The three biggest challenges for IT managers are security, reliability and performance. Ideally, an organisation’s software will excel at all three but in practice we know that isn’t true.
Even the best-laid software development plans let bugs through which can cause problems in all these areas. So patching the organisation’s software is key.
Patching application and operating system software is often seen just as a way to eliminate security flaws, but it can also create a more efficient system by preventing performance bugs and memory leaks. It is a crucial part of any corporate IT security strategy, but unfortunately for IT managers it is also difficult to do.
The Australian Government Department of Defence found that operating system and application patching could have stopped 85 per cent of all security incidents it experienced, when used alongside application whitelisting and restricting administrative privileges.
It identified application and operating system patching as essential for security, but also ranked them as medium or high in terms of upfront cost (including equipment and technical complexity) and maintenance. Staff costs figured heavily in both these areas.
Simply put, patch management is complex, time consuming and hard to document when carried out manually.
The vendor trap
An efficient patch management strategy means automating the process. That brings challenges of its own, though.
One is that patch management software is often vendor centric. Microsoft sells its Windows Server Update Services product, for example, but it patches only its own operating system software and applications.
Then, there is Adobe, which provides its own update manager – and with 15 security flaws recently patched, it certainly needs one.
Some applications just try to patch themselves directly when they start up. IT administrators like managing everything from a central point because it reduces complexity and the process is less prone to error.
If applications are out there patching themselves from the desktop, it is hard to see what is going on. Relying on vendor-centric patch solutions creates a complex matrix of different services that probably won’t talk to each other.
Finally, viruses often target applications that patch themselves, disabling their ability to update.
So a third-party patch system that manages things centrally is a good idea. It should generate a report showing which patches were applied and when. Not only is that a good way to alert IT managers to any issues, but it can also satisfy other parties, including compliance managers who have to prove the extent of internal controls, for example.
The right tools for the job are important in patch management, but tools alone are not enough. A comprehensive strategy is key.
The first thing you need to do is build a solid inventory of your software infrastructure so that you know what must be patched, along with its current state.
Building and managing a detailed inventory can be difficult in a modern organisation, where many laptops may be used outside the corporate network. A cloud-based system can patch machines inside or outside the corporate LAN or WAN.
Standard virtual machine builds are easy to create and check with the right software
The other key part of any patch management strategy is creating standard builds for all software installations. This helps to reduce the complexity that can eat up IT budgets with maintenance costs.
Virtualisation can be useful here, as standard virtual machine builds are easy to create and check with the right software.
A patch management strategy should enable IT administrators to have everyone on the same baseline and keep software management simple.
In a cloud-based system using agents at the endpoint, organisations should be able to check the status of a machine automatically when they see it connect to the internet and carry out the appropriate patching tasks on the fly. That way, machines can be bought up to the current patching baseline without delay.
When it comes to patching computers, it can be worth checking and prioritising patches as they appear. An average-sized IT department may have a medley of different operating systems and applications, both at the endpoint and in the server infrastructure.
Applying all patches as they are introduced may not be feasible, especially if patches introduce flaws of their own.
We know that patches can sometimes break parts of the IT infrastructure, which is why it is important to test them before deployment. You need a user with non-critical business tasks to test the patching – so not the CEO, ideally, but maybe not Jane the office manager who really keeps the whole place running either.
Alternatively, a well-resourced IT department could develop a virtualised test environment to deploy patches on before rolling them out in production.
Frequently, the dangerous patches are full-version changes, or significant updates to software frameworks such as .Net or Java. Pay special attention to these.
It is also worth watching Twitter, vendor support forums and news sites to see if any patches are causing major problems. The more mission critical the software, the more risk is involved. Patching is an exercise in risk management.
It's a free-for-all
This takes care of your endpoint laptops and your servers, but there are other challenges ahead.
One of the biggest is support for a larger variety of devices. The hardware and software landscape is getting ever more complex and everything from VoIP phones to IP cameras and barcode scanners must be managed in a modern environment.
That can be difficult because the standards to identify and deploy patches for such a broad array of devices don’t exist. In many cases, it may involve direct, scripted interaction through a Linux or Unix command line terminal.
For now at least, this is the cutting edge of the patch management landscape and it is where organisations will rely heavily on human interaction.
This is where costs can inflate dramatically, even when you are doing things right, and it is where policies and procedures become an even more important of the picture. ®