Tick. Tick. Tick.
That’s the sound of July 14 — a date that virtually every agency IT director has circled on his or her calendar — getting closer. That’s the day when Microsoft will end all support for its popular Windows Server 2003 operating system.
Although the end-of-support announcement came well over a year ago, agencies are still working to get data and applications moved onto newer OSs, and some are already preparing for what they’ll do if they can’t meet the deadline.
“We’ll be close,” says Dennis McCrary, deputy CIO for the Department of Justice’s Drug Enforcement Administration. The DEA began moving away from Windows Server 2003 about three to four years ago, at a time when the agency had 700 servers running the OS, before Microsoft’s most recent server OS, Windows Server 2012, even existed.
“I think we’re down to about 120 left, and we have plans to get them done on time. There are always bumps in the road.”
Other agencies are at different points on the same path.
“We’re about 40 percent there,” says Greg Ambrose, director of consular systems and technology for the State Department’s Bureau of Consular Affairs, which started out with around 2,000 instances of Windows Server 2003.
The move is more than just data transfer drudgery: Agencies are encountering several hurdles, including hiccups that arise when they try to move applications that have resided on Windows Server 2003 for a decade or more. But the switch is also giving agencies a chance to beef up security, streamline their data centers and redirect resources to other priorities.
Al Gillen, program vice president for servers and system software at IDC, notes that “nothing changes” on the day when Microsoft terminates support. “The operating system doesn’t fail to boot up. But you no longer have access to security fixes and other updates,” he says. “If there’s a problem, you’re on your own.”
Gillen says the biggest concern for organizations that continue to operate with unsupported servers is security. Many agencies also face compliance regulations requiring them to operate with current and supported systems, he notes.
Organizations, Gillen says, must conduct triage with their applications as they migrate, using four criteria: whether an application connects to the world outside the internal network (making it more vulnerable); how critical the application is; what sort of data is stored within the application; and whether the organization wants to keep the application in-house or move to a hosted version.
“They have to do an inventory and decide which systems are most critical to get moved first, and move from top to bottom on that list,” Gillen says.
The U.S. Customs and Border Protection agency has done just that. While around 150 of its servers haven’t yet been migrated, all of its mission-critical applications have been, says Donald Matheson, deputy executive director for engineering and operations.
“We feel that we’ve met the deadline for our critical systems,” Matheson says. “The ones we have left, it’s not a threat to our critical missions if we lose Microsoft support. But we hope to get that down to a handful by the time the deadline arrives.”
Gillen says applications that are incompatible with newer servers are an “anchor” keeping many organizations tethered to Windows Server 2003. “In some cases it’s going to be a matter of rewriting the application, because it’s code you wrote internally,” he says. “In other cases, you have to go back to the vendor and get an upgrade from them.”
Matheson says that IT staffers at Customs and Border Protection weren’t “running around with their hair on fire” when the end-of-support deadline was announced, because they were already trying to keep their infrastructure as current as possible.
But the agency has hit a sticking point with two applications in particular: some specialized lab equipment that’s embedded with Windows Server 2003, as well as its online training system (which Matheson calls “our biggest offender”). Both were built by third parties, and neither vendor has certified that its product is compatible with newer server OSs.
But both the lab equipment and the online training system are accessible only by internal employees, so the agency can isolate them, insulating them from attack.
“If we have to run 2003 without Microsoft support, I think we will be OK for a while,” says Matheson.
“It’s difficult, because you’re pulling the tablecloth out from under your crystal and expensive plates,” says the DEA’s McCrary. “You’re changing the foundation of the house. You’re going to have to potentially change your applications to ensure that the features and functions you once had still work.”
The Veterans Affairs Department is currently unable to migrate some third-party medical applications that aren’t supported by Windows Server 2008 or Windows Server 2012.
“In order to provide continuity of care, the VA may need to continue to support Server 2003 until the vendors update their code,” says Art Gonzalez, deputy CIO for service delivery and engineering at the VA.
That support would have to come in the form of a custom service agreement with Microsoft, which is likely to carry a steep premium.
In addition to receiving the security benefits and improved features that come with migration to a newer server OS, a number of agencies are using the switch as an opportunity to downsize or reconfigure their physical infrastructure and reallocate resources.
“Veterans Affairs will review each server and determine if it can be virtualized or if the application running on the server can be consolidated, saving on hardware, support and licensing costs,” says Gonzalez. “Virtualizing and consolidating systems, as well as updating to the latest versions of the application, improves VA’s ability to be nimble and provide the best healthcare available.”
The Bureau of Consular Affairs is implementing virtualization in many of the areas in which it makes sense. That move will help the agency “increase our efficiency and reduce the footprint,” Ambrose says.
“We’re still working through those numbers, but we expect at minimum a 25 percent decrease, maybe even more,” says Ambrose. That decrease in physical servers saves space, reduces energy usage, and frees up administrator time. “Savings are still being calculated, but what we anticipate is that the investment would get rolled into other modernization that has not occurred.”
The modernization effort Ambrose has his eyes on is a project called ConsularOne, which will roll many of the agency’s applications — some of which were developed 10 or 15 years ago — into a suite of services.
“You can have just one common portal,” Ambrose says, likening the suite to online banking, where customers can see all of their accounts and pay their mortgage and credit card in one place. “That’s the modernization we’re driving toward, and we’re very excited about it.” Currently, employees have to log in to several applications and keep several windows open on their desktop to perform tasks such as passport adjudication.
Although most of the applications will be business-facing, some will be accessible to the public, including online passport renewal, which will allow people to upload their passport photos and pay online, rather than trekking to the post office.
Ambrose hopes to get that system up and running by the end of 2015, in time for the expected renewal crunch in the lead-up to 2017 (the 10-year anniversary of new travel regulations that required many people to get a passport for the first time). When those travelers renew their documents from the comfort of their own home, the Microsoft Windows Server 2003 end-of-support deadline will have played a part in the modernization.
Once the migration away from Windows Server 2003 is complete, many agencies will immediately turn their attention to moving away from Windows Server 2008.
Mainstream support is scheduled to end for that server in 2015, with extended support scheduled to end in 2020.
Matheson says that Customs and Border Protection will have all of its 2008 servers upgraded to 2012 by the end of 2016.
McCrary notes that it’s less costly to operate and maintain one server version than two. He says the DEA will start replacing its 2008 servers once the agency has completed the migration away from 2003.
“It’s like painting the Golden Gate Bridge,” McCrary says. “Once you get to the other side, you get to start again. It’s never done.”
Virtualizing servers that previously ran Windows Server 2003 will increase data center efficiency, says Greg Ambrose of the State Department’s Bureau of Consular Affairs. (Photo by John Davis)
According to IDC’s July 2014 report, “Windows Server 2003: Why You Should Get Current,” agencies upgrading to Windows Server 2012 will see a number of improvements over Windows Server 2003. These include: