Keeping off-network machines up-to-date…is it an impossible problem for IT?

One question that often comes up when we are out talking to IT administrators and IT executives is “Is patch management a solved problem?” On the surface it seems like this is the case, but as computing evolves, we have seen the challenges of patch management evolve right along with it.

Shavlik Systems Engineer John Rush and I sat down last week to discuss one of these newer challenges in patch management – how do we keep off-network machines up-to-date?

“For customers I talk to the biggest issue they have for patch management is that most of the tools out there require you to be connected to the network to get your patching done. That’s just not realistic,” Rush said.

Is this a new problem brought on by the proliferation of cloud-based applications and BYOD?

“It’s been a problem for a number of years now. Take the Shavlik team, for example: we exclusively use SaaS-based tools in our sales team, like Concur, Salesforce, etc., so employees in the field never have to connect to our network,” Rush explained.

“In the old days, we had to VPN in to get email. Everyone had to be connected, but today, they never have to connect to the VPN. They are doing everything from their own laptops, and some are doing it from their iPads. The world has changed with respect to connectivity.”

With that change, IT is left with lots of questions about these off-network machines.

  • What’s being installed?
  • What versions are out there?
  • Is it time for a hardware refresh?
  • Are these machines lacking patches that make them vulnerable?

Rush added, “Today’s world no longer conforms to a Visio diagram. We are connected to the internet, but we are not connected to the corporate network.”


How can we solve it?

As an industry we need to build tools for managing machines in the wild, let those machines and their users become self-sufficient when it comes to things like patch management and asset inventory, and then provide a mechanism to report that data back to corporate.

Shavlik addresses this problem with the Protect Cloud. The Protect Cloud is a cloud-enabled patch service that aggregates, analyzes, and distributes patch data and associated deployment policies over the Internet. This service is used to send patch data to your Protect console, but that is just the beginning.

The Protect Agent can be installed on off-network machines and configured for use with the Protect Cloud. So long as the machine connects to the internet (whether on or off the corporate network), the Protect Agent communicates with the Protect Cloud to receive patch and policy updates and to return update status to the Protect console. This means that, without additional infrastructure, IT can ensure that off-network machines are patched and monitored in the same manner as the PCs that sit inside the firewall.

Protect Cloud Diagram

“Before The Protect Cloud we had to have a box outside in the DMZ, and we had to open up ports. Now, with this technology, we have business as usual for everybody; the only difference is the Protect Cloud,” Rush said.


How does the Protect Cloud work with the Protect Agent?

Protect Agents that are configured to use the Protect Cloud can receive updates via the console if they are on-network or via the cloud if they are off-network.

Here’s how it works.

  • The Protect Console uses a secure connection to push agent policy information to the Protect Cloud.
  • At its next scheduled check-in time, each remote agent first attempts to check in directly with the console.
  • If it cannot reach the console, it performs the check-in via the cloud.
  • The agents use a secure connection to the cloud service to report the same information they would have reported to the console (e.g. scan results, threat information, etc.).
  • The cloud stores the uploaded agent results until the console retrieves that data.
  • Agents download and apply any new policy updates that were pushed to the cloud from the console.
  • The console retrieves the agent data from the cloud. This happens several times every hour.

Scan engines and XML data are not a part of the cloud synchronization process. Agents receive updated engines and XML data from either the console or the vendor websites.
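The following is an added illustration, not Shavlik’s code: a small Python simulation of the console-first, cloud-fallback check-in described in the steps above. The classes (Console, CloudRelay, Agent), the policy and engine version numbers, and the sample scan result are all hypothetical. It also models the caveat in the previous paragraph: engine updates only arrive on the direct console path, never through the cloud relay, which only stores and forwards policy and results.

```python
"""Hypothetical simulation of the console-first, cloud-fallback agent
check-in flow.  The classes below are an illustration written for this
post, not Shavlik's code.  'Secure connection' in the text means TLS in
practice; here the transports are plain method calls."""
from dataclasses import dataclass


@dataclass
class Policy:
    version: int
    settings: dict


class CloudRelay:
    """Store-and-forward relay between console and off-network agents."""

    def __init__(self):
        self.policy = None            # latest policy pushed by the console
        self.pending_results = []     # agent uploads awaiting console pickup

    def publish_policy(self, policy):
        self.policy = policy

    def upload_results(self, agent_id, results):
        self.pending_results.append((agent_id, results))

    def drain_results(self):
        drained, self.pending_results = self.pending_results, []
        return drained


class Console:
    def __init__(self, policy, engine_version):
        self.policy = policy
        self.engine_version = engine_version
        self.received = {}            # agent_id -> most recent results

    def push_policy_to_cloud(self, cloud):
        # Step 1: policy goes to the cloud ahead of any agent check-in.
        cloud.publish_policy(self.policy)

    def accept_results(self, agent_id, results):
        self.received[agent_id] = results

    def retrieve_from_cloud(self, cloud):
        # Step 7: console polls the cloud; returns how many uploads it pulled.
        pulled = cloud.drain_results()
        for agent_id, results in pulled:
            self.accept_results(agent_id, results)
        return len(pulled)


class Agent:
    def __init__(self, agent_id, policy_version, engine_version):
        self.agent_id = agent_id
        self.policy_version = policy_version
        self.engine_version = engine_version

    def scan(self):
        # Constructed sample result; a real scan would list missing patches.
        return {"policy_version": self.policy_version,
                "missing_patches": ["KB-PLACEHOLDER-1"]}

    def check_in(self, console, cloud, console_reachable):
        results = self.scan()
        if console_reachable:
            # Step 2: direct check-in.  Engine/XML updates come from the
            # console (or vendor sites), never through the cloud relay.
            path = "console"
            console.accept_results(self.agent_id, results)
            offered = console.policy
            self.engine_version = console.engine_version
        else:
            # Steps 3-5: fall back to the cloud and report the same data
            # there; the relay buffers it until the console polls.
            path = "cloud"
            cloud.upload_results(self.agent_id, results)
            offered = cloud.policy
        # Step 6: apply any newer policy found on whichever side was reached.
        applied = offered is not None and offered.version > self.policy_version
        if applied:
            self.policy_version = offered.version
        return {"path": path, "policy_applied": applied,
                "policy_version": self.policy_version}


def run_scenario():
    """One roaming and one on-site agent, then a console poll of the cloud."""
    cloud = CloudRelay()
    console = Console(Policy(version=3, settings={"scan": "daily"}), "engine-2")
    console.push_policy_to_cloud(cloud)
    roaming = Agent("laptop-01", policy_version=2, engine_version="engine-1")
    onsite = Agent("desktop-07", policy_version=2, engine_version="engine-1")
    roaming_result = roaming.check_in(console, cloud, console_reachable=False)
    onsite_result = onsite.check_in(console, cloud, console_reachable=True)
    seen_before_poll = sorted(console.received)
    pulled = console.retrieve_from_cloud(cloud)
    return {
        "roaming": roaming_result,
        "onsite": onsite_result,
        "seen_before_poll": seen_before_poll,
        "pulled_from_cloud": pulled,
        "seen_after_poll": sorted(console.received),
        "roaming_engine": roaming.engine_version,
        "onsite_engine": onsite.engine_version,
        "cloud_backlog": len(cloud.pending_results),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Running `run_scenario()` shows the roaming laptop picking up policy version 3 through the cloud while its scan results sit in the relay until the console’s next poll, after which the console knows about both machines; the laptop’s engine version is unchanged because engines are not part of the cloud synchronization.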

Agent Check In Via the Cloud

Check out the video, “Introduction to Protect Cloud” at http://www.shavlik.com/support/training-videos/, to learn more about how the Protect Cloud works and how to configure agents to use the cloud service.


How can I get this?

This capability was introduced in Shavlik Protect 9.0 as part of the Standard, Advanced, and Government editions. All customers running 9.0 have access to it, and those who are on earlier versions of Protect can upgrade to 9.0 at no cost. Learn more about upgrading Protect here: http://www.shavlik.com/downloads/ug-prt-9-0.pdf


Public Cloud? No Problem With Shavlik Protect 9.0

Last week one of our Sales Engineers took the new Cloud Agent feature of Protect 9.0 for a spin. Within minutes he had registered and installed Agents on several servers he had spun up in Amazon’s Public Cloud. From the same console he uses to demo network discovery and agentless scan and deployment, he also manages the agents covering servers outside the network. All of this without introducing new security risks on the network. Once again, this shows that there can be simple ways to support and manage machines no matter where they may reside.

Shavlik Protect 9.0 is currently available as an early access release. For more details you can contact us at Protect-Help@Shavlik.com. Also take a look at some upcoming webinars covering the official product launch on May 15th. The “Introducing Shavlik Protect 9.0” webinar will discuss the new features in a demonstration geared toward new customers. The “Upgrading to Shavlik Protect 9.0” webinar will discuss the upgrade path and things that current customers will want to know about behavioral changes, etc.


AUTOMATIC Home Office and Small Business Patching

Every few weeks, we get an email from a small business or home user with a handful of machines they want to make sure are patched. It’s awesome to see everyone care about patching, but implementing a routine patching plan is sometimes a tough thing to do. The emails we see always say something to the effect of:

  1. Patching isn’t fun, but I know it needs to get done.
  2. How do I do it in a non-intrusive way?

After thinking about this issue for quite some time, we now have a great answer. On Tuesday this week, we’ll be announcing the release of IT.Shavlik’s Site Manager. Site Manager is designed for the small-office IT administrator or home user who wants to patch, but does not want to have to log into the IT.Shavlik site to scan and deploy patches. We automate the entire process for you using your existing IT.Shavlik credentials.

The concept of Site Manager is simple: set it and forget it. You download the patching app once, set it up on one computer in your office, and Site Manager takes over. Site Manager finds the machines it can scan on your network, you set a time for those machines to be scanned, and when that time arrives it scans all the selected machines and patches them for you automatically. If you want to view the results, they can be retrieved online using your IT.Shavlik account or, in a forthcoming release, delivered to you.

No longer do small businesses have to think about patching; you’re a few clicks away from automating the process. Get started by registering via the “Join IT Now” button on IT.Shavlik at http://it.shavlik.com and clicking “Forget IT”.

When does the cloud make sense?

If you talk with many small to medium sized businesses (SMBs) about virtualization, unless they are a high-tech company many of them will tilt their heads sideways and give you a “huh?” response. The technology, although now mainstream at high-tech companies and enterprises, is still facing an adoption curve as it moves down into the SMB market. Not surprisingly, the “cloud” debate seems to be taking a path of a different sort, starting with those SMBs who are choosing to skip virtualization altogether and head straight for the cloud.

I was reading some articles recently and came across one on Redmondmag.com entitled “Survey: Cloud Benefits Not Clearly Defined”, written by Keith Ward (10/14/2010: http://redmondmag.com/articles/2010/10/14/cloud-benefits-not-clearly-defined.aspx), which discussed the value proposition of the cloud and cited a Hubspan survey that found a shockingly large number of businesses still trying to rationalize the cloud. As he stated, the blog entry from Hubspan went on to say that perhaps the problem is that we are supplying so much information about the cloud that “it’s sometimes hard to break through the noise.” A great observation. Keith Ward continues on to describe the fact that those companies that provide their software via the cloud need to do a better job of explaining why the cloud makes sense. Again, a point I agree with wholeheartedly.

So now, let’s talk about why the cloud makes sense. There are a few reasons that we’ve heard loud and clear from our loyal base of a few thousand IT administrators, and two main scenarios that I hear time and time again:

  • I’m an SMB that hasn’t done much with virtualization, but we need to find a way to roll more applications out. At the same time, the amount of infrastructure we manage is overwhelming. We need to not have to manage so much.
  • I’m a bigger company with an IT department serving many departments that require different applications and levels of lifecycle management. To manage them all through my department would be the end of me.

Sure, there are countless other, more specific scenarios, but when you look at it objectively, I’m seeing lots of SMBs leap-frogging virtualization and going straight to the cloud, and the bigger organizations are doing it to manage diverging requests where virtualization would mean massive VM sprawl across the organization, so it’s easier to do it in the cloud. If one of these two scenarios fits your mold, perhaps it’s time you gave it a look.

Even with these two value scenarios, I have to tell you the author of this article is dead-on. Those of us who offer cloud applications or onboarding to the cloud need to be more explicit in delivering our value proposition. The cloud isn’t the panacea of IT; it’s merely a distribution mechanism for computing that lets us manage less of our own equipment and processes by virtue of attaching to someone else’s world-class systems.