Applying patch management
With the security of the network at stake and new exploits arriving almost daily, an ad hoc approach to software fixes won't cut it
At one time, the concept of patch management merely meant keeping an owlish eye on Microsoft’s download site. But in recent years, Internet security has steadily deteriorated. Anti-virus vendor Sophos reported a staggering 959 new viruses and worms discovered in the month of May alone, and the number of Windows exploits and vulnerabilities seems to have grown exponentially.
No longer a grunt-level headache for systems administrators, keeping abreast of security patches has become an essential business practice for any company, large or small. Although an ad hoc patching policy might once have sufficed, the surge in updates during the past two years demands that IT managers be aware of security at every level. After all, if even one critical system is compromised, the entire network can be exposed.
Unfortunately, the sheer volume of updates has made securing an enterprise network more difficult than ever. Preparing for a major OS upgrade is one thing, but too often, an unexpected fix can blindside IT administrators.
“It’s the security updates that are coming so fast nowadays,” says John Saulz, principal systems engineer for the City of Colorado Springs, Colo. “You’ve got to know when to find them, test them in almost no time, and then decide whether it’s safe to deploy them. And you’ve got to do it in just a few days.”
Navigating this increasingly tortuous terrain doesn’t have to be a nightmare, but it does call for a comprehensive security strategy that gives patch management a central role.
Windows on the defense
Every platform is subject to security fixes, but Windows systems are typically the driving force behind most companies’ decision to implement a patch management solution. Not only does the Windows platform account for the bulk of enterprise systems, it has also been the source of the greatest number of security vulnerabilities.
For a time it seemed that IT departments’ calls for more secure software were falling on deaf ears in Redmond, but Microsoft has since made security a top priority. Last fall, the company initiated a full-force drive to revamp its patching strategy, beginning with the announcement that it would begin issuing patches each week. These scheduled updates have won acclaim from harried IT administrators, causing even other software vendors to take notice.
“It’s extremely expensive to patch systems, so consolidating and centralizing the process is hugely valuable to customers,” says Mary Ann Davidson, chief security officer at Oracle. “Microsoft has taken some good first steps in this direction with their announcement of scheduled releases last fall. Customers really like that, so we’re looking into it as well.”
In addition, Microsoft offers a number of products aimed at helping administrators keep abreast of new updates and security fixes as they arrive. Windows Update forms the baseline defense, with the forthcoming release of Windows Update Services — previously known as SUS (Software Update Services) — providing additional tools for network administrators. Finally, SMS (Systems Management Server) 2003 offers advanced deployment, reporting, and compliance-enforcement features for environments with more demanding management needs (see Secure Enough for a Bank).