Thursday, October 21, 2021

Stemming the Flood of Patches

As CIO for Tasty Baking Co. in Philadelphia, Autumn Bayles faces a constant stressor — the onslaught of security software patches and updates.

“When a patch is released at 9 a.m., you need to have it installed in all your machines by 9:05,” Bayles says. “Doing this manually is impossible.”

Bayles says automation is the only answer for today’s security patch needs. “We used to live in a little private network where we enjoyed a level of control,” she says. “Now, my users need access to the Internet from any desktop and I want them to be able to do that for a productive business.”

But she knows openness has its drawbacks.

“Any one of these desktops can be a gateway to bring a virus or something else bad into the corporation,” Bayles adds. “I just don’t want one infected PC to ruin the rest of the PCs on my network.”

Bayles is not alone in her dilemma.

IT administrators and techies are being worn down by the almost daily barrage of patches and updates deployed for critical enterprise software.

The flood often forces managers to pull IT workers off other projects to handle the load, diverting attention and scarce budget dollars to managing, testing and distributing patches.

To alleviate the pain of going desktop-to-desktop for 500 users, Bayles employs tools that distribute critical software updates automatically via a desktop agent.

Audrey Rasmussen, vice president at Enterprise Management Associates in Boulder, Colo., says the combination of increased patches and more remote access to corporate networks is forcing IT managers to consider automated patch management and software distribution tools. In fact, a cross-section of companies, such as HP (with its Novadigm purchase), iPass, Symantec, Altiris, Marimba, Novell and a slew of others, are all making a play for the automated software distribution market.

“It’s a hot area right now,” says Rasmussen. “The frequency of patches and the risk of exposure poor security brings companies, as well as the volume of systems to patch — servers and desktops — can be horrendous.”

Patches, she says, sometimes come out as frequently as every day. “If it’s just a program bug, IT managers can live with the current version for a bit, but when it’s a security patch that can open them up to attack, they need to get it quickly and efficiently across the enterprise,” says Rasmussen.

For James Payne, the advent of automated tools is a godsend. Payne, an end user support supervisor at Roto-Rooter in Cincinnati, Ohio, used to spend his time after a patch was announced burning CDs to quickly distribute to the company’s 60 locations. “Someone at the site would have to walk around and do the installs. Half the computers never got the update,” he says. “It was cumbersome.”

Payne also says the manual approach wreaked havoc with the network. “There were viruses that would take advantage of a hole in Windows because a patch wasn’t applied correctly or was missed during the manual install,” he says. “We never really had an on-site guru at other locations… so we would have to spend time fixing [problems].”

Most software distribution tools feature an auditor that lets IT managers know whether a computer has received the latest patches and updates. If the computer is not up-to-date, it can be blocked from accessing the network.
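To make the auditor's decision concrete, here is an added example (not code from the article or from any of the products it names) that checks each desktop's reported patch state against a catalogue and decides whether to allow, warn, or block. The patch ids, host names and severity classes are constructed; the split between security patches (block when missing) and plain bug fixes (warn only) follows Rasmussen's point above.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed patch catalogue: what the distribution tool considers current.
# Ids and severities are hypothetical, not taken from the article.
CATALOGUE = {
    "KB-SEC-001": {"severity": "critical"},  # security fix: must be present
    "KB-SEC-002": {"severity": "critical"},
    "KB-BUG-010": {"severity": "low"},       # program bug fix: can wait a bit
}

@dataclass
class Verdict:
    host: str
    missing_critical: List[str]
    missing_other: List[str]
    action: str  # "allow", "warn" or "block"

def audit_host(host: str, installed: Set[str], catalogue=CATALOGUE) -> Verdict:
    """Compare one host's installed patches against the catalogue."""
    missing_critical = sorted(p for p, meta in catalogue.items()
                              if meta["severity"] == "critical" and p not in installed)
    missing_other = sorted(p for p, meta in catalogue.items()
                           if meta["severity"] != "critical" and p not in installed)
    if missing_critical:
        action = "block"   # missing security patch: keep it off the network
    elif missing_other:
        action = "warn"    # only non-security fixes missing: report, don't block
    else:
        action = "allow"
    return Verdict(host, missing_critical, missing_other, action)

def audit_fleet(inventory: Dict[str, Set[str]], catalogue=CATALOGUE) -> Dict[str, Verdict]:
    """Run the audit over every host the desktop agents have reported on."""
    return {host: audit_host(host, installed, catalogue)
            for host, installed in inventory.items()}

# Constructed inventory: patches each desktop agent reports as installed.
INVENTORY = {
    "desk-01": {"KB-SEC-001", "KB-SEC-002", "KB-BUG-010"},
    "desk-02": {"KB-SEC-001", "KB-SEC-002"},
    "desk-03": {"KB-SEC-001"},
}

if __name__ == "__main__":
    for v in audit_fleet(INVENTORY).values():
        print(v.host, v.action, "critical:", v.missing_critical, "other:", v.missing_other)
```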

Rasmussen says it’s critical for IT managers to make sure they still leave room for testing the patches. “This is the bottleneck for totally automating patch management,” she says. “IT managers need to test patches on different platforms and different configurations they might have. They need to design a process for doing that efficiently.”

Joel Snyder, senior partner at Opus One, a consulting and information technology firm in Tucson, Ariz., agrees.

“It’s difficult to keep up with updates because of the quality assurance problem,” he says. “But every time you push something out, it’s going to break something else. This problem is magnified with remote access, but that doesn’t mean you stop trying. You just have to invest the time to make the patches work.”

Al Stern, director of systems architecture at the University of Dayton in Ohio, has a multi-step approach to vetting patches. Stern and his team have what they call a “critical patch committee”.

The committee, a group within IT, reviews Microsoft patches on their release date. They then push the approved patches to a group of 100 test users, Stern says. The goal is to see if that test group notices any serious problems. If nobody is “detonated”, then the patch is pushed to the rest of the campus’ 12,000 users within days. Virus updates and critical patches are on a much quicker schedule, being tested every hour and then dispatched. “That process never stops,” he says.

Although the university has an e-mail list used to announce all viruses and remedies to students, Stern says he relies on the automated tools. “We can’t take the chance that they might not read the e-mail, or see it’s from the PC Help Desk and ignore it,” he says. “That’s tremendously ineffective.”

Stern cautions his peers to be careful with the length of automated updates, though. “If it’s more than 20 seconds to scan and update the PC, users complain,” he says. “You have to be fast.”

Tasty Baking’s Bayles says if the update is going to take a while, she prefers to let users know ahead of time. “I wouldn’t want to disrupt somebody’s workday.”
