The change challenge
Strategy
All software is in a constant state of being patched, upgraded and patched again. For large organizations this can be a considerable headache. A mature approach to patch management requires a broader view of change management.
In the physical world, a change is often as good as a rest. In the software realm, however, change is often fraught with difficulties. Stability and simplicity are the goal of every IT manager, and yet software must be regularly updated with new security patches.
Managing patches can be a daunting task because of the number of dependencies in the average software infrastructure. Every time an application or operating system is altered, it affects many other components of a company’s network. “You have to be sensible about it. Every change has the potential to cause a problem,” warns Debbie Rosario, a former change manager at Marks & Spencer who heads up the service management practice for Compass Management Consultants.
Consequently, many larger companies are loath to implement patches as soon as they are released. Instead, they go through a testing and impact analysis phase to ensure that the patches will not adversely affect elements of their computing infrastructure, which could have an indirect effect on business processes.
Patch management
Patch management tools can help companies to coordinate software patches by assisting with impact assessment and deployment planning. Mark Nicolett, research director at Gartner Group, identifies three major classes of patch management product. The first consists of point solutions designed purely to handle this task. The second is software distribution tools that generally manage software deployment and upgrades within an organization. These tools have begun to include patch management facilities as part of a broader feature set. Finally, vendors of operating systems and application software will provide their own patch management utilities.
Both the point solutions and the software distribution tools will have automated patch analysis and packaging, along with some method of grouping systems and patches to control the installation, explains Nicolett. “To this day, while some of the software distribution vendors provide patch management on paper, it's less usable than some of the point solution guys,” he warns. “There are still differences in the speed of reporting, deployment, and usability.”
While software distribution vendors build out their patch management features, vendors of dedicated patch management products are now expanding into other areas such as security configuration. However, purchasing a broader solution that doesn't just focus on patch management has some advantages, argues Nicolett. “Many of the software distribution vendors have a suite approach, or have an asset inventory as part of the capability. The more functions you buy from that vendor then the more encompassing that inventory is,” he says.
The same is true in most regions worldwide. In the US, an IBM survey found that ensuring business continuity and resilience was one of the top three objectives for organizations in information technology, after aligning IT investments with business objectives and increasing automation.
The bigger picture
This becomes important for companies wishing to approach patch management as part of a wider change management strategy. Change management is a central tenet of IT services management as defined by the IT Infrastructure Library (ITIL), a set of best practice recommendations covering aspects of IT service governance including configuration management, release management and service desk operation. A robust asset database encompassing configuration information is a valuable tool in supporting a change management strategy.
But a database alone may not be enough. “Taking testing as far as you can is important. Make sure that if you're applying patches, you take advantage of any market intelligence out there – and there is lots of intelligence,” says Rosario, adding that the list of prerequisites for any software patch deployment should be readily available. “Make sure you take advantage of any notices posted about impacts suffered previously,” she said, adding that a sensible company will give itself time to back out of a change in the event of any problems.
Ultimately, intelligent patch management relies on a mixture of planning, thorough testing, and background research to ensure that a company does not run foul of any system incompatibilities. Given the speed with which vendors release patches to resolve issues such as security flaws, the integrity of a patch within a wider computing infrastructure can never be taken for granted. When it comes to updating software code, a stitch in time really can save nine.