If a piece of software is End of Life (EoL), should you upgrade immediately?
Is it an immediate cyber security issue, or a business issue?
To understand the issue, conduct a risk assessment.
Consider the scenario.
You host a vSphere farm internally running version 6.7, which has gone EOL. The management network and hosts reside on your internal network and are only accessible from a specific secure workspace.
Maybe this is a low cyber security risk. So, do you hold off on the upgrade?
How does the business see the issue?
EOL generally means no vendor support. What happens if the hosts have a glitch that causes an outage? How long could your systems be down? What is the cost to the business of an outage?
Maybe this is a high business risk. So, can you hold off on the upgrade?
What happens when a zero-day vulnerability is announced/discovered?
EOL, again, potentially means no vendor support, which means no patches. So the cyber security risk potentially increases again.
Some more questions:
Does the underlying hardware support a newer version of the software that is going EOL?
What is the cost to the business of a hardware upgrade (if required) plus the software upgrade, versus the cost of a business outage and/or a security breach or ransomware incident?
Digging a bit deeper than the EOL hypervisor itself, there are further impacts to consider.
Take the scenario further.
Virtual servers running on the hypervisor:
- VMware Tools version (is it still supported?)
- Virtual server operating system version (only a limited set of guest OS versions are available and supported on an EOL hypervisor)
- Virtual servers, some internet-facing (inbound and outbound), running an older OS that is still supported
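Before you can rate the risk you need the inventory the scenario is built on: which hosts are on the EOL build, which VMs have outdated or unsupported VMware Tools, and what guest OS each runs. The PowerCLI snippet below is an added example (not code from the original post) that pulls that data from vCenter; the server name is an assumed placeholder, and "internet-facing" cannot be read from vCenter, so that column has to come from your firewall or NAT inventory.

```powershell
# Added example: gather the inventory needed for the EOL risk assessment.
# Assumes VMware PowerCLI is installed and 'vcenter.example.com' is a placeholder.
Connect-VIServer -Server 'vcenter.example.com'

# 1. Hypervisor hosts: version and build tell you which are on the EOL release.
$hosts = Get-VMHost | Select-Object Name, Version, Build, ConnectionState
$hosts | Format-Table -AutoSize

# 2. Guests: VMware Tools version/status and guest OS, as seen by the hypervisor.
#    ToolsStatus values come from the vSphere API (toolsOk, toolsOld, toolsNotInstalled, toolsNotRunning).
$guests = Get-VM | Select-Object Name,
    @{N = 'PowerState';   E = { $_.PowerState } },
    @{N = 'GuestOS';      E = { $_.Guest.OSFullName } },
    @{N = 'ToolsVersion'; E = { $_.Guest.ToolsVersion } },
    @{N = 'ToolsStatus';  E = { $_.ExtensionData.Guest.ToolsStatus } },
    @{N = 'Host';         E = { $_.VMHost.Name } }

# 3. Flag the combinations the scenario worries about: old/absent Tools on a running VM.
$guests |
    Where-Object { $_.PowerState -eq 'PoweredOn' -and $_.ToolsStatus -ne 'toolsOk' } |
    Sort-Object Host, Name |
    Format-Table -AutoSize

# Export the full list so the "internet-facing" column can be joined from the firewall/NAT inventory.
$guests | Export-Csv -Path '.\vm-inventory.csv' -NoTypeInformation

Disconnect-VIServer -Confirm:$false
```

The exported CSV is the starting point for the risk assessment: join it against your perimeter rules to mark which guests are internet-facing, and those rows are the ones where an EOL hypervisor plus an exploitable zero-day becomes a high risk rather than a low one.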
Now the cyber security risk is potentially high because of the internet-facing elements, and the likelihood of exploitation is high if a zero-day vulnerability becomes public and is actively exploited. Further mitigating controls would be recommended.
Now technical debt and risk are causing additional costs: tactical interim remediation costs to implement mitigating controls, to try to reduce the potentially high risk to the business.
- Build the business on a technology and cyber security strategy.
- Plan and prepare a 12-month roadmap.
- Develop a 3-5 year technology and cyber security strategy.
- Don't let systems go End of Life. Upgrade or replace.
- Plan, budget, and evolve the technology. Don't let technical debt build up.
(Opinions are from the Author only)