As the digital world becomes more inhospitable and cyber-attacks constantly threaten every organisation’s security, patching any software vulnerabilities quickly is vital. Fortunately, technology companies and the cyber security community are usually quick to communicate any vulnerabilities, issue updates, and urge organisations to take action to protect themselves when vulnerabilities are discovered.

That said, tens of thousands of software patches are now issued every year, making it challenging to keep on top of them. Updates are required for operating systems, web browsers, enterprise applications, firmware, and a range of other areas. While some organisations run these updates like a well-oiled machine, many are slower to keep up with the pace, with some organisations taking months to patch. Some don’t even update their software at all or continue to use software that’s no longer supported.

While automated patch management tools and vulnerability assessment systems have become invaluable in managing this huge volume and ensuring patches are applied in a timely manner, things can still go wrong. The recent and unprecedented global IT outage, triggered by a faulty CrowdStrike software update, caused widespread disruption and economic damage.

So, are organisations caught between a rock and a hard place? Running patch updates is crucial for security, but what can companies do to ensure they’re secure while reducing the chances of one piece of faulty software doing more harm than good?

Deploying software smartly

One approach is ring deployment. This is a strategy used in software development and IT operations for rolling out updates or new features in a controlled and phased manner. Overall, it helps ensure that updates and new features are delivered with higher quality and reliability.

With ring deployment, changes are deployed to a small subset of users or systems first – the ‘inner rings’. Gradually, based on feedback and evidence of the update’s stability, the deployment is expanded to a larger audience – the ‘outer rings’. This approach helps mitigate risk by allowing issues to be identified and addressed early before they affect a broader user base.

“If organisations had used ring deployment for rolling out updates, the disruption and damage caused by the CrowdStrike update could be minimised and even prevented,” says Jason Lau, Senior Security Consultant at Quorum Cyber.

Many of the world’s largest technology and software vendors use ring deployment extensively to roll out updates to their huge user bases. This approach works well when large numbers of employees or organisations can be impacted if something goes wrong.

The benefits and challenges of ring deployment

Like any strategy, ring deployment has its pros and cons. Benefits include mitigating risk by catching and fixing issues early, having more control, better quality and more timely feedback, and being able to allocate team members’ time more effectively. However, the whole process is more complicated so it takes more coordination, and it can be difficult to decide the optimum time to move from ring to ring and check updates have run successfully.

Ring deployment is typically rolled out to four different groups:

  1. Inner ring – canary deployment to a small, select group of users or systems
  2. Second ring – early adopters to gain more feedback
  3. Third ring – broader audience for a more diverse set of environments and use cases
  4. Outer (final) ring – general availability to the entire user base or all systems.
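The decision described above as difficult, when to move from ring to ring, can be written down as an explicit promotion gate. This is an added example, not code from the article or from any vendor tool; the `Gate` and `RingStatus` types, the `decide` function and every threshold are assumptions made for illustration, and the telemetry is constructed.

```python
from dataclasses import dataclass

# Rings follow the four groups listed above; all thresholds are assumed values.
RINGS = ["inner", "second", "third", "outer"]

@dataclass
class Gate:
    min_soak_hours: int      # time in ring before promotion is considered
    min_reporting: float     # share of ring devices that must report back
    max_failure_rate: float  # failed / reported; above this, stop the rollout

GATES = {"inner": Gate(24, 0.90, 0.00),
         "second": Gate(48, 0.85, 0.01),
         "third": Gate(72, 0.80, 0.02)}

@dataclass
class RingStatus:
    ring: str
    devices: int
    succeeded: int
    failed: int
    hours_deployed: int

def decide(status):
    """Return (action, reason); action is promote, hold, halt or complete."""
    if status.ring == RINGS[-1]:
        return "complete", "outer ring is general availability"
    gate = GATES[status.ring]
    reported = status.succeeded + status.failed
    rate = status.failed / reported if reported else 0.0
    coverage = reported / status.devices if status.devices else 0.0
    # Check failures first: a bad update should stop without waiting out the soak.
    if rate > gate.max_failure_rate:
        return "halt", f"failure rate {rate:.1%} exceeds {gate.max_failure_rate:.1%}"
    if status.hours_deployed < gate.min_soak_hours:
        return "hold", f"soak {status.hours_deployed}h of {gate.min_soak_hours}h"
    # Silent devices are not healthy devices: a crashed machine cannot report.
    if coverage < gate.min_reporting:
        return "hold", f"only {coverage:.0%} of devices reported"
    return "promote", f"next ring: {RINGS[RINGS.index(status.ring) + 1]}"

# Constructed sample telemetry, one snapshot per line.
SAMPLES = [RingStatus("inner", 20, 19, 0, 30),
           RingStatus("inner", 20, 12, 0, 30),
           RingStatus("second", 200, 150, 9, 6),
           RingStatus("third", 2000, 1700, 20, 80)]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s.ring, *decide(s))
```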

Support with ring deployment

Organisations can create and modify a rings policy with Microsoft Intune. It enables them to set when and how feature and quality updates are applied to enrolled Windows 10/11 devices.

The following rollout options can be selected in a feature updates policy:

  • Make update available as soon as possible – this is the default behaviour and allows no delay in making the update available to devices
  • Make update available on a specific date – with this option, the update is not available to devices until the configured date is reached
  • Make update available gradually – this distributes the availability of the update across the configured range of time, making the update available to a different subset of the devices targeted by the policy at each point.

To help prepare for the update deployment, Microsoft Intune also offers two built-in reports to help administrators understand the compatibility risks that might impact devices both during and after an update:

  1. Windows feature update devices readiness report – this provides information on each device about its compatibility risks that are associated with an update to a chosen version of Windows
  2. Windows feature update compatibility risks report – this report provides a summary view of the top compatibility risks across an organisation for a chosen version of Windows.

Apart from the compatibility reports, there are several Windows update reports to help administrators monitor and troubleshoot update deployment. The report options include Windows 10 update rings, Windows 10 feature updates, Windows Driver updates and Windows update distribution. Each of them has one to three in-built reports.

Discover how to mitigate your IT and cyber security risks today

Quorum Cyber provides a range of Advisory services, from Cyber Security Leadership Services and Security Maturity Assessments to Cloud Security and Technical Advisory through to Identity Security. Contact us to discuss how our Advisory team can help your organisation strengthen its cyber security posture.
