About Deploying Vista:This is the second installment of an ongoing series examining the challenges of deploying Windows Vista and the considerations that go into the decision to roll out the new OS. The series will highlight the setbacks and successes of those who are at various stages of deployment.
In the pharmaceutical industry, a company's ultimate nightmare is that its intellectual property will leak out of the network and into the hands of competitors. Microsoft vigorously touts Windows Vista as an operating system built to protect a company's crown jewels, but Steven Dietz isn't so sure.
As the information security principal for Quintiles Transnational Corp., a North Carolina-based healthcare services provider, Dietz watches over a network serving some 20,000 employees in 50-plus countries, including China, India, Africa and Australia. The company is also on the hook for a variety of global regulatory rules such as HIPAA and the European Union Data Privacy standard.
He has a multi-layered security wall around the network that includes encryption in case of laptop theft, host-based intrusion protection and personal firewalls. And he's not ready to mess with any of it by deploying Vista.
"We try to be risk averse," he said. "Because we are a pharmaceutical testing company, we do business with all the large pharmaceutical companies and we have to keep data separate and independent from client A and client B. There can't be any confusion and we need to make sure data from client A isn't accidentally sent to client B."
Given all the added security Microsoft says is in Vista, one might expect Quintiles to push it on the fast track to enterprise-wide deployment as companies like Papa Gino's have done. But while Papa Gino's has moved aggressively on Vista as a way to better protect its customer credit card data, Dietz is worried the features in Vista could actually conflict with his third-party and home-grown defenses, leading to unintended data leakage. To ensure that doesn't happen, Dietz, like many other IT professionals, is taking the slow approach, putting Vista through a rigorous testing process and holding off on large deployments until 2008 at the earliest.
"One thing that's important to understand is that in this environment, you need documentation, pharmaceutical validation and IT system qualification processes," he said. "In a perfect world, the dream OS would give us the capability to easily update these things and get reports in a seamless, encrypted tunnel. We have more and more field devices that need to be able to exchange information with the network but still protect the data."
Dietz also dreams of a day that, when there's an infection, the company can immediately update devices globally without having to go through the internal McAfee repository, he said.
His initial review of Vista shows it isn't compatible with the default software packages he relies on. It also seems to conflict with his antivirus and host-based intrusion protection controls. Each month the list of Vista-compatible products grows, he said. But for Vista to be worth a full deployment, he needs immediate compatibility. For now, Dietz is content to test Vista against every application that touches the clinical systems. His 2008 deployment estimate is based on the knowledge that validation testing is a painfully rigorous process.
Can Vista be supported?
Dietz admits he's at the very beginning of dealing with the operating system. His estimate of a 2008 rollout is based on three initial findings:
"Interestingly enough, none of these reasons have any direct relation to IT security," he said. "The security of Vista is improved, and will require an appropriate baseline for any deployment. My current interest and perspective is focused on how encryption and certificate management integrate and are different than in XP."
Are third-party vendors ready?
Adding to the complexity of the problem is that Dietz's third-party security tools aren't Vista-ready. His main security vendor is McAfee and it's a struggle to keep up with all its different product versions without the added difficulty of determining which flavor is the best fit for Vista, he said.
From what he can tell, McAfee only has a beta intrusion prevention offering for Vista, and he's hesitant to even consider a product until it has had an initial release update. Throwing a new operating system into the mix would put more of a crunch on his IT support desk than he's willing to take right now.
Andrew Jaquith, a senior analyst at the Boston-based Yankee Group, can understand people's reluctance to charge ahead with Vista. But he cautioned IT professionals not to let compatibility concerns blind them to the many security benefits within the new operating system.
"When it comes to an industry like the sciences or the pharmaceuticals, you need to be very careful," he said. "But with Vista there's a lot to cheer about as well. Vista has some appealing features like drive encryption. You see people worried about laptop theft and private information floating around, and Microsoft's answer is to make hard-drive encryption easier."
Don't skip the road test
That doesn't mean Vista is perfect by any stretch of the imagination. When Yankee did its initial Vista research, Jaquith said it was evident to him that Microsoft rushed Vista to the masses without adequately preparing third-party vendors and giving them time to make compatibility adjustments. That's why IT shops shouldn't rush deployments without a thorough vetting process.
"With any OS you have to put it through a thorough road test to see if it's really right for you," he said. "With Vista you have a hardware upgrade as well as a software upgrade, so it requires great care."
That's Dietz's philosophy as well, and it's an approach he has followed with every new program, including Windows XP when it was first released.
"I familiarize myself with the security, then do more testing, then plan a deployment model," he said. "Good standardized security is just one piece of the pie for a successful Vista deployment."
Dig Deeper on Windows Security: Alerts, Updates and Best Practices