Why Patch Tuesday need not be a monthly headache

For many IT professionals, the first Tuesday of each month represents a busy day, or rather, the beginning of a busy few days. But should that really be the case?
18 November 2020

For many IT professionals, the first Tuesday of each month represents a busy day, or rather, the beginning of a busy few days. Patch Tuesday, as it’s become known, is when several large technology vendors release software updates that address the security flaws that have been discovered in the previous four weeks or so.

Initially started by Microsoft, several other companies use the same day to announce and release their updates: among them, SAP, Adobe, and Oracle. The resulting installation of code to shore up security holes can cause network-wide slowdowns, lost working hours, and a not inconsiderable number of lost hours’ sleep by those tasked with keeping the technological wheels of industry turning smoothly.

On the most recent Patch Tuesday, Microsoft’s most notable new desktop arrival, the Edge browser, required patching, which may well be the sign of things to come: its Chromium underpinnings are well-known to be complicated and have many dozens of dependencies, all of which have their own update cadences. That could spell potential problems for companies that use Edge to connect to cloud services — watch this space.

New software’s security flaws notwithstanding, Microsoft’s undertaking each month is impressive when considering the number of products in the wild that emanate from Redmond: ARM-based versions of Windows, multiple server platforms, SQL instances, SharePoint, Exchange, 32- and 64-bit architectures; the list is varied enough to cover just about every area of modern and not-so-modern computing.

Almost every organization in the world is affected by Patch Tuesday as a result, and the resources required to keep treading water (in terms of security) by rolling out patches and updates are significant. Going over and above that base level of relative safety takes even more time and money, which, unfortunately, many organizations don’t possess. Many security breaches emanate from unpatched instances, so applying all updates should be a matter of course. The difficulty comes when updates cause applications and services to break!

On behalf of the harried IT Manager and the frustrated end-user waiting while Windows updates itself at the most inopportune moment alike, we ask: what can we do differently to make keeping safe easier (and significantly cheaper)?

Use the tools provided

A turning point in the growth of many organizations will have been when they stopped using a mish-mash of operating systems that happened to have been installed on the desktop at the point of purchase. Moving from a mixed environment of Windows Home and Pro, Windows 7, Vista, and ME to a formal licensing agreement for the OS from Microsoft (or a partner) cements the company’s legal standing in terms of legitimate, licensed software. It also gives IT administrators access to resources designed to help.

Automated tools like WSUS — essentially a free product as long as admins have a spare IIS and Microsoft Management Console box to hand — help alleviate network loads: updates and patches are downloaded once by the WSUS instance and distributed locally to each endpoint (or client). The solution doesn’t even require Active Directory to operate properly. All that’s required is a properly enterprise-licensed version of a supported Windows operating system.
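As an added illustration of the point that WSUS does not depend on Active Directory (example script, not part of the original article): a standalone or workgroup client can be pointed at a WSUS server by writing the same Local Policy registry values a Group Policy object would set. The server URL is a placeholder, and the script assumes an elevated PowerShell session on the client.

```powershell
# Added example: configure a non-domain Windows client to fetch updates from WSUS.
# The server name and port are placeholders; replace them with your own WSUS instance.
$WsusUrl = 'http://wsus.example.internal:8530'

$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = Join-Path $wuKey 'AU'

# Create the policy keys if Local Policy has never written them on this machine
foreach ($key in @($wuKey, $auKey)) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
}

# Intranet update server and the server that receives client status reports
Set-ItemProperty -Path $wuKey -Name 'WUServer'       -Value $WsusUrl -Type String
Set-ItemProperty -Path $wuKey -Name 'WUStatusServer' -Value $WsusUrl -Type String

# Tell Automatic Updates to use the intranet server rather than Microsoft Update
Set-ItemProperty -Path $auKey -Name 'UseWUServer'  -Value 1 -Type DWord
# AUOptions 4 = download automatically and install on the scheduled day/time
Set-ItemProperty -Path $auKey -Name 'AUOptions'     -Value 4 -Type DWord
# Keep Automatic Updates enabled
Set-ItemProperty -Path $auKey -Name 'NoAutoUpdate'  -Value 0 -Type DWord

# Restart the Windows Update service so it picks up the new policy,
# then read the values back as a quick sanity check
Restart-Service -Name wuauserv
Get-ItemProperty -Path $wuKey | Select-Object WUServer, WUStatusServer
Get-ItemProperty -Path $auKey | Select-Object UseWUServer, AUOptions, NoAutoUpdate
```

The client should appear in the WSUS console after its next detection cycle; the approval and distribution of patches then happen on the WSUS side, with each update downloaded from Microsoft only once.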

Outsource the problem areas

Another option considered by many takes advantage of the increasing power of remote computing resources and the fast networks that connect to the cloud. Virtualizing desktop environments is a concept as old as computing itself, but one that has not been used a great deal over the last twenty years or so. That’s down to many factors, the dominating one being the relative cheapness of hardware that could run applications locally. In the XaaS age, having a powerhouse on one’s desk often isn’t necessary.

As well as putting the onus of desktop security onto a third party that can be bound by KPIs and other contractual obligations, end-users can be equipped with relatively cheap hardware that only needs to be able to display what’s being processed elsewhere. Perhaps the 2020s will become the decade of the new-style thin client?

To ensure that the headache of security issues isn’t replaced by poor service problems, careful planning and partner choice are necessary, naturally enough. We suggest starting with the security policies and performance metrics of prospective providers. These should be freely offered, and if they are not, move on to a provider that does offer them.

Migrate software away

For cybersecurity experts, the term “industry standard” when used about software platforms in particular often means “the biggest target.” Moving away from the most common software platforms can offer a degree of protection by dint of relative obscurity. While no piece of software (or hardware) is immune from attack or inherent security flaws, if an organization offers a less enticing target than its competitors, it may well escape a great deal of unpleasant attention.

Increasingly, file formats and platforms that were once locked-in and proprietary have had to open up to be more broadly compatible with other vendors’ solutions. It’s worth considering these on a platform-by-platform basis.

Interoperability offers multiple options: from office suites to graphics formats, web servers to software firewalls, SQL servers to virtualization techniques. The de facto choice for many of these technology types is often established not by the inherent technical solidity or usefulness of any solution but by the resources thrown behind the solution’s marketing team. Looking beyond the first solution that jumps to the front of one’s mind can pay dividends.

In many cases, organizations can not only save themselves significant resources by avoiding the security issues that dog the common herd but also escape from expensive license agreements that for a long time seem to have been considered a necessary evil. The cost of licenses can be re-assigned to purposes that are in the organization’s own interest rather than in the interest of the vendor’s shareholders.