Lessons learned: NASA patch management

In little more than a year, NASA managed to deploy an automated patch management system that now covers more than 80,000 devices, about 94 percent of the space agency’s computers.

The result is what IT security officer Michael Castagna calls “a rather robust defense,” one that has reduced after-hours security alerts to systems administrators from a daily occurrence to once or twice a year. Along the way, Castagna and company learned a few lessons.

“First, understand your infrastructure,” he advised. That does not mean you have to be familiar with every device on the network, but you need to understand which systems are critical and what the vulnerabilities are.

Next, have sound policies in place—both for internal organizations and external organizations that connect with you—for how security patching is to be done. Then develop procedures to monitor and enforce those policies.

“Only after you’ve done those things should you begin evaluating tools,” Castagna said.

Once you’ve selected your tools, Mark Page, the enterprise architecture lead at Kennedy Space Center who spearheaded the NASA program, lists four things necessary for successful deployment.

First, get management support, at the CIO level if possible. “I could not have done the project if I did not have upper management support,” he said.

Next, be flexible and willing to compromise. Some mission-critical systems might not fit neatly into your patch management plans.

Also, understand contracts. “We sold the [patch management] product to our administrators as a monitoring tool,” Page said, because existing IT contracts allowed monitoring of systems without contract modifications.

And finally, don’t forget training. “Something I didn’t think about was turnover,” Page said. The average NASA employee “life span” is only about 18 months in many areas, and a lot of retraining was necessary.

“If you are going to do a project of this kind, you are going to have to build training into the budget on an ongoing basis,” Page said.