A compendium of favorite excuses

If you read the VirtaMove blogs over the last couple of years, you’ll quickly realize that I’ve been harping on the need to upgrade Windows servers for a while. It’s now clear; both recent Malware attacks, WannaCry and Petya, take advantage of SMB 1 exploits that are fixed in Windows Server 2008 R2. However, the exploits were not detected by anti-virus software. Because VirtaMove has completed thousands of Windows Server 2000 and 2003 modernizations for hundreds of clients, these lingering, out of date OS exploits kind of drive me crazy. I won’t cover the technical details of the EternalBlue exploit here, given that WikiLeaks seems to have leaked code samples to almost every Russian hacker.

It’s difficult to understand the complacency and inertia of corporate IT departments when it comes to Windows Server modernization projects. Over the years, VirtaMove has heard just about every excuse from IT for choosing to continue to do nothing over modernizing.

Favourite excuse #1

Rather than pay a modest amount to modernize a server, IT will often claim as follows:

Modernization will do nothing for end users.

Despite the fact that moving production applications to a new OS addresses known security exposures, improves performance, and enables application migration to either much improved data center servers or even the cloud. Also despite the fact that more than once customers have told us that investing in our technology has saved them more than 1 million dollars in proposed application redevelopment costs.

Excuse #2

We’ve also heard this:

We will modernize by re-installing our applications by hand because it will be easier this way.

Only later does the IT team realize that hand migration is highly disruptive to end-users. It involves installing new versions of all software components on the new server infrastructure; developing data and application migration plans for each component; developing a test plan to verify the migration; and remediating/reworking any failed components. Four labour and time intensive steps – so much for “easier”! Implementing these steps by hand often takes weeks or more of planning, execution, and verification. Once the true scope of the hand work is fully understood, IT can once again decide to Do Nothing.

Excuse #3

Here’s another one we often hear:

We will use the Vendor’s upgrade path.

However, ISVs upgrade only their application, which is frequently but a portion of the application stack used in most production servers. ISV upgrades can also be expensive and disruptive. Once again, Doing Nothing becomes easy to justify.

Excuse #4

Modernization may appear impossible to IT shops because:

Initial install media and scripts for an application are missing, and/or the original application owner and developers have left the organization.

Even in these cases, however,  most legacy applications can be up-leveled to a new OS version if a sophisticated application monitoring and migration tool is used.

A hidden excuse?

In other cases, reluctance to use automation for modernization seems to come down to:

Job protection and maintaining a dependency on IT contractors.

If automation can complete migrations in hours, where it takes months for IT consultants and contractors, how do these consultants justify their costly services? It appears that automation is an asset for every department in a business – except the IT department.

It’s time to modernize

I’ve outlined in earlier blogs what we believe needs to be done and what tangible steps can be taken to achieve modernization. My main point here is an urgent call to action, because doing nothing is no longer an option.

It’s obvious that the failure to modernize has left many IT shops vulnerable. Cyber-attacks are not going to stop or slow down. Malware and phishing are getting more sophisticated. Business and Government will be disrupted. A growing number of businesses that choose to stick with an old Windows Server architecture will feel the disruption daily.

Getting budget for IT modernization projects is often difficult and time consuming. Understanding the scope of the problem is also important. However, the last thing most IT shops need is another report telling them that they have a problem. Shops need to get to work and modernize their servers. More talk really isn’t cheap and it is proving to be risky. CIOs must get serious about budgeting and undertaking modernization, not only to address the End of Service for Window Server 2003, but on an ongoing basis. They can be assured that new malware will be developed to take advantage of undiscovered exploits on newer, better protected OS architectures as well.

The time for procrastination is over. We all need to invest in and protect our software infrastructures, not once like Y2K, but continuously. It’s not acceptable that major military, government, and business infrastructure rely on easily compromised computer infrastructure running old versions of Microsoft Windows. Recently, Microsoft announced a July 2017 patch to address 94 known vulnerabilities on old Windows versions.

The latest malware attacks have proven that doing nothing is not a viable plan. Excuses are not credible. IT system modernization must become a priority for business. Ignoring the security risks of outdated server infrastructure and operating systems amounts to negligence in today’s IT world.