Nov 04 2014

Making Security Job One for Surface Pro 3 Users

Several easy-to-manage features keep this multipurpose tablet running safe and sound.

Although the Surface Pro 3 is designed to be easy to use, that doesn't mean that security has been compromised. In fact, users will find that the new tablet has quite a few features designed to keep it — and its data — secure. Some of these features are disabled by default, but activating them takes only a few seconds.

The Surface Pro 3 boots from a Unified Extensible Firmware Interface (UEFI), which replaced the aging BIOS and works in conjunction with a Trusted Platform Module chip. The TPM creates a hash value for every component in the system and allows the device to boot up only if all of the components match, ensuring that nothing has been modified since the last power-up.

The Surface Pro 3 also is designed to work with Microsoft BitLocker, which coordinates its activities with the TPM chip. BitLocker uses the TPM to lock down unique encryption keys. The entire hard drive and all its contents remain encrypted until the TPM verifies that the tablet hasn't been tampered with. This prevents someone from stealing data by removing the hard drive, which would remain encrypted and locked.
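The measure-then-unlock idea in the two paragraphs above, as a simplified model added here for illustration (not Microsoft's, BitLocker's or any TPM vendor's code): each boot component is hashed into a running register, and the stored key is released only when that register matches the value recorded at sealing time. The component names, the key and the `ToyTpm` class are constructed for the example.

```python
import hashlib
import hmac

PCR_SIZE = 32  # one SHA-256 register


def extend(pcr: bytes, component: bytes) -> bytes:
    """TPM-style extend: new = H(old || H(component)). One-way and order-sensitive."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()


def measure_boot(components) -> bytes:
    """Fold every boot component into one register, starting from all zeros."""
    pcr = bytes(PCR_SIZE)
    for blob in components:
        pcr = extend(pcr, blob)
    return pcr


class ToyTpm:
    """Hypothetical stand-in: holds a secret, releases it only on a matching register."""

    def seal(self, secret: bytes, pcr: bytes) -> None:
        self._secret, self._policy = secret, pcr

    def unseal(self, pcr: bytes):
        if hmac.compare_digest(pcr, self._policy):
            return self._secret
        return None


# Constructed sample boot chain and key (not real firmware images).
GOOD_CHAIN = [b"uefi-firmware-v1", b"boot-manager-v1", b"os-loader-v1"]
VOLUME_KEY = b"constructed-volume-key"


def demo():
    tpm = ToyTpm()
    tpm.seal(VOLUME_KEY, measure_boot(GOOD_CHAIN))
    tampered = [GOOD_CHAIN[0], b"boot-manager-MODIFIED", GOOD_CHAIN[2]]
    reordered = [GOOD_CHAIN[1], GOOD_CHAIN[0], GOOD_CHAIN[2]]
    return {
        "clean": tpm.unseal(measure_boot(GOOD_CHAIN)),
        "tampered": tpm.unseal(measure_boot(tampered)),
        "reordered": tpm.unseal(measure_boot(reordered)),
    }


if __name__ == "__main__":
    for name, key in demo().items():
        print(f"{name:10s} -> {'key released' if key else 'key withheld'}")
```

Because every extend hashes over the previous register value, a change to any single component, or to the order in which components load, produces a different final value and the key stays sealed.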

An additional, optional security feature displays an onscreen keyboard as part of the Surface Pro 3's boot-up process. This can be used in conjunction with a PIN-based security program that will keep the device in a locked state until the proper number or password is typed, adding a second layer of authentication beyond the standard user name and password setup.

A couple of easy-to-activate options in the UEFI settings can enhance security even further. Disabling the ability to boot from the USB port is one of the most important ones. Although a full USB 3.0 port is a great feature, it adds vulnerability; a hacker could potentially bypass some security by booting from a portable drive. Disabling USB boot still allows full use of the USB port for everything except booting; if preferred, both the USB port and the microSD reader can be disabled completely.

Finally, the Surface Pro 3 comes with native Absolute Computrace support; if the Computrace app is removed, it will reinstall itself. IT staff still must activate and purchase accounts for the software, which tracks lost or (more likely) stolen devices using location-based services. But the Surface Pro 3 is ready to go if needed.

