In IT, there’s a lot of frustrating repetition. It’s your goal to standardise as much as possible, across hardware and software, but that inevitably means repeating the same tasks on numerous identical machines. It’s time-consuming, expensive, and boring.
So, in a large organisation, it makes sense to use a single image of your standard Microsoft Windows install – a ‘golden image’ that represents the most up-to-date Windows version with all the drivers, patches, and applications your users will need. Then, you can deploy that image to new machines as soon as they come online.
But while this is great for efficiency and standardisation, it’s not ideal for security. Typically, you would change that golden image quarterly, or when significant changes occur in your organisation.
And the threat of application vulnerabilities moves a whole lot faster than that.
According to the Flexera Vulnerability Review, 17,147 vulnerabilities were disclosed in 2016. While those vulnerabilities didn’t pace themselves evenly through the year, it’s not unreasonable to think you could be looking at as many as 4,000 vulnerabilities per quarter.
Of course, you won’t be using every application that’s affected – but it only takes a single vulnerability to let an attacker in. And if you think you could avoid every vulnerable application, the numbers aren’t on your side.
Third-party application versions don’t last long, but your golden image probably isn’t updated every time an application needs an incremental patch. At worst, that leaves new machines exposed to known vulnerabilities. At best, it means you need to spend time updating applications from the golden image as part of your on-boarding process.
Which flies in the face of everything a golden image is supposed to do for you.
You could create a new golden image more often – but it’s not a very practical approach. That’s because:
A golden image can help you deploy new machines quickly and efficiently. But your standard Windows tools need some extra support to keep your image secure.