Slide 1

Slide 2

Slide 3

Script Kiddies; CybercrimeCyber-espionage; Cyber-warfare CybercriminalsState sponsored actions; Unlimited resources Attacks on fortune 500All sectors and even suppliers getting targeted Software solutionsHardware rooted trust the only way Secure the perimeterAssume breach. Protect at all levels Hoping I dont get hacked You will be hacked. Did I successfully mitigate? FamiliarModern Company owned and tightly managed devicesBring your own device, varied management

Slide 4

Attestation UEFI Secure BootTPM 2.0 Only signed binaries Single source updates OS Services Trusted Boot App Platform Network security Microsoft Passport Two Factor authentication Windows Hello Mobile Device Management Enterprise Data Protection Device encryption IRM & S/MIME Browser security Store Apps Business Store Portal Cloud Services 01011 01101

Slide 5

http://www.uefi.org/specs/

Slide 6

Firmware boot loaders OEM UEFI applications Windows boot manager Power On Windows OS boot Windows update OS boot Boot to flashing mode SoC Vendor OEM MSFT

Slide 7

Slide 8

Slide 9

Attestation UEFI Secure BootTPM 2.0 Only signed binaries Single source updates OS Services Trusted Boot App Platform Network security Microsoft Passport Two Factor authentication Windows Hello Mobile Device Management Enterprise Data Protection Device encryption IRM & S/MIME Browser security Store Apps Business Store Portal Cloud Services 01011 01101

Slide 10

Least Privilege Chamber (LPC) Trusted Computing Base (TCB) Dynamic Permissions (LPC) Fixed Permissions Chamber Central repository of rules 3-tuple {Principal, Right, Resource} Chamber boundary is security boundary Chambers defined using policy rules Expressed in application manifest Disclosed in Windows Store Defines apps security boundary on device