Windows as a Service: A security disaster waiting to happen?

null

In recent times, cyber security disasters have been no stranger to big corporate businesses and public organisations, 2017 was rife with them. WannaCry brought many organisations across Europe to a standstill, including the UK’s National Health Service, causing huge uproar and external scrutiny. Shortly thereafter, the Equifax data breach occurred, a security breach that exposed the personal data of 143 million people, was the result of no more than a vulnerability in a web-application. At the heart of these attacks were exploits simply caused by outdated software.

Thinking about the devastating simplicity of these cyberattacks, there are five key things that we can take away:

1. The attacks caused major  financial damage to the businesses affected and their customers.

2. The aftermath of the disasters ruined reputations and brought negative worldwide attention down on those involved.

3. These attacks, while destructive, were not in any way sophisticated, the attackers targeted weaknesses that already existed.

4. Security attacks can happen to anyone.

5. They could have been avoided by keeping on top of network updates and patches.

Given that the biggest cyber-attacks are all happening because of failures to patch software and applications in a timely manner, the upcoming switch to ‘Windows as a Service; represents a serious cause for concern.

In January 2020, Microsoft will discontinue updates and support for Windows 7, leaving many businesses with only the option to upgrade to Windows 10 or fall behind on their updates. As we’ve seen recently however, when left to their own devices, few businesses manage to keep on top of their updates and to migrate to a new operating system (OS) in a timely fashion. The process of migrating a global organisation to a new OS can be slow and difficult for both IT departments and employees, yet the failure to keep up with the latest updates leaves businesses vulnerable to a whole host of potential cyberattacks. Which is why the question is being asked, is Windows as a Service is a security disaster waiting to happen?

It’s a valid question given that thousands of businesses are still yet to make the move over to Windows 10 – despite the migration process for Windows 10 being much more straight forward than that of the move from Windows XP to Window 7, which IT staff previously had to endure. Given that the process of adopting Windows 10 appears to offer few opportunities for app corruption and compatibility issues, why are IT departments taking so long to make the move?

One of the reasons for this reluctance is the change in update infrastructures, with Windows 10 now adopting an ‘As a Service’ model. The issue with this model is that it involves significantly more management on the part of IT departments, causing a major headache for CIOs who are worried that they won’t have the time to check and approve new Windows updates before they are rolled out.

There is also a worry from the largest enterprises that IT managers may not be able to roll out such regular updates to a global network of workers. The issue of what’s policy and what’s reality also comes into effect here. While there are a lot of large organisations that know they frequently should be patching and have Service Level Agreements (SLA) in play that state they need to make these updates in a timely manner – the harsh reality is many don’t have the time or resources to meet these policy requirements. 

There are those companies who are willing to rip out and replace their existing network infrastructure to accommodate the deadline created by Microsoft, however most businesses simply cannot afford to overhaul their hardware in this way. For those that do, the sheer time-consuming nature of the migration may still hold organisations back from making the switch.

While these concerns can all be justified by attempting to avoid the switch, IT managers are doing their businesses more harm than good. With the deadline for Windows 7 looming, those businesses that have been reluctant to make the switch will soon be left without vital security updates.

So, in answer to the questions asked above, is Windows as a Service a security disaster waiting to happen? For the unprepared, absolutely. But it’s easy from the outside to say IT teams need to be proactive rather than reactive. However in order to change their remit from simply managing application deployments and security threats, to guiding their department for full preparation of the as a service environment – there needs to be support and a solution. But are there any realistic solutions that don’t involve IT departments either risking their systems or rebuilding their infrastructure from the ground up?

One solution can be found in ECDNs (enterprise content delivery networks). Essentially these software only networks allow businesses to share large files at high speeds, even if they are still relying on legacy network infrastructures. By distributing an update to multiple machines and then allowing those machines to share the updates amongst themselves, SD ECDNs decrease the bandwidth load on an organisation’s network. The greater the number of peers across a complex distributed enterprise, the more efficient content delivery becomes compared to legacy hardware-based WAN optimisation solutions. This removes worries from CIOs regarding workload and capability and offering an all-round a win-win situation for large organisations aiming to avoid the mistakes that their counterparts made in previous years.

From previously using an ECDN to distribute and stream high quality video content on mass over legacy networks, Kollective has now evolved its existing network to distribute Windows 10 updates, allowing companies to keep thousands of computers up to date without putting strain on their own networks. In short, keeping companies up to date and less susceptible to a security disaster.

The death of Windows 7 and the move to Windows as a Service is now an inevitable shift for most large enterprises. While it’s clear that the frequent updates required by Windows will open organisations up to potential security threats, a carefully managed software distribution operation will help overcome such concerns before they even occur. This will free up IT teams to focus on innovation, new technologies and improving the wider employee experience.

Stephen Dunkley, SCCM Engineer, Kollective
Image Credit: Flickr / Dongyi Liu