Microsoft used last week’s Ignite conference to lay out the architecture not only for its forthcoming Windows 10 overhaul but for the whole future of its software estate. Windows is to lose version numbers entirely, and for the majority of users patching will become a continuous process rather than a periodic one, delivered through something called Windows Update for Business (WUFB). Windows will become far more amorphous and organic, and its evolution will move forward more rapidly than before.
Undoubtedly Microsoft has decided to make Windows 10 the most compelling and defining piece of software it has produced since Windows first appeared nearly 30 years ago. But it will still be a massive cultural shift for the large number of organisations that depend on its software and a considerable adjustment for security teams.
We asked Ignite conference attendee Russ Ernst of Heat Software (recently formed through the merging of Lumension and FrontRange) for his thoughts on the demise of Patch Tuesday and the benefits of the new ring-based and distribution-window patching architecture.
Techworld: So if the regular Patch Tuesday cycle is being replaced for most with automatic patching from Windows 10 onwards, can you spell out the advantages of this new approach?
Ernst: The way I see it, Microsoft will be moving to a ‘ring’ approach. This means that organisations and users willing to take additional risk can sign up to the first ring of updates, but others can install updates on the second or third ring, when the other users have vetted them thoroughly. Essentially, it’s a best-of-both-worlds approach - 24/7 updates for organisations that already have a well-established patch management process, and for others regular scheduled patches not dissimilar to Patch Tuesday as we know it already.
Microsoft has always had a very strong and extended internal patch network which receives and tests patches before they are introduced to the masses via Patch Tuesday. The use of 24/7 updates simply extends this network, so that updates are immediately available to the entire Microsoft user base.
Techworld: Windows 7 and 8 won’t be on the same cycle so enterprises will have to contend with different versions of Windows on different patching cycles. Isn’t that adding to complexity in a way?
Ernst: It is adding to the complexity, yes, but it’s now easy to see why Microsoft is making Windows 10 free for business. This would fix the issue entirely, and gives organisations yet another reason to make the move to Windows 10.
Techworld: How do you think enterprises will react to this change? On the face of it, it makes Windows 10 look like a more attractive proposition.
Ernst: Microsoft’s decision follows a trend of 24/7 updates in other areas of IT, e.g. in the smartphone industry. As such, I think many smaller businesses will take up the chance to implement patches in the first ring, as they are already used to getting automatic updates.
Overall, I think implementation will be around 50/50. What will be interesting is the number of Fortune 500 companies that do so. Patch Tuesday created a rhythm for patch management, which will be missed by some IT teams. This goes double for large organisations, which may be reliant on a more regulated approach.
Organisations that have well established patch management processes in place will welcome the news, certainly. They will be used to having this kind of flexibility, and should be able to mix these more continual updates into their tiered deployments. The news may be something of a call to action for organisations that don’t have a patch management process in place too, and should hopefully raise awareness of third-party updates that are already released outside of Microsoft’s Patch Tuesday.
I think the change complements Windows 10 very well. Microsoft recently announced that it will be the last numbered version of Windows, and this approach to patch management follows the same kind of line. No more numbers, no more Patch Tuesday, just IT on demand.
Techworld: And are there any other disadvantages or wrinkles? Enterprises have already invested in their own cycles of testing and patching according to a pre-defined schedule so this is a culture change.
Ernst: I don’t expect a massive culture shock, since organisations can opt for the second or third rings and stick to regularly scheduled updates, as they had with Patch Tuesday. One wrinkle with this approach, however, is that organisations that don’t opt for updates as soon as they are available could be vulnerable to attack. Updates and vulnerabilities will be made public knowledge weeks before some organisations choose to patch their systems, giving hackers all the time they need to take action.
Techworld: One thing Windows 10 still doesn’t appear to have is a central patching function. Enterprises obviously have their own systems, but consumers will still have to look after non-Microsoft programs on their own, correct?
Ernst: Yes, the announcements at Ignite were, understandably, very Windows focused. The 24/7 Windows updates don’t solve the problem of updating third-party applications, and consumers are still on their own there, I’m afraid. Indeed, I’d say that the majority of organisations could be more responsive when it comes to third-party updates, and should invest more attention and resources on the issue at large.
Techworld: So how do Microsoft and Windows 10 compare to the patching approaches adopted by Google, Adobe, Mozilla and others? Those vendors have already adopted a similar idea, have they not?
Ernst: There are certainly similarities between what Microsoft is looking to do and what other tech giants have already implemented. Mozilla Firefox, for instance, has made attempts to be enterprise friendly, giving organisations a lot of choice about how they receive updates, with options that include a version with only security updates and another that receives all updates including new features.
Microsoft’s advantage is that it has always been very open and forthright about its updates, and its data is extremely well structured. It’s head and shoulders above the competition in this regard and should make every effort to stay that way as it moves to 24/7 patch management.
Techworld: It’s also interesting that Microsoft includes its mobile platform inside this continuous patching. Microsoft is correct that this is a weakness of Google’s Android.
Ernst: I agree that this is a weakness of Android. Unlike Microsoft, Google's Android platform doesn’t have a single, central update repository from which all updates are distributed. The fact that Microsoft can roll out updates across all devices, PC desktop, mobile, whatever, gives it the kind of advantage in the enterprise mobile space that Apple’s iOS has in the consumer space. Whether we’ll see this have an impact on consumer adoption of Windows mobile will be interesting to watch too.
Techworld: Do you have any thoughts about the other security design changes coming in Windows 10, for instance Device Guard whitelisting? Does Microsoft’s Windows 10 security story stack up?
Ernst: The question in my mind is whether Device Guard is the next-generation AppLocker. If so, and if it addresses some of the existing flaws, it could be the true realisation of application control.
Techworld: Standing back from Windows, where do enterprises stand on the larger themes of patching? From almost nothing a few years ago it now seems to be imposing huge stresses on organisations.
Ernst: I was extremely excited by the Ignite keynote. To see such a focus on security was refreshing. Likewise, I enjoyed seeing patch management front and centre for a change. There’s a place for detection and response in the security industry, of course there is, but when you dig into any successful attack, you’ll often find that it could have been avoided entirely in a patched environment.
With patch management, we’re seeing technology come full circle. It burst onto the scene a few years ago and is coming back in a big way after being ignored somewhat. What’s old is new again, and patch management has been given a breath of new life with the convergence of mobile and desktop. With this renewed attention, enterprise IT should take the opportunity to establish a repeatable patch process, including updates for third-party applications. With greater emphasis on patch automation, there should be less stress overall for organisations.