Major events in the IT landscape, such as the availability of a new operating system (OS), cannot go unnoticed, because they affect businesses of all shapes and sizes.
Many will ask themselves “should we migrate to a new version and if yes – when?” Anyone who has ever gone through the process knows that it is full of questions and considerations.
When it comes to the information security aspect, what risks are involved and what should businesses pay special attention to?
First stage: Planning
Let’s start with an evaluation of costs and benefits – a key step in any business plan. The release of a new version of an operating system in itself is not a reason to start migration. There will be additional costs, regardless of the price tag on the OS license. These include hardware and software upgrades, changes in the network infrastructure, consultants, IT and auxiliary staff wages, user training, as well as administrative costs.
It is also important to clearly understand how the company would benefit from migration. Will it simplify the administration processes or reduce the time to perform operations, etc.? From a security standpoint, using an older version of the OS brings greater risks and vulnerabilities. For example, as time goes on, the manufacturer may discontinue support for older operating systems and this can be detrimental to the company’s business processes.
When a company recognises the need to migrate, the second step is to test its IT services and software for compatibility with the new OS, so that the migration does not cause loss of important data or downtime. You should also make sure that all hardware meets the new OS requirements. If necessary, include the appropriate adjustments (memory expansion, HDD replacement, and so on) in the plan.
The third step of the planning stage is defining the tools and migration scenario. To ensure migration is as trouble-free as possible for the company’s business processes, it is important to choose the most suitable software to automate the migration process, and to be able to roll back the scenario if something goes wrong. For a smooth migration you should first of all pay attention to the migration tools provided by the vendor of the new OS.
Once a migration tool is selected, create a scenario that includes a thorough description of the process and schedule – will it take place at night or on weekends; will the entire company migrate at once or will it be done by branch, department, floor, etc.?
It is extremely important to determine where and how to store backups of the users’ computers and which data will be copied. For example, it may be useful to enforce the rule of backing up only work-related information, asking employees to remove all personal data, audio and video files in advance (if your information security policy allows for this in the first place). This will help you keep the size of the backup copies at a reasonable level. And, of course, these backups have to be secured from falling into the wrong hands. Don’t neglect to test a rapid recovery procedure; it will save you time and money if anything goes wrong.
Second stage: Pilot migration
A pilot migration will allow you to run the entire scenario from beginning to end, identifying and eliminating any technical or organisational weak points that might have eluded your attention in the planning phase. As a result of the migration process, each user must receive a fully functional computer containing all necessary software (including an information security suite), data and settings – so they are able to start work the very second after they get the system. If this is not achieved, the impact on the business will depend on the amount of additional effort IT specialists have to put into fine tuning the systems. That is why it is especially important to cover as many different configurations as possible for the pilot migration process: different capacities of the operating system, office and language packs. Bear in mind that even the slightest differences in hardware may complicate the migration process.
Third stage: Migration
After the scenario has been rehearsed, all complications considered and all vulnerabilities eliminated, you can finally move to the main step – migration to the new OS. When the time to migrate comes, IT specialists are prepared and armed with a detailed action plan. This is the only way you can be confident of avoiding unpleasant consequences for the company.
In conclusion, here are some tips that will help avoid information security incidents during the migration process:
1. Pay attention to where data backups will be stored and how the data storage is protected against unauthorised access. The same applies to the data transmission channel.
2. If you have no experience of migration, outsourced specialists will help prepare a suitable plan and avoid unnecessary difficulties.
3. Technical support should be prepared. Employees should be trained. A scenario of prioritising users’ requests should be developed.
4. All employees should be informed that during the specified period certain maintenance works will be carried out. Never forget to have a special emergency scenario.
5. When shaping a migration schedule, be aware that other vendors whose software you are using will need time to update their products to support the new OS. Wait for the updates, and only then launch the migration process. This will help to avoid unnecessary administrative and technical difficulties and make sure that you are not surprised by new vulnerabilities in corporate networks.
6. The optimal migration scenario, in our opinion, is to do it department by department, starting with the IT department and ending with the business-critical units (finance, sales, procurement, etc.). By taking this approach, IT specialists will accumulate knowledge and experience that help avoid serious errors during migration of the business-critical units.
By Riaan Badenhorst, Managing Director for Kaspersky Lab, Africa