Features

For Associated Food Stores, a cooperatively owned wholesale grocery distributor, what began last year as a search for a suitable answer for network patching has evolved into a full network inventory solution and improved control over renegade software. For Jeff Ladle, the firm's IS server manager, the move toward centralized management actually began several years ago with the need to automate software patch management.

In 2000, the company was not hit hard by the "I love you" virus, but reading about how the occurrence had affected other organizations made Ladle realize that if it had happened once, it could happen again. The company found a reasonable and inexpensive solution to patching through Microsoft Software Update Services (SUS). Before long, however, the process of keeping current Microsoft patches on all Associated Foods computers was taking up as much as 50 staff hours a month.

Organized in 1940, Associated Food Stores of Salt Lake City is a distributor to more than 600 independently owned supermarkets in eight states. Today, Associated Food Stores employs more than 1,400 people and ships more than 750 truckloads of groceries each week.

The company's corporate network consists of 500 Dell desktops, approximately 50 Dell servers (several of which are being migrated to VMware and IBM), and 60 remote users with Dell laptops.

Ladle's search for a solution was thorough. The company spent nearly a year investigating and trying different products. At the end of its evaluation, the company selected Altiris Client Management Suite and Altiris Server Management Suite, both of which include Altiris Patch Management Solution (which is available as a point product, as well. The search was arduous, he says, but the implementation, by comparison, was easy–the software was up and running in a little more than a month.

One of the first considerations for using Microsoft SUS was the fact that it is a free service from Microsoft.

"We found SUS to be suitable for a fairly long period of time," Ladle notes. "It worked about as well as you would expect, for the price. But ultimately, the amount of time we were spending to apply patches was very costly in terms of the human resource involved. We also came to the point that as we saw stronger viruses appearing, we were concerned that the amount of time it was taking us to get to each PC and administer each new patch would leave our systems unprotected for an unacceptable period of time."

Better solution needed
Associated Foods used Microsoft SUS for approximately three years. For awhile, the consensus of the department was that the SUS solution was "good enough," but after witnessing the increasing incidence of new viruses and the damage they were causing other organizations, the group concluded that it needed to find a better solution. Ladle notes that Microsoft has since released Windows Server Update Services (WSUS), which is a newer version of SUS that Associated Foods has not tested and is reportedly much stronger than SUS. The company, however, had long since moved beyond its testing phase at the time the WSUS version was released.

As the evaluations continued, difficulty in implementation quickly ruled out one alternative. Another contender had to be ruled out due to an issue that turned out to be a major consideration: the ability to push patches out transparently in the middle of the day. The staff concluded that Altiris had stronger integration with Dell and IBM hardware than a third option, a consideration that ultimately proved to be essential.

In the final analysis, the patching decision boiled down most heavily to a question of flexibility.

"With a lot of the options we looked at, we couldn't make the update process seamless enough to safely administer our patches midday," Ladle explains. "Most options required us to either re-do our Active Directory or schedule our updates for times such as Saturday at 4 a.m."

Ladle cites the fact that the Altiris software provides the flexibility to push patches out in the middle of any business day, and that end-users remain completely unaware.

"Flexibility is especially key," he reports. "I can't just ask people to stop what they're doing and reboot their computers at noon. With Altiris, I can suppress the reboot. Even if I'm pushing out multiple patches, the software handles the queue chaining and then, when it's convenient, requires the end-user to reboot only once. With the majority of the other alternatives, we weren't able to control the software to the level we felt we would need."

Another consideration for Ladle was the fact that the Altiris solution includes Wise Package Studio, a software product Altiris acquired and bundled with its patch-management solution in 2004. The Wise software automatically analyzes and tests patches before they deploy to ensure that they will work as intended.

Ladle is careful to note that the software implementation, while easy, was not instant. In fact, the company hired Altiris consulting services for the first week of the implementation to assist his team. Although the outside help was not an absolute necessity, it was a decision that he does not regret.

Today, the patching process is seamless. Ladle hesitates to venture a guess as to how many patches the software has pushed. On a typical "Patch Tuesday," there may be 10 patches, three patches or, occasionally, none. On the average, Associated Foods pushes five to six patches per month.

assistance with spyware
With the problem of patch management under control, Ladle's department recognized the opportunity to use the Altiris suites to centrally manage other IT problems, as well. Next on the list was software metering. Like all companies, Associated Foods had noticed an increasing occurrence of spyware on its corporate machines.

"Spyware hasn't been a terrible problem for us, but every machine has at least some spyware on it," Ladle reports.

With the metering capability already available, Ladle's department has been able to identify several types of rogue software and set in place an automated policy that will simply not allow them to run. While it is not billed as a spyware remedy and is not the most traditional use of metering software, this implementation has been effective in helping Associated Foods effectively manage its spyware vulnerabilities.

From that point, Associated Foods has moved to implementing the inventory and asset-management components of the Altiris suites.

"Before, we didn't know how many machines we had," says Ladle. "We had a pretty good idea, but it was difficult to be sure. Now I can go into a budget meeting and be confident in precisely what hardware and software we have."

Ladle also mentions the importance of his company's partnering and integration of technologies with IBM and with Dell. "We don't want to have to re-invent the industry," he says. "Working with Dell has been a natural decision. In fact, we've been standardized on Dell almost exclusively until recently when we also added IBM and VMware servers for efficiency's sake."

As for management software, Associated Foods has relied heavily on IBM and especially on Dell for advice. "People seem to be familiar with Microsoft's SMS management suite," Ladle says, "but from what we've gathered, the learning curve on SMS is huge. We wanted some central control on the network, but we didn't want to have to employ a complete network overhaul when what was really pushing our decision was primarily patch."

Ladle notes that he ran into one major hurdle with the Altiris software in the midst of the company's upgrade from Patch Management Solution 6.0 to 6.1. "We had a problem with the 6.1 upgrade in that some of the patches were spontaneously re-installing themselves," Ladle says. "Our access to the Altiris developers was critical. It took a little time, but the developers were able to get with us and see why the ‘flag,' as they called it, wasn't appearing. It took them a couple of weeks, but we got it resolved."

In the meantime, Ladle is enjoying the company's new patch-management strategy to the fullest. "The bandwidth throttling feature is awesome," he says. "I love the fact that I can push patches out in the middle of the day and not have anyone know. And the remote users can get their patches in a timely manner without interrupting their schedules."

Most importantly, Associated Food Stores has found an efficient means of increasing its immunity to virus or security attacks.