Migrating to Security

Curtis Franklin Jr., Executive Editor | 1/2/2013 | 10 comments

Is learning an open-source activity? It might seem an odd question, but for IT professionals migrating systems in educational institutions, it's far from academic.

Since 1981, the MS-DOS/Windows ecosystem has been relatively open. Sure, Microsoft owns (and jealously guards) the core operating system, but it has always been pretty easy to write new software for MS-DOS and to build new systems around the hardware and software that make up the environment. It has become somewhat more challenging over the years (I remember when you could order an IBM PC with the BIOS listing and patch the BIOS yourself if you needed to do something truly special), but even the last decade has seen Windows occupying a point between the creative chaos of Linux and the tightly controlled realm of MacOS. With Windows 8, the spot that Windows occupies shifts considerably toward the "locked-down" end of the spectrum.

Enterprise IT managers are, in general, happy to see Windows 8 come with a much more restrictive view of the world. Applications for Windows 8 RT, for example, must come from the Windows 8 app store. No more random downloads of mobile applications for your users, for good or for ill. Even when you leave the mobile world for that of the desktop, you'll find that things are much less open than they once were.

Steven J. Vaughan-Nichols has looked at the issue of creating a system that dual-boots Windows 8 and Linux. He focuses on the heart of Windows 8 security -- Secure Boot -- and finds that it does precisely what it's supposed to do, making it impossible to load boot-time software that isn't signed with the appropriate certificates and approvals.

Now, it's easy enough to get around this by simply disabling Secure Boot entirely. Of course, doing this leaves your system insecure, and that really represents the basic issue that many IT departments are going to have with the idea of Windows and flexibility. For corporate IT departments, it's a relatively straightforward breakdown that will favor control. For education CIOs, it's considerably more complex.

The complexity of the issue in education arises partially around the grade level involved. It's very easy to say that systems for use by elementary and middle-school students should be highly restricted and kept in a locked-down state. When you get to high school, the question is somewhat more complicated (and highly dependent on the location of and subject matter taught on the system), and by the time you get to university, things get very, very complicated. For the latter group, computers in open-access labs can easily be kept locked down, but how do you deal with the systems that sit in faculty offices? How, to put a fine point on it, do you apply some sort of uniform rule over all the systems in your fleet?

One option, if you're in charge of an infrastructure that runs on Active Directory, is to disable Secure Boot and tie many of its features to permission levels set by AD roles for users and groups. It's something of a pain, but it combines flexibility and security in a system that makes sense. For those looking at Windows 8 RT (and RT Pro), though, the answer is going to be "it's locked" for some time to come. This is one of those situations that requires as much change to mindset as to infrastructure when it comes time to migrate. Now, it's time to prepare your user community for the change.
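The paragraphs above raise the practical question of how an IT department applies one rule to a mixed fleet once it is known that Secure Boot can simply be switched off in firmware. Before deciding how flexible the policy should be, an administrator first needs to know which machines currently enforce Secure Boot and which do not. The following PowerShell script is an added example, not code from the article or from any vendor; it audits Secure Boot state across computers found in Active Directory. It assumes the ActiveDirectory RSAT module on the admin workstation, PowerShell Remoting enabled on the targets, local administrator rights on them, Windows 8 or later (which is where the Confirm-SecureBootUEFI cmdlet first shipped), and an OU distinguished name that is a placeholder to be replaced.

```powershell
# Added example (not from the article): audit Secure Boot state across an AD fleet.
# Assumptions: ActiveDirectory RSAT module on this workstation, PowerShell Remoting
# enabled on targets, admin rights on targets, targets run Windows 8 or later.
Import-Module ActiveDirectory

# Placeholder OU distinguished name; replace with your own.
$searchBase = 'OU=Faculty-Workstations,DC=example,DC=edu'

# Collect candidate machine names from AD.
$computers = Get-ADComputer -Filter { OperatingSystem -like 'Windows 8*' } `
                            -SearchBase $searchBase -Properties OperatingSystem |
             Select-Object -ExpandProperty Name

# Runs on each target: report whether firmware Secure Boot is enforced.
$probe = {
    try {
        # Confirm-SecureBootUEFI throws on legacy BIOS / non-UEFI machines,
        # so that case is reported as its own state rather than as "Disabled".
        if (Confirm-SecureBootUEFI) { 'Enabled' } else { 'Disabled' }
    } catch {
        'NotUEFI'
    }
}

# Fan the probe out over the fleet; PSComputerName is attached to each result.
$results = Invoke-Command -ComputerName $computers -ScriptBlock $probe `
                          -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Computer   = $_.PSComputerName
            SecureBoot = [string]$_
        }
    }

# Machines that did not answer (offline, remoting blocked) are a finding too.
$unreachable = $computers | Where-Object { $_ -notin $results.Computer }

$results | Sort-Object SecureBoot, Computer | Format-Table -AutoSize
"Unreachable: $($unreachable -join ', ')"
```

The design choice worth noting is that the script reports three states rather than a yes/no: a machine with Secure Boot disabled is a policy exception to track, a non-UEFI machine cannot be brought into compliance at all, and an unreachable machine is unknown. Secure Boot is a firmware setting, so Group Policy cannot turn it back on; an inventory like this is what lets an education CIO decide, per OU, which exceptions are acceptable and which need a visit to the machine.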

Henrisha   Migrating to Security   1/6/2013 11:34:20 AM
Re: Little less worry
Security is the bane of many IT folks' existence. Unfortunately, it's unavoidable: it's just one thing that has to be tackled and addressed, since the consequences of just 'leaving it alone' are so dire. I agree with the move to limit app downloads as well. Downloads, in general, are the cause of many compromised machines. Best to avoid them.
Zaius   Migrating to Security   1/5/2013 12:05:10 AM
Little less worry
Security issues are one of the biggest headaches of IT people. It is good that Microsoft is not only thinking about the user interfaces, but also putting some emphasis on security. Limiting the app downloads to one store might be loathed by some, but it will ensure there is a checkpost before something can get in and it will mean less malicious stuff (and less worry for IT support).
CurtisFranklin   Migrating to Security   1/3/2013 5:26:53 PM
Re: half-measures
Sara, I think what we're getting down to is the question of whether enhanced security in Windows 8 is all about Secure Boot. While Secure Boot is certainly a key improvement (based, we must remember, on Intel functions), it's not the only thing Microsoft did to make Windows 8 a more secure operating system. I think that a company could still decide that Windows 8 is a solid step up (from a security POV) without using Secure Boot.
Sara Peters   Migrating to Security   1/3/2013 3:17:54 PM
Re: half-measures
@Curt "for companies that are trying to make up their minds it can be an intriguing halfway step." I can't argue with that. I guess they'd first have to decide if they even cared about Windows 8 or Secure Boot in the first place. There might not be much to be sacrificed.
CurtisFranklin   Migrating to Security   1/3/2013 3:13:20 PM
Re: uniformity
Sara, I think uniform policies depend almost entirely on the school. There are some that are going to try to have most of the fleet under some sort of consistent policy (with a limited number of research-related exceptions) while others have attitudes based on the wilder fringes of chaos theory. The real question is whether Windows 8 can help them out, whichever path they decide to take.
CurtisFranklin   Migrating to Security   1/3/2013 3:11:08 PM
Re: half-measures
Sara, to some extent you're right, but AD can be used to enforce some of the device-level security that companies need, including the enforcement of configuration policies. It can't, to be sure, protect against the boot-time issues that Secure Boot does, but for companies that are trying to make up their minds it can be an intriguing halfway step.
CurtisFranklin   Migrating to Security   1/3/2013 3:08:50 PM
Re: Added security...
Damien, you wrote, "...most IT folk are more concerned with function than security." I'm not sure I agree with that. I think most IT folks assume a certain base-line of functionality: Given that, the decider is security, especially in today's regulation- and litigation-heavy world.
Sara Peters   Migrating to Security   1/3/2013 2:31:27 PM
uniformity
Curt, is this even possible anymore? :) "How, to put a fine point on it, do you apply some sort of uniform rule over all the systems in your fleet?" Is there any way to set uniform security policies on an IT environment that's as diverse as a university's? Is that even desirable anymore, do you think?
Sara Peters   Migrating to Security   1/3/2013 2:28:35 PM
half-measures
Curt, this idea has definite merit: "One option, if you're in charge of an infrastructure that runs on Active Directory, is to disable Secure Boot and tie many of its features to permission levels set by AD roles for users and groups." However, Active Directory's users/group access controls can't really make up for what Secure Boot does to put access controls on the applications themselves, not just the people who use them.
Damian Romano   Migrating to Security   1/3/2013 11:31:55 AM
Added security...
Added security can definitely make preparations more difficult when migrating. Like you say, while it can be disabled for specific purposes, it nevertheless is more appropriate to have additional security than not. Though most IT folk are more concerned with function than security.


The blogs and comments posted on EnterpriseEfficiency.com do not reflect the views of TechWeb, EnterpriseEfficiency.com, or its sponsors. EnterpriseEfficiency.com, TechWeb, and its sponsors do not assume responsibility for any comments, claims, or opinions made by authors and bloggers. They are no substitute for your own research and should not be relied upon for trading or any other purpose.
