Lech Sandecki
on 8 December 2020
Ubuntu 16.04 LTS upgrade vs extended security maintenance
Weighing the options with an Ubuntu 16.04 upgrade
Ubuntu 16.04 LTS Xenial Xerus is transitioning from its five-year standard security maintenance window in four months, leaving many asking the question: can I manage an Ubuntu 16.04 LTS upgrade by April 2021, or do I need more time to plan this migration?
In the Less than 6 months to Ubuntu 16.04 ESM: 6 things to prepare blog post, I provide a guide to start thinking of your whole stack and multi or hybrid cloud infrastructure estate when answering this question – from the Linux kernel up to your open source applications, and from OpenStack to containers to the public cloud. When creating your plan, it is important to identify the risks and associated costs, as is recommended with any major upgrade.
Outlined below are two major risks to incorporate into a migration plan, which is unpacked in more detail in the webinar, Ubuntu 16.04 LTS moving to Extended Security Maintenance: Six considerations, with Ubuntu Server Engineering Manager, Rick Harding.
Risks and costs associated with major upgrades
Downtime
Infrastructure teams work hard to optimise workloads to make sure they are performant, avoiding downtime at all cost. However, with system updates and migrations that may be required on the back of an OS upgrade, downtime is oftentimes a necessary evil.
For most organisations, downtime can be costly, so it is crucial to ensure that 1) impacted stakeholders are aware and 2) downtime is scheduled within low-impact maintenance windows.
This is a key piece of upgrade planning due to the risks and costs it can pose, which can differ across industries and systems. The Ponemon Institute’s Cost of Data Center Outages 2016 Report estimates the average cost of downtime at $9,000 per minute, which would equate to more than $500,000 an hour.
With downtime costs figures increasing year on year, and with every business having specific requirements, dependencies and timeframes, planning for downtime is a critical piece when mapping out any upgrade and migration.
Security
To maintain stability and continuity of critical workloads, ensuring security and compliance of systems is key. Without proper preparation and testing, workloads can be exposed if package vulnerabilities are not addressed quickly while planning a major migration.
For example, after Ubuntu 14.04 LTS transitioned into its extended security maintenance (ESM) period in April 2019, the Ubuntu Security Team patched over 500 vulnerabilities – including Linux kernel, python and GRUB2 vulnerabilities – issuing more than 200 Ubuntu Security Notices for Ubuntu 14.04 ESM from April 2019 to date. For those who delayed migration from 14.04 LTS and opted to not continue patching their systems via ESM, those systems were exposed to potential security breaches.
Interana, a company that provides an analytics solution and supports the two largest business intelligence vendors in the world, Microsoft and Salesforce, required the scheduling of large-scale data migrations with each client, making software updates from Ubuntu 14.04 LTS a challenge.
Zivago Lee, Director of DevOps Engineering at Interana, explains, “As a managed service provider handling large amounts of customer data – some of it sensitive – it’s our duty to ensure that we keep security as tight as possible. Running an unsupported operating system was out of the question, but upgrading all our customers at once would have put considerable strain on our time and resources. Since we’re going up two LTS versions, we’re not just doing a disk upgrade, but a full new build of the cluster – so we need to schedule with each client to migrate their data.”
As Ubuntu 14.04 LTS reached the end of its standard maintenance window, Interana chose ESM so that it could maintain the security of its solutions without having to rush major updates before customers were ready. Instead, ESM enabled the company to perform a controlled rollout of Ubuntu 18.04 LTS at the same time as it upgraded customers to the new Interana V4 platform release.
Learn more about Interana’s upgrade challenges in the case study ›
For most organisations, running an unsupported OS is out of the question, so it is crucial to plan in advance to make sure systems are not exposed. For those who cannot action on an Ubuntu 16.04 LTS upgrade by April 2021, it is recommended to continue receiving security patches through ESM to avoid a potential security breach. As far as associated costs of unpatched systems, the global average total cost of a data breach is $3.86 million according to Ponemon Institute’s Cost of a Data Breach Report 2020, which also provides a way to estimate breach costs by industry and geography.
Costs associated with extending the security maintenance of Ubuntu 16.04 LTS
There are a myriad of reasons why infrastructure updates do not go to plan, whether due to the above risks or to poor capacity, timeline or budget planning. That is why it is recommended to weigh the migration risks and their associated costs with that of extending security of your Ubuntu 16.04 LTS estate with ESM.
Extended security maintenance (ESM) is provided by Canonical, the publisher of Ubuntu, to give organisations more time to plan upgrades, while still ensuring the integrity of Ubuntu LTS systems. ESM ensures Ubuntu 16.04 LTS systems receive patches for high and critical CVEs (Common Vulnerabilities and Exposures) in the Ubuntu base OS and scale-out infrastructure (Ceph, Openstack, Kubernetes and more) on the 64-bit x86 architecture.
For those with Ubuntu 16.04 instances on AWS or Azure, ESM is baked into Ubuntu Pro and Ubuntu Pro FIPS premium images. Moving to Ubuntu Pro gives you open source security patching, alongside the flexibility of public cloud pricing – billed by the hour with no additional contract necessary. Pro pricing ranges from $0.01-$0.127+/hour by instance size.
Get started with Ubuntu Pro for AWS ›
Get started with Ubuntu Pro for AWS ›
ESM is also available for physical servers, virtual machines, containers and desktops through an Ubuntu Advantage subscription, ranging from $25-225/machine for the Essential plan (without phone, ticket support). For a more accurate estimate of an Ubuntu Advantage subscription, visit ubuntu.com/advantage. Personal Ubuntu users get access to an UA Infrastructure Essential subscription for free on up to 3 machines.
An Ubuntu Advantage subscription also gives organisations access to additional security and compliance features such as CIS hardening, FIPS 140-2 compliant modules and Linux kernel live patching.
To learn more about ESM and considerations when creating a migration plan and cost analysis, watch the Ubuntu 16.04 LTS moving to Extended Security Maintenance: Six considerations webinar. Together with Rick Harding, Ubuntu Server Engineering Manager, we deep dive into the options and considerations, such as:
- How does extended security maintenance (ESM) work?
- What does it take to plan an Ubuntu 16.04 LTS upgrade or migration?
- How to prepare a successful migration project?
- What other options are worth considering before making a decision?
Get in touch with your upgrade or ESM questions