Updating software is a tried and true activity. Patch management tools enable the automation of updates, helping to protect IT infrastructure and end-user computers from possible security threats, while also supporting the installation of ongoing software bug fixes and feature enhancements.
Most software is updated by the software vendor either on a regularly scheduled basis -- think Microsoft's so-called Patch Tuesday -- or on an ad hoc basis as the need for software patching arises. A company has the choice between manually patching infrastructure servers and end-user computers or purchasing automated patch management services to reduce the time IT personnel spend keeping OSes and software applications up to date.
Whether or not to patch is not the dilemma -- companies must keep their computer software up to date with the appropriate patches. There are governmental, legal, financial, healthcare and corporate regulations in most countries around the world, so patch management should be a priority for every company, regardless of location.
That said, the decision to deploy patch management tools can be influenced by a number of factors, some specific to the company as a whole and some related to the function of IT within the company.
The patching process
Depending on the size of an organization and the duties expected of or assigned to IT, patch management is likely considered a prime area of focus for IT infrastructure pros. In most companies, IT owns the computing infrastructure, which includes servers, load balancers, storage arrays, appliances, network gear and more. Obviously, IT must always take responsibility for the timely patching of those infrastructure servers and devices.
One popular approach is to create an environment where new patch releases can be tested with other installed hardware and software prior to deployment to servers and other infrastructure devices.
In addition to keeping infrastructure computers patched and up to date, IT must also devise and implement a process for keeping end-user computers patched. The two possible processes for implementing patch management for end users are to define and distribute a manual process or to deploy an automated desktop patch management system.
If an organization trusts its employees to keep their own computer patching up to date, it might also be wise to regularly inventory a representative sample of user computers to make sure they are complying with corporate patch management policies. Be aware, though, that trusting employees to manage their own OS and application patching can expose a company to liability if it is subject to governmental or corporate compliance regulations.
In an organization's analysis of whether to use self-compliance or patch management tools, the business should be sure to factor in the potential financial implications of running afoul of governance and compliance regulations should its manual patching efforts come up short of those rules and regulations.
For example, if a company owns software inventory tools, such as Microsoft's System Center Configuration Manager or Symantec Endpoint Management, then the underlying inventory infrastructure is already in place to conduct regular audits of software license and patch levels. If or when software inventory audits indicate that end-user application patches are out of date, patch management software can then be used to ensure compliance with patching guidelines or requirements.
Although there can obviously be substantial costs to implementing a comprehensive patch management infrastructure, for enterprise-scale companies in tightly regulated industries, the benefits of automated patch management likely far outweigh those costs.
Let's take a look at a couple of scenarios that will help amplify the possible business cases for patch management tools.
Scenario 1: Patching servers becomes labor-intensive
The first business case scenario for the automated patch management process usually comes to bear when the total number of employees plus the total number of servers reaches approximately 50. At that point, IT can no longer risk relying on employees to keep their OS and locally installed applications up to date with manual patching.
In addition, manually patching servers can become a very labor-intensive, time-consuming process. A quick cost-benefit analysis (see sidebar) should reveal that IT can't afford to take the time to manually install patches on servers and other infrastructure devices once they have more than 10 to 15 servers or other patchable devices in their infrastructure environment.
Patch management software: A cost-benefit analysis
Deciding whether or not patch management tools are right for your company should involve a series of questions about the various seen and unseen costs of implementing patching software, balanced by the real or perceived benefits of those costs.
Here are a few important considerations for the patch management cost-benefit analysis:
- How much does the patching software itself cost for the initial licenses and ongoing product maintenance and support?
- What are the costs of the underlying IT infrastructure required to run the patching software? Will the patching software run locally in a company data center or on a cloud-based platform?
- What are the personnel requirements, including man hours and training, required to implement and administer patching software? Do those requirements change if the software is cloud-based versus locally hosted within an existing company infrastructure?
- Will automated patch management conserve personnel commitments and time compared to a manual patching strategy?
- Are there any other financial considerations unique to the company that could also affect the true costs? For instance, if a company is subject to governance and compliance regulations that expose it to civil liability for not keeping patches up to date, a cost-benefit analysis should include that financial risk.
A similar cost-benefit analysis should be performed for patching end-user computers; although automated patching of end-user computers and -- if necessary -- mobile devices is almost always the best approach to keeping those devices secure and up to date. Many companies utilize inventory software that can produce reports showing which OSes and applications are installed on end-user computers and servers, as well as the version and patching level of all the installed software. These reports can also help smaller IT shops with manual patching processes in place to monitor how well end users are maintaining their patch levels.
In addition to larger enterprises, automated patch management tools are an excellent option in smaller companies where manual end-user patching consistently falls short, leaving the company vulnerable to malware, intrusions, and possible legal or regulatory ramifications.
Scenario 2: Mitigating risk
The second business case scenario for automated patch management -- and this one is a strong one -- is of particular interest to publicly traded companies subject to federal rules and regulations, such as the Sarbanes-Oxley Act, the Financial Industry Regulatory Authority, the Federal Rules of Civil Procedure and the Health Insurance Portability and Accountability Act. In these cases, ongoing patch management may be a statutory requirement, with significant criminal and civil penalties possible for the CEO and CFO if these regulations are violated.
In addition to meeting regulatory requirements, patching may be a required process in order to protect the organization from potential lawsuits from customers, suppliers and others who may be financially damaged by patch-related issues in the corporate network. For instance, if malware is introduced to an organization's IT infrastructure via a bug for which a fix has already been distributed, and should that malware lead to the accidental or purposeful release of personally identifiable information that damages others, the ensuing civil liabilities can be substantial and ongoing.
Consider this business case to be based on mitigating the risk of financial and legal consequences for not keeping an organization's infrastructure and end-user computers patched. Regardless of the cost of automated patch management tools, it is important to bear in mind what's at stake for publicly held companies that don't have a verifiable, repeatable, automated patch management process. Depending on a company's specific operating environment and governance compliance guidelines, a great deal of time, money and customer goodwill is at stake should a patch-related incident cause harm to the corporate stakeholders. The cost to implement patch management tools is typically relatively minor compared to the cost of defending the company from legal or regulatory actions spurred by a lack of automated patch management.
Don't overlook patch management
Patch management is a frequently overlooked aspect of digital asset management for many companies, but regulatory requirements make patch management a mandatory IT activity for many organizations today. Keeping application software and OSes up to date with the most recent patches also protects a company from malware attacks due to unseen bugs and other vulnerabilities. In addition, patch management tools assure that deployed software includes the latest features, functionality, security and capabilities offered by the application or OS vendor.
Although it is strongly recommended that all companies employ automated patch management, those strict government regulations applying to publicly traded companies take patch management from the recommended category to the mandatory category.
Busting the software patching myths
Learn how to assess patch management tools
Check out these tips for managing a large volume of software updates