2022-01-17

In IT, we face a daily battle to avoid death by a thousand cuts. We can automate, script and control tens, hundreds or even thousands of devices in short order, yet we still face ever more pressure. The number of devices that have to be managed, the volume of security vulnerabilities going up every month, and all the patches to deploy can quickly feel overwhelming. The number of cyberattacks is trending to all-time highs, while support requests and problems to fix grow every day too.

Getting on top of things through planning ahead can help. The biggest job in 2022 will be keeping your systems in the right desired state. There are some big potential changes around your IT that you can manage more effectively to make the job of maintenance and security easier. You can also ensure users don’t go off and do their own thing around IT, which can increase the workload further. We all try to strike a balance between empowering employees and locking down, so whichever path you choose, here are some options to look for to make your job more efficient, employees happier and your company more secure.

Prevent users from upgrading operating systems without permission

Both Microsoft and Apple released major operating system updates in October 2021. Windows 11 and macOS Monterey both promised new features and performance, and early adopters may be keen to move to the new versions. If you let your users have administrator privileges on their machines to handle major and minor OS updates, this can be a problem.

While new operating system versions will be thoroughly tested before being released, there will always be teething problems. Letting others deploy and find those issues can be an effective way to avoid them. However, the biggest problem is normally compatibility between your existing applications and the new OS. If your employees rely on specific applications to work, testing them against the new OS will surface any compatibility issues in advance.

To give you time to carry out that testing, it is important to stop employees from carrying out their own updates prematurely. This is something that you can control centrally, using your directory and device management platform. When testing has been completed, and you are sure your applications are updated and compatible, then you can roll out the new operating system to your users. Essentially, you block the OS update until you have tested it, then remove the block when you are comfortable with it and allow users to carry out the install when they are ready.
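As an added illustration (not part of the original article, and not tied to any particular management platform), the following PowerShell pins Windows 10 devices to a chosen feature-update release using the Windows Update for Business policy values, so Windows Update will not offer Windows 11 until IT lifts the pin. It assumes Windows 10 devices and an elevated session; the release string '21H2' is an example value.

```powershell
# Added example: block a major OS upgrade until compatibility testing is done.
# Assumes Windows 10 and an elevated PowerShell session. The registry values
# mirror the Windows Update for Business policy "Select the target Feature
# Update version"; '21H2' below is an assumed example release.

$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Set-FeatureUpdatePin {
    param(
        [Parameter(Mandatory)] [string] $ProductVersion,   # e.g. 'Windows 10'
        [Parameter(Mandatory)] [string] $ReleaseVersion    # e.g. '21H2'
    )
    if (-not (Test-Path $PolicyPath)) {
        New-Item -Path $PolicyPath -Force | Out-Null
    }
    # TargetReleaseVersion = 1 enables the pin; the two strings say which release.
    New-ItemProperty -Path $PolicyPath -Name 'TargetReleaseVersion'     -PropertyType DWord  -Value 1               -Force | Out-Null
    New-ItemProperty -Path $PolicyPath -Name 'ProductVersion'           -PropertyType String -Value $ProductVersion -Force | Out-Null
    New-ItemProperty -Path $PolicyPath -Name 'TargetReleaseVersionInfo' -PropertyType String -Value $ReleaseVersion -Force | Out-Null
}

function Remove-FeatureUpdatePin {
    # Lift the block once application testing against the new OS is complete.
    foreach ($name in 'TargetReleaseVersion', 'ProductVersion', 'TargetReleaseVersionInfo') {
        Remove-ItemProperty -Path $PolicyPath -Name $name -ErrorAction SilentlyContinue
    }
}

function Get-FeatureUpdatePin {
    # Report the pin state next to the release the device is actually on, so a
    # fleet-wide run shows who is pinned and where each device currently sits.
    $current = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').DisplayVersion
    $policy  = Get-ItemProperty -Path $PolicyPath -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        CurrentRelease = $current
        PinEnabled     = ($policy.TargetReleaseVersion -eq 1)
        PinnedProduct  = $policy.ProductVersion
        PinnedRelease  = $policy.TargetReleaseVersionInfo
    }
}

Set-FeatureUpdatePin -ProductVersion 'Windows 10' -ReleaseVersion '21H2'
Get-FeatureUpdatePin
```

Run `Remove-FeatureUpdatePin` (or push the equivalent change through your device management platform) once testing is complete, and re-run `Get-FeatureUpdatePin` across the fleet to confirm the block has actually cleared.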

Once you have everybody on the right version of the OS, now it is time to move to the latest application versions so all your systems are up to date. Achieving this in practice means looking at how you automate rolling out patches and updates. Every day, new holes are discovered in applications - according to CVE Details, 18,325 issues were found in 2020 and a similar amount in 2021.

Each of these issues will vary in how serious a risk they pose and how widespread they are. Some - like flaws in Microsoft Windows - will affect the vast majority of user devices, while others will be specific to applications that are only used by a small percentage of employees. Some will be minor application faults or incredibly hard to exploit, while others will need immediate patching.

Tracking all this is a hard job. You won’t be affected by every issue that comes out, and not everything requires you to pull the metaphorical emergency cord. Where it gets tricky is making sure that everyone has all the right patches for their applications in place.

You can get ahead of this by knowing what applications, devices and operating systems employees have. Your device management component can display the OS versions for any assets that you have listed and manage updates being applied. Similarly, you can use asset management tools to tell you what assets are on the network and any applications that are installed on them. Ideally, you should consolidate all this data into one place so you can track users, application entitlements on devices and device status at the same time.
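As an added example (not from the original article, and assuming only Windows with PowerShell 5.1 or later, not any specific management or asset tool), this script gathers the OS build and the installed application versions of one device into a single record that a central inventory can ingest, which is the consolidation the paragraph above describes.

```powershell
# Added example: collect OS version and installed applications into one record
# for a central inventory. Assumes Windows and PowerShell 5.1+; no specific
# device management or asset management platform is assumed.

function Get-InstalledApplications {
    # Both the 64-bit and 32-bit Uninstall hives list installed software.
    $hives = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $hives -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Select-Object @{ n = 'Name';      e = { $_.DisplayName } },
                      @{ n = 'Version';   e = { $_.DisplayVersion } },
                      @{ n = 'Publisher'; e = { $_.Publisher } } |
        Sort-Object Name -Unique
}

function Get-DeviceInventory {
    # Device, user and OS details sit next to the application list so patch
    # status can be tracked per user and per device in one place.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        User         = "$env:USERDOMAIN\$env:USERNAME"
        OSName       = $os.Caption
        OSBuild      = $os.Version
        OSRelease    = $cv.DisplayVersion
        LastBoot     = $os.LastBootUpTime
        CollectedUtc = (Get-Date).ToUniversalTime()
        Applications = @(Get-InstalledApplications)
    }
}

# Export as JSON so the record can be shipped to whatever holds the inventory
# and compared against the patch baseline for each application.
Get-DeviceInventory | ConvertTo-Json -Depth 3 |
    Set-Content -Path "$env:TEMP\$env:COMPUTERNAME-inventory.json" -Encoding UTF8
```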

Using this platform, you can then automate the patching process to put any updates in place and ensure that you can continue to stay up to date. This is one of those jobs that is tough to manage, but it can provide the best defense against IT security risks.

Patching is a hugely important task for IT, and it can make a huge difference to overall security and efficiency. However, one of the biggest challenges to an effective patching process is user behavior. More specifically, users often refuse updates.

The logic here is understandable. After all, no-one wants to stop working on their tasks in order to carry out something that they don’t see as valuable to them. Applying patches can easily fall into that category, particularly if end users don’t understand how serious something can be.

The companies that design operating systems and applications do understand this - they will often allow users to pause or delay an update until it is convenient for the user. However, this then leads many users to hit ‘remind me later’ each and every time that update box pops up. If something can be delayed, it will be delayed.

For sysadmins, letting users control when patches or updates are deployed is necessary to keep employees happy. However, it is not a situation that can go on forever. Not only does it lead to potential security issues staying in place, it also increases the support burden when you have multiple versions of each application or operating system in place. Instead, putting a process in place to manage this is necessary.

The ideal here is to deliver an effective compromise for users and for the IT team, where updates can only be paused or delayed a set number of times before they are enforced. For example, with most application updates, you could set the total number of pauses to five reminders; after that, the update would be automatically deployed. This gives the user a chance to prepare and do this later, or decide to deploy the update.

Alongside this, you should also institute a communications policy for the company around updates. This should spell out how you will manage and enforce updates, and how you will categorize them over time. For instance, you can explain the approach around pausing updates and when they will be deployed, so that everyone has been informed about the process and can’t claim they were not aware of their role. You can also put together exceptions for this - a good example here would be urgent security updates, which might be enforced immediately once tested.

There may be other categories of applications in your organization too, such as applications that are critical to the business but that are outside support or have other specific circumstances to consider. As part of your communications strategy, work with users on finding any applications that will need more specific handling in advance.

Planning ahead

For any sysadmin, being on top of new updates and patches is a big part of the day job. Keeping these systems up to date helps security and support. However, taking this out of the world of theory and making it part of your practical processes every day involves more work to achieve the right results.

To achieve these goals, look at how you can automate your processes and scale them up. By consolidating your approach across users, device management and application entitlements, you can improve your efficiency by linking these processes together. This should be consistent across any and all devices, applications and assets that those employees have access to. Alongside this, your practical communications plan should be in place telling users about any changes coming up, as well as what will happen in the event of an unexpected risk.

By thinking ahead, you can make the process smoother and more efficient for everyone. IT can help everyone stay productive, but not at the expense of security.

Greg Armanini, Senior Director Product Management, JumpCloud