Big Migration: The Top IT Security Issues To Consider When Migrating To A New OS


With Windows 10 now out in the wild, Kaspersky Lab’s Kirill Slavin tells us what companies need to keep an eye on when updating to a new system

Major events in the IT landscape, such as the availability of a new operating system (OS), affect businesses of all shapes and sizes and cannot go unnoticed. Many will ask themselves “should we migrate to a new version and if yes – when?” However, anyone who has previously gone through the process knows that it is a difficult and protracted one, full of constant queries and considerations – not to mention risks.

Of course, with any significant change to a business process there are risks involved, especially when it comes to the security of corporate and customer information. Here is my outline of the areas businesses should pay particular attention to when making such changes, along with advice on how to ensure the most successful migration to a new OS.

Step One: Planning ahead

Start with an evaluation of costs and benefits – a key step in any business plan. The release of a new version of an operating system in itself is not a reason to start migration. There will be additional costs, regardless of the price tag on the OS license. These include hardware and software upgrades, changes in the network infrastructure, consultants, IT and auxiliary staff wages, user training, as well as administrative costs. For example, Gartner estimated the cost of the previous major wave of migration, from Windows XP to Windows 7, at around $1,200 – $2,000 per computer.

It is also important to clearly understand how the company would benefit from migration. Will it simplify the administration processes or reduce the time to perform operations, etc.? From a security standpoint, using an older version of the OS brings greater risks and vulnerabilities. For example, as time goes on, the manufacturer may discontinue support for older operating systems and this can be detrimental to the company’s business processes.

When a company recognises the need to migrate, the second step is to test its IT services and software for compatibility with the new OS. This will ensure that all compatibility issues are eliminated, so that there is no chance left for loss of important data or downtime. You should also make sure that all hardware meets the new OS requirements. If necessary, include the appropriate adjustments (memory expansion, HDD replacement, and so on) in the plan.

The third step of the planning stage is defining the tools and migration scenario. To ensure migration is as trouble-free as possible for the company’s business process, it is important to choose the most suitable software to automate the migration process and to roll back the scenario if something goes wrong. For smooth migration you should first pay attention to the migration tools provided by the vendor of the new OS.

Once a migration tool is selected, create a scenario that includes a thorough description of the process and schedule – will it take place at night or on weekends; will the entire company migrate at once or will it be done by branch, department, floor, etc.?

It is extremely important to determine where and how to store backups of the users’ computers and which data will be copied. For example, it may be useful to enforce the rule of backing up only work-related information, asking employees to remove all personal data, audio and video files in advance (if your information security policy allows for this in the first place). This will help you keep the size of the backup copies at a reasonable level. And, of course, these backups have to be secured from falling into the wrong hands. Don’t neglect a test of a rapid recovery procedure that will save you time and money if anything goes wrong.

Step Two: Pilot migration

A pilot migration will allow you to run the entire scenario from beginning to end, identifying and eliminating any technical or organisational weak points that might have eluded your attention in the planning phase. As a result of the migration process, each user must receive a fully functional computer containing all necessary software (including an information security suite), data and settings – so they are able to start work the very second they get the system. If this is not achieved, the severity of impact on the business will depend on the amount of additional effort IT specialists have to put into fine tuning the systems. That is why it is especially important to cover as many different configurations as possible for the pilot migration process: different capacities of the operating system, office and language packs. Bear in mind that even the slightest differences in hardware may complicate the migration process.

Step Three: Migration

After the scenario has been rehearsed, all complications considered and all vulnerabilities eliminated, you can finally move to the main step – migration to the new OS. When the time to migrate comes, IT specialists will be prepared and armed with a detailed action plan. This is the only way you can be confident of avoiding unpleasant consequences for the company.

In conclusion, here are some top tips to follow that will help avoid information security incidents during the migration process:

  • Pay attention to where data backups will be stored and how the data storage is protected against unauthorised access. The same applies to the data transmission channel.
  • If you have no experience of migration, outsourcing specialists will help prepare a suitable plan and avoid unnecessary difficulties.
  • Technical support should be prepared, employees should be trained and a scenario of prioritising users’ requests should be developed.
  • All employees should be informed that during the specified period certain maintenance works will be carried out. Never forget to have a special emergency scenario.
  • When shaping a migration schedule, be aware that other vendors whose software you are using will need time to update their products to support the new OS. Wait for the updates, and only then launch the migration process. This will help to avoid unnecessary administrative and technical difficulties and make sure that you don’t get surprises with new vulnerabilities in corporate networks.
  • The optimal migration scenario, in our opinion, is to migrate department by department, starting with the IT department and ending with the business-critical units (finance, sales, procurement, etc.). By taking this approach, IT specialists will accumulate knowledge and experience to help avoid business-critical errors during migration of the business-critical units.

Kirill Slavin is general manager of UK and Ireland at Kaspersky Lab
