informa
/
Risk
Commentary

Ignoring Vista Entirely Is Shortsighted

Maine's skipping Vista, and I'm skipping like a broken record. The government of the state of Maine has joined the burgeoning group of organizations planning to sidestep Windows Vista and go straight from Windows XP to Windows 7. I continue to say that completely ignoring Vista is a shortsighted decision that may cause both usability and security troubles not too far down the l
Maine's skipping Vista, and I'm skipping like a broken record. The government of the state of Maine has joined the burgeoning group of organizations planning to sidestep Windows Vista and go straight from Windows XP to Windows 7. I continue to say that completely ignoring Vista is a shortsighted decision that may cause both usability and security troubles not too far down the line.We at CSI (Computer Security Institute) have given a great deal of thought to the questionable fate of Windows Vista. We devoted the entire July issue of our CSI members-only publication to the topic: "Even Security Pros are Rejecting Vista: What happens next? And what's our wishlist for the next Windows OS?"

Vista is arguably the most secure operating system currently available. (Some might say that title should go to OpenBSD, which might be true, but I don't believe OpenBSD is a feasible option when choosing an enterprise-wide client operating system.) Vista was developed using the Secure Development Lifecycle and researchers are finding fewer vulnerabilities in Vista than in Mac OS X, Red Hat Linux, Ubuntu Linux, or the nearly seven-year-old XP (which one would think would have nothing left to hide by now). Some research shows that Vista machines were infected by fewer pieces of malware than XP. Plus, Vista embraces many next-gen security technologies and techniques, including trusted computing, Identity 2.0, and the "least privilege" principle for users and applications.

Nonetheless, when we polled CSI members -- almost all of whom are security professionals -- not a single respondent planned to migrate their XP-running machines to Vista, not in six, or even 12 months. (So much for security as a selling point, huh?) Eighty-one percent of respondents planned to stay on XP "for as long as is humanly possible," and the remainder planned to wait until the next Windows operating system is released. The next Windows OS is currently code-named "Windows 7" and is tentatively scheduled for a January 2010 release (by which time XP will be more than nine years old). Although more than half thought that a non-Windows OS had a chance at becoming the next enterprise-standard operating system, none said they were planning such a move at their own organization.

One reason cited by respondents to explain their decision not to migrate from being a "XP house" to a "Vista house" was that Vista requires more processing power and is thus too slow and groggy. When we asked what they'd like to see in Windows 7, respondents' top two requests were that it be "slimmer/less bloated" and "faster," respectively. [This is the direction that Mac is going with "Snow Leopard," the next version of OS X.]

Another reason for avoiding the migration was that there simply aren't enough third-party apps and drivers that have received their "certified for Windows Vista" merit badges. Microsoft gets lots of abuse for that one, but quite frankly, the big delay happened because third-party developers had to stop doing things that they never should have been doing in the first place -- like accessing the kernel for functions that really shouldn't need kernel access at all.

The most common reason respondents gave, however, was that the XP-to-Vista learning curve and associated training expenditures were simply too steep (particularly when it came to getting acquainted with the new Aero GUI). Their sentiment was reiterated quite succinctly by a post made by someone who signed (to no avail) InfoWorld's "Save Windows XP" petition back in June. The signee said "Vista is too different to be useful."

But here's the rub, my friends: All we've heard from Microsoft about Windows 7 suggests that the user experience will bear a close resemblance to that of Vista. It will most definitely look a whole lot more like Vista than it will look like XP. Third-party developers will still have to rearchitect their applications and drivers to work with Windows 7 (unless they've already made those changes in order to work nicely with Vista, in which case they'll be a-OK for 7). The bigger changes will be happening in the OS's innards to make it easier to make updates and changes to its components. As Microsoft told me, "While these changes will increase engineering agility, they will not impact the user experience or reduce application compatibility."

So if you think that the XP-to-7 learning curve will be a gentler slope than to hike to Vista, you'll be mistaken. Since Windows 7 will doubtless bear a closer resemblance to Vista than it will to XP, it's conceivable to expect that those with at least a passing familiarity with Vista will have an easier time scaling the Windows 7 learning curve than those without a scrap of Vista experience.

Windows 7 will not be released until winter of 2010, and if you don't want to be an early adopter, your XP will be more than a decade old before you make the move. Plus, your XP goes into "extended support" phase in April 2009, which means that you've then got to pay for any XP tech support -- security patches, thankfully, will still be offered through 2014. Meanwhile, attackers keep finding easy ways to compromise your XP machines, using techniques that just won't work on Vista.

So what I'm saying is, if you don't completely go Vista, then some kind of Vista pilot program or user training on the Aero GUI will be worth your time in the long run.

If you'd like to duke it out with me, the XP devotees, the Linux fan boys, and the Vista lovers, you'll have a golden opportunity to do so at our Fate of the Secure OS Summit next month as part of our CSI 2008: Security Reconsidered conference in D.C. In the meantime, I've reopened the survey we asked CSI members to fill out a few months ago. It's now open to the general public, so go ahead and take the survey here.

Recommended Reading:
Editors' Choice
Kirsten Powell, Senior Manager for Security & Risk Management at Adobe
Joshua Goldfarb, Director of Product Management at F5