What Windows-as-a-Service will mean for Australian security

By Sasha Pavlovic, director of cloud and data centre security, Trend Micro Asia Pacific

Long-time Microsoft watchers are hearing more talk about the possibility of Windows-as-a-Service becoming a reality in the not too distant future. Recent developments related to support and upgrades from the company seem to indicate that Microsoft would prefer users to be on a more consistent platform, with relatively few differences in the software in use. This platform would also be subject to smaller but more frequent feature updates – something that has already been promised to members of Microsoft’s Windows Insider Program.

The idea of Windows-as-a-Service is also being discussed amongst the IT community. It’s not quite the same as other “as-a-service” concepts used by cloud vendors, but there are broad similarities: the service provider rolls out an update to all their users, which they can easily do as the service lives on their servers. In this case, while Windows doesn’t live on a server, it is still the subject of constant updates from Microsoft.

This approach would offer clear business logic but it is a significant change in how Microsoft has done things until now. It also raises several security and operational changes and challenges of which IT administrators need to be aware.

Security: closing the vulnerability gap

Enterprises can currently control how and when patches are installed onto their machines, with the controls available in Windows 10 more powerful than those in earlier versions. In terms of security, the concept of Windows-as-a-Service is a clear win. Automatic download and installation of updates shrinks the vulnerability gap: the time between when a patch is made available and when users are able to download and install the fix.

Consider how Google Chrome silently checks for, downloads, and then installs new versions in the background. This helps ensure that any vulnerabilities in that browser are quickly patched before they become a widespread problem. If moving people on to Windows-as-a-Service is Microsoft’s long-term goal, such a situation would be more secure than the current variety of browser versions with varying states of (in)security.

It will be important to keep in mind that, if Windows-as-a-Service does happen, there will be some risks in the short term. Many enterprises are slow to upgrade their software, and inevitably some organisations will be caught out and fall victim to exploits targeting now-unpatched browsers. In the long run, however, the overall security picture will improve as fewer systems run these vulnerable browsers.

Organisational resistance to change

The high speed of change that this future path imposes on Windows may come into conflict with the slower, more measured pace that organisations often prefer.

Many Australian organisations tend to follow the “if it ain’t broke, don’t fix it” rule when it comes to technology. While this approach may have worked in the past, today’s higher-paced environment means that businesses will have to get used to change.

If we take a look back at how businesses across Australia and New Zealand have responded to the uptake of new Windows versions over the years, most would fall into the laggard category. That’s not to say that our IT departments aren’t innovators; they’re just a little more averse to change based on previous experiences, with criticism of 2006’s Windows Vista as a prime example.

Simply put, many organisations have a slow culture when it comes to technological change. The move to Windows-as-a-Service will push organisations towards adopting a faster culture.

According to a 2015 study conducted by Tech Research Asia across 300+ organisations in Australia and New Zealand, 75% expressed interest in moving to Windows 10 within 12 months, whilst others were contemplating a mid-term move and some were downright refusing it.

Such a transition will not be easy or painless but it is already taking place with somewhat surprising speed: surveys of IT professionals around the world have indicated that Windows 10 is being adopted faster than initially anticipated.

Planning for the future

Windows-as-a-Service presents a very different way of doing things. Ordinary consumers won’t feel much change, if at all; they’ll get their updates automatically and not particularly mind. Enterprises more used to controlling their experiences will have a bigger challenge trying to find the right balance of change and control that works for them.

Getting there will not be an easy task for everyone. It will be important for organisations to plan for the transition by ensuring they have security in place capable of providing protection to various users that cannot be upgraded immediately to Windows 10. This will allow IT administrators to upgrade their users at planned-for intervals, giving them additional (and perhaps much-needed) breathing room to carry out the transition in a way that is less disruptive to business.

Once a relatively quick and automated patch cycle is accepted, we will see a significant improvement in security. Exploits found in the wild frequently target old vulnerabilities that have yet to be patched, so the more automatic patching promised by Windows-as-a-Service will result in a better, more secure future.

Sasha Pavlovic is the director of cloud and data centre security for Trend Micro Asia Pacific www.TrendMicro.com.au
