For long-time Microsoft watchers, we are hearing more talk around the possibility of Windows-as-a-Service becoming a reality in the not too distant future. Recent developments related to support and upgrades from the company seem to indicate that Microsoft would prefer users be on a more consistent platform with relatively little differences in software in use. This platform would also be subject to smaller but more frequent feature updates – something that has already been promised to members of Microsoft’s Windows Insider Program.
The idea of Windows-as-a-Service is also being discussed amongst the IT community. It’s not quite the same as other “as-a-service” concepts used by cloud vendors, but there are broad similarities: the service provider rolls out an update to all their users, which they can easily do as the service lives on their servers. In this case, while Windows doesn’t live on a server, it is still the subject of constant updates from Microsoft.
This approach would offer clear business logic but it is a significant change in how Microsoft has done things until now. It also raises several security and operational changes and challenges of which IT administrators need to be aware.
Security: closing the vulnerability gap
Enterprises can currently control how and when patches are installed onto their machines, with the controls available to Windows 10 more powerful than earlier versions. In terms of security, the concept of Windows-as-a-Service is a clear win. Having automatic downloads and installation updates shrinks the vulnerability gap; the time between when a patch is made available and users are able to download and install a fix.
Consider how Google Chrome silently checks for, downloads, and then installs new versions in the background. This helps ensure that any vulnerabilities in that browser are quickly patched before they become a widespread problem. If moving people on to Windows-as-a-Service is Microsoft’s long term goal, such a situation would be more secure than the current variety of browser versions with varying states of (in)security.
It will be important to keep in mind that, if Windows-as-a-Service does happen, there will be some risks in the short term. Many enterprises are slow to upgrade their software, and inevitably some organisations will be caught out and fall victim to exploits targeting now-unpatched browsers. In the long run, however, the overall security picture will improve as fewer systems run these vulnerable browsers.
Organisational resistance to change
The high speed of change that this future path imposes on Windows may come into conflict with the slower, more measured pace that organisations often prefer.
Many Australian organisations tend to follow the “if it ain’t broke, don’t fix it” rule when it comes to technology. While this approach may have worked in the past, today’s higher-paced environment means that businesses will have to get used to change.
If we take a look back at how businesses across Australia and New Zealand have responded to the uptake of new Windows versions over the years, most would fall into the laggard category. That’s not to say that our IT departments aren’t innovators, they’re just a little more adverse when it comes to change based on previous experiences, with criticism of 2006 Windows Vista as a prime example.
Simply put, many organisations have a slow culture when it comes to technological change. The move to Windows-as-a-Service will push organisations towards adopting a faster culture.
Based on a 2015 study that was conducted across 300+ organisations in Australia and New Zealand by Tech Research Asia, 75% expressed interest to move to Windows 10 within 12 months whilst others were contemplating a mid-term move and some downright refusing it.
Such a transition will not be easy or painless but it is already taking place with somewhat surprising speed: surveys of IT professionals around the world have indicated that Windows 10 is being adopted faster than initially anticipated.
Planning for the future
Windows-as-a-Service presents a very different way of doing things. Ordinary consumers won’t feel much change, if at all; they’ll get their updates automatically and not particularly mind. Enterprises more used to controlling their experiences will have a bigger challenge trying to find the right balance of change and control that works for them.
Getting there will not be an easy task for everyone. It will be important for organisations to plan for the transition by ensuring they have security in place capable of providing protection to various users that cannot be upgraded immediately to Windows 10. This will allow IT administrators to upgrade their users at planned-for intervals, providing the transition additional (and perhaps much-needed) breathing room to carry out the transition in a way that is less disruptive to business.
Once a relatively quick and automated patch cycle is accepted, we will see a significant improvement for security. Exploits found in the wild frequently target old vulnerabilities that have yet to be patched, so more automatic patching in the promise of Windows-as-a-Service will result in a better, more secure future.
Sasha Pavlovic is the director of cloud and data centre security for Trend Micro Asia Pacific www.TrendMicro.com.au