Virtual Twins as part of a Compensating Controls Process

Virtual Twins in a Compensating Control Process for Windows 7 & Server 2008 EOL

Converting physical systems to virtual representations when a Microsoft operating system reaches end of life (EOL)
Ron Brash

Virtual twins as part of Vulnerability Management programs that have risky Commodity-OS elements to manage

Technological progress cannot be undone, and Microsoft’s extended support is ending soon for two widely deployed products: Windows 7 and Server 2008. Microsoft wishes for everyone to upgrade to ensure security against vulnerabilities. But for asset owners, this represents a series of new questions or pain points if a host is physically deployed.

This Windows-host upgrade approach may use VMware vSphere Converter, as one example, to create “digital twins” or “virtual twins” of stand-alone hosts, but other tools are available, including Microsoft’s own migration tooling.

In a vendor agnostic fashion, the process is broken up into five steps:

  • Step 1 – Get started with Inventory Information. Enumerate affected hosts and collect asset information for each, including configurations and associated risks.
  • Step 2 – Virtualize the First Host. Assuming a small prioritized sample of affected low-risk assets, and an adequate backup/recovery process and technology, virtualize the host using conversion software delivered through a management solution.
  • Step 3 – Conclude Basic Testing. Engineer against consequence: the virtual twin moves to an environment where the upgrade/migration and incremental testing are performed with minimal impact and quick rollbacks should an error occur. Continue developing all documentation and automation where possible.
  • Step 4 – Roll Out Tested Procedures. Once testing has concluded for one asset, move on to the next asset with similar risk or priority, moving from low to high, and document the process. If a specific level of trust and risk appetite is met, then consider a strategy for identifying another batch of devices for a roll-out using the process laid out in Step 3. Reiterate, improve and continue onwards unless barriers to an upgrade exist.
  • Step 5 – Legacy Exclusions & Conclusion. Not all systems can be upgraded (although most should given the nature of environments today), and in these cases, examine compensating controls to improve risk exposure and vulnerability of these assets, with a focus on prevention and recovery.
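As an added example that is not part of the original post, the script below applies Steps 1, 4 and 5 to a constructed inventory: it parses the host list, orders the virtualizable Windows 7 / Server 2008 hosts from low to high risk into roll-out batches, and sets aside the hosts that cannot be converted so they can be handled with compensating controls. The inventory columns, the 1-to-5 risk scale and the hostnames are assumptions made for the example.

```python
import csv
import io
from dataclasses import dataclass

# Products whose extended support is ending (per the post). Windows 7 and
# Server 2008 R2 both report kernel 6.1, so match on product name, not version.
EOL_PRODUCTS = ("Windows 7", "Windows Server 2008")

# Constructed sample inventory; risk runs from 1 (low) to 5 (high).
INVENTORY_CSV = """hostname,os_name,os_version,role,risk,can_virtualize
hmi-01,Windows 7 Professional,6.1.7601,HMI,2,yes
hist-01,Windows Server 2008 R2,6.1.7601,Historian,4,yes
eng-ws-02,Windows 10 Enterprise,10.0.19044,Engineering,1,yes
dcs-srv-01,Windows Server 2008 SP2,6.0.6003,DCS server,5,no
lab-01,Windows 7 Professional,6.1.7601,Lab,1,yes
plc-prog-03,Windows 7 Professional,6.1.7601,PLC programming,3,no
"""

@dataclass
class Host:
    hostname: str
    os_name: str
    os_version: str
    role: str
    risk: int
    can_virtualize: bool

def load_inventory(text):
    """Parse the CSV inventory (Step 1) into Host records."""
    return [Host(r["hostname"], r["os_name"], r["os_version"], r["role"],
                 int(r["risk"]), r["can_virtualize"].lower() == "yes")
            for r in csv.DictReader(io.StringIO(text))]

def is_eol(host):
    return host.os_name.startswith(EOL_PRODUCTS)

def plan(hosts, batch_size):
    """Return (batches, exclusions) for the EOL hosts in the inventory.

    Batches hold virtualizable hosts ordered low to high risk (Steps 2-4);
    exclusions are EOL hosts that cannot be converted and so need
    compensating controls (Step 5), listed highest risk first.
    """
    eol = [h for h in hosts if is_eol(h)]
    todo = sorted((h for h in eol if h.can_virtualize), key=lambda h: h.risk)
    batches = [todo[i:i + batch_size] for i in range(0, len(todo), batch_size)]
    exclusions = sorted((h for h in eol if not h.can_virtualize),
                        key=lambda h: h.risk, reverse=True)
    return batches, exclusions
```

Feeding a real inventory export with the same columns into `load_inventory` yields the first low-risk batch to virtualize and the exclusion list that Step 5 needs to review.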

Advantages of Compensating Controls:

  • Even if an upgrade is not possible, virtualization itself offers several advantages such as leveraging economies of scale, easy backups, and quick restores/rollbacks
  • Reduces the risks of deployments and technology transitions
  • Documentable at each step of an upgrade or testing by way of digital “snapshots”, which are complete artifact outputs that can be archived
  • As part of a bigger picture, it provides an opportunity to understand and standardize on prioritizing assets and building roadmaps/campaigns
  • Re-usable as a testing process component for any software updates and upgrades
  • Re-usable as a risk assessment exercise and process
  • You now have a virtual and digital twin of the asset

This isn't an exhaustive guide, but it should help you get started with migrating to a virtualized deployment. The same process can also help you test legacy software on newer Operating Systems (OS), or convert physical systems to virtual ones so you can retire legacy equipment where possible.
