GUEST COLUMN: Give the IT Folks a Break
Today, IT professionals are facing harsh criticism. The IT magazines
are riddled with quotes from critics berating the pervasive security
flaws lurking in IT systems. When a new worm wreaks havoc, you can
bet that these same experts will lay the blame on the system admins.
Most likely, these experts will also say that patches are available
and the problems will go away if administrators would just install
them. IT professionals are regular targets of rhetorical questions
loaded with accusations of irresponsibility and incompetence. In fact,
the stories usually focus on the IT people and not the new worm,
which was the cause of the problem in the first place. Let's take
a different tact and agree that perhaps these folks deserve a break.
In today's business environment, where security is the focus, we
find ourselves at a juncture where best practices are changing and
the old standards are no longer acceptable. Before explaining further,
a brief history is required.
Consider software updates such as hotfixes and service packs. A year
earlier, it was considered bad practice to automatically deploy the
latest hotfix from Microsoft. IT professionals universally declared,
"It ain't broke. So, we're not fixing it." Indeed, not that long ago,
most of us thought that the risks associated with deploying all of
those hotfixes were too great, and we left well enough alone. These
risks included complete system lockup and other behaviors. IT managers
would test, test and test some more.
This process was time-consuming and tedious. Besides, nobody ever
got promoted for deploying hotfixes. In the end, the possibility of
causing such catastrophic system failures weighed on the IT pro's
mind to the extent that they learned to minimize the risks by not
deploying updates regularly.
During the summer of 2001, awareness of security vulnerabilities
reached critical mass ? and it hasn't subsided since. Gartner
estimates that 20 percent of enterprises will suffer material loss
as a result of a cyberattack by 2005. In the first half of 2002,
there were 180,000 Internet attacks on U.S. corporations ? a 28%
percent increase, according to Riptech. No wonder nearly 70 percent
of IT professionals worldwide surveyed by Computer Economics believe
large-scale cyberattacks will occur in their country within two years.
A cultural change was taking root, and system admins embraced it.
Even though the problems associated with deploying updates still
existed, a genuine desire to change the standard practice of reacting
when systems were attacked faded. Now, IT professionals were looking
for ways to deploy hotfixes, plug the security holes and be proactive
at managing their systems.
Their desires for proactive management were strong, yet they suffered
through a barrage of virus attacks, including "I Love You," Nimda,
Code Red (and other colors from the rainbow) and various other
intrusions. Although they firmly changed their culture and embraced
this proactive approach of deploying hotfixes, they had no available
solution offering the features that are necessary for total management
of hotfixes and other software updates.
Most current offerings fall into one of two categories.
If an administrator has to walk to all of the individual machines,
he or she can count on spending 20 or more minutes per machine to
install the fix. In the meantime, the project on which the admin
was working is put on hold, waiting for the unscheduled fixes to
- The administrator programs a script for inventory and deployment, or
- The administrator walks around to each machine to run the updates.
If the IT professional has to program a solution, he can count on
at least 24 hours before deployment into production. The scripts
must be tested for any exceptions, and, since no two hotfixes seem
to be exactly alike, it can be an ugly mess requiring special know-how for all implementations.
What's more, so-called free and automatic updates, like those that
come with licenses for Service Pack 3 for Windows 2000, are likely
to cause more pain and heartache. Blindly installing patches that
haven't been tested against each other can ruin the very data the
admin is intending to protect ? and it's no secret that Microsoft's
patches can contain bugs themselves. User groups have echoed this
sentiment time and time again.
A better solution for IT professionals is investing in products
that assist them in researching software updates, taking inventory,
deploying patches and validating hotfixes, service packs, roll-ups,
etc. In this model, a management console reports on activities and
matches the actual inventory against the policies defined by the
admin. The IT professional can then manage by objective using policy
to define the objective as well as manage by exception using reports.
The pain this solution alleviates for the administrator is in not
having to "de-conflict" the countless interdependencies among software
updates. The right software will know what order to install the
updates and if certain combinations are not deployable together.
Such a solution leverages an extensive database that has been
qualified by rigorous testing and analysis. This way, businesses
can easily deploy the latest security fixes safely, while eliminating
mistakes that can lead to system failures.
It is true that IT professionals are responsible for updating their
systems and need to know what updates are applicable for their
businesses, but when one understands the complexity of a comprehensive,
proactive approach to managing hotfixes and other software updates,
it is fitting to cut these administrators some slack. Deploying
hotfixes is an unplanned event, arriving without warning. IT pro's
need a break, and that break might just be spending some time and
resources procuring the right tool to ensure quality, uptime and
security ? and less time in the "blame game."
About The Author:
Ron Kaplan is the product Manager for St. Bernard Software's
UpdateEXPERT, which solves system and application security
problems by keeping software patch levels current.