A patch in time saves nine
The new year is now in full swing and all the signs suggest that the Australian economy is powering ahead. Buoyant business sentiment is renewing investment in critical enabling technologies as enterprises shift from what S2 Intelligence managing director Bruce McCabe calls "defensive" projects to more "offensive" initiatives.
Complexity is often said to be the enemy of reliability, and nowhere is this truism better observed than in enterprise software. Most large organisations are now making a concerted effort to consolidate and simplify their software infrastructure through long-term partnerships with a small number of trusted applications and operating systems vendors.
Nevertheless, complexity issues continue to dog the stability and performance of core business systems. A central concern is the almost unmanageable flood of software patches, bug fixes, minor upgrades, security plugs and other running repairs that confronts enterprise IT managers on a daily basis.
Organisations are forced to contend with a disheartening rate of change as vendors respond to existing problems and the dastardly cunning of hackers and virus writers. CIOs are crying out for effective tools to cope with this permanent state of flux as their IT teams struggle to decide which patches require immediate implementation and which can wait. Few organisations can thoroughly test urgent upgrades before releasing them into production - let alone explore the way patching one platform will affect other systems.
The consequence is that a significant share of large enterprises are not keeping on top of all the patches they need to apply. This further encourages worms, viruses, Trojans and hackers by allowing them to exploit known vulnerabilities.
Why enterprises can't stay on top of patches
The lack of effective patch management can be attributed to a number of factors:
- The sheer volume of patches released each year
- The difficulty of prioritising patches
- The time required to identify which systems need patching
- A reluctance to install patches due to negative experiences deploying poorly tested vendor patches in the past
- The time involved in testing that a patch works properly
- The complexity of testing a patch's impact on linked systems
- The workload involved in deploying the patch to all relevant systems
- The cost of rolling back from a failed patch and cleaning up the damage
- The lack of holistic patch management software to automate the process
While some vendors offer management tools to simplify patch handling, customer reaction to date is less than favourable. Indeed, many organisations are now shell-shocked from bad experiences with patch management software. IT teams are particularly aggrieved when vital business applications crash following the installation of patches that vendors have not tested properly prior to release. This can have a major business impact through unscheduled downtime and the costs associated with correcting the problem.
Desperately seeking support
Such concerns mean many organisations still approach patching without tools to assist them. This ensures patch management remains inordinately time-consuming. Of even greater concern is the tendency for important security patches and bug fixes to be delayed until a service pack can be implemented. This leaves organisations at a greater risk of compromise for a longer period, as the window from vulnerability notification to patch deployment increases substantially.
Although there are utilities to help identify which systems require a particular patch and even to handle the patching process, these tools have limitations. Most are product-oriented or platform-specific, meaning, for example, that they can patch only Microsoft operating systems or only HP/UX environments, but not both. Some can apply patches to the underlying operating system and/or applications from a single vendor, but few can adequately address all applications running on a particular server or workstation. Some utilities can only identify which systems require a given patch, while another application is required to apply the patch.
Fujitsu's patch management service
Driven by many years' experience in resolving clients' security and IT management challenges, Fujitsu offers a sophisticated approach to patch management that helps customers defuse this issue. Our track record as a systems integrator and outsourced service provider to many of Australia's leading public and private sector organisations enables us to offer clients the benefit of insight and technical know-how to make patch management effective and manageable within realistic price parameters.
Fujitsu helps clients clarify their requirements to create successful patch management strategies. Our technical know-how also means we can help you identify the best software tools to put this strategy into effect, while highlighting the strengths and weaknesses inherent in each toolset.
Fujitsu can also assist in setting up an inexpensive test lab environment where patches can be evaluated. This test network will closely resemble your live environment, enabling much more exact validation than any software vendor could achieve. Test facilities reduce risk by allowing thorough assessment of potential problems before implementing a patch on production systems. Further assistance is available in the form of Fujitsu quality control test plans that enable IT managers to conduct detailed evaluation across a range of critical indicators.
With proper verification and processes, the good news is that IT managers can stay on top of patching to deliver greater reliability and security for the enterprise.
More information
Fujitsu's Information Security services
Adrian Ashbury
Principal Security Consultant
Fujitsu Australia Limited
Tel: +61 (02) 9776 4555
E-mail: adrian.ashbury@fujitsu.com.au
This article features in the March 2004 issue of interaction, Fujitsu's electronic customer magazine.
