Windows-as-a-Service – Good For Security, But IT Challenges Loom
Historically, Microsoft has been quite generous with providing support for their products even if newer versions have been released. For example, Windows XP (released in 2001) received updates until April 2014. However, that was then: recent news from Redmond indicates that this policy is gradually changing.
Consider some of the recent developments related to support and upgrades from Microsoft:
- A very aggressive upgrade campaign for Windows 10 has been carried out. For example, Windows 10 was offered as a free upgrade to licensed Windows 7 and 8/8.1 users.
- Support for older versions of Internet Explorer was terminated, and users were urged to upgrade to the latest (and last) version, Internet Explorer 11.
- Newer-generation processors from Intel, AMD, and Qualcomm will require Windows 10 to receive support from Microsoft; in addition, moving forward, new processor families will require the latest version of Windows as well.
In isolation, each development could be explained away. However, taken together, the direction should be apparent: Microsoft would prefer that users be on a more consistent “platform” with relatively few differences in the software in use. This platform would also be subject to smaller but more frequent feature updates – something that has already been promised to members of Microsoft’s Windows Insider Program.
For long-time Microsoft watchers this isn’t actually news. As far back as the Windows 10 consumer preview, the idea of Windows-as-a-Service was being discussed. It’s not quite the same as other “as a service” concepts used by other cloud vendors, but there are broad similarities: the service provider rolls out an update to all their users, which they can easily do as the service lives on their servers. The users never really have a chance to not use whatever updates have been given to them by their service provider. In this case, while the “service” (Windows) doesn’t live on a server, it is still the subject of constant updates from the service provider (Microsoft).
The business logic of these decisions is clear: by aligning itself more closely with its competitors, Microsoft will be better positioned to compete effectively. However, this is a significant change in how Microsoft has done things. What are the security and operational issues that IT administrators need to be aware of? Is this a good thing for the PC ecosystem?
Security: Closing the Vulnerability Gap
In terms of security, this is a clear win. Making downloading and installing updates essentially automatic shrinks the “vulnerability gap”: the time between when a patch is made available and when users are able to download and install it. (Enterprises can still control how and when patches are installed onto their machines; if anything, the controls available in Windows 10 are more powerful than those in earlier versions.)
Consider how Google Chrome silently checks for, downloads, and installs new versions in the background. This helps ensure that any vulnerabilities in that browser are quickly patched before they become a widespread problem. In the long run, this is Microsoft’s goal: to move people onto Windows-as-a-Service. Happily, such a situation would be more secure than the current variety of browser versions with varying states of (in)security.
There will be some risks in the short term, however. Many enterprises are slow to upgrade their software, and inevitably some organizations will be caught out and fall victim to exploits targeting now-unpatched browsers. However, in the long run, the overall security picture will improve as fewer systems run these vulnerable browsers.
Operational challenges: fast versus slow
The high speed of change that this future path imposes on Windows may come into conflict with the slower, more measured pace that enterprises generally prefer. Most enterprises follow an “if it ain’t broke, don’t fix it” rule when it comes to updating their own internal tools and sites. Many of these tools and sites are built on rickety foundations of obsolete, deprecated, and undocumented code – sometimes built by developers who left the organization long ago.
This is understandable on the part of businesses, who may view such tools as unrelated to the “core” functions that make money. While this may have worked before, in today’s higher-paced environment, changes on both the business side and the technological side mean that businesses will have to get used to change – there’s no good alternative to doing so.
Simply put, in many organizations there is a “slow” culture when it comes to technological change. The move to Windows-as-a-Service will push organizations towards a “fast” culture. It will not be the only reason, but it will be a key reason for many organizations. Such a transition will not be easy or painless. However, it’s taking place with somewhat surprising speed: surveys of IT professionals have indicated that Windows 10 is being adopted faster than initially anticipated.
A better future – but not easily reached
Windows-as-a-Service represents a very different approach from how things have been done up to the present. Ordinary consumers won’t feel much change, if any: they’ll get their updates automatically and not particularly mind. Enterprises more used to controlling their experiences will have a bigger challenge, trying to find the right balance of change and control that works for them.
However, once a relatively quick and automated patch cycle is accepted, it will be a significant improvement for security. Exploits found in the wild frequently target old vulnerabilities that have yet to be patched; more automatic patching will result in a better, more secure future. Getting there, however, will not be an easy task for everyone.
Trend Micro is able to make the transition easier for organizations. Our Deep Security and Vulnerability Protection products are capable of providing protection to various users that cannot be upgraded immediately to Windows 10. This allows IT administrators to upgrade their users at planned-for intervals, giving them additional (and perhaps much-needed) breathing room to carry out the transition in a way that is less disruptive to business.