Arraya Insights | June 29, 2017
IT has had a long and sordid history with patching. From servers to desktops, Windows to Linux, it is the fear and bane of the IT administrator’s existence. A delicate balance has been struck between the risk of not patching and using third party tools to address security issues, but as the recent WannaCry and Petya attacks prove, patching is no longer an option and hackers might not be using perimeter attacks to infiltrate your network anymore.
Patching is just a solid and basic strategy, but both IT and the business have been burned with outages and application issues. These issues aren’t insurmountable though. Let’s take a look at some reasons IT has stopped patching (or worse stopped staying up to date) and how this is indicative of a cultural problem that is preventing innovation.
In the beginning
Since computers have been connected to each other (or had the opportunity to connect – see War Games, 1983), security has been a concern. Not only did firewalls go up, but Microsoft started learning that patching was critical to having a PC on every desk. The operating system needed to be secure. Starting with Windows 98, Microsoft introduced Windows update to help distribute patches. By 2003, they started Patch Tuesday – the second Tuesday of the month when patches would be released.
Something happened between 1998 and 2003 though – namely Windows 2000 and Windows 2003 server was introduced. This period brought two types of back office software into businesses – vendor written software to run the business and custom code written to fill the gaps that the business needed. From 2005 through 2009, these niche software companies shut down and businesses decided to lay off developers.
Here’s where patching problems started.
My application isn’t working, what did you do?
As time went on, it became clear that patching was critical for not only security, but basic maintenance. Companies wanted to reduce the risk of getting hit with an exploit, but it went beyond that. In 2007, the US government changed Daylight Savings Time, requiring a very specific path (and order of patching) for Microsoft systems.
At this point, patching strategies were fragmented. Some were using WSUS, others using System Center, still others using third party patch management solutions. These were all great for pushing out patches, but left something to be desired because they didn’t solve the main problem, which wasn’t patch distribution. Companies didn’t build a good methodology for patching.
And so, patches went out shortly after Patch Tuesday, maybe they were tested, maybe not and then things started breaking. Both niche vendor software and in-house developed software broke.
After the users would complain about the software breaking, two responses were given by management – “that company is out of business” or “we fired the guy who wrote that.” Both responses were followed with, “just make it work!”
At this point, patching either fell away because IT couldn’t make the argument it was critical when it was taking users offline or IT did it, but very cautiously.
The saga continues with modernization
With the introduction of Internet Explorer 10 with Windows 8, another problem surfaced – legacy web applications. IT had to pause the rollout of patches AND entire operating systems now because these applications, without support still, were incompatible. Here is where modernization goes to die.
As time has gone on, Microsoft has attempted to integrate more and more security into the operating system and the browser, but companies have allowed legacy applications to linger. This has led to a worsening situation within IT to support newer hardware and more secure end user computing environments while attempting to balance legacy applications.
Many IT shops struggle with this issue. It is less expensive, in fact it saves money, to run your end user computing environment out as long as possible. The argument to update is a non-starter with executives.
Here is where we are today. Legacy applications holding modern operating systems hostage, but the story doesn’t end there. This is causing a much larger issue within your business that you might not be aware of – namely, all of this is impacting your ability to innovate!
Your ability to patch affects the ability to innovate
Believe it or not, your strategy around patching and operating system upgrades directly impacts your ability to innovate. In today’s cloud first, mobile first world, technology is intersecting with employees and customers in new ways. The legacy applications that have been holding you back from patching and upgrading are also holding you back from moving forward.
Consider your competition. They are likely checking out ways to leverage technology to reach out and give customers a unique experience or build additional revenue streams. You simply cannot do this without having the basic building blocks of a modern IT infrastructure and end user computing environment. From the keyboard to the internet, your IT needs to run efficiently and fast – speed, but with control.
As painful as it is, it is time to start to start modernizing those applications and get your IT humming again so they can focus on bringing innovation back to the business.
How Arraya can help!
Arraya can help in a number of ways. We can bring standardization and simplification to your IT operations, enabling you to build the foundation for innovation. If you are stuck on a legacy operating system, we can help upgrade and ensure those legacy applications work until you can migrate. Lastly, if you want to develop a patch strategy, implement a patching solution or even offload your patching, Arraya can take on all of those challenges.