Patch management: a necessary evil


If you’re an IT administrator, you’ve probably come to regard the first Tuesday of every month as the Day of Necessary Evil.  It’s the day that Microsoft comes out with its security patches.  Some months they’ll have more…some months, less.  But this month?  Man, you’ve hit the jackpot.

According to Network World, Microsoft is delivering 14 security updates this week to patch 34 discovered vulnerabilities in Windows, Internet Explorer (IE), Office and Silverlight. Eight of the 14 are labeled “critical,” Microsoft’s highest threat ranking. From here, I can hear IT guys muttering under their collective breath. And I’m not sure I blame them.

Look, it’s IT’s job to make sure things are running smoothly.  The last thing they want is news of yet another threat that has the potential to compromise or crash their system. Yet, stuff is being discovered all the time “in the wild” that will do exactly that.  Hence, the continuous “cat and mouse” game that I referred to before, between the bad guys who want to infiltrate your network, and the IT administrators (the good guys) who need to prevent it from happening.

I’ve spoken with more than one CIO or CSO who rues the day that his or her company opened up its network to this thing called the Internet.  While it’s obviously an absolute requirement to do business today, it’s also an absolute pain in the firewall.

There is always the temptation to forgo updates issued by Microsoft or some other vendor: “What if they cause something else to break?” has always been a common complaint. And yet, we know that ignoring the updates, and the work required to implement them, is tempting fate at best.

IT administrators running Windows should budget these updates into their workflow, and make sure their personnel are ready to install them.  If you’ve outsourced your infrastructure to a third party, like Hosted Solutions, make sure your provider has done the same.  But make sure that you have someone available to work with your provider, just in case something unexpected occurs.

It’s to Microsoft’s credit that it’s scheduled regular patch releases and keeps companies updated about potential vulnerabilities.  So, as an IT guy, the best thing you can do is listen carefully, patch…and trust that you’ll make it through another Day of Necessary Evil.  Until next month.