
Security Think Tank: Six alternative strategies to centralised security patching

What strategies can companies adopt to help keep up with and deal with the huge volume of software updates they are facing?

It is fair to say that the old model of centralised patching and its associated processes are becoming less effective than they were in the past (if they ever really were).

With a number of suppliers using the upgrade/replace method rather than patching, it is much more difficult to follow the process of identify-test-pilot-deploy-force (or a variation thereof) that has been commonly followed and automated.

There are a number of patch management strategies that can be considered, either as stand-alone systems or in combination. Note that, in all cases, information security may not own these systems, nor is it responsible for applying patches (that is an IT operations job), but it should have input into the strategy or strategies adopted.

1. Standardise software, lock devices down and force upgrades

Use deployment tools built into operating systems or use applications to do this. The trade-off between disruption to business operations and the time required to apply updates needs to be considered, however.

2. Outsource

Make sure patch management (and the time to do it) is part of outsourced IT provision or of any service contract.

3. Use the cloud

The cloud may offer a realistic way to manage updates and patches. With instances being provisioned according to demand, cloud providers can create builds and deploy them when required.


As instances are terminated, old builds can be removed from the service very quickly. The cloud provider will have to have a very good identify-test-pilot-deploy process, but that is something that can be requested and examined both before buying and when using the cloud service.

4. Go BYOD

If your users bring their own devices (BYOD), then it is up to them to upgrade/patch them. Make it part of the acceptable use policy (AUP) or employment contract and educate users so they do it.

5. Risk assessment

Focus on data, applications, systems and devices that are critical to your business or that handle sensitive (including personal) information. Use a risk assessment to decide what is critical and then patch the critical data, applications, systems and devices as a matter of priority.

6. Use 802.1x, network access control and quarantine

Treat any device that connects to your network as untrusted. Check devices as they connect to your network and if they are not running the latest (or approved) software, do not allow them access to the network. Instead, direct them to a network where the only option is to upgrade or patch software.
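A worked illustration of the quarantine decision described above, added here and not part of the original article: every connecting device is untrusted until it proves it runs approved software, and anything that cannot prove it (no posture report, unknown platform, unparseable or outdated version) lands on a remediation VLAN. The baseline versions and VLAN ids are constructed placeholders, not real policy values.

```python
"""Posture-based NAC decision for an 802.1x port: allow, quarantine or deny."""
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed baseline: minimum approved OS version per platform family.
# A real deployment would pull this from the NAC/MDM policy store.
APPROVED_BASELINE = {
    "windows": (10, 0, 19045),
    "macos": (13, 6, 0),
    "ubuntu": (22, 4, 0),
}

PRODUCTION_VLAN = 100   # placeholder: normal corporate network
QUARANTINE_VLAN = 999   # placeholder: remediation network, update servers only


@dataclass
class DevicePosture:
    authenticated: bool           # 802.1x (EAP) authentication succeeded
    os_family: Optional[str]      # None when the posture agent reported nothing
    os_version: Optional[str]     # e.g. "10.0.19045" or "22.04"


def parse_version(text: str) -> Tuple[int, int, int]:
    """'13.6' -> (13, 6, 0); pad to three components so tuples compare cleanly."""
    parts = []
    for piece in text.split("."):
        if not piece.isdigit():
            raise ValueError(f"unexpected version component: {piece!r}")
        parts.append(int(piece))
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def decide_vlan(posture: DevicePosture) -> Tuple[Optional[int], str]:
    """Return (vlan_id, reason); None means no network access at all."""
    if not posture.authenticated:
        return None, "802.1x authentication failed: port stays closed"
    if posture.os_family is None or posture.os_version is None:
        return QUARANTINE_VLAN, "no posture report: treated as untrusted"
    minimum = APPROVED_BASELINE.get(posture.os_family.lower())
    if minimum is None:
        return QUARANTINE_VLAN, f"unapproved platform: {posture.os_family}"
    try:
        current = parse_version(posture.os_version)
    except ValueError as exc:
        return QUARANTINE_VLAN, f"unparseable version: {exc}"
    if current < minimum:
        return QUARANTINE_VLAN, f"{posture.os_family} {posture.os_version} is below baseline"
    return PRODUCTION_VLAN, "compliant"
```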

As devices and applications evolve – and become more cloud-centric – organisations should be actively thinking about whether they want to perform patch management, or whether their resources could be directed to better use elsewhere.

Adrian Davis is managing director for Europe at (ISC)2.
