The two headlines above, which appeared in leading industry publications recently, are not only noteworthy for their crispness of expression, but also because if you say them one after another, they describe perfectly both the momentous event in question, and its consequences.
Both articles appeared within a day or two of each other. The opinion of the media therefore seems clear: from 8th April 2014, businesses and individuals using Windows XP will find that their security will be compromised.
And they’re not swayed by Microsoft’s recent postponement of the withdrawal of the XP Security Essentials tool, either.
The tool addresses only part of the security issue, and as V3 has reported Microsoft as saying in a subsequent article, “Our research shows that the effectiveness of anti-malware solutions on out-of-support operating systems is limited.”
The publication’s opinion, once again, is clear: “Windows XP users will still be at significant risk after the official April cut-off.”
Additionally, those in the payment device business will find that their industry compliance will not continue. So it is going to be carnage – for vendors, distributors, resellers, OEMs, enduser businesses and punters on the street alike. Increasingly, the media’s take seems to be “Get the hell out of there and move to some other system instead!”
Are they right? What follows is my attempt to answer that question. But I warn you – it’s not as simple as any of us would like.
Firstly, let’s make sure we’re all on the same page. On 8th April 2014, Microsoft is withdrawing its support for the Windows XP operating system. Significantly, in this context, “support” means, amongst other things, security.
Net result, businesses using XP will no longer be secure, businesses that use XP to produce or otherwise distribute payment devices will lose the PCI compliance that certifies their devices for the online movement of money (and be fined mightily for it!), and a lucrative world hackfest of XP devices is likely to begin.
It seems, therefore, that we’re being drawn ineluctably to the prospect of migration. The answer to the question I asked in the title of this paper is, by all accounts, yes.
Yet the simplicity of that answer belies a difficult migration scenario. Because XP is a product that Microsoft has essentially killed off before its time (V3’s Daniel Robinson notes that it is the “longest-running version of Microsoft’s operating system and is still widely used”), there is no logical, like-for-like migration path.
Windows 7 and 8, for example, which are often mooted as available successors to XP, do not support all of the devices that XP supports. Rather more seriously, 7 and 8 would not necessarily be PCI-compliant on those particular devices even if the devices did support them!
Freelance technology scribe Adrian Bridgwater has commented rather colourfully that: “To paraphrase the 19th century American naval rear admiral David Farragut, staying on with Windows XP is akin to issuing orders to damn the security torpedoes and plough on full speed ahead.”
He’s absolutely right, of course – ignoring the simmering XP withdrawal support issue might feel heroic, but it will not immunize you against the likely consequences!
But there is a disturbing lack of clarity in the industry as to what the migration options actually are. To paraphrase just one IT analyst house, for example, (Quocirca), the choices in a post-XP support world appear to be:
I take issue with this description. It’s incomplete. It ducks many of the available migration options.
Let’s support this beef with some examples:
It’s important to acknowledge that there are Open Source operating systems available, such as Linux, that are, prima facie, a viable alternative to XP. They do constitute a legitimate choice for businesses that are prepared to undergo a wholesale shift from one technology supplier to another, reskilling again from scratch in the process.
Upheaval aside, though, there are other concerns with migrating to an Open Source system. I have explained these in more detail in a recent paper but, in brief, they centre on the notion that such systems are “free”. In actual fact, support contract costs and the spiralling salaries of engineers specialised in these systems mean that they are most certainly not free.
I also take issue, in the same paper, with the unacceptably high levels of non-indemnified business risk, the slow development cycles, and the extensive stability and reliability issues that the use of Open Source alternatives typically exposes.
These points are all a matter of public record. You can see what’s said in some recent case studies – ITEC Digital Solutions (digital signage products), and Corghi (automotive measurement devices).
Can you fix it? Yes. … For a great deal of money.
The lack of understanding of the benefits of embedded operating systems, and their validity as a migration choice, in the marketplace, is breathtaking. Again, I have written at more length on this topic elsewhere.
But in summary, embedded technology represents an option which is often cheaper (up to 50% less per licence when compared to desktop), provides better performance (because it is designed specifically for a device environment, without the unnecessary “bells and whistles” of the PC), and benefits from far longer support and security provision (10 or 15 years is not unusual). Also – and critically – it often does not require a hardware refresh.
WES 2009 can constitute a particularly effective migration choice, in that it is to all intents and purposes an embedded version of XP.
It’s not quite true to say you can buy a WES2009 licence and instantly continue using your old Windows XP install. WES2009 does require some design time, but it’s limited work in a familiar environment. It uses the same kernel as Windows XP, so feature-wise it is the same.
This is a bigger ask than migrating to WES 2009, as it requires the production of a new “image” (the embedded term for an operating system install).
Additionally, if you’re producing payment devices there is still a question mark over whether these offerings will work with all devices, or be PCI-compliant on all of them – but, as an embedded technology, it has all the benefits over conventional PC software mentioned above.
OK, not really a migration option, but the point is worth making: if you’re happily running a mediaeval standalone machine somewhere that has no connection to the outside world, the impending doom of XP support withdrawal will matter nothing to you.
But then why would you be reading this paper?
So, there it is. When industry experts talk about migration, too often they limit themselves to the notion of migration from one conventional OS to another – and, even then, they don’t appear to have a clear view of all the options.
As for migrating from a conventional OS to an embedded system, perish the thought! It seems to be a bridge too far for them to contemplate – and yet, as we’ve shown above, the benefits (both migratory and, thereafter, operational) associated with it can be huge.
All of that said, the problem for those seeking to migrate to an embedded system is this: finding integrators who can actually perform the migration for you! The market is immature; there are very, very few skilled migration experts who can offer migration services that address the full gamut of customers from OEMs to end-users (that is, from bespoke development to ready-made migration packages).
Integration partners are even rarer. Pockets of skilled individuals of course exist in abundance, but in my view (and I live and breathe this market every day of my working life) they have not yet coalesced into organized technical and market offerings.
And all this less than one month (at the time of writing) before Microsoft pull the plug on XP support!
As Bridgwater affirms, “XP is over, it is time to go forward.” Migration – with all its challenges – beckons.