Ignore Patches at Your Peril

With the rapidly increasing numbers of attacks on vulnerabilities in enterprise systems and software, data center managers face a mounting challenge to receive and apply the appropriate software patches. The pressure is on to protect the organization's applications and assets from hostile intentions, so data center managers need to be sure that patch codes are safe, are appropriate for their own configurations, and can be implemented without interrupting vital business services.

Viral and worm-based attacks can damage the data center, resulting in:

This is almost an arms race between the good guys and the bad. Many attacks will result shortly after vulnerability is announced by software vendors. The most commonly used solution to this problem is the deployment of patches that sequentially address each new vulnerability discovered (although occasionally a patch can itself give rise to a new set of problems). Overall, the importance and sheer number of patches demands that they be effectively managed and carefully deployed.

Patch management needs to take into account the business factors that are most important to the organization, such as the availability of business systems, which might dictate only a small window of opportunity for patch deployment. The management process should also first allow time for assessment of the patch and for testing in a controlled environment that mirrors the effects of the patch in a live environment.

Other issues arise from the complexity of the enterprise infrastructure, both inside and outside the data center. For example, the patch may have to be deployed across hundreds of servers, some of which may have to be visited at remote locations. Furthermore, large organizations are likely to be using thousands of desktop workstations, and each must also be monitored for compliance to the patch deployment.Perhaps the most difficult problems arise from mobile devices such as laptops and PDAs, which may have been infected by a vulnerability exploit but remain inaccessible until they reconnect to the main network, when they may pose a serious threat to infrastructure integrity. The heterogeneity of data center environments is also a major added complexity, with underlying operating systems and application environments bringing more difficulty in applying a patch only where it is appropriate.

In 2003, the U.S. Internal Revenue Service managed the problem of deploying patches, designed to block the attack of the W.32Blaster Worm, by using IBM Corp.'s (NYSE: IBM) solutions based on autonomic computing. The patch was successfully rolled out to 5,000 servers and a combined total of 125,000 desktops and laptops within the space of a week, using Tivoli Software Distribution and Tivoli Event Management. However, this level of investment in automated procedures is still quite rare -- most organizations do not, as yet, have sufficient investment in autonomic resources to ensure that a new patch can reliably be rolled out to every required point in the enterprise network, depending instead on human overseers taking responsibility for the success (or possible failure) of the task.

Organizations need to adopt a patching methodology as soon as possible. This must include a process whereby emerging patches are rapidly evaluated, and procedures to control the rapid and secure patching of network resources, as well as a measurement for compliance that verifies the success of the patching. The methodology must be an integrated part of the organization's security policy, to which the agreement of operational management is obtained in order to ensure that the policy is rooted in business priorities. Most importantly of all, such a policy must be seen to be active, and highly pervasive, throughout the organization rather than just in its data center.

Alan Lawson and Alan Rodger, Research Analysts, Butler Group