Microsoft Surprises With Stellar Server Security Marks

Don’t look now, but Microsoft’s Windows Server 2008 R2 tied with IBM’s perennially bullet-proof AIX v7. Both were rated by corporate users as the most secure among 18 major server operating system distributions.

Nine out of 10 — 90 percent — of the 468 respondents to ITIC’s 2010-2011 Global Server Hardware and Server OS Reliability survey rated the security of Windows Server 2008 R2 and IBM’s AIX v7 as “Excellent” or “Very Good.”

Survey participants gave IBM and Microsoft the highest security ratings out of 18 different server operating system distributions.

Three-quarters, or 75 percent, of survey participants gave HP UX 11i v3 “Excellent” or “Very Good” security ratings; this was the third-highest ranking of the 18 major server OS distributions polled.

HP was followed by Ubuntu Server 10 and Debian GNU/Linux 5, which tied for fourth. Seven out of 10 survey participants — 71 percent — of those polled ranked the two most popular open source distributions’ security as “Excellent” or “Very Good.”

Survey Methodology

ITIC and GFI Software conducted an independent Web-based survey of 470 corporate IT mangers and C-level executives worldwide from November 2010 through February 2011. The survey’s objective was to poll corporate customers on the reliability of 14 of the most popular server hardware platforms and 18 of the top server OS distributions. Security and after-market technical service and support are two issues that play a crucial role in positively or negatively impacting network availability and uptime.

The survey participants came from 23 countries worldwide; approximately 83 percent of the respondents hailed from North America. The survey consisted of multiple choice questions and one essay question. ITIC supplemented the Web survey with two dozen first-person customer interviews. In order to maintain objectivity, ITIC accepted no vendor sponsorship monies.

Solid Security Is Essential Element of Overall Network Reliability

Solid security has always been an essential element and a cornerstone of the network infrastructure — from micro SMBs with fewer than 20 people to the largest multinational enterprises with more than 100,000 workers. Today, like never before, security is paramount. Hackers and their cyberattacks are becoming increasingly sophisticated. New technologies like virtualization and cloud deployments, which store data centrally, represent a bonanza for hackers if corporations fail to properly safeguard and secure their data.

The server operating system upon which corporate applications run — e.g., databases, word processing applications, spreadsheets and other mainstream line of business (LOB) applications — is the cornerstone of the entire network computing environment. As the saying goes, “the chain is only as strong as the weakest link.”

Server operating systems and servers literally run the business and incorporate a significant percent of the organizations’ sensitive data and intellectual property (IP). If server OS security is flawed, buggy, misconfigured or easily hacked, the entire business and its operations are potentially at risk.

Each survey invariably serves up some unexpected responses. And in this survey the biggest eye-opener came in the responses regarding server operating system security.

That IBM’s AIX v7 topped the poll, with HP UX and the leading-edge open source Ubuntu and Debian distributions close behind, is no surprise. All flavors of Unix, including IBM AIX and HP’s UX, invariably score high marks from IT departments on reliability and security — and with good reason. IBM, HP and, in its heyday, Sun Microsystems worked tirelessly to scrub the code and eliminate any potential vulnerabilities.

It also helps that IBM AIX IT managers are among the most experienced in the business. They have to be: IBM’s bailiwick is in banking and finance — from SMBs to global enterprises — and securing the data is a way of life. Unix engineers typically know their networks inside and out. Many opt to apply patches manually, specifically to ensure that network performance is fine- tuned and security is as bullet-proof as possible.

The biggest eye-opener was Microsoft’s Windows Server 2008 R2. Over the past several years, Windows Server security has undergone a transformation from Sad Sack to Iron Man. In the last decade, Microsoft has worked hard to shed the stigma that Windows is a porous server OS, perennially plagued with security flaws and as easily compromised as walking through an unlocked door.

It is now nine years since Microsoft publicly launched its Trustworthy Computing Initiative, which was designed to make all of the company’s software inherently more secure by default and by design. Based on the survey responses, Microsoft has succeeded — particularly with Windows Server 2008 R2.

Of particular note, Windows Server 2003, Windows Server 2008 and Windows Server 2008 R2 are the only three operating systems out of the 18 different server OSes in the GFI/ITIC poll in which the majority of the respondents indicated that the security had improved over the past three years. This is an 18 percent improvement over Windows Server 2008 and a 30 percent jump in the number of survey participants who gave a similar rating to Windows Server 2003.

It is equally true, based on analysis of the survey responses and first-person customer interviews, that the Windows Server OS was the platform that most needed to strengthen and shore up its security. Based on the results of prior ITIC surveys, as recently as 2008, user perception was that Windows Server security lagged behind nearly all of the other server OSes by a substantial margin.

Other Server Operating Systems Stay the Course

As for the other 15 distributions, the majority of survey participants indicated that the security of the server OS platforms “has remained the same.”

If Windows Server 2008 R2 is the “Prodigal Son,” then IBM’s AIX v 7.1 is the “Good Son,” which has consistently delivered superlative security year after year, always garnering top ratings for overall reliability and security in each of the annual ITIC Reliability surveys.

The 2010-2011 Global Server Hardware and Server OS Reliability poll was no exception. Many of the IBM security managers ITIC interviewed cited the consistency and inherent “rock solid” nature of the server OS source code, and the fact that IBM is quick to discover, inform and issue a fix when a security issue does arise.

Other distributions like HP’s UX, Red Hat Enterprise Linux , Novell SuSE Linux Enterprise and Apple’s Mac OS X 10.x also received high security marks and praise from customers.

The results of ITIC’s latest 2010-2011 Global Server Hardware and Server OS Reliability survey indicate that organizations of all sizes and across all vertical markets feel it is critical that they monitor the server operating system and the associated server-based line of business (LOB) applications for vulnerabilities.

A 51 percent majority of businesses feel that the security of the OS has an impact on the overall security and reliability of the network. Specifically, 60 percent of respondents indicated they place equal importance on monitoring the vulnerabilities of all network components, followed by 56 percent who rated the OS as crucial, and 42 percent who said the security of their databases and other main LOB applications were pivotal to the overall security of their network computing environments.

Based on first-person customer interviews, ITIC determined that the biggest customer complaint was not with the inherent security of a specific server OS platform, but rather in finding a fix and getting technical service and support when the organization was stymied.

In these particular instances, the organizations were very large enterprises, and a common complaint was that searching for a fix was akin to finding the proverbial needle in a haystack. Since the underlying reliability and security of nearly all the server operating systems and server hardware has improved, the majority of the more moderate and severe Tier 2 and Tier 3 outages are mainly due to integration and interoperability issues — e.g., incompatible applications or drivers.

Conclusions and Recommendations

Server OS security is fluid and not static. No server operating system, application or hardware component is immune to penetration. Customer perception can and does change the minute a security flaw is found or malware is unleashed that successfully penetrates or threatens to compromise the security of any platform.

None of the server operating system vendors can rest on their laurels. Microsoft has made impressive security gains making Windows Server inherently secure by default, design and deployment; now it must endeavor to maintain the consistency of its security.

Windows Server also has the biggest bull’s-eye on its back, since it is one of the most widely deployed server operating systems. Other server OS distributions — most notably Apple’s OS X 10.6x, which has so far managed to avoid falling prey to very major or public security holes, must likewise maintain its vigilance as the OS increases its presence in corporate enterprises.

Corporations also bear at least 50 percent of the responsibility for securing their respective environments. The most bullet-proof server OS can be compromised and undone by configuration errors and failure to install and turn on its security features.

Organizations are also advised to conduct quarterly threat assessments of their environments. Staying current on the latest patches and fixes is a must, as are regular updates of antivirus and other security packages. Corporations should review and update their security policies and procedures on an annual basis and strictly enforce them.

In addition to staying up to date on the latest patches and fixes, companies should investigate the emerging class of continuous monitoring packages and tools available from vendors like Red Seal and Arc Sight. These packages enable businesses to indentify and shut down security holes within their networks before hackers can find and exploit them.

These results are especially important considered in light of the increasing sophistication of cyberattacks. New malware, rogue code and phishing scams are cropping up on an almost daily basis. As they strive to accomplish more with fewer resources, IT departments must rely even more heavily on their vendors to deliver more reliable and secure servers and server OS platforms.

Time is literally money. Even a few minutes of downtime — especially when a hack or a suspected security leak occurs — can result in significant costs and cause internal business operations to grind to a halt. Downtime as a result of a security breach can also undermine a company’s relationship with its customers, business suppliers and partners, and raise the risk of litigation. If the cyberhack is severe enough, it could cost a company millions and take months or years to recover.