
Stemming the Flood of Patches

As CIO for Tasty Baking Co. in Philadelphia, Autumn Bayles faces a constant stressor -- the onslaught of security software patches and updates.

''When a patch is released at 9 a.m., you need to have it installed in all your machines by 9:05,'' Bayles says. ''Doing this manually is impossible.''

Bayles says automation is the only answer for today's security patch needs. ''We used to live in a little private network where we enjoyed a level of control,'' she says. ''Now, my users need access to the Internet from any desktop and I want them to be able to do that for a productive business.''

But she knows openness has its drawbacks.

''Any one of these desktops can be a gateway to bring a virus or something else bad into the corporation,'' Bayles adds. ''I just don't want one infected PC to ruin the rest of the PCs on my network.''

Bayles is not alone in her dilemma.

IT administrators and techies are being worn down from the almost daily barrage of patches and updates deployed for critical enterprise software. The flood often forces managers to pull IT workers off other projects to handle the load, diverting attention and scarce budget dollars to managing, testing and distributing patches.

To alleviate the pain of going desktop-to-desktop for 500 users, Bayles employs tools that distribute critical software updates automatically via a desktop agent.

Audrey Rasmussen, vice president at Enterprise Management Associates in Boulder, Colo., says the combination of increased patches and more remote access to corporate networks is forcing IT managers to consider automated patch management and software distribution tools. In fact, a cross-section of companies, such as HP (with its Novadigm purchase), iPass, Symantec, Altiris, Marimba, Novell and a slew of others, are all making a play for the automated software distribution market.

''It's a hot area right now,'' says Rasmussen. ''The frequency of patches and the risk of exposure poor security brings companies, as well as the volume of systems to patch -- servers and desktops -- can be horrendous.''

Patches, she says, sometimes come out as frequently as every day. ''If it's just a program bug, IT managers can live with the current version for a bit, but when it's a security patch that can open them up to attack, they need to get it quickly and efficiently across the enterprise,'' says Rasmussen.

For James Payne, the advent of automated tools is a godsend. Payne, an end user support supervisor at Roto-Rooter in Cincinnati, Ohio, used to spend his time after a patch was announced burning CDs to quickly distribute to the company's 60 locations. ''Someone at the site would have to walk around and do the installs. Half the computers never got the update,'' he says. ''It was cumbersome.''

Payne also says the manual approach wreaked havoc with the network.

''There were viruses that would take advantage of a hole in Windows because a patch wasn't applied correctly or was missed during the manual install,'' he says. ''We never really had an on-site guru at other locations... so we would have to spend time fixing [problems].''

Most software distribution tools feature an auditor that lets IT managers know whether a computer has received the latest patches and updates. If the computer is not up-to-date, it can be blocked from accessing the network.

Rasmussen says it's critical for IT managers to make sure they still leave room for testing the patches. ''This is the bottleneck for totally automating patch management,'' she says. ''IT managers need to test patches on different platforms and different configurations they might have. They need to design a process for doing that efficiently.''

Joel Snyder, senior partner at Opus One, a consulting and information technology firm in Tucson, Ariz., agrees.

''It's difficult to keep up with updates because of the quality assurance problem,'' he says. ''But every time you push something out, it's going to break something else. This problem is magnified with remote access, but that doesn't mean you stop trying. You just have to invest the time to make the patches work.''

Al Stern, director of systems architecture at the University of Dayton in Ohio, has a multi-step approach to vetting patches. Stern and his team have what they call a ''critical patch committee''.

The committee, a group within IT, reviews Microsoft patches on their release date. They then push the approved patches to a group of 100 test users, Stern says. The goal is to see if that test group notices any serious problems. If nobody is ''detonated'', then the patch is pushed to the rest of the campus' 12,000 users within days. Virus updates and critical patches are on a much quicker schedule, being tested every hour and then dispatched. ''That process never stops,'' he says.

Although the university has an e-mail list used to announce all viruses and remedies to students, Stern says he relies on the automated tools. ''We can't take the chance that they might not read the e-mail, or see it's from the PC Help Desk and ignore it,'' he says. ''That's tremendously ineffective.''

Stern cautions his peers to be careful with the length of automated updates, though. ''If it's more than 20 seconds to scan and update the PC, users complain,'' he says. ''You have to be fast.''

Tasty Baking's Bayles says if the update is going to take a while, she prefers to let users know ahead of time. ''I wouldn't want to disrupt somebody's workday.''
