Today marks the beginning of a significant year-long event in the worldwide computer industry - a year from today, Microsoft will end support for the Windows XP Operating System. Mainstream support had already ended in 2009 and this new milestone marks the end of security updates on the platform. Are you ready? According to a recent survey, many of you aren't.
By some counts, Windows XP still holds on to approximately 40% of operating system market share. With 2 out of every 5 computers worldwide still running Windows XP and the very real expiration date of security updates upon us, the enterprise/corporate component of that 40% is staring down the barrel of a very real challenge. Why is XP so hard to kill? What's Holding Back Corporate Upgrades?
In conversations with BeyondTrust customers and partners, I've heard a few interesting reasons why an organization still might be working through their upgrade strategy. They include;
The advent of tablets
One organization I spoke with is giving end users a choice: a) a desktop and a company-provided and supported tablet, or b) a laptop. Regardless of what an end user chooses, the company is trying to foster a mobile workforce. This has stalled, but not killed, upgrade cycles at many organizations who are offering this approach.
Less Intensive Computing Requirements
As a former Intel employee, I shudder to think that 3 year old laptops still have the processing power to perform as needed in today's corporate setting, but they do. With the widespread use of web apps, like salesforce.com, Workday, even Microsoft Office.com, the need for heavy computing power has moved to the cloud (er, internet). Combined with the continued free-fall of memory pricing, hardware refreshes (which is often attached to the OS upgrade cycle) are being delayed (but again, not killed altogether) in favor of a memory upgrade.
Security or Productivity? Why Not Both?
By far, the most frequent subject in my conversations around the complacency of PC upgrade cycles is security, and the resulting effect on end user productivity. With the continued proliferation of internal and external attacks targeting corporate desktops and their Administrator privileges, the concept of Least Privilege on the corporate desktop is something many organizations have embraced, yet there continues to be widespread use of Administrator privileges on the desktop, especially on Windows XP. This is a major reason why some organizations haven't upgraded - they're unsure of how best to operate in a world of least privilege, and how it will affect their end users.
Least privilege has benefits beyond the reduction of attack surface - properly implemented, it can also contribute to a reduction in help desk and support costs. Trading Admin accounts for User accounts isn't always the answer for far flung, mobile organizations. Every call to the help desk to install a printer (comically, this is the one example I hear most often) costs money. The ability to dole out privileges in a fine grained manner - for users, tasks and applications - has as much budget benefit as it does security benefit. Beyond the simple printer example, proper least privilege deployments can aid in more complex activities, such as elevating processes or services, as opposed to end-users, for business-critical applications. This contributes to better overall security, and ensures end users can remain productive.
Simply put - this removes a significant barrier to migrating off of Windows XP.
As we countdown to the Windows XP retirement party, we have to acknowledge Microsoft's most successful operating system to date, but we also have to acknowledge the call to action facing many corporate IT departments today - it's time to upgrade. The clock is ticking.
Scott Lang, Sr. Director, Product Marketing at BeyondTrust
Scott Lang has nearly 20 years of experience in technology product marketing, currently guiding the product marketing strategy for BeyondTrust’s privileged account management solutions and vulnerability management solutions. Prior to joining BeyondTrust, Scott was director of security solution marketing at Dell, formerly Quest Software, where he was responsible for global security campaigns, product marketing for identity and access management and Windows server management.