Microsoft Corp. will end technical security support for its popular Windows Server 2003 operating system in July—and community banks should start making their upgrade plans now, if they haven’t already, technology experts say. Delaying the upgrade to a newer Windows platform will create the risk of being caught with insecure and non-compliant systems, they say.
“These servers and applications will be vulnerable to cyberattacks, and you will be failing regulatory and compliance mandates unless you complete the migration,” offers Kesav Nagaraj, global director of advisory and planning solutions for data centers at Unisys Corp. in Blue Bell, Pa.
Here’s a checklist of items that technology experts say should be done to help community banks ensure they can make the switch to new Windows platforms on time.
1. Survey your bank’s systems. Find out how many Windows Server 2003 systems your community bank has in its computing environment, how those systems are being used, and what software is running on them. In particular, pay attention to any custom software developed specifically for your bank.
And don’t forget your vendors’ environments—your bank can outsource its technology and its maintenance, but not its ultimate security compliance responsibilities for those systems.
2. Prioritize. Figure out which systems are most vital, and make sure to schedule the work so that they get done. That includes servers exposed directly to the Internet, servers running mission-critical systems and servers running custom software that may take a long time to upgrade.
“Doing a detailed assessment of the current state and then developing a comprehensive migration plan lay the foundations for success,” Nagaraj says.
3. Keep it or toss it? Since you’re doing an upgrade anyway, now is a great time to begin jettisoning systems your bank is not using anymore or replacing systems that are obsolete. A cloud provider could be a better investment than doing an in-place upgrade, particularly for email servers, suggests Jason Fossen, an instructor with the SANS Institute, a cooperative information security research and training organization in Bethesda, Md.
4. Consider going virtual. Virtualization, either on premises or with a secure hosting or cloud provider, allows banks to replace physical servers with easy-to-scale and easy-to-manage virtual machines, Fossen says. Physical servers often have wasted capacity on them, and are prone to downtime. Virtual servers can be adjusted on the fly to get the most out of your community bank’s available physical infrastructure, and if anything fails they can be quickly reconfigured around the problem area.
“Virtualized servers are now the norm, not the exception,” says Fossen.
5. Skip ahead. Don’t bother with Windows Server 2008. Fossen and Nagaraj recommend jumping straight to Windows Server 2012 R2. “Administrators might feel more comfortable with the older products, but their comfort level is not the most important factor,” Fossen maintains. Instead, a bank’s choice of an operating system should also consider technical issues such as the potential for enhanced productivity, compatibility with existing software, and available support for cloud-based or virtualized deployments, he says.
Another option is for banks to wait for the next Windows Server release, rumored to be coming out this year as Windows Server 10. A preview of the system was released in October for testing.
6. Start compatibility testing as early as possible. If a must-have application won’t run after the platform upgrade, it will take time to find a replacement—or to rewrite the software. And waiting until the last minute to fix problems could be dangerous if a rushed job adds bugs or if developers are in short supply, says Fossen.
7. Keep everyone in the loop. Developing a project communications plan to keep all people, departments and organizations involved in the process will go a long way to ensure the software upgrade and transition process goes as quickly and smoothly as possible, Nagaraj says.