This is the third part of a series of three blogposts (parts 1 and 2 available here and here, respectively) related to the many Windows Server 2003 (WS2003) systems that may not be migrated to a new OS platform by the July 14, 2015 “end of extended support” deadline by Microsoft.
ASSESSING THE BUSINESS RISK
Clearly, with days to go, you’ve assessed the business impacts of not migrating your Windows Servers 2003 and the business-critical applications running on them to a newer OS or cloud environment. The market is awash with cloud providers (Microsoft Azure, Amazon AWS and others) luring prospects with the promise of an easy migration path using the cloud. Meanwhile, system integrators are rubbing their wallets in anticipation of a projected billion-dollar opportunity to help organizations upgrade their infrastructures.
Did you know there are 8 million WS2003 Licenses still active with "end of extended support" looming?Image
Migrating servers to a new OS – even moving to cloud-based environments – is not a trivial effort. If that migration is still needed by July 2015 and will be a future course of action, hopefully, mitigation planning and approval has been completed for the interim. However, it would also be wise to make sure the risk assessment of running this OS after end of extended support and any mitigation plans have been clearly communicated and approved by executive leadership. Nearly 50 percent of executive leaders surveyed did not know this deadline loomed as of January 2015.
- Business-critical but older applications could be compromised, with results including breach, unauthorized transactions, theft of customer or internal data or intellectual property, and further attacks that could be spring-boarded throughout your environment.
- When defects surface in the WS2003 OS, there may be permanent loss of functionality in key WS2003 applications you’re relying upon to conduct business.
- Compliance requirements usually have a requirement that “in-scope” assets run a supported operating environment. Your organization may not be able to pass essential compliance audits for conducting your day-to-day business.
- C-suite executives and other business leaders may not be fully aware of the risk associated with using WS2003 after the end of extended support. These executives may be naively counting on the IT teams to keep things operational, and assuming the risks are manageable. These assumptions could leave IT leadership at risk if risks are not clearly delineated in a way non-technical execs can understand should problems arise later.
RECOMMENDATIONS TO IT LEADERSHIP ON DOCUMENTING WS2003 MITIGATION DECISIONS
1. Documented Decisions and Approved Risk Assessment IT Leadership should create and publish a document that outlines the rationale behind the organizational decision to continue to run WS2003 beyond the end of extended support date without a custom extended support contract from Microsoft. It is in the IT teams’ best interests to create this document at least in outline or draft form, as a record of the risk assessment, decisions, recommendations and mitigations. Meet with each of the stakeholders, including C-suite executives, and review the findings, business impact and costs before finalizing and publishing the document. 2. Assessing the Costs Be sure to include costs relevant to business-critical applications, older applications and migration limitations – including funding, hardware upgrades, legacy, custom, and third party software upgrades needed, as well as any costs unique to your organization. We suggest keeping this document numbers-focused. 3. Cost of “Doing Nothing” If in your circumstance, additional funding is required to mitigate the risks, assure those figures, as well as the “cost of doing nothing” has been entirely factored and documented to your best ability. Again, review by finance, legal and even marketing teams’ of the final document can help to assure you’ve thought of everything, and can garner internal support for whatever the final mitigation plans may be. 4. Get Finance and Legal Input Consider consulting other functional groups in your organization, such as your finance team, who may be an invaluable resource in constructing a cost assessment that your executive team will understand. You should include additional costs and resources to maintain WS2003 devices, and assure you have provided an early copy for review and comment to the corporate legal team. 5. Business Impact in Dollars This document should include potential business impacts in financial terms (dollars) should a serious breach connected with WS2003 devices occurs. Executives may not have considered assets becoming unavailable for conducting business, the IT team’s ability to restore services, public disclosure, even brief periods of being “out-of-compliance” in heavily regulated industries where fines may be levied, etc.
In some organizations, there may be ongoing disagreement regarding the priority, timing and decisions relevant to migrating a WS2003 system and its applications. Internal groups may resist the business costs of likely downtime required as part of upgrade activities. There may be internal charges or other implications, such as partner or supply chain relationships, and other impacts to consider. IT teams and leadership may be held accountable by business leaders who were not adequately informed of the current and future business impacts of continuing to conduct your business using WS2003 systems. Documenting and socializing the business decisions, and mitigation plans can provide IT some assurance of executive awareness and alignment. For reference on creating a document such as this, Gartner has freely available guidance in the online document, “Make Migration from Windows Server 2003 a Priority Before Support Ends in July 2015,” by Carl Claunch, available from Microsoft’s website here. Title image courtesy of ShutterStock