Patching as Resilience

This seems to be a revolutionary idea, as it seems that I am always having to argue this: Patching is an absolute MUST! When I manage IT operations and vulnerability management, I patch continuously. What does that mean? Patch Tuesday comes along? I patch immediately. There’s a new patch for Pulse Secure VPN appliances? I patch immediately. I have patch management systems implement workstation patches daily. It could be a patch from Microsoft, LogMeIn, Adobe Reader, Firefox, Chrome, Java, WinZip, or any other commonly patched program. Daily.

So why are people afraid of patching? Mostly for two reasons, both associated with fragility:

  1. Critical systems are left unpatched by many organizations because they are considered too fragile or risky to patch. When downtime could cost millions, companies leave the systems in the same state for a decade. A SQL Server patch might break an application. A security patch may break the way an application uses an old version of SSL. Patch avoidance avoids the consequences.
  2. Administrators have all experienced that rogue patch that kills a server. Install a patch and the Exchange Server transport service refuses to start. Install a patch and the domain controllers won’t boot. You get the idea.

The fragility is real, and the risk is real, but so is the threat of attack against unpatched (vulnerable) systems.

I approach patching as an exercise in resilience. Your business needs to plan for patching, plan to recover quickly from bad patches, and plan redundancy to maintain system availability during patching. These are critical core skills for your organization. If you are unable to design for resilience in order to patch during business operations, how is your business going to deal with a server failure, site failure, ransomware attack, or bad code deployment? Your business depends on you to plan your infrastructure in a way that lets you patch during production and recover from bad patches during production without skipping a beat.

Published by artocain
