Why Some Data Centers Don't Patch—and Why Yours Should

By: Blair Felter on September 4, 2020

While they may not garner as many headlines as the latest cybersecurity solutions, software security patches are an incredibly important aspect of risk mitigation. Organizations that neglect patching their software leave themselves exposed to known threats that almost any attacker could learn to exploit after a simple internet search. In a complex environment like a data center, security patch management is a vital aspect of operations, although there are some factors that make it difficult for them to keep pace with the latest updates.

What are Security Patches?

As the name suggests, the primary purpose of a patch is to cover up a hole or gap of some kind. In the context of software, it is an adjustment made to the underlying code to eliminate bugs, errors, and potential vulnerabilities that could be exploited by hackers. Given the complexity of modern software coding, it’s practically inevitable that some exploit can be found if someone looks hard and long enough.

Why Patching Security Vulnerabilities is Essential

There are a few reasons why security patches have become a necessary component of IT management.

Combat Insecure Coding Practices

The push for faster development cycles and minimum viable products has forced many programmers to do whatever is necessary to write functional code for software applications very quickly. Unfortunately, this often means cutting corners when it comes to security and vulnerability testing. According to one study, as many as 30 percent of companies don’t even conduct vulnerability scanning during code development. Even worse, the shortcomings of many automated scanning tools mean that up to 80 percent of vulnerabilities are being overlooked when scanning is conducted.

Given that the typical software application can range from several thousand to several million lines of code, insecure coding practices can leave companies exposed to a broad range of threats. Security patches can address many of these vulnerabilities, especially if developers are quick to respond to problems once they’ve been identified.

Evolving Cyberattack Threats and Tactics

Hackers and other cybercriminals are constantly exploring new strategies for gaining access to secure data. Even if software developers comply with existing best practices and use the latest security precautions, malicious actors may develop new tactics and exploits that no one could have anticipated after the software actually launches. Just because a program is considered secure when it launches doesn’t mean it won’t be vulnerable in the future. Cybersecurity is not a static, one-time solution. It requires constant assessment and refinement in order to counter new attack strategies and previously unknown weaknesses.

By releasing regular security patches, developers can ensure that their software is continually adapting to new threats as they emerge. Security awareness needs to be woven into both the development process and the operational mindset of IT professionals and data center operators.

Reuse of Vulnerable Code

Due to the prevalence of cloud-based and open source development tools, many applications utilize shared codebases to get software up and running faster. After all, there’s no compelling reason to create custom code when pre-built components can simply be plugged in and adapted to a new program. As third-party code becomes more commonplace, however, there is a growing risk that even small vulnerabilities will be far more widespread, impacting every system that uses the code in some fashion.

Both security and IT professionals need to stay aware of the latest patches available for commonly used codebases. Documentation could be critical here as it can help them find where potential risks may exist within the software.
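
As an added illustration (not part of the original article), the sketch below shows how documentation of shared components can be checked against available patches to find every deployment still carrying a vulnerable copy. The deployment names, component names, versions, and advisory identifiers are all constructed placeholders.

```python
# Added example: constructed inventory and advisories, not real data.
from collections import defaultdict

# Constructed documentation: which deployment bundles which shared component.
INVENTORY = {
    "billing-api": {"libexample-parse": "2.4.1", "example-tls": "1.0.9"},
    "customer-portal": {"libexample-parse": "2.3", "example-queue": "0.9.2"},
    "report-worker": {"libexample-parse": "2.5.0", "example-tls": "1.1"},
}
# Constructed advisories: component -> (placeholder id, first fixed version).
ADVISORIES = {
    "libexample-parse": ("ADVISORY-PLACEHOLDER-1", "2.4.2"),
    "example-tls": ("ADVISORY-PLACEHOLDER-2", "1.1.0"),
}

def parse_version(text):
    """Turn '2.4.1' into (2, 4, 1); raises ValueError on non-numeric parts."""
    return tuple(int(part) for part in text.split("."))

def is_older(installed, fixed):
    """Compare dotted versions, padding so that '1.1' equals '1.1.0'."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b

def find_exposures(inventory, advisories):
    """Return {component: [(deployment, installed, fixed, advisory_id), ...]}."""
    exposures = defaultdict(list)
    for deployment, components in sorted(inventory.items()):
        for name, installed in components.items():
            if name not in advisories:
                continue  # no patch outstanding for this component
            advisory_id, fixed = advisories[name]
            if is_older(installed, fixed):
                exposures[name].append((deployment, installed, fixed, advisory_id))
    return dict(exposures)

def patch_order(exposures):
    """Components ranked by how many deployments share the vulnerable copy."""
    return sorted(exposures, key=lambda name: (-len(exposures[name]), name))

if __name__ == "__main__":
    found = find_exposures(INVENTORY, ADVISORIES)
    for component in patch_order(found):
        for deployment, installed, fixed, advisory_id in found[component]:
            print(f"{component} {installed} in {deployment}: "
                  f"upgrade to >= {fixed} ({advisory_id})")
```

Ranking by the number of affected deployments reflects the point above: a flaw in widely reused code is the one to patch first, because it is present in the most systems.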

Why Some Data Center Operators Overlook Security Patches

Unfortunately, many organizations, including some data centers, don’t take a very proactive approach to patch management. A 2019 study by the Ponemon Institute found that 60 percent of breaches that occurred between 2016 and 2018 could have been avoided if a security patch had been installed. The troubling implication of this statistic is that even when a patch for critical vulnerabilities was known to exist, only 40 percent of organizations took the time to implement it.

When it comes to data centers, there are two primary reasons why operators may not keep their patches up-to-date.

Reason 1: Shared Responsibility for Infrastructure

If a data center does not provide direct, hands-on managed services, its control over a customer’s infrastructure is relatively limited. The data center operator can make decisions regarding the facility’s infrastructure and systems, but their ability to handle maintenance and configurations stops at their customers’ cabinet doors. Because customers retain total control over their colocated assets, they also bear the responsibility for installing security patches to protect their network. If they don’t stay on top of this important task, a data center environment could potentially have multiple deployments that are exposed to a variety of security threats even though the underlying infrastructure is patched and secure.

Reason 2: Downtime Concerns

Many organizations turn to colocation data centers because they need continuous system uptime. Facilities that offer a 100% uptime SLA (like vXchnge data centers) guarantee to their customers that they’ll always be able to access their data and essential applications. Installing a security patch isn’t always a seamless process. Key systems may need to be rebooted, or the update may cause some configuration problem that causes essential programs to crash unexpectedly. Concern over the potential impact of patches can cause data center operators to delay installing them, which then creates a backlog that will take even longer to implement.

What to Look for in a Data Center Partner's Patch Management

Understanding how a colocation data center handles patch management is a key consideration before migrating into a facility. A good place to begin is by asking how the data center handles the two primary reasons why facilities often neglect patching.

Do they talk to their customers about patching?

While a colocation facility may not install patches for their customers, they can certainly take a proactive approach by notifying them about critical updates and providing them with the information and support they need to address security vulnerabilities on their own. vXchnge’s in\site intelligent monitoring platform, for instance, keeps colocation customers notified of updates and patches made to their data center’s infrastructure to keep them aware of potential vulnerabilities that may need to be addressed in their deployment. This level of transparency is critical to ensuring good, up-to-date patch management.

Do they maintain a backup environment?

For data centers that cannot tolerate any downtime, backup environments offer the best means of installing critical security patches. The data center can switch its systems over to a backup or swing environment while the patch is installed, which both maintains uptime and allows the data center operations team to address any potential problems with the patch. Separate development environments can also be used to patch applications ahead of time to identify any configuration issues that might cause downtime.

Talk to Your Data Center About Security Patches

By communicating regularly with their colocation provider, organizations can ensure that every step is being taken to safeguard their infrastructure from known security threats. That’s why vXchnge uses in\site as a direct link between our data center personnel and our customers. With customizable alerts and full visibility into data floor deployments, in\site provides an unparalleled level of transparency and control. To experience the power of intelligent monitoring first hand, sign up today for an in\site demo.
