the system), and by the time you get to university, things get very, very complicated. For the latter group, computers in open-access labs can easily be kept locked down, but how do you deal with the systems that sit in faculty offices? How, to put a fine point on it, do you apply some sort of uniform rule over all the systems in your fleet?

One option, if you're in charge of an infrastructure that runs on Active Directory, is to disable Secure Boot and tie many of its features to permission levels set by AD roles for users and groups. It's something of a pain, but it combines flexibility and security in a system that makes sense. For those looking at Windows 8 RT (and RT Pro), though, the answer is going to be "it's locked" for some time to come. This is one of those situations that requires as much change to mindset as to infrastructure when it comes time to migrate. Now, it's time to prepare your user community for the change.

View Comments: Newest First | Oldest First | Threaded View
Henrisha   Migrating to Security   1/6/2013 11:34:20 AM
Re: Little less worry
Security is the bane of many IT folks' existence. Unfortunately, it's unavoidable: it's just one thing that has to be tackled and addressed, since the consequences of just 'leaving it alone' are so dire. I agree with the move to limit app downloads as well. Downloads, in general, are the cause of many compromised machines. Best to avoid them.
Zaius   Migrating to Security   1/5/2013 12:05:10 AM
Little less worry
Security issues are one of the biggest headaches of IT people. It is good that Microsoft is not only thinking abou the user interfaces, but also putting some emphasis on security. Limiting the app downloads to one store might be loathed by some, but it will ensure there is a checkpost before something can get in and it will mean less malicious stuff (and less worry for IT support).
CurtisFranklin   Migrating to Security   1/3/2013 5:26:53 PM
Re: half-measures
Sara, I think what we're getting down to is the question of whether enhanced security in Windows 8 is all about Secure Boot. While Secure Boot is certainly a key improvement (based, we must remember, on Intel functions), it's not the only thing Microsoft did to make Windows 8 a more secure operating system. I think that a company could still decide that Windows 8 is a solid step up (from a security POV) without using Secure Boot.
Sara Peters   Migrating to Security   1/3/2013 3:17:54 PM
Re: half-measures
@Curt  "for companies that are trying to make up their minds if can be an intriguing halfway step."  I can't argue with that. I guess they'd first have to decide if they even cared about Windows 8 or Secure Boot in the first place. There might not be much to be sacrificed.
CurtisFranklin   Migrating to Security   1/3/2013 3:13:20 PM
Re: uniformity
Sara, I think uniform policies depend almost entirely on the school. There are some that are going to try to have most of the fleet under some sort of consistent policy (with a limited number of research-related exceptions) while others have attitudes based on the wilder fringes of chaos theory. The real question is whether Windows 8 can help them out, whichever path they decide to take.
CurtisFranklin   Migrating to Security   1/3/2013 3:11:08 PM
Re: half-measures
Sara, to some extent you're right, but AD can be used to enforce some of the device-level security that companies need, including the enforcement of configuration policies. It can't, to be sure, protect against the boot-time issues that Secure Boot does, but for companies that are trying to make up their minds if can be an intriguing halfway step.
CurtisFranklin   Migrating to Security   1/3/2013 3:08:50 PM
Re: Added security...
Damien, you wrote, "...most IT folk are more concerned with function than security." I'm not sure I agree with that. I think most IT folks assume a certain base-line of functionality: Given that, the decider is security, especially in today's regulation- and litigation-heavy world.
Sara Peters   Migrating to Security   1/3/2013 2:31:27 PM
uniformity
Curt, is this even possible anymore?  :)  "How, to put a fine point on it, do you apply some sort of uniform rule over all the systems in your fleet?"  Is there any way to set uniform security policies on an IT environment that's as diverse as a university's? Is that even desirable anymore, do you think?
Sara Peters   Migrating to Security   1/3/2013 2:28:35 PM
half-measures
Curt, this idea has definite merit:  "One option, if you're in charge of an infrastructure that runs on Active Directory, is to disable Secure Boot and tie many of its features to permission levels set by AD roles for users and groups."  However, Active Directory's users/group access controls can't really make up for what Secure Boot does to put access controls on the applications themselves, not just the people who use them.
Damian Romano   Migrating to Security   1/3/2013 11:31:55 AM
Added security...
Added security can definitly make preparations more difficult when migrating. Like you say, while it can be disabled for specific purposes, it neverthless is more appropriate to have additional security than not. Though most IT folk are more concerned with function thatn security.


The blogs and comments posted on EnterpriseEfficiency.com do not reflect the views of TechWeb, EnterpriseEfficiency.com, or its sponsors. EnterpriseEfficiency.com, TechWeb, and its sponsors do not assume responsibility for any comments, claims, or opinions made by authors and bloggers. They are no substitute for your own research and should not be relied upon for trading or any other purpose.

More Blogs from Curtis Franklin Jr.
Curtis Franklin Jr.   4/18/2014   10 comments
When a difficult problem rears its head, modern business has a reliable response: Start a contest.
Curtis Franklin Jr.   4/11/2014   18 comments
In 1960, Carroll Shelby was told he had two years to live. He spent the next 50 years making the most of that two-year sentence.
Curtis Franklin Jr.   4/8/2014   16 comments
Speed. It's what every user and every enterprise wants from IT. And it's what we're talking about this week on E2 Radio.
Curtis Franklin Jr.   3/28/2014   25 comments
It took Microsoft CEO Satya Nadella about two months to put his mark on the company. And his first mark could completely change enterprise IT.
Curtis Franklin Jr.   3/27/2014   2 comments
Interop 2014 takes place in Las Vegas March 31 through April 4, and Enterprise Efficiency will be there to bring all the excitement to our community members who can't make it to the annual ...
Latest Blogs
Larry Bonfante   4/9/2014   7 comments
When every capital expenditure is put under a microscope, it's harder than ever to continue to make the necessary investments in refreshing the technology our companies need to compete in ...
Brien Posey   3/4/2014   6 comments
Right now there seems to be a mild sense of anxiety among healthcare providers regarding the impending deadline to make the transition to ICD-10 coding. Not only are there operational ...
Michael Hugos   2/19/2014   21 comments
If you are a CIO who wants to ensure your place in the organization, a good place to start is with the CMO. That is because the CMO is most likely the C-suite executive under the most ...
Brian Moore   2/10/2014   56 comments
Ease of use matters when you are slaying dragons.
Brien Posey   1/7/2014   22 comments
If 2013 was the year of BYOD (bring-your-own-device), then 2014 could easily be the year of CYOD.
SPONSORED BY DELL AND MICROSOFT