Alternatives for Software Distribution and Patch Management
It is fair to say that the old model of centralized patching and its associated processes is becoming less effective than it was in the past. With many suppliers using the upgrade/replace method rather than patching, it is much more difficult to follow the identify-test-pilot-deploy-force process (or a variation of it) that has commonly been followed and automated.
Today this cumbersome practice is completely automated. IT departments are under constant pressure to accomplish more with an ever-decreasing budget. Paying the entire IT staff a full weekend’s worth of overtime whenever a new software version or patch is released would be cost prohibitive. Thus, over the last few years several software distribution and patch management solutions have been released by various companies. Let’s look at a few traditional alternatives, as well as a newcomer that looks very promising.
Systems Management Server
Microsoft’s preferred patch management and software distribution solution is SMS Server. While I haven’t worked much with the new version of SMS, from what I’ve seen it does a great job for larger organizations requiring massive deployments. However, there are some problems. The first downside is price. To run SMS Server 2003, you will need a server running Windows Server 2003. On top of the Windows licenses, an SMS Server 2003 license costs about $1,200. A five pack of client licenses will cost $279. There is also a fairly steep learning curve involved in packaging applications and distributing them.
Standardize software, lock devices down and force upgrades
Use the deployment tools built into operating systems, or dedicated applications, to do this. The trade-off between disruption to business operations and the time required to apply updates needs to be considered, however.
Use the cloud
The cloud may offer a realistic way to manage updates and patches. With instances being provisioned according to demand, cloud providers can create builds and deploy them when required. As instances are terminated, old builds can be removed from the service very quickly. The cloud provider must have a very good identify-test-pilot-deploy process, but that is something that can be requested and examined both before buying and while using the cloud service.
Another common solution to the software distribution and patch management problem is to use Terminal Services. For the most part, this solution works great. There is no extra software to buy, because Terminal Services is included in Windows Server 2000 and 2003. Furthermore, you don’t really have to worry about distributing software or patches to the clients, because most of the software is running on the server end. When updates are required, they can be applied directly to the terminal server.
If your users bring their own devices (BYOD), it is up to them to upgrade and patch those devices. Make this part of the acceptable use policy (AUP) or the employment contract, and educate users so that they actually do it.
Use 802.1X, network access control and quarantine
Treat any device that connects to your network as untrusted. Check devices as they connect to your network, and if they are not running the latest (or approved) software, do not allow them access to the network. Instead, direct them to a quarantine network where the only available action is to upgrade or patch the software.
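The default-deny posture check this section describes, as an added example that is not part of the original page: a device's self-reported posture is compared against an approved baseline, and anything missing, malformed or below baseline is sent to the remediation VLAN. The VLAN ids, baseline versions and posture field names are assumptions, not values from the page.

```python
"""Posture evaluation for an 802.1X / NAC quarantine decision (constructed example)."""
from dataclasses import dataclass
from typing import Optional

# Minimum approved OS versions; a constructed sample baseline, not a vendor recommendation.
APPROVED_BASELINE = {"windows": (10, 0, 19045), "macos": (14, 4, 0)}
PRODUCTION_VLAN = 100    # assumed id of the normal access VLAN
REMEDIATION_VLAN = 999   # assumed id of the quarantine VLAN (only update servers reachable)

@dataclass
class Decision:
    allowed: bool
    vlan: int
    reason: str

def parse_version(text: str) -> Optional[tuple]:
    """Turn '10.0.19045' into (10, 0, 19045); return None if unparseable."""
    try:
        return tuple(int(part) for part in text.strip().split("."))
    except ValueError:
        return None

def evaluate_posture(report: dict) -> Decision:
    """Decide network placement from a device's posture report.
    Every missing or malformed attribute is treated as untrusted (default deny)."""
    os_name = str(report.get("os", "")).lower()
    baseline = APPROVED_BASELINE.get(os_name)
    if baseline is None:
        return Decision(False, REMEDIATION_VLAN, f"unknown or unsupported OS {os_name!r}")
    version = parse_version(str(report.get("os_version", "")))
    if version is None:
        return Decision(False, REMEDIATION_VLAN, "missing or malformed OS version")
    # Pad so that '14.4' compares as (14, 4, 0) against a three-part baseline.
    width = max(len(version), len(baseline))
    version = version + (0,) * (width - len(version))
    padded_baseline = baseline + (0,) * (width - len(baseline))
    if version < padded_baseline:
        needed = ".".join(map(str, baseline))
        return Decision(False, REMEDIATION_VLAN, f"OS below approved baseline {needed}")
    if report.get("av_signatures_current") is not True:
        return Decision(False, REMEDIATION_VLAN, "anti-malware signatures not current")
    return Decision(True, PRODUCTION_VLAN, "posture meets baseline")

# Constructed sample posture reports, not data from real devices.
SAMPLE_REPORTS = [
    {"os": "Windows", "os_version": "10.0.19045", "av_signatures_current": True},
    {"os": "Windows", "os_version": "10.0.19041", "av_signatures_current": True},
    {"os": "macOS", "os_version": "14.4", "av_signatures_current": False},
    {"os": "Linux", "os_version": "6.8"},
    {"os": "Windows", "av_signatures_current": True},
]

if __name__ == "__main__":
    for report in SAMPLE_REPORTS:
        d = evaluate_posture(report)
        print(f"{report.get('os')} {report.get('os_version', '?')} -> VLAN {d.vlan} ({d.reason})")
```

Only the first report lands on the production VLAN; the other four are quarantined with a reason the helpdesk can act on.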
Focus on data, applications, systems and devices that are critical to your business or that handle sensitive (including personal) information. Use a risk assessment to decide what is critical and then patch the critical data, applications, systems and devices as a matter of priority.
Make sure patch management (and the time to do it) is part of outsourced IT provision or of any service contract.