When no-cost support options for all editions of Windows Server 2003 and 2003 R2 come to an end on July 14, 2015, organizations that have failed to take remedial action will be vulnerable to security breaches when new flaws in their operating systems (OSs) are discovered and fixes are no longer readily available. These challenges will be compounded by the lack of vendor-provided support. Companies still running these products must analyze the impact of this event on their businesses carefully and make decisions about what actions to take.
The many approaches for mitigating these risks range from taking no action to migrating all existing systems that will be affected. Tools that assist with the migration process are available, and they even target cloud-based hosting, which is a key IT initiative in many organizations.
This research report will help IT decision-makers evaluate the risks and costs associated with each approach, and it will single out some items that are often overlooked.
- Risks have associated costs.
- We review several options for mitigation in this report. None of them is intended to stand alone. Each organization will need to choose options that, when combined, will produce the optimal solution.
- For applications that reside in data centers certified to comply with quality standards, such as SSAE 16 or ISO 27001, non-migration options must be excluded from consideration.
- Internally, labor resources are frequently considered zero-cost because they do not have direct budget impact. But the allocation of these resources has associated opportunity costs from delaying other projects, which will produce a ripple effect in the business.
- When an application’s failure has an impact on revenue, it can quickly become a liability.
- Organizations must make a full accounting of all costs associated with the existing state of their systems, the migration costs, and the expected end states.
- Any skillset that becomes rarified incurs a cost increase. As tech environments shift toward the newer versions, proficiency with older versions fades away, so personnel who deal with them are highly specialized, and they demand commensurate compensation.
- Determining the importance of each application and tying it to the bottom line is a relatively easy exercise for those in the revenue path, but estimating a worst-case outage has many variables, and it’s unique to each business and application.
- Organizations evaluating their mitigation options must understand that without a custom support agreement — and these are expensive — no patches will be available for critical security vulnerabilities discovered after public support has ended.
- External factors, such as regulatory compliance requirements, may exclude mitigation options that avoid or defer OS migration. Financial services and health care are two industries that have specific constraints in this area.