


by Dave Gradijan

Windows Vista Migration 101

Dec 04, 2006 | 12 mins
CSO and CISO, Data and Information Security

CSO: At the Gartner Conference in San Diego in June, Gartner recommended that enterprises consider a phased migration beginning in 2008. Why 2008, and is this still Gartner’s recommendation?

Michael Silver: It’s really important to understand where the 2008 date comes from. It’s not when you would start working on a migration, but it will take most organizations 12 to 18 months to do all the preparation that they need to do leading up to a migration that starts for mainstream users in 2008. To really begin your migration in 2008 for most of your users, you’ll need to begin pretty soon by taking a look at your applications and working with your application vendors to understand when they’re going to support Windows Vista and with what versions of their products.

What types of questions should they be asking their vendors?

Well, there’s two pieces to application support. The first is, “Will my application work?” That’s something they should be asking their vendors and verifying for themselves as well. The second piece is when will the vendor actually support them on Windows Vista for a specific application, and on which version? If it’s not the version they’re using, that means that they may need to take a look at upgrading as well, which could delay the project or make the planning phase take longer. If the vendor is not planning on supporting Windows Vista for their product for some time, and the organization really needs to use that product, that could be a showstopper. Organizations need to decide how critical these products are and for more critical products, they may decide that the risk of moving to Vista without a safety net, without the vendor officially supporting that product on Vista, may actually be too high.

How long should the evaluation phase be when you’re considering a migration?

It’s evaluation, but it’s also testing, building images and doing pilots. So that’s where we believe this 12-to-18-month time line comes in. You’re not actually doing headstand work that whole time. Part of that time you may actually be waiting for some of your application vendors to support Windows Vista. The larger application vendors should support Vista relatively quickly, but as you start looking at smaller vendors and more vertical applications, it’s certainly likely that those vendors won’t support Windows Vista right out of the box and you may be waiting some number of months, or even more than a year, for them to actually support the operating system. So during that 12 to 18 months, there’s testing of your applications, training of your technical support staff and planning for user training, if any, which is probably more required for Office than for Vista. And we also include a three-month pilot program in that 12 to 18 months, so that’s sort of how it all breaks down.

What would you say the top issues are for a company that’s considering migration?

The top issue is always applications, applications, applications. A large company may have hundreds or thousands of applications. In fact, my rule of thumb is that if I divide the number of users at a large organization by 10, I get roughly a number equal to how many applications they have to worry about. So a 10,000 user organization may have 1,000 applications.

Not all applications may be officially supported by IT, but when push comes to shove, if users consider their apps business critical, IT needs to support them to some extent, or at least make sure they work before the migration starts. You need to get a handle on what your applications are, which ones are actually in use, which ones may not be in use, how many users are affected by each and then testing and, again, working with those vendors to understand the time line for application support.

Is there an estimated total cost of migration for desktop at this point?

When we look at migration costs, we look at costs for two different kinds of users: structured task workers and knowledge workers. The structured task workers usually have many fewer applications that the IS organization has to worry about.

Beyond the type of user, we also look at how those users are managed. Are they totally unmanaged? Does the organization use tools to manage their desktops or are the users locked down to the point where they can’t install software by themselves? If so, they probably have half as many applications as the typical unlocked and unmanaged organization.

The third component that I didn’t mention yet is end-user operations, which is lost productivity due to the move: time out of the office, time in class, time reconfiguring your machine so it looks the same as it did.

So the cost is really going to range, probably from less than $1,000 per user, to maybe as much as $2,000 per user, depending upon the type of user and how they’re managed. Don’t worry. I know those numbers sound pretty high, and they certainly are, but some components of those numbers include hardware and software, and the more organizations move through PC hardware attrition, as they buy new PCs, they’re more likely to be able to bring those costs down significantly.

One of the most important components of the number to look at is the IS labor component, which is probably closer to the out-of-pocket expense that the organization will spend on labor. It could be as low as a little over $200 for a locked, well-managed task worker, or perhaps over $700 for an unmanaged, unlocked knowledge worker. These numbers won’t be finalized for a few weeks.

What users do you think will benefit from Vista soonest, if any?

From an organizational standpoint, organizations that are running Windows 2000 are the ones that really need to jump on Vista quickest. That probably means starting their testing earlier and planning more rapid deployment. Microsoft will support Windows 2000 until the middle of 2010, but we’ve already heard from a lot of our clients that some of their application vendors are not supporting Windows 2000 for the newest versions of their applications. There are a lot of organizations who are still on Windows 2000, and they really need to start moving to Windows Vista before they end up with real support problems.

You mentioned before that applications were the biggest potential issue for a migrator to consider. In Gartner’s experience, what are the biggest challenges in making in-house corporate applications run on Vista?

A lot of new security features will be an issue, especially for in-house applications. So the best practice for a long time has been to make sure applications run as standard user, but in most internal application development shops, that wasn’t done. And frankly, in most ISVs, independent software vendors, that wasn’t done either. From an internal organizational perspective, that’s probably the biggest issue.

We’ve heard from some of our clients that they have old 16-bit applications and some even have old 8-bit applications, some of which need to be updated or retired. But going through all the applications, making sure they’ll function as a standard user is probably the biggest issue for making sure that they’ll be compatible with Windows Vista.

Do you expect that any of the security in the new Vista system is going to have interactions with those corporate applications?

Well, it’s certainly possible. You know, a lot of organizations don’t run firewalls on their desktop PCs, and with Windows Vista, they’re more likely to really turn on that firewall function. They need to make sure that whatever they do to lock down the user or configure the firewall, that they configure the firewall to understand which applications are going to need to go through it, so that the user has as few elevation prompts or warnings as possible.

What one OS feature, or enterprise requirement, would make Vista migration a no-brainer?

What I’ve been hearing from my clients for the last three years is a real desire to lock down their desktops. So UAC, user account control, is probably the biggest thing in Vista for enterprises. UAC allows organizations to make their users standard users instead of administrators, and it does it without breaking applications. However, organizations really need to understand that locking down their desktop is more of a cultural issue, actually, than a technical one, and they need to make sure that the users who really need access to be able to install their own applications will still have that so they can get their jobs done.

If you look at the enterprise requirements and features that would simplify Vista migration, what restrictions or limitations are there that would make a CIO or CSO question it and say, “Ah, I think I’m going to wait a year.”

Well, certainly this big question on application compatibility is one, and if you’re taking a look at doing what we would call a forklift migration, trying to move all your users at once, the hardware requirements certainly could be an issue. While I think to some extent, the hardware requirements have been a little bit overblown in the press, we do think that the best move to Vista is one that’s only done as new hardware comes in the door. And for most organizations who are going to start moving to Vista in 2008, a 2005 machine that they bought will already be three years old and not really a great candidate for migration. Looking at hardware, trying to figure out if forklift migration makes sense, or if maybe running Windows XP on their existing PCs until they are removed from the organization and just bringing in Windows Vista on new PCs may be a better idea.

There’s been a lot of uproar in the security community about Vista. Symantec wrote a few reports, different people are looking at different elements in terms of compatibility issues with existing security software, but also there have been viruses that have come out that were proof-of-concept. What do you think about Vista’s security?

Well, a couple of things. First of all, the issues around PatchGuard that Symantec, McAfee and everyone has had are really only around the 64-bit version. We would say that the vast, vast majority of the market in the next couple of years will really be deploying 32-bit Windows Vista. So certainly if you’re deploying 64-bit Vista—and that’s really going to be mostly for your scientists, mathematicians, GIS users, very, very large database users—that’s definitely a concern that you have to worry about.

The biggest security issue, I think, is that Microsoft has made such a big issue on it because they’ve really had a lot of bad security experiences over the last few years. I think anyone who is expecting to see a totally secure, impenetrable operating system is really going to be disappointed. Vista has some new security features that will be of benefit. Microsoft has vastly improved their security development processes, but no operating system is totally secure.

We’ve already seen viruses targeting Vista. Are Vista’s security measures enough to protect it as the malicious code evolves?

You know, again, nothing is totally secure. Microsoft has put in a lot of effort to try to fill in the holes and then to try to make holes that are found less exploitable. So some of the proof-of-concepts were done in the beta time frame, and I would think that Microsoft has removed most of those issues. But certainly, it’s unrealistic to think that Vista will be totally secure once it ships.

Now I know you’ve been using Vista for a few weeks. Do you have any words of wisdom for enterprises based on what you’ve learned?

Test your hardware, test your software before you do anything. I think anyone who is in the early testing phases really needs to make sure that all of their critical applications run before they really start using Windows Vista in production. Security products, as you’ve mentioned, are some of the most important because in many cases, those have a very close tie to the hardware and to the operating system. For other issues, like virtual private networks, you need to contact those vendors and make sure that the VPNs run on Vista. WAN adapters, any special hardware that you’re running, really needs to be tested before you can fully commit to running Windows Vista in production.

What items do you expect to be on the help desk’s FAQ list 30 days after Vista is installed?

The help desk will certainly be on the lookout for any user interface issues. Probably the biggest issues will be around security and perhaps elevation of permission, especially if users are now set to be standard users. Another big issue could be permission to open ports in the firewall, if the organization doesn’t configure those properly. Beyond that, I think some of the bigger questions will be around Office, which has really a radically new user interface, and many organizations may actually end up deploying Windows and Office 2007 together.

In a nutshell, what do you think of Vista for the enterprise?

Overall, I think Vista is a good, evolutionary release. Don’t expect that it’s going to revolutionize your IT department. While a new version of Windows usually brings some benefit, the bigger benefit is always how you manage it. Just because Vista has the opportunity to help you lock down your users doesn’t mean that you’re going to do it. You still need to put a lot of process and policy and perhaps additional tools around the deployment of the new operating system to try to get the most out of it and really make a good, cost-justified business decision to move to it.

Michael Silver has been with Gartner for more than a decade. He specializes in IT asset management and personal computers.
