As companies continue to struggle with budget pressures in a tight economy, the importance of automating routine tasks remains a prominent consideration in the allocation of IT budgets. Enterprise patch management software is a prime example of a tedious manual task that benefits greatly from automation, ensuring that all computers remain up to date with the latest patch releases from operating system (OS) and application software vendors.
Keeping computers up to date with the latest patches is no longer just a recommended best practice for corporate IT. The Sarbanes-Oxley Act (SOX) and internal corporate guidelines have codified the requirement for consistent, up-to-date patching of all computers in a given IT infrastructure.
Patch management software offers companies the ability to abide by industry best practices while also complying with any applicable regulatory requirements for the securing of IT systems against possible malware or unauthorized intrusions.
Why patch operating systems and software?
Rather than relying on industry best practice recommendations for manually keeping all OS and applications up to date with patches, enterprise patch management software enables IT pros to delegate that task to sophisticated software that can seamlessly handle the distribution process. Patch management software can also provide automated compliance reports that document which computers are -- and are not -- up to date, as well as sending notifications to admins based on successful or unsuccessful patch activities.
One need only refer to recent, well-publicized outbreaks of malware that were specifically designed to attack vulnerabilities in popular software such as Microsoft SQL Server to see that patching isn't just a good idea; keeping patches up to date is a mandatory component of the IT software management process.
How does automated patching work?
Most enterprise patch management software requires the installation of an agent on target computers. This agent provides a connection between the patch management server and the computers to be patched. Agents can also handle patching tasks such as sending alerts, caching patches locally on the target computer prior to installation, and retrying failed patch installations.
Many admins are understandably reluctant to install an agent on hundreds or thousands of computers just to handle patch management. This is one of the reasons that standalone patch management software is frequently included in an integrated bundle with other monitoring and management software that also requires an agent.
Installing one agent that, for example, facilitates patch management, performance monitoring and server health statistics is usually a better strategy than installing three separate agents that each address different aspects of managing a target computer. Any modern patch management software will include agents that run on all recent versions of Windows, Linux/UNIX and, in a nod to the BYOD movement currently afoot, will frequently include agents that run on mobile platforms such as Android or iOS.
Patch management caveats
As it turns out, the practical challenges of enterprise patch management are not usually in the distribution of the patches themselves. Pushing patches across a modern network with patch management software is a relatively simple process, once all of the target computers have an appropriate agent installed. The trick comes not in how to push patches but rather in which patches should be pushed to targets and when.
Even though software vendors regularly release patches -- and experts usually recommend installing these immediately -- there is also a patch management best practice that all patches should be installed and tested in a development or test environment before those patches are pushed to all pertinent computers requiring the patch. Why? Because, while it's a logical assumption that software vendors would never release a patch that might break existing software, it's not difficult to find examples of patches that addressed one or more existing issues while also breaking other features or functionality.
Patch admins must also be mindful of the fact that not every software vendor tests its patches against every possible other piece of software running in IT. The only thing worse than not applying a patch that could leave software vulnerable, is to install a patch that breaks other pieces of software in the process.
The cost of automating patch management
The cost of purchasing automated patch management software is as varied as the many patch management products on the market. There are freeware versions of patch management products, there are standalone products for those with a budget but also on a budget, and there is patch management software that is integrated within an all-encompassing monitoring and management software suite.
There is no one right answer for which type of enterprise patch management software is the best fit for a specific situation. Each method of patch management software licensing represents a different price point and feature set that will help guide organizations to the best product within their budget.
Part of the patch management product comparison process is to examine the tradeoffs between price and features, then settling on a short list of the software that most closely aligns with your requirements and budget. Although patch management automates a previously manual process, organizations must still include costs for administration of their chosen patch management product. Even automated patch management products require trained expertise to configure and maintain the product.
To patch or not to patch
Automating a patch distribution process is a best practice that must not be ignored or allowed to fall by the wayside. Keeping patches up to date can protect companies from exposure to malware or intruders, but considering the requirements of maintaining SOX compliance, patch management software can also keep company CEOs and/or CIOs out of hot water with government regulators, internal auditors or shareholders.
That said, IT must always weigh the benefits of automating a task with the possible downside that automation software doesn't always behave as automatically or as appropriately as expected. This is where testing of all patches prior to pushing those patches to target computers becomes key.
A comprehensive enterprise patch management strategy keeps vulnerabilities at bay while also protecting the company and its leadership from regulatory trouble. No company can afford to ignore either risk in the modern world of patch management compliance.
The next article in this series will present various real-world scenarios and use cases for patch management software to consider when making the decision to purchase an automated patching product. It will compare standalone patch management products versus patch management software as part of a comprehensive monitoring framework. It'll also provide IT professionals with the tools and techniques to make a solid business case to executive management for the appropriate patch management products.
Part two of this series discusses the business case for automated patch management tools.
Take a walk through the six steps for security patch management best practices
Read about the cure for patch management headaches