Big Microsoft Vista concerns for Big Pharma

The second installment of an ongoing series examining the challenges of deploying Windows Vista and the considerations that go into the decision to roll out the new OS.

In the pharmaceutical industry, a company's ultimate nightmare is that its intellectual property will leak out of the network and into the hands of competitors. Microsoft vigorously touts Windows Vista as an operating system built to protect a company's crown jewels, but Steven Dietz isn't so sure.

As the information security principal for Quintiles Transnational, a healthcare services provider, Dietz watches over a network serving some 20,000 employees in 50-plus countries, including China, India, Australia and several African nations. The company is also on the hook for regulations in several jurisdictions, including HIPAA in the United States and the European Union's data protection directive.

Vendor IT shops also feel Windows Vista pain

Vendors don't like to hear it when their customers complain they were too slow in preparing their products for Vista compatibility. But Alan Shimel, chief strategy officer for Superior, Colo.-based StillSecure, readily admits his shop isn't 100% Vista-ready.

His IT administrator, Jake Reynolds, said the company has yet to purchase new computers of its own with Vista pre-installed and that it is still dealing with the same testing pains many customers are experiencing.

"The biggest blocker for us is that while Vista has some nice deployment features, we can't deploy it in any real numbers until we get our own product working properly with it," Reynolds said. "It's one thing for our CTO to have his own Vista laptop and another for everyone to have it."

The problem, he said, is that StillSecure's Safe Access NAC product can't yet assess Vista endpoints the way it assesses Windows XP machines. "Vista looks exactly like XP so our team has to go in and differentiate Vista from other Windows flavors," Reynolds said. "It's about going back and teaching our product to recognise Vista's language." StillSecure expects to be Vista-ready by August.

Despite the work that needs to be done, Shimel believes company-wide Vista deployments will proceed far faster than most people expect. Every time someone buys a new PC or laptop it comes out of the box with Vista, he said. The world is being forced into the Vista universe kicking and screaming, he said, so vendors can't afford to move as slowly as IT shops can.

"Vista will find its way into corporate IT a lot sooner than most people would like," he said. "The more new machines are purchased with Vista pre-installed, the faster we all have to move."

Back at Quintiles, Dietz has a multi-layered security wall around the network that includes disk encryption against laptop theft, host-based intrusion prevention and personal firewalls. And he's not ready to disturb any of it by deploying Vista.

"We try to be risk averse," he said. "Because we are a pharmaceutical testing company, we do business with all the large pharmaceutical companies and we have to keep data separate and independent from client A and client B. There can't be any confusion and we need to make sure data from client A isn't accidentally sent to client B."

Given all the added security Microsoft says is in Vista, one might expect Quintiles to fast-track an enterprise-wide deployment, as companies like Papa Gino's have done. But while Papa Gino's moved aggressively on Vista to better protect its customers' credit card data, Dietz worries that Vista's features could conflict with his third-party and home-grown defenses and lead to unintended data leakage. To make sure that doesn't happen, Dietz, like many other IT professionals, is taking the slow approach: putting Vista through a rigorous testing process and holding off on large deployments until 2008 at the earliest.

"One thing that's important to understand is that in this environment, you need documentation, pharmaceutical validation and IT system qualification processes," he said. "In a perfect world, the dream OS would give us the capability to easily update these things and get reports in a seamless, encrypted tunnel. We have more and more field devices that need to be able to exchange information with the network but still protect the data."

Dietz also dreams of a day when, in the event of an infection, the company can immediately push updates to devices worldwide without routing them through the internal McAfee repository, he said.

His initial review of Vista shows it isn't compatible with the standard software packages he relies on. It also appears to conflict with his antivirus and host-based intrusion prevention controls. The list of Vista-compatible products grows each month, he said, but for Vista to be worth a full deployment he needs compatibility now, not eventually. For the time being, Dietz is content to test Vista against every application that touches the clinical systems. His 2008 deployment estimate reflects the fact that validation testing is a painfully rigorous process.

Can Vista be supported?
Dietz admits he's at the very beginning of dealing with the operating system. His estimate of a 2008 rollout is based on three initial findings:

  • Only one-third of all Quintiles desktop and notebook computers are currently capable of running Vista.

  • Initial testing of the many applications beyond the usual office suite showed incompatibilities that require application upgrades and other workarounds. Adhering to Big Pharma's validation requirements would stretch the timetable further still.

  • The differences between XP and Vista are significant enough to have a direct impact on support, requiring advance in-depth multi-layer support planning and training.

"Interestingly enough, none of these reasons has any direct relation to IT security," he said. "The security of Vista is improved, and will require an appropriate baseline for any deployment. My current interest and perspective is focused on how encryption and certificate management integrate and are different from XP."

Are third-party vendors ready?
Adding to the complexity is that Dietz's third-party security tools aren't Vista-ready. His main security vendor is McAfee, and it is a struggle to keep up with all of its product versions even without the added difficulty of determining which one is the best fit for Vista, he said.

From what he can tell, McAfee has only a beta intrusion prevention offering for Vista, and he is hesitant to even consider a product until it has had an initial post-release update. Throwing a new operating system into the mix would put more of a crunch on his IT support desk than he is willing to take right now.

Andrew Jaquith, a senior analyst at the Boston-based Yankee Group, can understand people's reluctance to charge ahead with Vista. But he cautioned IT professionals not to let compatibility concerns blind them to the security benefits in the new operating system.

"When it comes to an industry like the sciences or the pharmaceuticals, you need to be very careful," he said. "But with Vista there's a lot to cheer about as well. Vista has some appealing features like drive encryption. You see people worried about laptop theft and private information floating around, and Microsoft's answer is to make hard-drive encryption easier."

That feature, BitLocker, carries prerequisites of its own: in Vista it ships only in the Enterprise and Ultimate editions, and in its default configuration it relies on a TPM 1.2 chip to seal the volume key, so a laptop fleet without TPMs has to be configured through Group Policy to use a USB startup key instead. Those are exactly the hardware and support questions a road test is meant to surface.

Don't skip the road test
That doesn't mean Vista is perfect by any stretch of the imagination. When Yankee did its initial Vista research, Jaquith said, it was evident to him that Microsoft rushed Vista to the masses without adequately preparing third-party vendors or giving them time to make compatibility adjustments. That's why IT shops shouldn't rush deployments without a thorough vetting process.

"With any OS you have to put it through a thorough road test to see if it's really right for you," he said. "With Vista you have a hardware upgrade as well as a software upgrade, so it requires great care."

That's Dietz's philosophy as well, and it's an approach he has followed with every new platform, including Windows XP when it was first released.

"I familiarise myself with the security, then do more testing, then plan a deployment model," he said. "Good standardised security is just one piece of the pie for a successful Vista deployment."
