When Microsoft stops supporting Windows XP next month, businesses that have to comply with payment card industry (PCI) data security standards, as well as health care and financial standards, may find themselves out of compliance unless they call in some creative fixes, experts say.
Strictly interpreted, the PCI Security Standards Council requires that all software have the latest vendor-supplied security patches installed, so when Microsoft stops issuing security patches April 8, businesses processing credit cards on machines using XP should fall out of PCI compliance, says Dan Collins, president of 360advanced, which performs security audits for businesses.
But that black-and-white interpretation is tempered by provisions that allow for compensating controls: supplementary procedures and technology that help make up for whatever vulnerabilities an unsupported operating system introduces, he says.
These can include monthly or quarterly reviews of overall security, use of software to monitor file integrity and rebooting each XP machine every day in order to restore it to a known safe state, says Mark Akins, CEO of 1st Secure IT, which also performs compliance audits. That safe state can be reset using a Microsoft tool called SteadyState that was built for XP but not later versions of Windows.
"Risk is the factor," he says, and mitigating it is the goal, but the mitigations must reduce risk just as effectively as the original regulatory requirement that is not being met. To some extent that is a subjective call, and depending on the auditor businesses may have more or less flexibility in what compensating controls are deemed OK, says Akins.
Health Insurance Portability and Accountability Act (HIPAA) and Sarbanes-Oxley (SOX) financial regulations have provisions similar to those in the PCI standard, says Collins. In fact, PCI provisions are pretty much the baseline for the other two, which have some additional requirements tacked on, he says. So the issue goes well beyond businesses that handle credit cards.
These workarounds may sound good to businesses that haven't upgraded to Windows 7 or 8/8.1 yet, Akins says, but they are not likely to save any time, effort or money. "For IT it's easier to upgrade to Windows 7 or 8 versus implementing file integrity monitoring and installing SteadyState," he says.
Compensating controls can place a big load on IT departments because, for example, updating anti-virus software daily or constantly monitoring for file integrity or for evidence of intrusions, Collins says, isn't simple. "It's an arduous task," he says.
"Compensating controls should be as short-term as possible," and used only in order to keep key business applications running. Some legacy or proprietary business-critical software runs best or only runs on Windows XP, he says, and there are no feasible alternatives yet. "It's a major issue if the software deployed is unstable on newer versions of Windows."