Study Shows Windows Beats Linux on Security

REDMOND, Wash., June 23, 2005 – Security is one of the chief concerns of IT decision makers. Along with purchase price, interoperability, maintainability and deployment costs, security is a critical factor in determining which platform to deploy across an enterprise or to serve a particular role.

For proprietary and open source software (OSS) alike, administering security updates is a reality in the enterprise and a significant factor in total cost of ownership (TCO). In order to get an accurate picture of how costs associated with patch management figure into the TCO equation, Microsoft recently commissioned Wipro Technologies Ltd., an independent consulting firm, to study the cost of updating Microsoft and open source software in a real-world environment for desktops, servers and database servers.

Wipro surveyed 90 companies in the U.S. and Western Europe with 2,500 to 113,000 employees where both the Windows and open source operating systems were simultaneously being run. When the costs of updating are distributed across the size of the environment and evaluated on a per-asset basis, the study shows Microsoft software to be less expensive to patch than open source equivalents. These findings confirm what many customers are experiencing in their deployment scenarios.

Customers Confirm Benefits

At Chicago-based Cole Taylor Bank, internal analysis showed that Linux costs would be at least 20 percent higher than those in a Windows environment. “Once Microsoft lets us know that a patch exists, we’re able to evaluate them very, very quickly and remotely deploy the patches,” says Manuel Montejano, CIO at Cole Taylor Bank. “It not only keeps our cost down but it keeps our time-to-market very, very short.”

With the specific aim of improving security management, value and reliability, Independence Air, a regional passenger airline based at the Washington-Dulles International Airport, moved its e-commerce Web site from Linux to Microsoft. “We already know how to secure a Windows-based solution and keep it running smoothly,” says Stephen Shaffer, the airline’s director of software systems. “With Linux, we had to rely on consultants to tell us if our system was secure. With Windows, we can depend on Microsoft to inform us of and provide any necessary updates.”

In fact, Microsoft is recognized globally for the effectiveness of its network security management tools. The State of Qatar’s Radio & TV Corporation, which provides television and radio services for the country’s 840,000 residents, uses Microsoft Systems Management Server (SMS) 2003 to deploy enterprise-wide security updates and to manage update processes, ensuring network-wide security compliance within minutes of deployment. “SMS 2003 has provided the foundation for network security,” says Project Manager Shezhad Anwar Khan. “Microsoft helped us radically improve update management with its prescriptive security guidance, expertise and technology. The Microsoft approach to security is characterized by supportive tools and responsiveness to our needs.”

Security updates impact the bottom line, and Microsoft has built tools to help enterprises efficiently and securely manage their networks. Microsoft’s monthly rollout of updates, initiated in October 2003, is intended to improve both the updating process and the quality of security fixes.

Nevertheless, the prevailing perception in some quarters is that patching a Windows environment is more expensive than updating open source software, which also has inherent vulnerabilities and must routinely be updated. Because the Windows installed base is many times larger than the open source software installation, Windows can appear more expensive to update, even though this view overlooks benefits widely associated with economies of scale.

“Customers have told us that patch management is a significant part of the total cost of ownership equation,” says Martin Taylor, general manager of the Platform Strategy Group at Microsoft. “Wipro’s analysis shows that Microsoft helps address vulnerabilities faster than Linux distributors, enabling organizations to update their Windows environment more quickly than with open source alternatives. Organizations that employ solid management practices and Windows automation technology can significantly reduce the cost of patching and lower their risk exposure.”

Wipro on Windows vs. Linux

For the study, Wipro assembled an appropriate sample of organizations that ran both Windows and open source software. Each of the 90 participating organizations was interviewed on its patching practices and costs for both environments. The research firm Meta Group Inc. audited the survey instrument and associated cost model.

Key findings of the study include:

  • On a per-asset basis, the Microsoft platform is less expensive to patch than a similar OSS environment.

    • Windows desktops cost 14 percent less to patch than Linux desktops.

    • Windows servers cost 13 percent less to patch than Linux servers.

    • Windows database servers cost 33 percent less to patch than Linux database servers.

  • OSS-based systems faced with high-level and critical vulnerabilities are at risk longer than comparable Windows-based systems.

  • Survey respondents consistently overestimated the number of Windows vulnerabilities, while underestimating those for OSS.

  • Through the use of best practices, Windows patching costs can be reduced by up to 55 percent.

Based on a cost model created by Wipro, these measurement tools take into account six essential aspects of patch management: Threat Assessment, Patch Assembly and Testing, Patch Deployment, Failure Resolution, Help Desk and Infrastructure Reconfiguration. Risk is defined as the number of days between when a vulnerability was identified and when a patch was made available, combined with the amount of time it took organizations to deploy the patch. The study concludes that even when a greater number of patches are deployed for Windows, the costs are lower because it takes about half as much effort per patch to complete the task.

Wipro also found that businesses could realize an additional 55 percent reduction in patch management costs in the Windows environment by adopting a core set of security best practices. Chief among the recommended best practices are the centralization of IT operations, standardization of operating systems in the enterprise and the use of multiple tools for patch management.