Tips for Speedy and Safe Patch Deployment

Computerworld - Chances are good that the patch that will stop the next big Internet worm will have been made available before the worm creates havoc. So why are so many organizations not applying patches?
Some people suggest that software vendors provide insufficient information regarding patch availability and importance. Others say the problem is simply laziness on the part of IT. While possibly responsible for worm propagation among home users and smaller, less-skilled IT shops, these reasons don't sufficiently account for companies' struggle with patch management.
The fact is that awareness isn't enough. The decision to quickly deploy an untested patch is based on a complex set of criteria that varies by case and from one organization to another. Companies must measure the benefits of immediate deployment compared with potential costs -- disruption to the environment caused by the introduction of untested software patches.
Even though Microsoft has done a lot of work to improve the quality of patches, companies must still anticipate that a patch will break an application that is mission-critical -- and often, one that's not a Microsoft product. The sheer number of patches that are released makes such a disruption a possibility that can't be disregarded.
As a result, many organizations conclude that the costs of immediate deployment outweigh the benefits. An off-line machine is an off-line machine, whether it was rendered off-line by a malicious worm or a well-intentioned security patch.
The bottom line: Patches must be tested.
Testing Smarter
The best way for a company to reduce its exposure to vulnerabilities is to minimize the length of time from patch release to patch deployment. For large enterprises, the testing process occupies most of this time frame.
The success of testing patches is largely based on the existence of a managed environment. Three best practices for accomplishing a managed environment are standardization, virtualization and centralization.
Standardize. The single most important action that can ease testing (and eventual deployment) of patches is limiting the number of hardware platforms, operating systems and installed software. Limiting the number of configurations -- in other words, standardizing -- is a hallmark of a well-managed IT environment and reduces the extent of testing required. And it makes maintenance easier.
Take a large enterprise consisting of 50,000 clients. If these desktops are highly standardized and consist of three hardware configurations running one operating system and five core software applications, it may be possible to reduce the number of testable configurations to just three.
Each hardware platform, operating system and software application adds a great