Maksim Kabakou - Fotolia
It is fair to say that the old model of centralised patching and its associated processes are becoming less effective than they were in the past (if they ever really were).
With a number of suppliers using the upgrade/replace method rather than patching, it is much more difficult to follow the process of identify-test-pilot-deploy-force (or a variation thereof) that has been commonly followed and automated.
There are a number of patch management strategies that can be considered, either as stand-alone systems or in combination. Note that, in all cases, information security may not own these systems, nor are they responsible for applying patches (that is an IT operations job); but they should have input into the strategy or strategies adopted.
1. Standardise software, lock devices down and force upgrades
Use deployment tools built into operating systems or use applications to do this. The trade-off between disruption to business operations and the time required to apply updates needs to be considered, however.
Make sure patch management (and the time to do it) is part of outsourced IT provision or of any service contract.
3. Use the cloud
The cloud may offer a realistic way to manage updates and patches. With instances being provisioned according to demand, cloud providers can create builds and deploy them when required.
Read more from Computer Weekly’s Security Think Tank about the importance of software patching
As instances are terminated, old builds can be removed from the service very quickly. The cloud provider will have to have a very good identify-test-pilot-deploy process, but that is something that can be requested and examined both before buying and when using the cloud service.
4. Go BYOD
5. Risk assessment
Focus on data, applications, systems and devices that are critical to your business or that handle sensitive (including personal) information. Use a risk assessment to decide what is critical and then patch the critical data, applications, systems and devices as a matter of priority.
Treat any device that connects to your network as untrusted. Check devices as they connect to your network and if they are not running the latest (or approved) software, do not allow them access to the network. Instead, direct them to a network where the only option is to upgrade or patch software.
As devices and applications evolve – and become more cloud-centric – organisations should be actively thinking about whether they want to perform patch management, or whether their resources could be directed to better use elsewhere.