Original URL: https://www.theregister.com/2007/02/01/vista_waiting_game/

Why Vista will take a back seat for a few years

The new waiting game

By Kelly Martin, SecurityFocus

Posted in Channel, 1st February 2007 10:25 GMT

Comment: Vista is a step forward in security, but many businesses will be stuck with Windows XP for years to come, due to the cost of upgrading, the value of existing assets, and compatibility issues that trump security features.

As I write this, Microsoft is launching the consumer version of Vista in New York, apparently with dancers in tights scaling the side of an office building to form a human billboard. It sounds like the highlight of the launch, which reads in many news reports as a real yawner. It's too bad in a way, because Vista's security architecture makes it a much better product. But there aren't too many consumers lined up to buy Vista.

It's unfortunate that some of the useful features, like full disk encryption (BitLocker), licence transferability between machines, and permission to run inside a virtual machine, aren't available in the consumer (OEM) editions of Vista, Home Basic and Home Premium, but that's a discussion for another time.

I think Vista is a great advancement in safety and security for consumers, but most of those folks don't know what the real differences are. Consumers will just end up with Vista (or perhaps OS X, or even the long shot, Linux) the next time they buy a computer. They'll still need anti-virus, anti-spyware, and all the rest. Consumers who do understand what Vista offers aren't exactly lining up either, because they also know about the heavy hardware requirements, the lack of drivers, no gaming need for DirectX 10 (yet), which is exclusive to Vista, and some of the questionable product activation decisions made by Microsoft.

For businesses it's another story. They do know and care about Vista's security improvements, and it really is a big step forward from Windows XP security. And if one believes Microsoft's marketing rhetoric, most businesses will be deploying Vista in the next three to six months, right? Not so fast...

Why is it that Windows XP will remain the corporate standard for years to come?

The cost of upgrading from XP (or, why everyone loves Vista)

Computers are assets in a business environment where the cost to maintain them far exceeds the purchase price of the hardware and software. Businesses want to keep costs and expenditures down, but more importantly they want to get the best value from their assets. Computers are only important to a company because of the applications that they run - and compatibility is key here. Unless an enterprise application that's critical to the business's operation requires Windows Vista, what is the business reason to upgrade?

I'm scratching my head on that one. Most businesses will stick with Windows XP for the next few years. Security by itself is not a business reason to upgrade; security and Windows don't exist in a vacuum. And yet, just about every vendor on the planet will now be telling you and your business about the need to upgrade to Windows Vista. Let's take a look at just a few of the reasons why.

Consultants love Vista because it means big consulting dollars to evaluate, plan, test, migrate and implement new desktops and server platforms in business environments. Vista is different enough, in fact, they may even need to raise their rates.

Resellers love Vista because the hardware requirements are very steep, meaning heavy new hardware purchases and new software licences all around. Hardware manufacturers love Vista and are happy to advertise this fact because it just doesn't run well on old hardware (old = one year old). It doesn't run well at all on any laptop today that isn't high-end, say, anything less than a 2.0 GHz Core 2 Duo with a bare minimum of a gigabyte of RAM. Ouch. Video card manufacturers really love Vista because, for the first time ever, the majority of the population who don't play games (business users) will still need a graphics card with a WDDM driver and 128MB of video memory just to get Aero, the OS's full visual feature set, enabled in their word processor and web browser.

IT and security admins love Vista because they will need new training and new certifications to put on their resume. Security vendors love Vista because all customers will still need anti-virus, anti-spam, anti-spyware, anti-phishing, anti-adware, anti-fungal, anti-everything software. Help Desk folks love Vista because it provides long-term job security. And end users love Vista because it means they get some new training and a fancy new computer, albeit one that's faster yet somehow runs slower than the one they had before.

Content producers love Vista. Computer scientist Peter Gutmann has a fascinating DRM discussion, "A Cost Analysis of Windows Vista Content Protection", about how Vista purposely degrades "premium content" and affects what you can do with that content. It also affects system performance, stability, support, and hardware and software costs.

Apple shareholders love Vista because it will drive more folks to the Mac OS X environment than ever before.

Spyware and adware companies love Vista because the Internet Explorer 7 browser still supports ActiveX, an ill-conceived binary plug-in technology (native code running with the browser's privileges) dating back to the Netscape-era browser wars. But I'm getting ahead of myself; oops, IE7 and its ActiveX controls run just fine on Windows XP as well, although on Vista IE7 runs in Protected Mode, a low-integrity sandbox that XP doesn't have, so an ActiveX exploit gets less for its trouble there. Criminals are putting their botnet software and keyloggers in many of those "Vista Activation Crack" torrents on the Internet. Even virus writers love Vista, because it gives them fun new challenges to adapt and overcome Vista's security model in potentially trivial ways, like social engineering the user into clicking through a UAC prompt.

A great many companies and individuals, legitimate or otherwise, are set to make quite a bit of money off the early adopters of Vista. And it's all just to replace existing office technologies such as Windows XP that often perform adequately and do the job today. Of course, today's corporate installs may or may not be secure...

For businesses, Vista is about waiting and planning and testing and...

It's been a long time coming. Several years overdue and 50 million lines of code later, Vista is here. Now businesses will wait for...Vista Service Pack 1?

Back in December we interviewed various anti-virus companies and some of the most prominent security people in the industry, and we asked for their collective thoughts on Vista security. The article premise was for consumers, and the conclusions were clear: Vista goes a step beyond the security of Windows XP. It's better security for the average consumer.

Despite all the forthcoming advertising and sales pitches about early Vista installations, most businesses would be foolish to upgrade to Vista in the coming year. Businesses want stable, reliable environments. They want to see service packs that address problems even before they encounter them. They want secure environments as well, but to senior executives and other decision makers, this is still a function of Security Risk Management that can be mitigated in various different ways. For example, many of the good security features in Vista, from full disk encryption to the personal firewall (built into XP since SP2) to rights management and the more basic least privilege components (running users as non-administrators), have been available through standard IT processes or from third party vendors for a long time. What third parties can't retrofit are the changes inside the platform itself: address space layout randomisation, integrity levels and the Protected Mode sandbox around IE7, and service hardening. Those come only with the new OS.

Businesses already have the option to buy third party tools to lock down Windows XP rather tightly. Whether or not they make use of them is another matter altogether - again, it's a question of value and cost. It might be more cost effective to finally apply some new security endpoint technologies onto an existing platform like Windows XP and wait until the migration to a new platform like Vista is less expensive and unavoidable.

Many IT folks in large companies tend to be very conservative when it comes to software upgrades. I've seen this happen too many times to count. Often, it's a single enterprise application that forces the upgrade to a new platform like Vista. The perspective tends to be, let's hold off until our applications and users absolutely require Vista. Until then, let's wait and see.

Installing Vista on a company executive's laptop today might even be a career limiting move. I'm imagining a play on the old slogan, "no one ever got fired for buying an IBM". A poor rollout of any new platform, without proper planning and just to impress an executive, can be disastrous. First there are the steep hardware requirements, which call for only the fastest new hardware - whereas putting today's Windows XP corporate image on that same fast hardware will actually run faster, and might be better bang for the buck.

Then there are driver issues, even on common Tier-1 machines. But most importantly, there are all types of corporate application compatibility issues that need to be examined with Vista - including all those poorly coded web applications out there that were, like it or not, created to work only with Internet Explorer 6. These will all get resolved in time, sure. But the list goes on.

Vista is inevitable for most businesses. But many will delay the rollout for as long as possible, trying to get as much value out of their existing investment as they can. Extended support for Windows XP is available for everyone until at least 2014. It's not about having the newest technology, it's about getting value out of a business asset while managing security risks along the way.

Meanwhile, it's time to start evaluating and testing Vista with your applications. It's also time to investigate alternatives that may or may not offer better value, from desktops that use virtual machines, thin clients, and alternative operating systems, to open-source Office software that may work for at least a portion of your workforce.

Business goals always trump technology. That's the main reason Vista security will take the back seat for a few years, despite the step forward in technology. This article originally appeared in SecurityFocus.

Copyright © 2007, SecurityFocus