"After testing our software for compatibility, we migrated from old computers to new ones, and from Windows XP to Windows 7, at the rate of about 30 PCs per day," says Gwendal Rosiaux, EHESP's IT and Telecommunications Department Manager. "I am absolutely sure that this was quicker and cheaper than trying to migrate without automation."
Custom Support for Windows XP Worth Price of Compliance
Microsoft will in fact produce security patches for Windows XP after April 8, but these will only be available to companies willing to pay for custom support. There's no official price list for this service, but it's generally accepted that the cost is about $200 per machine for the first year, doubling every subsequent year.
The high cost of custom support has put many organizations off pursuing this option, but Silver recommends that organizations think again. "We've seen the maximum price shifting," he says. "We're hearing of caps in total support costs which are lower than those in the past, so it is definitely worth talking to Microsoft about this."
Companies in regulated industries that don't take this approach could risk compliance problems, as they will be running an operating system that has not been patched for known vulnerabilities. "Ultimately it's up to the auditors, but there would be a lot of uncertainty in saying that a system is secure if it hasn't been patched," he warns.
Chuck Brown, a Fiberlink director, agrees. "On the U.S. Federal side, machines won't be compliant (if they are running XP)," he says. "And I'm surprised on the financial services side with the worldwide regulations that exist that they could think that (machines running XP) wouldn't be out of compliance."
Third-party Windows XP Security Controls Have Potential
There are other ways to try to secure XP machines beyond getting custom support from Microsoft. One option is implementing sufficient security controls to prevent exploits from reaching them. That's the approach used by Arkoon+Netasq, a French company that offers a service called ExtendedXP. This combines a security agent running on each XP endpoint with a service that monitors the overall XP threat environment and suggests any measures that need to be taken to mitigate the threats it identifies.
Another option is to use virtualization to isolate individual applications - an approach taken by California-based security software vendor Bromium. The company's vSentry product creates hardware-isolated micro-virtual machines for each end user task. If an attack occurs within a hardware-isolated micro-VM, it automatically remains isolated from CPU, memory, storage, device access and network access. When the user task is terminated, any malware is automatically destroyed, the company claims.
"Sixty percent of malware uses PDF files as a vector, so these types of isolation products can offer valuable protection," Forrester's Sherman says. "The problem is that only some apps are supported."