In the pharmaceutical industry, a company's ultimate
nightmare is that its intellectual property will leak out of the
network and into the hands of competitors.
Microsoft vigorously touts Windows Vista as an operating system
built to protect a company's crown jewels, but Steven Dietz isn't
so sure.
As the information security principal for Quintiles
Transnational, a healthcare services provider, Dietz watches over a
network serving some 20,000 employees in 50-plus countries,
including China, India, Africa and Australia. The company is also
on the hook for a variety of global regulatory rules such as HIPAA
and the European Union Data Privacy standard.
Vendor IT shops also feel Windows Vista pain
Vendors don't like to hear it when their customers complain they
were too slow in preparing their products for Vista compatibility.
But Alan Shimel, chief strategy officer for Superior, Colo.-based
StillSecure, readily admits his shop isn't 100% Vista-ready.
His IT administrator, Jake Reynolds, said the company has yet to
purchase new computers of its own with Vista pre-installed and that
it is still dealing with the same testing pains many customers are
experiencing.
"The biggest blocker for us is that while Vista has some nice
deployment features, we can't deploy it in any real numbers until
we get our own product working properly with it," Reynolds said.
"It's one thing for our CTO to have his own Vista laptop and
another for everyone to have it."
The problem, he said, is that StillSecure's Safe Access NAC
product can't read PCs the way it could with Windows XP. "Vista
looks exactly like XP so our team has to go in and differentiate
Vista from other Windows flavors," Reynolds said. "It's about going
back and teaching our product to recognise Vista's language."
StillSecure expects to be Vista-ready by August.
Despite the work that needs to be done, Shimel believes
company-wide Vista deployments will proceed far faster than most
people expect. Every time someone buys a new PC or laptop it comes
out of the box with Vista, he said. The world is being forced into
the Vista universe kicking and screaming, he said, so vendors can't
afford to move as slowly as IT shops can.
"Vista will find its way into corporate IT a lot sooner than
most people would like," he said. "The more new machines are
purchased with Vista pre-installed, the faster we all have to
move."
Dietz has a multi-layered security wall around the network that
includes encryption in case of laptop theft, host-based intrusion
protection and personal firewalls. And he's not ready to mess with
any of it by deploying Vista.
"We try to be risk averse," he said. "Because we are a
pharmaceutical testing company, we do business with all the large
pharmaceutical companies and we have to keep data separate and
independent from client A and client B. There can't be any
confusion and we need to make sure data from client A isn't
accidentally sent to client B."
Given all the added security Microsoft says is in Vista, one
might expect Quintiles to push it on the fast track to
enterprise-wide deployment as companies like Papa Gino's have done.
But while Papa Gino's has moved aggressively on Vista as a
way to better protect its customer credit card data, Dietz
is worried the features in Vista could actually conflict with
his third-party and home-grown defenses, leading to unintended
data leakage. To ensure that doesn't happen, Dietz, like many
other IT professionals, is taking the slow approach, putting
Vista through a rigorous testing process and holding off on
large deployments until 2008 at the earliest.
"One thing that's important to understand is that in this
environment, you need documentation, pharmaceutical validation and
IT system qualification processes," he said. "In a perfect world,
the dream OS would give us the capability to easily update these
things and get reports in a seamless, encrypted tunnel. We have
more and more field devices that need to be able to exchange
information with the network but still protect the data."
Dietz also dreams of a day that, when there's an infection, the
company can immediately update devices globally without having to
go through the internal McAfee repository, he said.
His initial review of Vista shows it isn't compatible with the
default software packages he relies on. It also seems to conflict
with his antivirus and host-based intrusion protection controls.
Each month the list of Vista-compatible products grows, he said.
But for Vista to be worth a full deployment, he needs immediate
compatibility. For now, Dietz is content to test Vista against
every application that touches the clinical systems. His 2008
deployment estimate is based on the knowledge that validation
testing is a painfully rigorous process.
Can Vista be supported?
Dietz admits he's at the very beginning of dealing with the
operating system. His estimate of a 2008 rollout is based on three
initial findings:
- Only one-third of all Quintiles desktop and notebook computers
are currently capable of running Vista.
- The depth and breadth of applications beyond the usual office
suite of programs shows initial incompatibility, requiring various
application upgrades and other workarounds. Adhering to the
validation requirements of Big Pharma would drag out the timetable
even further.
- The differences between XP and Vista are significant enough to
have a direct impact on support, requiring advance in-depth
multi-layer support planning and training.
"Interestingly enough, none of these reasons have any direct
relation to IT security," he said. "The security of Vista is
improved, and will require an appropriate baseline for any
deployment. My current interest and perspective is focused on how
encryption and certificate management integrate and are different
than in XP."
Are third-party vendors ready?
Adding to the complexity of the problem is that Dietz's third-party
security tools aren't Vista-ready. His main security vendor is
McAfee and it's a struggle to keep up with all its different
product versions without the added difficulty of determining which
flavor is the best fit for Vista, he said.
From what he can tell, McAfee only has a beta intrusion
prevention offering for Vista, and he's hesitant to even consider a
product until it has had an initial release update. Throwing a new
operating system into the mix would put more of a crunch on his IT
support desk than he's willing to take right now.
Andrew Jaquith, a senior analyst at the Boston-based Yankee
Group, can understand people's reluctance to charge ahead with
Vista. But he cautioned IT professionals not to let compatibility
concerns blind them to the many security benefits within the new
operating system.
"When it comes to an industry like the sciences or the
pharmaceuticals, you need to be very careful," he said. "But with
Vista there's a lot to cheer about as well. Vista has some
appealing features like drive encryption. You see people worried
about laptop theft and private information floating around, and
Microsoft's answer is to make hard-drive encryption easier."
Don't skip the road test
That doesn't mean Vista is perfect by any stretch of the
imagination. When Yankee did its initial Vista research, Jaquith
said it was evident to him that Microsoft rushed Vista to the
masses without adequately preparing third-party vendors and giving
them time to make compatibility adjustments. That's why IT shops
shouldn't rush deployments without a thorough vetting process.
"With any OS you have to put it through a thorough road test to
see if it's really right for you," he said. "With Vista you have a
hardware upgrade as well as a software upgrade, so it requires
great care."
That's Dietz's philosophy as well, and it's an approach he has
followed with every new program, including Windows XP when it was
first released.
"I familiarise myself with the security, then do more testing,
then plan a deployment model," he said. "Good standardised security
is just one piece of the pie for a successful Vista
deployment."