
Compliance: Why you can't afford to stay with Windows XP

If you continue to use Windows XP, you'll no longer be compliant, and that could ultimately cost more than proactively migrating to a newer, supported operating system.


Water and oil, cats and dogs, toothpaste and orange juice, Detroit Lions and Super Bowls -- there are many things that simply don't mix well. You can add Windows XP and compliance to that list now.

Many companies, large and small, have relied on Windows XP for years, and it hasn't been an issue for compliance. However, all of that changed on April 8, 2014, when Microsoft support for the operating system expired.

To my knowledge, none of the major compliance frameworks have come out with any specific statements or guidance labeling Windows XP as non-compliant. However, even without such overt declarations, an unsupported operating system -- by definition -- violates some of the core tenets of most compliance efforts.

In general, regulatory and industry compliance frameworks like PCI-DSS, Sarbanes-Oxley (SOX), the Health Insurance Portability and Accountability Act (HIPAA), and the Gramm-Leach-Bliley Act (GLBA) don't call out specific platforms or tools. Compliance requirements are typically written as broad guidelines to provide a baseline for security and data protection without endorsing any specific solution or painting the compliance framework into a corner with technology that might be obsolete next year.

Some requirements might simply specify that the operating system must have the most current patches applied. One could argue that as long as every update for Windows XP released up through April 8 has been installed, this requirement is met, because those would be the "most current" patches available. Such an argument clearly violates the spirit of compliance, even if it doesn't explicitly violate the letter of the rules.

In some cases, risk can be mitigated through compensating controls. In plain English, that means performing more frequent audits of security configurations, implementing additional layers of defense (such as firewalls, file integrity monitoring, intrusion detection / prevention, or other security tools), or adding supplemental processes or technologies to reduce the overall risk and stay in compliance.

Tyler Reguly, security research manager for Tripwire, points out that there is no such gray area, however, for PCI-DSS. The PCI-DSS Approved Scanning Vendors (ASV) Program Guide specifies on page 18: "The ASV scan solution must be able to verify that the operating system is patched for known exploits. The ASV scan solution must also be able to determine the version of the operating system and whether it is a version no longer supported by the vendor, in which case it must be marked as an automatic failure by the ASV."

According to Reguly, the bottom line is, "Now that XP is out of support, it would register as a failure on PCI ASV scans. This would mean that compliance against PCI-DSS would not be possible for organizations running Windows XP."
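The ASV rule quoted above (an operating system the vendor no longer supports is an automatic failure) and the "most current patches" argument from earlier in the article can both be shown in a small scan-style check. The Python below is an added example written for this page; it is not the article's material and not the output format or logic of any real ASV product. The inventory format, host names, the "Vendor Embedded OS" entry and all patch dates are constructed; Windows XP's end-of-support date is the one the article gives, and Windows 7's (January 14, 2020) is Microsoft's published end of extended support.

```python
from dataclasses import dataclass
from datetime import date

# Vendor end-of-support dates used by the check. Windows XP's date is the one
# the article gives (April 8, 2014); Windows 7's (January 14, 2020) is
# Microsoft's published end of extended support. Anything absent from the table
# is reported as "unknown" rather than silently passing.
END_OF_SUPPORT = {
    "Windows XP": date(2014, 4, 8),
    "Windows 7": date(2020, 1, 14),
}


@dataclass(frozen=True)
class Finding:
    host: str
    os_name: str
    status: str  # "fail", "pass" or "unknown"
    reason: str


def parse_inventory(text):
    """Parse constructed 'host, os_name, last_patch' lines (not an ASV format).

    Blank lines and '#' comments are skipped. A malformed line raises instead
    of being dropped, so a bad inventory cannot quietly shrink the scan scope.
    """
    rows = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected host, os_name, last_patch")
        host, os_name, last_patch = parts
        rows.append((host, os_name, date.fromisoformat(last_patch)))
    return rows


def check_host(host, os_name, last_patch, scan_date):
    """Apply the ASV rule: an OS past vendor support is an automatic failure.

    The patch date is carried only to make the point explicit in the reason:
    being 'fully patched' as of the vendor's last update does not change the result.
    """
    eos = END_OF_SUPPORT.get(os_name)
    if eos is None:
        return Finding(host, os_name, "unknown",
                       "no lifecycle data for this OS; confirm support status manually")
    if scan_date > eos:
        return Finding(host, os_name, "fail",
                       f"vendor support ended {eos.isoformat()}; "
                       f"last patch {last_patch.isoformat()} is irrelevant")
    return Finding(host, os_name, "pass",
                   f"vendor support continues until {eos.isoformat()}")


def assess(text, scan_date):
    """Run the check over an inventory; scan_date may be a date or an ISO string."""
    if isinstance(scan_date, str):
        scan_date = date.fromisoformat(scan_date)
    return [check_host(h, o, p, scan_date) for h, o, p in parse_inventory(text)]


def summarize(findings):
    """Count findings per status so a report can state pass/fail totals."""
    counts = {"fail": 0, "pass": 0, "unknown": 0}
    for f in findings:
        counts[f.status] += 1
    return counts


# Constructed sample inventory; hosts and dates are made up for the example.
SAMPLE_INVENTORY = """
# host, os_name, last_patch (ISO date)
pos-01, Windows XP, 2014-04-08
pos-02, Windows 7, 2014-04-08
kiosk-03, Vendor Embedded OS, 2013-11-01
"""

if __name__ == "__main__":
    findings = assess(SAMPLE_INVENTORY, "2014-05-01")
    for f in findings:
        print(f"{f.status:7} {f.host:9} {f.os_name:20} {f.reason}")
    print(summarize(findings))
```

Running the sample with a scan date of May 1, 2014 fails the XP host even though it carries every patch Microsoft ever shipped for it, passes the Windows 7 host, and flags the embedded system as unknown so a human decides rather than the tool assuming it is fine. Moving the scan date to April 1, 2014 makes the same XP host pass, which is exactly the cliff the article describes.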

Even if we assume that Windows XP somehow doesn't inherently violate SOX, HIPAA, or other common compliance frameworks simply by being unsupported, the reality is that almost every company falls under the jurisdiction of PCI-DSS. The PCI-DSS standards apply to all organizations that store, process, or transmit cardholder data. It is exceptionally rare to find a business that doesn't process credit card transactions today -- even food trucks and farmers' markets swipe credit cards from their smartphones using tools like Square.

Granted, the guy selling tomatoes at the farmers' market using Square on his iPhone probably doesn't realize or care that he technically falls under PCI-DSS guidance. Businesses that store, process, or transmit cardholder data do fall under PCI-DSS rules, though, and using Windows XP puts them at risk of no longer being able to do so.

Many companies that continue to use Windows XP have cited cost, or a lack of business need as justification for clinging to the legacy OS. However, remaining compliant is a clear business need as well, and continuing to use Windows XP will ultimately cost more than proactively migrating to a newer, supported operating system. Do you agree? Share your thoughts in the discussion thread below.

About

Tony Bradley is a principal analyst with Bradley Strategy Group. He is a respected authority on technology, and information security. He writes regularly for Forbes, and PCWorld, and contributes to a wide variety of online and print media outlets. He...

45 comments
str4ngS

Yeah. This is for industry and commercial users. Home users can stay and please TechRepublic, don't tell home users to install bloatware like Windows 7 and trash old computers just because developers were too lazy to pay attention to the efficiency of their code.

Jow Below

If you're not compliant, so what.  At least with XP, you'll have fewer backdoors to the NSA surveillance architecture.  There's a reason why MS is so rabid to get us onto their newer products.  If you're worried about security, maintain a robust anti-virus and -spyware setup.  The OS itself is the risk and no amount of patching is going to help.  Otherwise, they wouldn't need to play whack-a-mole with a new patch every week.

Stick with what works.  Compliance is set up to frighten people into conformity.  Secure the operating system with separate products.

carlsf

And what about the article the other day where it states that America's nuclear missiles are controlled using 8" floppy disks to hold the launch codes.

So what would Microsoft suggest?????? Move to WIN 8? What a joke.

ADarkAria

Wow, Tony...you really are on a mission to strong-arm a savvy, tech-weary public into whatever agenda you seem intent on touting for Microsoft.  You started your campaign with an article reminding folks that XP was about to lose support.  Then it became an issue where everyone EXCEPT China was losing support, and for those who decided to remain, perhaps they too should just move to China.  Then came a greater litany of security concerns XP users were exposing EVERY user to by continuing to access the net.  The next elevated covert threat came with a diatribe about the correlation between Heartbleed and XP...and how XP concerns will actually surpass Heartbleed as destruction for the masses.  And now...a sortie about how non-conformists continuing to use XP will NOT BE COMPLIANT facing castigation, potential crackdown and knocks on our doors by government goons?  Yes, how Un-American can we possibly be not to be buying into your form of communism?

Every article you've written about this issue mimics how other, similar technical advancements have affected us as we "move forward" without including any ability to look back.  I.E., the extreme threat of Y2K, the incandescent to LED lightbulb, analog to digital, and now healthcare to ACA.


What will the next chapter present that is intended to make XP users shiver in their boots with guilt as they weather being browbeaten into submission?  That all XP users will soon cause a massive sinkhole that will swallow ALL of us up sucking us down to the other side of the planet...like China?  Sadly, this analogy in general has been under way for quite some time, with a company/government-driven market rather than consumer-driven.


And therein lies the problem.  I am a consumer who still staunchly believes that I am footing the bill, steering my car, doing what I need to do, utilizing technology in the way it works FOR ME without exposing myself or anyone else to its unsavory underbelly.  I also still believe I have a right to be considerately appreciated and treated with respect by businesses who target innovation rather than antiquation or extinction of systems MANY users and businesses CHOOSE to or NEED to rely on for use at their discretion.


C'mon, Tony -- what's next?

fjp

"Every single one of you have moved past XP"

Er, no. XP is the latest in this house - still have Win2k on two machines. XP on my desk at work, too (where we still maintain 20-year-old kit for customers).

wbedfordjr

You guys crack me up. Tony is pointing out the inevitable truth that an operating system made over 10 years ago will fail PCI audits in the future. Somehow the vast majority want this to be some conspiracy to keep M$ relevant and profitable. Um... Duh, yes, that's called planned obsolescence. Every single one of you have moved past XP by and large and now because this article is the bogeyman it's just fine. Any argument that XP is faster, better and more secure is ridiculous. Citing one-off situations that we all know to exist in every environment is not the topic of discussion here. I agree that it's bull poop to be forced into unnecessary upgrades. That's not the point. Many open source platforms if not all fail PCI scans because of the very fact that they are open source and they aren't being patched appropriately makes them a higher risk for being tampered with. All of you have bought into the hype of Microsoft and have inadvertently supported them for many years. You don't have to like it or think it's necessary for it to be true. Ask Edward Snowden. You're missing the point if you perceive this as a ploy to get more sales. I'm not disagreeing that it might be a ploy but that is how the world turns, folks. Cyclical consumption is the reason we all have jobs. Rather than argue to keep old systems patched why not embrace your own future?

skf

If your controls are working, they will tell you that you have a problem, regardless of the operating system.  This article is a stretch.  Don't try to spook people.  (And I have stock in Microsoft).

Haznoclu

Q. When did the technology industry become terrorists?

A. From the beginning!


My first involvement with computers was DOS 2.0. Ever since I've been bombarded with articles, emails, and so many commercial horror stories, it makes me think that NO OS IS SAFE!


It has always been and "Protect now from future threats!" This was originally used by the Anti-#&%! ware lobby.


NOW, they are up in arms about XP. Non-compliant? Hogwash. This is marketing based on fear. Just like stocking up on goods in case of Natural Disaster or other perceived threats.


Every day another flaw is found somewhere. M$, just to name one, keeps a steady stream of updates going out to try to cover the holes and flaws in their products. In any other industry this activity would produce recalls and lawsuits.


Many, Many, companies rely on UNIX Servers to get things done. Apart from Open Source is there anybody producing patches to keep those systems compliant?


I believe that M$ knows they had a very good thing with XP, and aren't willing to admit they made a bad decision in not staying with it, improving it, and keeping a larger share of the market. Instead they pushed out hastily produced, inferior products, to make customers feel they were getting "New and Improved" technology.


Bottom line - XP works. The number of PCs still running it shows this. Yes, it has issues. Please, show me an OS that does not. One that is not susceptible to millions of people trying to find weaknesses in it. Just one OS that doesn't require constant tweaking for proper operation and security.


My $0.02 CDN



Liling Zoltán

Migration has costly components, especially when apps cannot be easily moved to Linux :) Still, if migrating to another OS and/or another infrastructure model is possible, then it will pay off in the long run in terms of TCO, and migrating later would mean a loss from that saving.

fwes

There is a HEE-HAW joke that begins with "I'm so smart that I can ask myself a question and then answer it."

Tony, your issue is COMPLIANCE.

M$ issue is IT WILL SELL STUFF

The Responders issue is IT WORKS.

Choose your issue, get your result.

remuda

I read all of these comments (except Tony's) as pro-XP and agree.  The word "compliance" is only reserved for official penalties and consequential damages, to scare us like the code enforcement people in a county on our land.  They can suffer 14th amendment tort issues therein.


It may only be a matter of time before a ground swell causes MS to go open source and allow fixes by outside resources, or recant.  XP has fewer bugs than Vista (on my primary laptop which still has a modular phone connection for non-web ISP and winmail) on broadband and ESET NOD32 (works great).  It has frailties unlike any ever encountered on XP (on my other three that also have instant download free ESET NOD32 web-based AV/cleaner). 


So, listen up MS!  Some really smart folks here are suggesting you take a deep breath, step back and rethink your decisions.  Eminent domain is not for government land-theft only.  Clark and Nye Counties in NV (Mesquite & Gold Butte "Rebellions") and the TX Gov & AG ("Red River") are proving that.

sbarman

With all due respect, where in the PCI-DSS ASV does it say that Windows XP would not pass the compliance scans? Under what circumstances or requirements would WinXP be non-compliant? Based on your logic, every Windows system between the last Patch Tuesday and the next Patch Tuesday would be non-compliant. At the time of this writing, if the Windows system had Internet Explorer installed (and the last I looked they all do, with the exception of WinXP-Embedded that runs most point-of-sale terminals), the system would not be patched for known exploits.


Can we please put a little reality into reporting and stop spreading FUD!

bobmattfran

Another do-as-I-say-not-as-I-do story from the Microsoft-knows-best supporters group. Just a little one for you lot to chew over. Not one Microsoft OS was DefStan compliant so guess what? The rules were changed, i.e. a lower standard of compliance was forced through, only in the USA where money makes decisions rather than standards quality.

fwes

Rah! Rah! New stuff...  Tony, when TR asks for an article, how tightly do they specify the content?  Do you lose the gig if you THINK? I am retired from a professional software career. Had a functional Z-80 system at home in 1978 (20 MB hard drive for $2K, WOW). Through the years, I followed the herd with every upgrade, ran to purchasing with requests for new hardware, software upgrades, whatever it takes to keep running after each M$ innovation. Move from XP to WIN7: also need new M$ Office, upgrades to numerous software packages, and lo and behold, they are all 'better' so I'd better set aside a few weeks to learn how to do what I did so easily a couple of months ago. Did I mention that there is no driver for my Epson scanner or my HP laser printer? Call Purchasing ... Whoops, now I write the check! Causes me to THINK: It's like Alice in Wonderland, we have to run ($pend) hard, just to stay in place. How much drag does this barely hidden cost put on the US economy? Does each upgrade provide enough increase in productivity to balance the total real cost? Interesting that M$ will continue to support XP for DOD, but will deny the patches to us.


I challenge M$: maintain XP or make it open source.  Could WIN 7/8 compete?


In the meantime, I run XP on a non-Internet machine and use a Win7 machine to talk to the world. A few scripts make this a rather seamless and functional environment.

bwexler

I think M$ has just provided a small boost to Chromebook, Apple, Linux, IOS and Android. Each of these will take a small bite out of the M$ Windows franchise. Only time will tell if this will be big enough for M$ to notice.


What they do with Windows 9 will be a major step forward or backward for M$. I have not seen W9 yet and have no idea if MS will give us the option of a familiar user interface. As for compatibility with legacy 16 bit software, I would not count on that coming back any time soon.


I still have clients continuing to run legacy line of business software on XP, and they cannot change to 7 or 8.

I have played with 8 but will not use or sell it to my clients.

I am running Win 7 but splitting my time with IOS and Android. Looking at getting more involved with Linux.

purelabor

Too bad Microsoft never finishes anything.

I remember a story about Gates talking to someone in the auto industry. He was spouting about how good Windows was against automobiles. Funny thing, we are not forced to buy new cars after so many years. And car makers are required to make their product work like advertised. Why can't we do this with software? Why can't we mandate that if you sell software, you must make it work or give the money back? Then lemon laws would crush Microsoft; guess I answered my own question. There is a reason that Microsoft is so rich: they make garbage operating systems then force customers to keep buying the same broken crud.

Now they have another ally in the Fed. making laws about what kind of software you use in your business. How much did Gates give to the Democrats?

And before you jump all over this post, please answer one question or I won't even read your reply. 

What Windows system ever really worked from day one? Your new car didn't come without a seat that you would get next Tuesday...


jimbrubaker

I don't see any reason for the industrial user, like bank ATMs, car washes, gas pumps, to have to upgrade to a new O/S.  The banks are paying for support for extended updates to keep their system up to snuff as far as compliance.  The way the rules are written, you are responsible if you are not current.  It in no way suggests that you are any safer, it's just not your fault at that point.


As an IT tech, most of my problems are when functioning machines can't function with the new windows upgrade. A ticket pricing system or a coin counter works great with windows 98, but it is hard to interface with a windows 7 end user computer.


However the end user of the internet can benefit from the upgrades.  The upgrades protect them from their own carelessness, naivety and flat out laziness.


You must admit, if you have nothing new to sell, you won't make as much money repairing what you have already produced.


One thing never brought up is the fact that if Microsoft was to produce a real crappy O/S, most people would never complain--they would not want to appear stupid. Millennium, Vista and Windows 8 come to mind for some reason.


The real question is what business is going to use after Windows 7 stops being supported?

Gayle Edwards

Yet another... EVERYBODY MUST SWITCH AWAY FROM WINDOWS-XP... OR, THE WORLD AS WE KNOW IT WILL END!!! (and, I guess, move to another Microsoft-Windows version?)... article.

I also have to ask the motivations for this tripe. Clearly, Microsoft is spreading this because they want to sell software, and the marketplace (i.e. us...) just doesn't seem to want to go where Microsoft is shoving us.


Some of these articles threaten that we'll suddenly be less secure running Windows-XP (than we were mere minutes before "official support" ended). Others, have gone so ludicrously far as to flatly state that anyone refusing to "upgrade"... is, literally, a danger to society, itself. And, now, intercommunications, itself, will shatter... because of... what? Foolish stubbornness (is the implication)?


The fact is that, I do agree that there are far better alternatives to XP (Windows-7, Linux, Etc.). However, many that can "upgrade", have. And, many that haven't... simply can't. And, many of those that have consciously chosen to use XP do so within production-environments that do not, truly, need to worry about Internet-threats. Nor, do they have the luxury of starting from scratch with their production processes and equipment.


So... I must join the chorus, and again ask, what is the TRUE motivation for the hyperbolic scare-mongering?


Nitramd

I know of many defence companies who still run XP out of necessity, as W7 & W8 are not yet compatible with essential engineering & business systems. However they still pass the audits that permit their operation with government bodies.

Sorry, I'm calling bollocks, as this just comes over as another sky is falling story.

Does Tech Republic have an agreement with an increasingly panicky MS?

fjp

Are you being paid by MS for this XP doom stuff? There are over 100 million users still extant, and with no simple upgrade path on existing hardware, it's MS who is abandoning them. Most won't worry too much, but the duty of care, such as it is, is on MS, not the users.

kirk_augustin

Not true.  Government has never and never can force OS compliance away from legacy OS.  In fact, NASA still uses Windows 3.1 and MS-DOS for lots of programs.   This is bogus.  The facts are that XP is actually better, smaller, faster, and MORE secure than later versions of Windows.

TechRepublic

Those standards are only going to apply to the computer systems that actually handle the sensitive data. Most PCs in an organization will not have any access to that information.

phasys303

It's too late for "proactive migration". Duh.

str4ngS

@Jow Below Completely agree. Keeping the computer safe IS NOT THE ROLE of the operating system. The operating system runs and schedules processes and provides an interface to physical devices. We should do something about this corporate bullsh*t campaign run by Microsoft and IT websites just to convince people to waste their money on products they don't need.

wbedfordjr

Software companies choose to abandon older platforms all the time. We all value choice but at the end of the day - xp is going to fade away. As the hardware dies off and the compliance issue stays relevant - like it or not - it's there.

Nothing to do with socialism. More to do with the reality. If you truly think XP is here to stay - start hoarding parts on eBay. Then at least you'll be able to run it longer than most. Your choice will change somewhere along the line. It's sooner rather than later.

I fail to see the value of choice when knowing it's only 50/50 at best. You think you're in control but I have to tell you-you're not. No one is. Your choices are made through uncontrollable consequences. You decide based on what's in front of you. Not everyone is required to comply with regs but if you do/are then your choice is being made for you.

Rann Xeroxx

@fjp  Has your company ever paid a consultant or performed in-house transforms to make that application work on newer versions of Windows?  Even just using MACT can "shim" an app to make it work on W7, or something like VMware's ThinApp might be able to virtualize that app.  Could even try a Terminal Server to present the app to newer OSs.


My company started the move years ago when Vista came out but ended up skipping Vista and going with W7.  Not only that but also moving to x64 W7.  There was not one single app that we could not figure out how to move.  W7 (and 8) do a rather good job of running these older apps.

wbedfordjr

I knew someone would answer like this. You aren't facing compliance standards, obviously, when you willingly admit XP is the latest in "this house".

If you think that's a viable solution long term I wish you luck. One day it will change. Windows 2000 like 98/me won't run on newer hardware so unless you start hoarding parts from eBay I'm not sure this is a viable strategy into the future.

Face it XP's days are numbered.

Rann Xeroxx

@skf  You can mitigate running an unsupported OS in your environment, my company has a few W98, W2K, and XP machines doing things like running CNC machines because they can't be upgraded.  Mostly we will virtualize these OSs and run them on a local W7 PC on VMWare Player and isolate them so they only talk to the device they need to control.


But if you have just desktop office machines running XP, connected to the internet, running MS Office and email, running Java and Flash Player, etc. then you are really not in any form of security compliance regardless of what your governance documents say. There really is no excuse for that.

Rann Xeroxx

@Haznoclu  Why do you use "$" to denote Microsoft as "M$"?  They are a for-profit company that makes popular products that people and businesses want.  Just like the company that you work for, which provides an income for you to provide for your family, they do the same.


Continuing to use XP all depends on how you are using it.  Use your UNIX analogy: running an old UNIX box is fine but you would not put it in your DMZ serving up web pages, it would be hacked in minutes.   Same with XP, you would not want it running on the laptop of someone working in HR while they are at Starbucks on an unprotected WiFi, that's crazy.


As far as support, I think only IBM *might* support their OSs longer; everyone else: Apple, RedHat, Oracle, etc. are not supporting a 14 yo OS.


And the point is... why?  Even if you simply upgraded to W7 or 8 through attrition using only OEM licensing on new computers as you update your PCs, you would be 80% there already.  My company was able to convert all our apps over (minus CNC and embedded) both to W7 and running on x64.

Tony_Bradley

@fwes -- Agreed. The premise of this article, however, is limited to the compliance angle, and compliance is an issue companies have to address no matter what their opinion of Microsoft or Windows is.

skf

@purelabor Gates' point was that autos haven't really advanced in terms of functionality or form or efficiency since their inception whereas software (and hardware) has advanced immensely.

Tony_Bradley

@purelabor - I guess it depends on your definition of worked. Windows XP was fairly hated out of the gate as well--but look at it now.


I think it's worth pointing out that there have been major recalls every week for months from just about every vehicle manufacturer you can think of. The analogy loses merit when the car manufacturers are constantly asking people to bring their cars back because they weren't manufactured properly in the first place.

As for your other point, the "Fed" has absolutely nothing to do with PCI-DSS. It is an industry mandate created and imposed by the credit card issuers, not a law. And, the laws themselves--like SOX, HIPAA, GLBA, etc.--are vendor and platform agnostic. In other words, the government takes no stance on whether or not you use Windows or any other Microsoft software. The compliance mandates simply lay out baseline standards for network and data security--and it is difficult in most cases to stay secure and keep data protected on an operating system that is no longer supported no matter who the vendor is.

purelabor

@Gayle Edwards  We should change to the to make Microsoft make the software work, at least.  Then it should not need updating. 


Tony_Bradley

@Nitramd -- It has only been three weeks since support for XP expired. I'm calling bollocks on the assertion that any--much less many--defense companies have conducted and/or passed a PCI-DSS audit in the last three weeks.

Again, this isn't "panicky" and it isn't even related to Microsoft. PCI-DSS requirements say what they say. You can click the link in the article and read the quoted section for yourself.

h3driver

@Nitramd I read last week that Microsoft has agreed to continue providing XP patches to the Department of Defense. The article did not mention whether that would pertain to companies under contract to DoD.

Tony_Bradley

@fjp - I don't write the compliance mandates. PCI-DSS says what it says. That has no impact on the vast majority of individual users, but any company that deals with credit cards falls under PCI-DSS requirements.

Tony_Bradley

@kirk_augustin - PCI-DSS is an industry standard, not a government mandate. As one of the previous comments pointed out, the PCI-DSS requirements would only apply to systems actually interacting in some way with credit card data, so not every system in a company would be impacted.

To correct the last part, though, the only parts of that which are fact are that Windows XP is smaller, and possibly faster depending on the hardware and scenario. "Better" is a subjective term I would disagree with, and more secure is just laughably and verifiably false.

fjp

@wbedfordjr "XP's days are numbered."


As are Win8's and every subsequent version. Some of us are just happy to keep the old stuff going for longer. I just don't like being strong-armed into a 'solution' I don't need yet.

bobmattfran

@Tony_Bradley Difficult to separate anything in the finance industry from the Fed; they are all part of the scam pyramid and feed off each other.

Nitramd

@Tony_Bradley @Nitramd Thank you for your courteous (& restrained) reply.

I have read through the PCI-DSS guide & how it relates to my company's business.

We of course have suppliers & customers which include various governments as well as civilian.

Transactions made by our procurement & from our customers include credit card type, to which we have an account with a large American card company.

They of course subject us to comply with their security standards which incorporate PCI Security Standards. We are permitted to operate with XP, as we have been given extended support (at a considerable financial cost, hence my short shrift with MS), and apply the government-required additional strict security requirements for our LAN & WAN network (a PCI Security Standards requirement).

If a standard is in place, then compliance is required from the day it comes into force. An audit will pick up any past non-compliance, so no audit within 3 weeks is irrelevant.


For the record, we will be moving to W7 asap, (my personal preference to XP too!).
