By Nick Coleman, Cloudhouse CTO
Almost everyone will remember the WannaCry cyber-attack in 2017. It wreaked havoc on 230,000 computers around the world and caused major, long-lasting disruption to the NHS here in the UK. If anything positive was to be taken from the attack, it was how it exposed the true vulnerability of large organisations like the NHS that were running applications on an outdated, unpatched legacy system – Windows 7.
Any organisation using a legacy OS like Windows XP (and from January 14, 2020 – Windows 7) continues to be at high risk. Earlier this year, Microsoft released fixes for a vulnerability in Remote Desktop Services, which could have allowed “wormable” malware to spread between machines without user intervention, just like WannaCry.
So severe was the risk that Microsoft decided to break from their end-of-support plan and implement special fixes for Windows XP and Server 2003 for those still running the software.
To eliminate this danger, the ideal solution would be for businesses to move their applications off these old operating systems and either onto Windows 10 or into the cloud as part of a digital transformation strategy. However, this is easier said than done.
Most businesses have critical applications built to perform specific business functions, such as accounting or sales reporting. They function well and the business has come to depend on them, but the apps themselves depend on legacy operating systems. This has the potential to turn a business’s greatest asset into its greatest liability. Nobody wants to see their trusted software, which all the staff have been trained to use, become a weak spot in their security.
Legacy applications and the vulnerability they can cause
When we say ‘legacy applications’ we’re usually talking about apps that were developed more than a decade ago, built to run on older operating systems or through unsupported browsers like IE7.
Carrying on using these applications as is, in their preferred environment, opens organisations up to ransomware, malware, DDE attacks and many other threats. The problem is about to become even more severe. While security patching for Windows XP and Windows 2003 stopped some years ago, Windows 7 and Windows Server 2008 R2 will move out of support in the middle of January 2020. Bear in mind that about three-quarters of computers in the US are still running Windows 7, while in the UK, IDC reports that Windows 7 still has a market share in the mid-30s per cent. Other estimates place Windows Server at approximately 70 per cent of server OS installations, with about 40 per cent of those on Server 2008/2008 R2.
Many large enterprises still prefer Windows 7 because they fear their complex legacy applications will be disrupted by migrating to Windows 10 or the cloud, regardless of the provider.
And their fears are largely justified. Incompatibility between locally installed browser releases, application libraries and operating systems remains a severe problem. Applications built for legacy systems can frequently fail to function on Windows 10 or in the cloud on Windows Server 16 or 19. Legacy applications moved on to Windows 10 can often be impaired by its regular security updates.
Things that don’t work
So far, the challenge has seemed insurmountable. Organisations pay increasingly high fees to Microsoft for extended support, yet the service does not include patching and security updates. Microsoft has, for example, been ready to sell paid Windows 7 Extended Security Updates (ESUs) on a per-device basis to enterprise users with volume-licensing agreements. Yet this is costly, with the price increasing each year to January 2023 – a tough sell for any IT department to take to their CFO.
The alternative has historically been to shoulder the great cost of recoding and refactoring. But this can be time-consuming, often requires considerable expertise, and is very expensive.
For cloud migration, virtualisation and layering solutions have also proved to be inadequate, producing applications that at best only fulfil a narrow range of their original functions. While virtualisation simplifies deployment and addresses some application-to-application conflicts, it fails to resolve compatibility problems between the application and the cloud-provider’s platform.
Compatibility packaging keeps applications secure and evergreen
The solution to these difficulties lies in application compatibility packaging. This lifts and shifts the application and its underlying environment to the new system, allowing the application to fully function without recoding or refactoring. Applications do not conflict with other applications on the desktop or server.
Deploying applications on to new operating systems can take teams hours or days and involve much testing and retesting. This effort is hugely reduced by compatibility repackaging, which ensures applications are deployed to the latest, supported Windows platforms, no matter whether they are running on-premises or in the cloud.
Application compatibility packaging provides the redirection, isolation and compatibility needed for the apps to function inside the external cloud service. It abstracts the application from the underlying operating system, also preparing it for Windows-as-a-Service.
By enabling applications to run on modern, secure and supported platforms that receive regular security patches, administrators improve the security within their organisation while migrating applications dependent on less secure platforms.
Compatibility packaging offers a solution that future-proofs applications and workloads, excluding viruses from containers from the outset, while retaining the organisation’s antivirus and firewall protection. It also requires the least possible local administrator privileges, thereby reducing risk and adhering to security best practice. In simple terms it means the underlying environment can be kept up-to-date without impacting the application – delivering true evergreen IT.
Digital transformation is at the top of the agenda for many businesses, and legacy applications are a real barrier to progress. They leave businesses vulnerable to the proliferating threats that exploit well-known vulnerabilities in unsupported operating systems. Application compatibility packaging will resolve all of these difficulties, leaving organisations in control and fully secure well into the future.
FREQUENTLY ASKED QUESTIONS
Cloudhouse costs are split into two elements – the licensing required to deploy application compatibility packages, and the professional services needed to create the application compatibility packages.
Licensing is offered on a per user basis for desktop applications and a per server basis for server applications. There are discounts available based on volumes.
Professional Services costs are dependent on the nature and complexity of the application. We quote a cost for packaging once we have been able to see the application, or portfolio of applications.
Contact us here with your requirements and we will provide you with a quote.
Packaging and Maintaining Applications
Cloudhouse provide the Professional Services to package applications.
Cloudhouse recommend packaged applications are tested in the standard UAT environments used for natively installed applications, or applications packaged in App-V. The more representative the test environment is of the live environment, the greater the chance of finding any issues prior to go-live.
Service packs and updates can be applied to the applications in a package using the Editor. Refer to Updating, Editing and Maintaining Containers, which describes how a new snapshot is created for the update and how it is then applied to the package.
Cloudhouse recommends the same team who manage the operations of native apps.
Applications running in Application Compatibility Packages can be deployed and managed with the same tools or scripts used to deploy natively installed applications, e.g. SCCM, InTune, LAN Desk. Please refer to Supported 3rd Party Products and Versions for details.
The Cloudhouse Package does not include OS components; it only contains the packaged application plus Cloudhouse components. Cloudhouse recommend that the same team that is responsible for supporting applications packaged with App-V, or delivered as natively installed applications, support Cloudhouse Application Compatibility Containers.
Full documentation is made available to Cloudhouse partners and customers as required.
Cloudhouse offers a full packaging service that can scale to meet any requirement. In the event, however, that a partner wishes to offer application compatibility packaging as part of a wider solution, Cloudhouse will work with that partner. Please contact us here for details.