It’s not as if Desjardins Group had much of a choice when it finally decided to standardize on Microsoft Corp.’s operating systems (OS) earlier this year. After all, the Montreal-based financial services provider had already witnessed many other Canadian banking institutions do the same, and Desjardins’ existing OS infrastructure, primarily comprising instances of IBM Corp.’s OS/2, was ready for the pine box.
“We are one of the last financial institutions in Canada to convert to Windows,” says Michel Sawyer, vice-president of development at Desjardins, a credit union with 5 million clients and more than $100 billion in assets that is this country’s sixth-largest financial institution, with nearly 1,600 locations. “We were very satisfied with OS/2, but OS/2 will be dropped by IBM two years from now.”
You might peg Desjardins as a victim of software product lifecycles — or death cycles, as the case may be — forced onto Windows when OS/2 worked just fine. But that’s not the picture that Sawyer paints. Instead he describes a careful tech-choosing process that has positively affected other aspects of his company’s IT infrastructure.
Sawyer says Desjardins first started investigating a transition from OS/2 to Windows a few years ago, but the financial firm wasn’t impressed with what the Redmond, Wash.-based software provider had on tap.
“We had a lot of concerns about stability and security,” Sawyer says, describing this as a reason for Desjardins’ reluctance to make the Windows jump. “We felt that Windows was not stable enough until early-2000. Before that it was not even an option for us.”
But as Desjardins followed Microsoft’s progress with its OSes, the bank witnessed an important change: the offerings seemed to be getting more and more stable. By the time Microsoft came out with Windows 2000 at the end of 1999, Sawyer and his colleagues started to think it might be something worth exploring. Desjardins also explored other OS options, notably Linux, the open-source operating system that has over the past few years come to be something of a contender in the operating system market.
After evaluating the financial, technological and operational impacts that Linux would have if Desjardins standardized on this platform, the company decided it wasn’t the right choice.
“We feel that Linux is not mature enough for critical banking applications,” Sawyer says. “Moreover, when you have 1,600 sites, we required support in case of problems.”
Linux was out of the running, but that’s not to say Desjardins simply rolled over and accepted its Microsoft-supported fate. The financial institution had many questions about Redmond’s offerings, and it wanted some answers before signing on. “If you look at security, everyone, including our IT management, was concerned,” Sawyer recalls.
According to Security Stats.com Inc., a computer security information provider, Microsoft put out 51 security advisories in 2003 — nearly one every week. That spells a heavy patch management job for Microsoft-intensive environments — something that may have aided the spread of “Blaster,” a worm that attempted to corral vulnerable Windows XP and 2000 machines into a denial-of-service attack against a Microsoft Web site in 2003.
Blaster exploited a problem in Microsoft’s operating systems — a problem that Microsoft identified and provided a patch for some weeks before Blaster hit the scene. But since there are so many fixes to contend with, IT departments often don’t have time to deploy them all immediately. The patch particular to Blaster may have been low on the priority list for some firms, at least until the worm did its damage: estimates as high as 30,000 machines infected worldwide.
Was this the sort of fire Desjardins could expect to douse if it standardized on Windows? Sawyer’s colleagues took similar questions straight to the source. “We went many times to Redmond to meet with the senior architect and senior security officer.”
In those meetings Desjardins digested the unique viewpoint of a software vendor whose products might be secure, but also happen to be prime marks for hackers.
“You must put things in perspective,” Sawyer points out. “The problem is that every hacker in the world wants to attack Windows. It’s the main target. I used to say OS/2 was very secure because none of the young hackers knew about it. I’m pretty sure if Linux becomes popular, you will find similar security problems.”
According to Michael Nowacki, enterprise group security leader at Microsoft Canada in Mississauga, Ont., the software vendor has been working to improve the security of its products. More than two years ago the company made security a top priority. It retrained its 18,000 developers on code writing so programs would come secure out of the hopper. It also started shipping software with features turned off by default. If customers wanted those services on, they would have to make it happen themselves.
Efficacy breeds responsible computing, Nowacki says. If customers are the ones to crank up features, they’re more likely to notice when Microsoft bulletins about those services come out.
Rosaleen Citron, CEO of WhiteHat Inc., an IT security provider in Burlington, Ont., says Microsoft’s wares are more secure today than they were even a scant six months ago, thanks to the vendor’s reexamination of its offerings. That said, Citron also points out that standardizing means having to beef up other security measures.
“It wouldn’t matter which system you’re running,” she says. “You still need to be able to patch. It just so happens that Microsoft gets hit more often.” Desjardins knows the score. “We have a new process in the company to deploy fixes rapidly,” Sawyer says. “We have a stronger platform for antivirus.”
Sawyer says his firm is in the process of converting 150 sites per month to Windows. The bank expects to complete the endeavour in late 2005. He advises working closely with vendors to get a sense of how well they can address your concerns.
As well, “You have to use market researchers like Gartner Group or Giga,” Sawyer says. “They’ll help you. We used them many times to make these decisions. Even in our negotiations with vendors, we used them.”