To meet the challenges of a modern threat landscape and its associated risk, the HoloLens 2 security architecture has been designed to provide advanced, innovative security and privacy protection. With HoloLens 2, businesses and customers have a cutting-edge operating system with a strong, built-in security framework. Organizations can utilize the HoloLens 2 without the worry that they are introducing a weak point into their infrastructure. Going forward, this blog will discuss the security architecture of the HoloLens 2 as well as the security practices Microsoft employed when creating the HoloLens 2.
HoloLens 2 Security Architecture
The HoloLens 2 security architecture was designed to be free from legacy security issues, while minimizing its’ attack surface. This new, innovative architecture offers secure storage locations and advanced security elements, with systems capable of shielding the device from potential threats and vulnerabilities.
Secure Sign-in Options
In today’s online world, a majority of security breaches are caused by user error. These breaches can be caused by anything from leaving your passcode written down on a piece of paper to phishing scams. Secure sign-in removes the potential for user error by requiring multiple factors of authentications including, biometric, Secure Key, and Single Sing-on.
Secure sign-in options include secure USB sign-on, Iris recognition sign-on, remote sign-in from an alternative device, and single sign-on with a web account manager.
State separation and isolation
This new architecture protects critical portions of the HoloLens 2 operating system from change – such as those required for the core operating system to boot into a trusted state. Isolation technology is used to confine untrusted apps in a sandbox area, ensuring that they cannot impact the system security. The entire operating system is segmented into secure sections, with each section shielded by a combination of different security technologies.
Security Benefits: This feature significantly improves platform integrity, malware resistance and user data protection. By separating the unalterable part of the operating system and making it read-only or integrity protected, state separation makes it extremely difficult for malware to persist across a cold reboot.
Remote wipe capabilities
In the case of a compromised device, whether it was lost, stolen, or broken, users have the capability to initiate a hard drive wipe remotely. This is done by remotely restoring the device to factory settings, deleting or overwriting files, or removing all programming on the device.
Additionally, a remote wipe can “brick” a device, meaning that you can purposefully break or disable the device, preventing any kind of unauthorized use.
Remote Wipe can be set up in a way that, upon startup, the device initiates a remote wipe to prevent the use of a stolen device.
Microsoft Security Practices implemented on HoloLens 2
Persistence Access Threat Protection
The goal of most cyberattacks is to maintain persistent access to a device. For cybercrime, maintaining this persistence enables a compromised Windows device to join a botnet, sell access to the device to other nefarious users, or to enable repeated data theft. In the world of targeted attacks, persistence is essential to a successful cyberattack – whether on a device or (more commonly), an entire network.
In fact, targeted attacks are considered “advanced persistent threats”, due to their strategic need to maintain access to a target device or network. For this reason, Windows Holographic for Business considers defending against persistence crucial and uses anti-persistence technology to make an ironclad customer security promise.
Windows Anti-Persistence Assurance
HoloLens 2 anti-persistence guarantees its users that even in the rare situation that a runtime compromise of the system were to occur – such as a remote exploit – it would be mitigated with all malicious code removed from the system by powering off the device. To further strengthen its anti-persistence security, HoloLens 2 has added powerful integrity protection, and put read-only protections in place.
The Trusted Platform Module (TPM) is a specialized chip on an endpoint device. HoloLens 2 uses a TPM 2.0, which provides hardware-enforced key isolation.
Hardware-backed Integrity and Runtime Attestation
Hardware-backed integrity and runtime attestation protects against threats that originate before the start of an operating system, during runtime, when the device uses hardware, and remote attestation services to ensure integrity is maintained at startup and throughout runtime duration.
UEFI Secure Boot
HoloLens 2 enforces Unified Extensible Firmware Interface (UEFI) Secure Boot always, and UEFI only boots Windows Holographic for Business. Secure Boot ensures that the entire boot chain is verified for integrity and that Windows always boots with the correct security policies applied to it.
Encryption and Data Protection
Bit Locker Device Encryption
BitLocker is a full-volume encryption feature for integrity protection of Read Only (RO) media and privacy protection of writable media. Since its launch, it has been an effective shield against unauthorized access to data during offline attacks.
HoloLens 2 enables Bitlocker Device Encryption (BDE) by default to protect data from any unauthorized physical access to the device. This functionality is always evolving and is consistently updated.
HoloLens 2 enables customers to integrate their devices with Azure services. Communications between HoloLens 2 devices and Azure use TLS (Transport Layer Security) protocol to protect data traveling between itself and cloud services which delivers strong authentication, message privacy, and integrity. All Azure services fully support TLS 1.2 and any services where customers are using only TLS 1.2 only accept TLS 1.2 traffic. Azure’s encryption standards for data in transit are detailed in Azure encryption overview. Visit the Azure documentation to learn more about best practices for Azure data security and encryption.
SphereGen is a unique solutions provider that specializes in cloud-based applications, Intelligent Automation, and Extended Reality (AR/VR/MR). We offer full-stack custom application development to help customers employ innovative technology to solve business problems.
Learn more about what we do in XR: https://www.spheregen.com/extended-reality