Patch management: All talk, no action?

Commentary: Corporate networks are under siege. With battalions of hackers toiling night and day to find entry points for attack, systems managers have only hours to close security holes before an invisible enemy tries to exploit them.

New-found vulnerabilities must be sealed promptly with software patches, a task which is hard enough within the LAN (local area network), and which becomes more challenging the farther computing devices are from headquarters. Yet under competitive pressure to make the sale and improve service at the front lines, companies are pushing more and more technology beyond the firewall into the field.

Executives carry laptops around the globe; sales reps and field technicians rely on handheld devices or dashboard-mounted Win32 machines; and retail and restaurant clerks use increasingly complex store systems designed to increase customer service and cut operational costs.

In the unpredictable environment outside the corporate firewall, where each device is a potential target, efficient patch distribution is essential. Nevertheless, sad experience has shown that simply rolling out patches to the field doesn't provide adequate protection. Patch management must be combined with full-featured systems management tools in order to ensure the security of remote and mobile devices.

Facing the realities
The front lines are typically made up of both static and mobile machines -- devices connected to headquarters in a bandwidth-constrained environment. Mobile devices are by their nature more vulnerable to attack than LAN PCs. The fact that laptops, handhelds and smart phones are carried on airplanes, tucked in purses or clipped onto belt loops makes it easier for them to -- quite literally -- fall into the wrong hands.

The more common danger, however, is that devices carried on one's person are more likely to be used for personal business. Forgetting that the device on which they practice chess can double as a hacker's pawn, users blithely change configuration settings, install unapproved software, and connect to virus-infected home computers. As a result, each time they dial in to the corporate LAN, they put the entire corporate network at risk.

Securing mobile devices is further complicated by the fact that the frontline environment is fundamentally different from the LAN environment. For one thing, mobile devices are only intermittently connected to a server, which makes it more difficult to schedule automated patch downloads. In addition, field-to-LAN connections often take place over low-speed, third-party networks with limited bandwidth, and are often interrupted without warning.

Store-based PCs, while not subject to problems associated with portability, share this challenge of a low-bandwidth environment. And because most tasks performed on store-based PCs are mission-critical (including credit card authorisations and other financial transactions) bandwidth bottlenecks can strangulate corporate efficiency. As the lifeblood of retail companies, point-of-sale systems must be available and functioning at all times.

No matter how critical their activities, users of store-based, as well as mobile systems, can't step down a hallway to get help if something goes wrong during a transmission. Neither can they be relied on to carry out system maintenance tasks, including urgent patch installations, even if this were a good idea (which it definitely is not). As a result, mobile and store-based devices often remain an open door for the first virus or hacker that happens along.

Faced with imminent security threats, systems administrators' first impulse is to rush software patches to the field. However, securing your mobile and remote systems through patch distribution cannot be effective if not supported by robust frontline management capabilities.

Companies should look for frontline management solutions that incorporate both security and general management functions that are optimised for operating beyond the corporate firewall so that administrators needn't cobble together two or more solutions to cover all their bases.

If patch distribution is to adequately protect frontline devices, corporations must be able to: 1) compensate for the limitations of the frontline environment; 2) lay the groundwork for efficient, automated patch deployment; and 3) keep a vigilant eye on mobile and store-based devices during and after patch distribution.

Compensating for conditions
Some companies have attempted to solve the frontline patch management dilemma using a LAN-oriented solution. They have found, however, that patch management systems designed for high-speed, continuous connections perform far less efficiently when bandwidth is limited and, in the case of mobile devices, connections are short-lived. A comprehensive frontline management solution compensates for these inherent challenges.

The ability to perform opportunistic downloads is critical in the mobile environment. Because machines connect to the LAN on an unpredictable basis, a good frontline management solution should allow patches to be downloaded whenever a connection is available. For instance, a software patch can be downloaded in the background when the user of a handheld connects to the corporate network to retrieve email or upload daily sales figures.

"Dynamic bandwidth throttling" is also vital in the frontline environment, for both mobile and point-of-service devices. This capability allows automated tasks to use only free bandwidth rather than gobbling all available resources.

It ensures that a patch download (or other system maintenance task) initiated at headquarters doesn't interfere with users' mission-critical activities, such as authorising credit card transactions or retrieving information needed for a quote. Without bandwidth throttling, users become frustrated by frequent slowdowns and interruptions, which leads to lower morale and reduced productivity.

Patch management at the front lines also must take into account that mobile connections are often severed without warning. While a LAN-based solution usually retransmits an entire file if a download is interrupted, a solution for the front lines should remember where a cut-off occurred, and restart transmission at that point the next time a connection is established. With bandwidth at a premium on the front lines, this type of efficiency is essential. Companies that fail to compensate for real conditions in the field will never adequately address security needs at the far edges of the enterprise.
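
The checkpoint-and-resume behaviour described above can be sketched as follows. This is an added example, not code from the article or from any product it alludes to: the simulated link, the class and function names, and the 30-byte payload are all constructed for illustration, and a SHA-256 digest check is added so that a reassembled patch is verified before it is ever handed to an installer.

```python
import hashlib

class LinkDropped(Exception):
    """The simulated connection was severed mid-transfer."""

def flaky_link(payload: bytes, drop_after: int, chunk: int = 4):
    """Constructed stand-in for the patch server: serves payload from a
    requested offset and severs the link after about drop_after bytes."""
    def fetch(offset: int):
        sent = 0
        while offset + sent < len(payload):
            if sent >= drop_after:
                raise LinkDropped()
            piece = payload[offset + sent: offset + sent + chunk]
            sent += len(piece)
            yield piece
    return fetch

class ResumableDownload:
    def __init__(self, size: int, sha256_hex: str):
        self.size, self.sha256_hex = size, sha256_hex
        self.partial = bytearray()   # stands in for the partial file on disk
        self.bytes_on_wire = 0       # total bytes pulled across all sessions

    def session(self, fetch) -> bool:
        """Run one connection; True once the patch is complete and verified."""
        try:
            for piece in fetch(len(self.partial)):   # resume at the saved offset
                self.partial += piece
                self.bytes_on_wire += len(piece)
        except LinkDropped:
            return False                             # keep progress, wait for next link
        digest = hashlib.sha256(self.partial).hexdigest()
        if len(self.partial) != self.size or digest != self.sha256_hex:
            self.partial.clear()                     # never install an unverified patch
            raise ValueError("patch digest mismatch; partial data discarded")
        return True

def deliver(payload: bytes, sha256_hex: str, drop_after: int):
    """Reconnect until done; returns (sessions_used, bytes_on_wire)."""
    dl = ResumableDownload(len(payload), sha256_hex)
    fetch = flaky_link(payload, drop_after)
    sessions = 1
    while not dl.session(fetch):
        sessions += 1
    return sessions, dl.bytes_on_wire

PATCH = bytes(range(30))                             # constructed 30-byte "patch"
PATCH_SHA256 = hashlib.sha256(PATCH).hexdigest()     # digest a manifest would carry
```

With the link dropping after roughly ten bytes, the 30-byte payload arrives over three sessions and exactly 30 bytes cross the wire; restarting from zero after each drop would never finish on this link.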

Laying the groundwork
Efficient patch distribution involves much more than automating deployment. In fact, for many corporations the first step is recognising that their front line can't be the computing equivalent of the Wild West. Because a patch must be tested against all system and software configurations used in the field, some level of conformity is required. Corporations must define and enforce configuration standards for field devices, just as they do for LAN PCs.

Policy management is therefore an integral part of effective patch management. By limiting device applications to those required for business, and by setting configuration standards, corporations are able to minimise delays in patch distribution when time is of the essence. Quality assurance tests can be automated and patches can be disseminated within minutes or hours, rather than days or weeks.

Before a patch is deployed, administrators must be able to automatically inventory each intended device, determining which applications are currently installed, whether they are appropriately configured, and when they were last updated. The ability to review device "patch levels" prevents redundant downloads and assures that the correct patches are applied.

This kind of preemptive checking is just as important in reverse: before a remote or mobile device is allowed to connect to a corporate server, its last virus scan should be reviewed, its security settings checked, and the presence of the latest software patches verified. Such automatic checks go a long way in protecting the corporate network from hostile infiltration. If a check reveals that a device no longer conforms to secure configuration standards (whether by accident or on purpose), the device can be automatically reconfigured by the frontline management system.

Neither an IT technician nor the user needs to lay a finger on it. For an organisation with hundreds or even thousands of devices in the field, this capability is essential. Without it, misconfigured devices remain an easy target for hackers, despite the "successful" distribution of a software patch.
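
A minimal sketch of the pre-connection check and automatic reconfiguration described above, as an added example rather than code from the article or any vendor's product. The baseline, the patch identifiers, the app names and the device record are all constructed placeholders, and remediation is simulated on an in-memory inventory record.

```python
from datetime import date

# Constructed baseline; patch IDs, app names and settings are placeholders.
BASELINE = {
    "required_patches": {"PATCH-001", "PATCH-002", "PATCH-003"},
    "settings": {"firewall": "on", "autorun": "off"},
    "allowed_apps": {"pos-client", "mail", "av-agent"},
    "max_scan_age_days": 7,
}

def assess(device: dict, today: date, baseline: dict = BASELINE) -> dict:
    """Compare a device's inventory with the baseline before it may connect."""
    # Only patches the device lacks are queued, which avoids redundant downloads.
    missing = sorted(baseline["required_patches"] - set(device["patches"]))
    drift = {k: want for k, want in baseline["settings"].items()
             if device["settings"].get(k) != want}
    rogue = sorted(set(device["apps"]) - baseline["allowed_apps"])
    stale = (today - device["last_av_scan"]).days > baseline["max_scan_age_days"]
    return {"missing_patches": missing, "reset_settings": drift,
            "unapproved_apps": rogue, "scan_stale": stale,
            "admit": not (missing or drift or rogue or stale)}

def remediate(device: dict, finding: dict, today: date) -> dict:
    """Return the device record after simulated automatic reconfiguration."""
    fixed = dict(device)
    fixed["patches"] = sorted(set(device["patches"]) | set(finding["missing_patches"]))
    fixed["settings"] = {**device["settings"], **finding["reset_settings"]}
    fixed["apps"] = [a for a in device["apps"] if a not in finding["unapproved_apps"]]
    if finding["scan_stale"]:
        fixed["last_av_scan"] = today    # a fresh scan runs as part of remediation
    return fixed

TODAY = date(2024, 1, 15)                # constructed date
HANDHELD = {                             # constructed device inventory record
    "patches": ["PATCH-001"],
    "settings": {"firewall": "off", "autorun": "off"},
    "apps": ["pos-client", "chess"],
    "last_av_scan": date(2024, 1, 2),
}

def gate(device: dict, today: date) -> tuple:
    """Assess, remediate if needed, then re-assess as the post-change audit."""
    before = assess(device, today)
    after = before if before["admit"] else assess(remediate(device, before, today), today)
    return before, after
```

Re-running `assess` on the remediated record stands in for the audit step: the device is admitted only when the second pass comes back clean, not merely because remediation was attempted.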

Standing watch
There is no such thing as security without system visibility. Field devices must be fully visible, or administrators have no way of knowing whether security measures are working as expected or required. Prompt dissemination of software patches is simply not enough.

Ideally, administrators should view and interact with mobile and store-based devices from a single console at headquarters. After patches have been installed, each device must be automatically audited to verify that the patch was installed correctly. This kind of roundtrip reporting is critical: it's the only way to know which patches were successfully installed and which were not. If an application "breaks" after a patch is implemented, administrators must be able to roll back the patch at once, without involving the user. Any organisation that neglects post-rollout audits can plan on a nasty surprise down the road, when they're hit hard in a spot they thought was fortified against exploitation.

In addition, administrators must be able to run ad hoc scans to check device patch levels, registry settings and configuration compliance. They also should be able to routinely upload antivirus scan logs from devices, or view device connection records. This kind of ongoing system monitoring is proactive, while patch management is essentially reactive. By combining both approaches, corporations are far better equipped to withstand the enemies arrayed against them.

Patch management is not enough
The security risks beyond the firewall are real, but corporations recognise that they can't afford not to equip personnel on the front lines -- those who make the sales and serve the customer -- with the cutting-edge technology they need to do their jobs faster and better. Companies must therefore find ways to keep frontline devices as safe as in-house PCs.

They can do this by first making it clear to anyone using computing devices in the field -- from technicians to executives -- that portable devices are not personal playthings. They must then follow through by enforcing security policies using a frontline management solution, managing both mobile and point-of-service devices as closely as headquarters PCs. Second, companies must define and enforce configuration standards for frontline devices so that security holes can be closed fast, with confidence that the patches will not bring the systems down. Third, each device in the field must remain constantly visible to systems administrators, including its software inventory and patch levels, configuration status, and user activity. This kind of ongoing visibility is the bedrock of network security.

Clearly, patch management can only be effective in conjunction with a complete array of systems management tools that are designed specifically for the front lines. Without such integration, deploying patches to the field is a lot like shooting in the dark.

biography
Joseph Owen is chief technology officer and vice president of Product Strategy at XcelleNet.