One of the fundamental principles of security is that you do not run outdated, out-of-support software, especially if you handle other people’s sensitive data.
That’s been obvious for a long time, yet this week’s news that the New Zealand government continues to operate tens of thousands of Windows XP systems shows that the reality of the principle can be hard to follow.
After support for XP ended in April, several NZ government ministries and health boards hadn’t upgraded, to the point that a staggering 40,000 or more systems were still running the obsolete operating system.
This is despite six years of warnings from Microsoft that XP would be officially unsupported after April this year, and that continuing to get security patches and bug fixes would cost organisations plenty.
In fairness, the Kiwis are not alone in having difficulties in dumping XP and moving to something newer, safer and officially supported on their computers.
The British, Irish and Dutch governments are also late in their migration programmes and have had to pay Microsoft millions for extended support.
In the United States, the federal government has rushed to upgrade its PC fleet, but there are still countless numbers of XP systems on state networks and in agencies. In fact, nobody knows quite how many.
Australia could well be in a similar situation, with its multiple state governments, territory administrations and federal and local agencies.
This is before we consider China, where some sources estimate that around half the computers in the country - a vast number - and almost two-fifths of government systems still run on XP.
Why is it so hard then to shift away from XP? There’s the cost and effort of upgrading thousands of systems that are used to provide public services - and such an upgrade simply can’t go wrong because people and businesses depend on the nation’s IT services remaining functional, no matter what.
There are, however, tools that help with mass deployment of operating systems, and these work well as long as they encounter a standard platform for imaging. Except that, judging by what Peter Dunne, the minister of internal affairs and the boss of the New Zealand government chief information officer, told iTnews, there is no standard platform.
It makes fiscal sense for a cash-squeezed government department to slash its budget by taking advantage of disparate commodity hardware that’s cheap, instead of using a pricier standard platform, up until it’s time for that Big Upgrade of thousands of boxes and the compatibility problems start rolling in.
These problems aren’t insurmountable. Overcoming them requires an up-to-date inventory of assets and a few skilled IT admins who have already torn most of their hair out over similar issues in the past.
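The inventory is where the work starts: before anything can be imaged, someone has to know which boxes are past end of support, which department owns them, and which inventory records are themselves stale. The script below is an added illustration of that first step and is not part of the column or of any government's tooling. The hostnames, departments and last-seen dates are constructed sample data; the Windows XP end-of-support date (8 April 2014) is the vendor's published one, and the other two entries are included only so the check covers more than one OS.

```python
"""Flag inventory entries whose operating system is past its vendor end-of-support date."""
import csv
import io
from collections import Counter
from datetime import date

# End-of-support dates keyed by the OS label used in the inventory. The XP date is
# the published end of extended support; the others are here to show the check
# generalising beyond a single OS.
END_OF_SUPPORT = {
    "Windows XP": date(2014, 4, 8),
    "Windows 7": date(2020, 1, 14),
    "Windows 8.1": date(2023, 1, 10),
}

# Constructed sample inventory: hypothetical hosts and departments, not real data.
SAMPLE_INVENTORY = """hostname,department,os,last_seen
ws-0001,Health Board A,Windows XP,2014-05-02
ws-0002,Health Board A,Windows 7,2014-05-02
ws-0003,Internal Affairs,Windows XP,2014-04-30
ws-0004,Internal Affairs,Windows 8.1,2014-05-01
ws-0005,Transport,Windows XP,2013-11-20
ws-0006,Transport,Embedded Kiosk OS,2014-05-02
"""


def classify_inventory(inventory_csv, as_of, eol_dates=END_OF_SUPPORT):
    """Split CSV rows into (unsupported, unknown).

    unsupported: OS has an end-of-support date on or before as_of.
    unknown: OS label is not in the EOL table. These are returned separately
    rather than silently treated as supported, because a bespoke or unlabelled
    platform is exactly the kind of thing that derails an upgrade later.
    """
    unsupported, unknown = [], []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        eol = eol_dates.get(row["os"])
        if eol is None:
            unknown.append(row)
        elif eol <= as_of:
            unsupported.append(dict(row, days_past_eol=(as_of - eol).days))
    return unsupported, unknown


def count_by_department(rows):
    """Count flagged hosts per department so the upgrade effort can be prioritised."""
    return dict(Counter(r["department"] for r in rows))


def stale_hosts(rows, as_of, max_age_days=90):
    """Hosts not seen recently may already be retired; list them so the inventory
    can be corrected before it drives the upgrade plan."""
    return [r["hostname"] for r in rows
            if (as_of - date.fromisoformat(r["last_seen"])).days > max_age_days]


def run_report(as_of_iso="2014-05-05", inventory_csv=SAMPLE_INVENTORY):
    """Produce the summary a sysadmin would hand to management. as_of_iso defaults to a
    constructed reporting date shortly after XP support ended."""
    as_of = date.fromisoformat(as_of_iso)
    unsupported, unknown = classify_inventory(inventory_csv, as_of)
    return {
        "unsupported_hosts": [r["hostname"] for r in unsupported],
        "days_past_eol": {r["hostname"]: r["days_past_eol"] for r in unsupported},
        "by_department": count_by_department(unsupported),
        "unknown_os_hosts": [r["hostname"] for r in unknown],
        "stale_flagged_hosts": stale_hosts(unsupported, as_of),
    }


if __name__ == "__main__":
    for key, value in run_report().items():
        print(f"{key}: {value}")
```

Two design choices matter in practice: an OS label the table doesn't know is reported for manual follow-up instead of passing as supported, and hosts that haven't checked in for a while are listed separately, since an inventory that still carries retired machines will inflate the upgrade count and hide the ones that actually matter.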
Even then the best-laid upgrade schemes of mice-clicking men can go awry. Often, lurking behind the scenes, there lies the dreaded bespoke enterprise application. This is often written with scant regard for open standards and may only run on XP or a particular version of Internet Explorer.
Getting the budget for the necessary upgrade of XP isn’t that hard - there’s been enough coverage on the issue and adjunct security scares for even the tightest bean counter to understand it has to be done.
But the back end system? That’s a different kettle of fish altogether.
Older technology can be very expensive and difficult to migrate away from, assuming you can even find someone who still knows how to work with both the kit of yesteryear and today’s systems.
Admins proposing an upgrade of both clients and back end systems at the same time will have a tough time arguing their case, as it increases not only the cost but also the risk of disruption to business processes.
In other words, it’s not just a matter of trying out a new version of Windows and getting new licenses for it and rolling it out.
Spare some thought for the admins asked to do the almost impossible and being caught between a rock and a hard place, because nobody really figured out that the desktop PC approach wouldn't scale well for large enterprises.
And yes, in this scenario, security loses out, as six years’ worth of prevarication around the upgrade from Windows XP shows.
Maybe it's time to rebalance the scales, and take some possible breakage and disruption rather than having a large chunk of the nation's IT out there, with a big bull's eye on its back?