Although nobody's crystal ball is clear on the impact that the change in the daylight-saving time rules will have on enterprise IT systems and applications, the problems could be bigger than most people realize.
That's because IT shops have had less notice in dealing with the time change than they did for Y2K, and because the issue doesn't have visibility at the highest levels of an organization as it did for Y2K.
"We are likely to see more issues than we did with Y2K because there is no visibility at the board and the CEO level, yet it's a similar risk to the business," said Tim Howes, CTO at data center provisioning provider Opsware in Sunnyvale, CA.
"Only server administrators and application support teams know what could happen if time stamps get misaligned. A lot of these administrators are sweating bullets right now," said Swapnil Shah, co-founder and Chief Strategy Officer at mValent, a configuration and change management provider in Burlington, Mass.
Although both Howes and Shah have a vested interest in that perspective—both are hawking tools or services that can help automate the process of deploying patches and discovering which systems have been addressed—industry analysts believe that IT shops using such tools are ahead of the game.
"Those using configuration management, application lifecycle methodologies and automated testing tools are ahead of the game," said Ray Wang, principal analyst with Forrester Research in Foster City, Calif.
Those without such tools, as they scramble to deploy patches and remediate operating systems, network devices and applications prior to the second Sunday in March, are finding there's "no systematic way to understand if the fixes have been applied exhaustively," said Swapnil Shah, CEO at mValent in Burlington, Mass.
It doesn't help that some vendors have been slow to release patches for their systems. In fact, Wang is aware of some vendors that released their patches only two weeks ago.
Microsoft, for its part, has released three patches for daylight-saving time issues with its systems since November, according to Sudhaman Gopalan, LANdesk administrator in IT management at the Chicago Tribune in Chicago.
"On Nov. 14, they came out with the first and said it would cover everything. Then in December they found more [issues]. And they came out with one more in February," he said.
Most of the 1,000 or so IT employees at the Chicago Tribune are involved in some manner in the effort to patch IT infrastructure. Thanks to the automated LANdesk patch management system in place there, Gopalan's own effort was minimal.
"There was a patch available with LANdesk, so I automated my servers to update it every day from the LANdesk registry for Windows-based machines.
"I download all the patches, and I have a local repository here that's in sync with the LANdesk Patch Manager. I wrote a script [to automate the installation]. It took me a half-hour," he said.
That may work well for the Windows-based systems Gopalan is responsible for, but both Forrester Research and Opsware's Howes recommend taking a holistic, well-coordinated approach to the problem.
"You can end up with inconsistencies if there is no coordination. You have to cover all your bases to solve the problem. As a result of inconsistencies, you may see an application works most of the time except for a couple of instances," said Howes.
And large IT shops are likely to have multiple solutions from different vendors that could in some cases conflict with each other, according to Forrester Research.
"For example, one vendor may tell you to upgrade the [Java Virtual Machine], while another may tell you to change the Java time zone database, and the third may suggest that you change the OS time zone manually," according to a Forrester Research paper released earlier this month on the DST issue.
Forrester recommends that enterprises start by patching server operating systems in the data center and then work outward, although Java Virtual Machines, because of their operating system independence, will also need to be updated at the same time.
In fact, most current distributed applications get their time stamp from either the operating system they run on or from the Java Development Kit, making it unnecessary to patch the applications themselves.
But that may not be true of some older, legacy applications. And for those applications—if they have a time-dependency—that's where the biggest problems could occur, said Scott Chudy, senior solutions architect in the security practice at IT consulting company Dimension Data in Reston, Va.
"There's a great example of a government agency that had a mission-critical financial management system [that generated paycheck information] that was hardly allowed any downtime. They were averse to patching it because they were terrified to break it. So there are organizations with legacy systems that will have a real issue with it," he said.
With 12 days left, IT shops will have to scramble to complete the process of identifying which systems need to be patched, deploying the patches, testing them to ensure they were applied properly and reporting on the effort.
To help, mValent recently released a module for existing customers that allows them to rapidly test and remediate systems. For non-mValent customers, the company is offering a quick DST compliance audit service.
"We go out there, discover all their servers and verify that the appropriate patch level is applied on all those servers by inspecting configuration parameters against a DST template. Then we inspect all the servers, identify all the JDKs on their servers and test each of them for the DST patch and report on that. We generate a comprehensive report for all their servers that tells them whether the DST patch has been applied, and whether the DST patch has been applied to each server or not," said Shah.
Opsware, for its part, will release five recommendations on Feb. 28 for preparing for the DST change. Those include: understand what you have, understand the business impact, plan and execute the remediation process, conduct a post-remediation audit and report and analyze compliance.
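A post-remediation check of the kind described above can be approximated for a single runtime. The following is an added example, not code from mValent, Opsware or Forrester: it probes two instants in 2007 at which the old and new U.S. rules disagree and reports any zone whose offset still follows the old rules. The function names and the three-zone list are assumptions for illustration, and the old-rule dates (first Sunday in April to last Sunday in October) are background that the article does not state.

```python
from datetime import date, datetime, timedelta, timezone

def nth_sunday(year, month, n):
    """n-th Sunday of the month; n=-1 means the last Sunday."""
    if n > 0:
        first = date(year, month, 1)
        first += timedelta(days=(6 - first.weekday()) % 7)
        return first + timedelta(weeks=n - 1)
    last = date(year + (month == 12), month % 12 + 1, 1) - timedelta(days=1)
    return last - timedelta(days=(last.weekday() + 1) % 7)

def dst_probes(year):
    """UTC instants at which the old and new U.S. rules disagree.

    New rules: second Sunday in March to first Sunday in November.
    Old rules: first Sunday in April to last Sunday in October.
    """
    spring = nth_sunday(year, 3, 2) + timedelta(days=1)    # new rules: DST on, old: off
    autumn = nth_sunday(year, 10, -1) + timedelta(days=1)  # new rules: DST on, old: off
    return [datetime(d.year, d.month, d.day, 12, tzinfo=timezone.utc)
            for d in (spring, autumn)]

def audit(offset_at, std_hours, year=2007):
    """Return the probe instants where DST is NOT in effect (empty = patched).

    offset_at: callable mapping an aware UTC datetime to the zone's UTC offset.
    std_hours: the zone's standard-time offset from UTC, e.g. -5 for Eastern.
    """
    expected = timedelta(hours=std_hours + 1)
    return [t for t in dst_probes(year) if offset_at(t) != expected]

def system_offset(zone):
    """Offset lookup backed by the tz database this Python runtime reads."""
    from zoneinfo import ZoneInfo
    tz = ZoneInfo(zone)
    return lambda t: t.astimezone(tz).utcoffset()

if __name__ == "__main__":
    # Illustrative zone list (assumption): Eastern, Central, Pacific.
    for zone, std in [("America/New_York", -5), ("America/Chicago", -6),
                      ("America/Los_Angeles", -8)]:
        stale = audit(system_offset(zone), std)
        print(zone, "OK" if not stale else f"STALE at {stale}")
```

The result covers only the time zone data that this Python runtime reads; each JVM carries its own time zone data and has to be checked separately.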
With 12 days left, that might be a tall order, but Forrester's Wang had some quick suggestions.
"People should be thinking about making sure all their patches have been applied. Begin by testing the patches, try to find any area where you have custom applications that might call time. Make sure you have extra people on hand to address extra support requirements. And now is the time to make the business case for these kinds of tools, especially since Congress at its own whim can make changes," he said.