If there’s one thing that’s certain in the world of IT, it is that change and innovation are inevitable and commonly occur at a rapid pace. Although innovation has many great benefits and makes working in IT fun and exciting, it also typically has information security professionals pulling their hair out as they try to keep pace. To defend each new product, security professionals must first learn the product themselves and then determine how best to protect it from today’s advanced threats. This then typically drives policy and procedure updates, new software purchases, end user and security staff training, and the development of new configuration standards. And as those who work in the field know, this takes a tremendous amount of time and energy.
Most of us will get our first glimpse of the next version of Windows, code-named Threshold, on September 30. Windows executives will talk about where Microsoft is investing and show off some of the features of the new operating system. The company also has early code it will make available, according to sources, but the test code is intended mainly for developers and businesses to begin their preparations. Two expected features of the new operating system will be the ability to write universal applications that work on Windows, Xbox, and Windows Phone and a more traditional Windows interface to address critiques of the Windows 8 interface.
Why is this such a big deal? For one, globally Windows represents 90% of all operating systems. It continues to be the operating system that powers most of our businesses. In addition, unlike other products and software, the operating system is used practically every minute of the day by all the employees within your company. Any misconfiguration or issue with the operating system can bring a company to its knees. And for those of you who went through the pain of upgrading from Windows XP to 7, it’s neither an easy nor a cheap process. Most important for our discussion, the Windows operating system has historically borne, and continues to bear, the brunt of most cyber attacks. With the ability to write universal applications, a vulnerability on one Windows platform (Xbox) may impact the entire Microsoft ecosystem, including phones and desktops.
Where does Qualys fit into the picture? At Qualys, one of our core philosophies is to make your job as a security professional easier. To do that, we are actively engaged in reviewing new technologies, like the new Windows operating system, and developing security solutions for them before they get released on the market and are deployed within your companies’ networks. We evaluate the products to determine if vulnerabilities exist and also to update the Qualys platform. For example, we need to ensure that when running a map or scan of your network, Qualys properly identifies and reports on the presence of the new operating system, including versioning information. In addition, we work with the large standards-setting bodies to ensure that the Qualys policy and compliance module continues to provide you and your auditors with accurate results. As an example, we will update the Qualys solution with a HIPAA configuration policy that applies to the new version of Windows so that you can continue auditing your systems without delay. Finally, we work collaboratively with organizations like the Center for Internet Security and others to develop best practices for securing new products like Threshold. These security best practices are then used to update the commercial Qualys platform (e.g., a new secure configuration policy for Threshold) and incorporated into our free tools like BrowserCheck. At Qualys, we provide many free and easy-to-use tools, as we believe in helping all users make the Internet a safe place to work and play.
I will continue to share updates on the new Windows operating system as they become available, including the updates made to the Qualys solutions.