Microsoft's release earlier this month of 13 patches has more than a few CIOs searching for a bottle of aspirin.
Two bottles, if you're a CIO with a large mobile workforce.
This patch release, which addresses issues in Windows, Internet Explorer, Exchange, Media Player, PowerPoint and Word, was the largest number of patches the software giant had released at once in more than a year. The sheer volume had IT departments scrambling to evaluate and deploy the patches. And few deployments were without incident. In fact, within a few days, users started reporting that one of the patches was preventing them from using dial-up Internet connections.
But Tom Lenz, IT director of the accounting and business consulting firm Wipfli LLP, claimed to have had very little trouble deploying the critical patches on his systems.
That would not have been the case a few years ago, when Lenz was relying on Microsoft's Software Update Services to deploy patches to his company's employees. Seventy-five percent of Wipfli's 700 associates are laptop users who often work off site with clients outside the company's system. It was difficult to push patches out to those remote workers, and nearly impossible to know whether the patches were installed successfully.
He said his staff had to check machines manually to make sure they were up to date. The process was labor-intensive.
"We found it took quite a bit of care and feeding to operate effectively," Lenz said. "There was very little reporting."
However, Lenz took a new approach in May 2005. He purchased Endpoint Policy Management from iPass Inc., a Redwood Shores, Calif., mobile workforce solutions provider. The service interacts with most enterprise management systems to manage mobile devices. When a remote worker logs onto the Internet, Endpoint detects the device, assesses it and updates any outstanding patches and antivirus protocols.
Lenz says the improvement in his company's ability to distribute critical patches has been remarkable with the iPass solution. Prior to using Endpoint, Lenz estimates that only 30% of Wipfli's computers had every critical patch applied. "Now it's consistently 98%," he said.
Companies with complex IT environments and a large number of mobile and remote workers often find the deployment of software patches labor-intensive and incomplete.
Chris Christiansen, vice president of security products and services at IDC, said companies with complex environments and large mobile workforces need a sophisticated approach to patch management.
Christiansen said a company that has a limited number of mobile workers and a system that runs only Windows software can get by with more common approaches to patch management. But if a company is running software from multiple vendors, it needs a more robust solution, even if it is more costly.
"You have to get patches from multiple vendors, and they don't always come out at the same time," Christiansen said. "There might be a complex order that they must be loaded in, or they may have conflicts with other patches."
Lenz said using Endpoint Policy Management has allowed him to streamline his patch management operation, reducing the amount of time spent managing patches by 30%.
"We have IT staff in six of our 17 offices," Lenz said. "Previously at least one person from all six locations was involved in deploying patches. Now we have two people who share the load firm-wide. They deploy all the patches and monitor them."
The process of assessing and testing patches before distributing them has also improved, Lenz said.
"We meet every Wednesday, the patch management team, and go through each patch. We look at the rating, decide if we need to push it out or not. After that meeting we push all the patches that apply out to a test group of 30 people."
The test group of 30 people represents all the different business units and functions of the company so Lenz can see how each patch might affect different parts of his organization. If the test group goes a week without any problems, he then pushes the patch out to all employees.
"Before iPass, we had a smaller test group," Lenz said. "It was much smaller and not as representative of the company. It was only IT staff. We were not able to have all the functions of the firm represented, so we didn't have a good idea if we should expect issues when we pushed it out firm-wide."
Lenz said the biggest change for him has been the level of his confidence in his department's ability to push patches out consistently.
"When I'm reporting to my CEO that 98% of our machines are patched, I'm more confident. I feel better about that report."
Let us know what you think about the story; e-mail Shamus McGillicuddy, News Writer.