As a reasonably accomplished technical person it started to bother me this past weekend that I’m just too accepting of the plethora of updates heading my way across the numerous devices I own. In particular what struck me is that I’m so weary from being prompted all the time that I just accept them without reading most of what they do.
Initially I’d take the time to read all the update information provided for each patch for each and every application and platform update but now, as a consumer, I find I just don’t have the time. Quite frankly, does anyone with children and a full-time job have that kind of time?
On a daily basis I’m inundated with patches from at least 2 of my many devices, including my Blu-ray player, television, multiple iOS-based iThings, my Mac and, of course, my family’s Windows Phones and Windows-based computers.
I’m starting to think patch Tuesdays make way more sense than being bugged continually and randomly all the time. What must an average consumer feel like? They just want their stuff to work after all!
As I think more about the problem and its wider impact, there are some pretty compelling issues to deal with. After all, if nearly the whole world is outsourcing their updates to vendors, then when will corporates and enterprises find themselves in a similar situation?
While it might well sound naïve to be talking about outsourcing updating to vendors, in most cases we already do. What we don’t outsource is compatibility testing and making smart choices about which patches/updates affect us and what to implement. However, if we feel they apply to our needs we implement them, usually without looking further than the list of improvements.
The biggest cloud services we don’t see (or rather don’t realize actually are cloud services) are the update services we depend on. Whether that is Windows Update, Marketplace, Xbox Live, Apple’s App Store updates, antivirus and anti-malware updates or just automated updates from popular application vendors, the sheer scale of what they do is remarkable. Consider just how many Windows-based systems are out there, and consider that many of them are being updated more than once a month from a central service, and you start to understand just how incredibly huge that is. Add updates for Apple, Samsung, HTC, Dell, Lenovo, HP, Adobe etc. and the scale hits the stratosphere. It seems so much greater than just cloud that we’d probably need to name it something else, like Sky!
Now add some additional complexity into the mix.
Consider that hundreds of millions of devices are being updated almost daily and that many of them are running twenty or more different applications with a plethora of different devices attached, and yet we rarely hear much about devices being bricked or rendered unusable. Consider that some of these systems have been rooted, jailbroken, or had their interfaces changed by applications that dig a little deeper down into the core operating and system files than they should, and many are infested by malware of some sort or another, and somehow all of them keep on ticking! Yes, occasionally bad things happen, but generally not at the type of scale that causes mass systems failures across the planet.
To add to that, consider the trend we’re seeing for more and more users wanting to make use of their various personal devices and device form factors, ranging from smartphones through slates to entire systems to do their work rather than using the company provided devices and a picture starts forming of a world where IT departments need to spend more time controlling information and security policies rather than simple software stacks and patches.
In essence the IT organizations are losing the war and, even more so, losing control of the patch world. It goes without saying that IT organizations do need to flex their muscles in order to ensure their end-to-end systems are reliable and sustainable enough to support the business needs. No retailer can live without their points of sale or online stores being up and actively processing transactions, but the mindset on how we maintain that seems to be shifting.
If my 11-year-old son can take charge of keeping his Xbox, iPod Touch, iPad, HTC Windows Phone and Windows PC up to date, all from reliable sources such as Windows Update, Marketplace, the Apple App Store and Xbox Live, then why do we need to bother about patches in enterprises?
Again, it’s a seemingly naïve question which usually results in a number of answers ranging from, “of course enterprises need to worry about patches because they can’t afford downtime,” to more reasoned-through arguments like, “we can’t migrate from Windows XP or IE6 because we know it breaks some of our line-of-business applications.” I could counter-argue and suggest those are problems from a different era, but for the sake of our sanity I’ll just suggest that outsourcing the patching problem appears to be the way the world is moving.
Perhaps we’re not there yet, but a lot has changed in a short time and I think IT shops need to spend more time thinking about services like Windows Intune and much more time thinking about how they influence governance and policies for information and security rather than assuming that locking everything down and only allowing in what they fully control is going to help them. The next employee that walks through the door wanting to connect his Droid to Exchange when all that your company does is support Blackberry should sound alarm bells. It is impossible to patch all systems and devices that walk through a company’s door and they are walking in whether you know it or not!
In a world where patching is easy it logically follows that security should be improving but somehow we have to find exactly the right mix of features, functionality and commitments to allow people to make the leap of faith necessary in their organizations. As time goes by I expect we’ll be ringing in the changes and as a result all of us in IT careers will finally be able to loosen the shackles a little and move on to more creative tasks than simply controlling the patches.
So what do you think? Am I being controversial for the sake of it, or am I simply pointing out that patching is becoming something even kids can do because backend vendors are getting better and better at the scale and complexity of it all?