More Vista Security Details Emerge, But Will Enterprises Bite?

The next-generation Microsoft operating system packs needed security features, but the adoption forecast for Windows-weary enterprises is cloudy.

When will we see mass Windows Vista adoption, and will it solve lingering Windows security problems?

The news that Microsoft will again delay shipping its next-generation Windows Vista operating system (OS) means the OS, with its bevy of security, networking, user-interface, and other promised enhancements, still won’t hit the market for several months. Of course, a release date (late 2006 for businesses, early 2007 for consumers) is one thing; implementing a new OS is another.

When might enterprises finish actually migrating to Vista? The simple answer, according to current reports, is that by the first half of 2008, most enterprises still won’t have standardized on Vista, and will forestall migration until Vista’s benefits are clearly articulated and validated.

In fact, according to a global survey of 4,080 business and IT professionals’ year-one intentions for Vista conducted by FreeForm Dynamics and interpreted in conjunction with analyst firm Macehiter Ward-Dutton (MWD), only 12 percent of companies anticipate adopting Vista within a year of its widespread debut. Those results are consistent across all geographic regions, except for a greater professed interest by Scandinavian companies in “probably” adopting Vista in its first year.

“The IT professional community regards the prospect of upgrading to Windows Vista as being more of a chore than an opportunity,” note FreeForm Dynamics and MWD in their survey report. “The assumption by most is that adoption is inevitable, but there is no need to rush. In fact, the logic commonly heard is that the longer you wait, the lower the risk and pain will be.”

Whatever IT managers might say, senior managers often dictate OS migration timetables. Yet according to the survey, migration attitudes are consistent regardless of respondents’ seniority. One explanation, perhaps, is everyone already has a Vista upgrade timetable in place, even if it isn’t imminent. A more likely explanation, however, is “the need for Vista is currently not well recognized at either the business or technology level,” the report's authors opine.

Still, that may just reflect Vista’s lack of exposure, since “Vista-related media coverage and discussion to date has largely taken place within IT industry circles,” notes the report. Can a PR blitz to coax business users toward Vista be far away?

Resisting Vista

While the survey didn’t specifically ask respondents about their perceived barriers to Vista adoption, analysis of 2,600 responses highlights the roadblocks respondents perceive: questionable cost or benefit (for half of respondents), software and hardware compatibility questions (45 percent), and security and stability worries (35 percent).

Many respondents note they’re still using Windows 2000, or just finished a Windows XP rollout, and don’t plan to upgrade again anytime soon. Others worry about the lag between Vista rollout and needed applications—built in-house or otherwise—becoming compatible.

To avoid any innate Vista security problems, many respondents say they’ll delay Vista adoption pending at least the first major fix, the Service Pack 1 update. As one survey respondent wrote, “As with any newly released operating system, and especially with Microsoft, I’d prefer to have the bleeding-edge punters be the meat-shield for the security holes and malware that is sure to follow the Vista launch.”

Such caution is widespread and no doubt based on companies’ actual Windows 2000 and Windows XP upgrade experiences, notes the report. “Early movers often suffered an unforgettable degree of pain and frustration.”

Weighing Features versus Upgrade Challenges

What exactly does Vista promise? In Forrester’s recent “Windows Vista Enterprise: What’s In It For You?” research report, analysts Simon Yates and David Friedlander profile the extent of current knowledge about Vista’s features through the fourth build of Vista released to Microsoft’s Community Technology Preview (CTP) program. As they note, “Earlier CTP releases gave users a first look only at the interface features of Windows Vista, such as Avalon, but now the enterprise CTP build comes with all of the bells and whistles that will matter for a complete evaluation.”

On the security front, Vista features include a hardened OS, which should forestall many current types of attacks. “In Windows XP, many users routinely access their systems as administrators—either for convenience or because some applications require elevated privileges to run,” note the analysts. “In Windows Vista, User Account Control allows users to run in standard user mode most of the time without preventing them from doing basic tasks like changing power management settings or connecting to wireless networks. When temporary elevated privileges are needed, explicit consent is requested and authenticated by password.”

Another interesting Vista security feature, they note, is more secure handling of passwords and cryptographic keys. “With the arrival of Trusted Platform Module chips, Windows Vista BitLocker drive encryption can now store encryption keys and passwords on a dedicated TPM chip instead of software files that can be hacked or copied.”

According to MWD, other useful Vista features include improved security management; the ability to create single application and image builds that work across different types of hardware, languages, and user types; and legacy application support via virtualization.

Particularly for larger organizations, however, fully realizing Vista’s security and management benefits will require a wholesale—and completed—Vista migration. Otherwise, organizations must still maintain multiple images for different PC models and versions of Windows. That’s why small and medium-size organizations will likely see quicker Vista adoption, simply because PC vendors will push the OS into organizations with every new PC purchase.

By contrast, expect careful deliberation in the enterprise realm, especially by companies currently standardized on Windows XP. As Forrester’s Yates and Friedlander note, “Firms that are already heavily invested in the current generation of Microsoft infrastructure will find it easiest to migrate but may also realize fewer benefits.”

That’s why, as the FreeForm Dynamics and MWD report notes, “Windows Vista is currently regarded as just another Windows release within IT professional circles,” and not a security, stability, or any other type of silver bullet. Accordingly, Vista adoption likely won’t be any more rapid than Windows 2000 or Windows XP adoption.

Vista: Show Me the Security

The only caveat to that adoption forecast is if Microsoft preemptively and effectively makes the case for Vista being more than just another Windows release. To do that, say FreeForm Dynamics and MWD, Microsoft must do three things: defuse many enterprise concerns by obtaining third-party verification of Vista’s security and stability; engender a fast port of applications by the vendor community; and produce accurate (and trusted) benchmarks of the hardware needed to run Vista.

If such results are produced (and cast Vista in a good light), the report notes companies might adopt the OS more rapidly. “Based on past experiences, however, Microsoft and Vista are likely to be regarded as guilty until proven innocent on such matters.”

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and is its Security Strategies columnist, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.
