This Week, "Operating System as a Service, part 2"

In part one, we learned how Windows evolved into a very connected operating system, and the items Microsoft collects through its various services were explained in detail. While Microsoft's privacy agreements may be accurate when looking at any single service, such as a Windows 10 registration, an Xbox Live account, or an Outlook.com mail account, taken in combination they give Microsoft access to a great deal of information, far beyond an anonymous user or machine ID. While this guidance will evolve as information becomes available, we will attempt to define how to protect information when using Windows 10, how to define policies, and how to audit compliance.

[Image: Bill Gates presenting at the Windows 95 launch, August 24, 1995; sourced from http://windows.microsoft.com and http://microsoft.com]

 

About SafeView

The SafeView Research Report is intended to give you a snapshot of technology risk management issues. SafeView is a reliable source for automated risk, threat and vulnerability data, and advisory services to help you mitigate and remediate issues.

[Image: quotation attributed to the Dalai Lama; sourced from http://quotes.lifehack.org]

Lack of transparency

The scope and detail of the information harvested from a Windows 10 user is not clearly disclosed by Microsoft. While individuals may have privacy concerns for personal reasons, businesses that deal in financial, medical, legal and consumer sales are governed by state and federal regulatory requirements and by obligations to stockholders. Failure to comply may be met with civil and punitive penalties.

From the previous post, we see that Microsoft is collecting a great deal of information which, in combination, could be defined as PII (personally identifiable information). If Microsoft cannot clearly disclose the depth and breadth of its data collection, users representing a business or professional services entity must take a pessimistic view when implementing Windows 10 within such business environments.

Now what?

From Wikipedia . . .

Malware, short for malicious software, is any software used to disrupt computer operations, gather sensitive information, gain access to private computer systems, or display unwanted advertising.

The malware is delivered through seemingly useful, desirable software, in this case a "free" Windows 10 upgrade. (Recent "critical" upgrades to Windows 7 and 8.x grant Microsoft similar surveillance capabilities on those platforms.) Based on what we have learned, it may be reasonable to treat Microsoft Windows 7, 8.x and 10 as malware. While this is new for a core operating system, it may not be the last one to be classified as such.

Typical malware behaviours:

  • Data theft, including for industrial espionage
      ◦ User passwords or payment card information
      ◦ User personally identifiable information
      ◦ Trade secrets
  • Spying, surveillance or stalking
      ◦ Keystroke logging
      ◦ Watching the user's screen
      ◦ Viewing the user's webcam
      ◦ Controlling the computer system remotely

The following sections cover the immediate, tactical and strategic steps that can be taken to carry out business and enterprise operations involving secure, privileged, classified and sensitive personal information.

Immediate

What kind of information is accessed by your Windows 7, 8.x and 10 computers? Is the information private? Does the information belong to someone else, such as clients, the business, or patients? Would the information on the computer allow someone to personally identify the user, or another party whose information is being accessed with permission?

  • Are you in a business where your information is confidential?
  • Are you in the medical field, potentially a HIPAA covered entity?
  • Are you a law firm, or are there legal operations being handled?

Define an information classification policy. For each piece of information managed, identify its criticality, its secrecy, its privacy, and the regulatory governance that applies to it, along with any commitments specific to information handled on behalf of the business or a third party.

Classify what information is permitted to be accessed by each computer system within the environment.

Determine the version of Windows installed. Go to Control Panel, then System.

[Image: Windows 10 Control Panel]

Within System, check the Windows edition shown at the top.

[Image: system details, showing Control Panel > System > Windows 10 Enterprise 2015 LTSB]

For Windows 10, you can see the settings here.

Windows as a service

  • Home and Pro offer the least user control. There is little ability to remove content installed on the computer.
  • Enterprise offers Group Policy Manager (gpedit.msc), which allows a user to restrict use of the store and Edge browser. It also allows more granular control of the user interface and what applications can run.
  • LTSB extends Enterprise by allowing selective installation of upgrades.

License the version of Windows appropriate for your use. If you use Windows 10 at home to access the internet, play games and read email, any version is likely ideal. If you use Windows 10 for business, understand the level of control afforded at each level, and license the appropriate version for your use.
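The steps above amount to an audit: know what class of information each computer is permitted to access, know which Windows edition it runs, and check that the edition gives the control that class needs. The PowerShell script below is an added example, not code from the original post or from Microsoft. It reads the same edition and build facts that Control Panel > System shows, maps the edition onto the three control tiers described above, and reports every computer whose permitted classification is not matched by its edition. The computer names, the classification table, and the rule that Confidential and Regulated data require the Enterprise or LTSB tier are constructed assumptions for illustration; the registry path, value names and the EnterpriseS edition id for LTSB are real.

```powershell
# Added example, not code from the original post. Inventories the Windows
# edition of each computer (the same facts Control Panel > System shows) and
# checks it against the classification of information that computer is
# permitted to access. Computer names, the policy table and the tier rule
# are constructed assumptions for illustration.

# Constructed policy: the highest class of information each computer may access.
$PermittedClassification = @{
    'FRONTDESK-01' = 'Public'
    'BILLING-02'   = 'Regulated'     # e.g. payment card or patient data
    'LEGAL-03'     = 'Confidential'
}

# Classes for which the post's Enterprise/LTSB level of control is expected (assumption).
$ControlledClasses = @('Confidential', 'Regulated')

function Get-WindowsEditionInfo {
    # Reads edition and build from the registry; remote machines are queried
    # through PowerShell remoting (WinRM must be enabled on the target).
    param([string]$ComputerName = $env:COMPUTERNAME)

    $script = {
        $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
        $p = Get-ItemProperty -Path $key
        [pscustomobject]@{
            ProductName  = $p.ProductName    # e.g. "Windows 10 Enterprise 2015 LTSB"
            EditionID    = $p.EditionID      # e.g. Core, Professional, Enterprise, EnterpriseS
            CurrentBuild = $p.CurrentBuild
            # ReleaseId is absent on the first Windows 10 release, which includes 2015 LTSB
            ReleaseId    = if ($null -ne $p.PSObject.Properties['ReleaseId']) { $p.ReleaseId } else { 'n/a' }
            # Presence of the Local Group Policy Editor is checked rather than assumed
            HasGpedit    = Test-Path -Path (Join-Path $env:windir 'System32\gpedit.msc')
        }
    }

    if ($ComputerName -eq $env:COMPUTERNAME) {
        & $script
    } else {
        Invoke-Command -ComputerName $ComputerName -ScriptBlock $script -ErrorAction Stop
    }
}

function Get-ControlTier {
    # Maps EditionID onto the three tiers the post describes: Home/Pro, Enterprise, LTSB.
    param([string]$EditionID)
    switch -Regex ($EditionID) {
        '^EnterpriseS'  { return 'LTSB' }        # LTSB builds carry the EnterpriseS edition id
        '^Enterprise'   { return 'Enterprise' }
        '^Professional' { return 'Pro' }
        '^Core'         { return 'Home' }
        default         { return 'Unknown' }
    }
}

function Test-EditionAgainstPolicy {
    # One row per computer; Finding is 'OK' or the reason the computer needs attention.
    param([hashtable]$Policy, [string[]]$ControlledClasses)

    foreach ($name in ($Policy.Keys | Sort-Object)) {
        $class = $Policy[$name]
        try {
            $info    = Get-WindowsEditionInfo -ComputerName $name
            $tier    = Get-ControlTier -EditionID $info.EditionID
            $edition = "$($info.ProductName) (build $($info.CurrentBuild))"
            $finding = 'OK'
            if ($ControlledClasses -contains $class) {
                if ($tier -notin @('Enterprise', 'LTSB')) {
                    $finding = "permitted $class data but runs a $tier edition; relicense or restrict access"
                } elseif (-not $info.HasGpedit) {
                    $finding = 'gpedit.msc not found; policy control unavailable'
                }
            }
        } catch {
            $tier    = 'Unknown'
            $edition = 'not inventoried'
            $finding = "unreachable: $($_.Exception.Message)"
        }
        [pscustomobject]@{
            Computer       = $name
            Classification = $class
            Edition        = $edition
            Tier           = $tier
            Finding        = $finding
        }
    }
}

# Run the audit and show the result as a table.
Test-EditionAgainstPolicy -Policy $PermittedClassification -ControlledClasses $ControlledClasses |
    Format-Table -AutoSize
```

Run it from an elevated PowerShell session on a machine that can reach the listed computers over WinRM; to try it locally, put your own computer name in the policy table. Computers that cannot be reached are reported rather than silently skipped, so the output is a complete record of what was and was not inventoried.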

 

Summary

The first step to solving a problem is accepting that you have one. Windows 10 has achieved milestones previously unheard of: more than 200,000,000 users and a relatively painless upgrade, in the shadow of numerous horrible past experiences, bode very well for Microsoft. The challenge is that this new Operating System as a Service may pose information management risks for business. In this segment we covered the immediate steps: be aware of the information each computer has access to, and make sure you understand the Windows edition installed on each computer and what it affords you for managing information, access and applications. In the next segment, we will continue with tactical steps and move on to strategic management of Windows within a business environment.