The patching of software is a tried and true activity that helps to protect IT infrastructure and end-user computers from possible security threats, while also supporting the installation of ongoing software bug fixes and feature enhancements.
Most software is updated by the software vendor either on a regular schedule -- think Microsoft's so-called Patch Tuesday -- or on an ad hoc basis as the need for a fix arises. In this article we discuss whether a company should manually patch infrastructure servers and end-user computers, or whether it makes more sense to purchase an automated patch management tool to reduce the time IT personnel spend keeping operating systems (OSes) and software applications up to date.
As the description above makes clear, whether or not to patch is not the dilemma: companies must keep their software up to date with the appropriate patches. Depending on the industry, regular patching may effectively be required by regulations such as the Sarbanes-Oxley Act (SOX) for publicly traded companies, the Health Insurance Portability and Accountability Act (HIPAA) for organizations that handle protected health information, and the Federal Rules of Civil Procedure (FRCP) where system records become evidence in litigation. None of these texts names patching explicitly; what they require is demonstrable control over the systems that process regulated data, and a known vulnerability left unpatched is hard to defend as adequate control. SOX in particular provides for substantial financial penalties and possible criminal charges for CEOs and CFOs who certify controls that are not actually in place.
There are similar financial, healthcare and corporate regulations in most countries around the world, so patch management should be a priority for every company. The decision to deploy automated patch management is influenced by a number of factors, some specific to an organization and some related to the function of IT as a whole within it.
The patching process
Depending on the size of an organization, and the duties expected of or assigned to IT, patch management is likely a prime area of focus for information technology professionals. In most companies, IT owns the computing infrastructure, which includes servers, load balancers, storage arrays, appliances, network gear and more, and IT is therefore responsible for the timely patching of those servers and devices. It should also maintain a sandbox environment where new patch releases can be tested before distribution to production servers and other devices, since a patch that breaks a service is itself an availability incident.
In addition to keeping infrastructure computers patched and up to date, IT must devise and distribute a process for keeping end-user computers patched as well. There are two possible processes for implementing patch management for end users:
- Define and distribute a written process for all employees to follow in order to keep their desktop or laptop OS up to date, as well as their locally installed applications.
- Deploy an automated patch management system that lets IT tightly control what and when patches are distributed.
If an organization trusts its employees to keep their own computers patched, it would be wise to occasionally inventory a representative sample of users to make sure they are complying with corporate patch management policy. Bear in mind that sampling measures policy drift; it does not find the one unpatched machine an attacker needs, and a single such machine can be enough. Be aware, too, that trusting employees to manage their own OS and application patching can expose a company to liability if it is subject to governmental or corporate compliance regulations. In an organization's analysis of whether to use self-compliance or an automated tool for patch management, it should factor in the potential financial implications of running afoul of governance and compliance regulations should its patching efforts fall short.
If a company owns software inventorying tools such as Microsoft System Center Configuration Manager or Symantec Endpoint Management (formerly known as Altiris), then the underlying inventory infrastructure is already in place to conduct regular audits of software license and patch levels. When inventory audits indicate that end-user applications are out of date, patch management software can then be used to ensure compliance with patching guidelines or requirements.
Though there can obviously be substantial costs to implementing a comprehensive patch management infrastructure, for enterprise-scale companies in tightly regulated industries the benefits of automated patch management likely far outweigh those costs. Let's take a look at a couple of scenarios that illustrate the possible business cases for automated patch management.
Automated patch management: Scenario #1
The first business-case scenario for automated patch management usually arises when the total number of employees plus the total number of servers reaches approximately 50. At that point, IT can no longer risk relying on manual patching, whether performed by IT or by end users, to keep OSes and locally installed applications up to date.
In addition, manually patching servers starts to become a very time-consuming process. A quick cost-benefit analysis (see sidebar) reveals that IT can no longer afford to take the time to manually install patches on servers and other infrastructure devices once they have more than 10 to 15 servers or other patchable devices in their infrastructure environment.
A similar cost-benefit analysis should be performed for patching end-user computers. Many companies utilize inventory software that can produce reports showing which OSes and applications are installed on end-user computers and servers, and the version and patching level of all installed software. These reports can also help smaller IT shops monitor how well end-users are maintaining their patch levels.
In addition to larger enterprises, automated patch management tools are an excellent option in smaller companies where end-user patching falls short, leaving the company vulnerable to malware and possible legal ramifications.
Automated patch management: Scenario #2
The second business case scenario for automated patch management -- and this one is a strong one -- is of particular interest to a publicly traded company, or to any organization subject to federal rules and regulations such as SOX, FRCP and HIPAA. In these cases, ongoing patch management is in practice a compliance requirement, with significant civil and, under SOX, criminal penalties possible for the CEO and CFO if certified controls turn out not to exist.
In addition to meeting regulatory requirements, patching may be necessary to protect the organization from lawsuits by customers, suppliers and others who are financially damaged by patch-related issues in the corporate network. If a company fails to keep its computers and other devices up to date with the recommended patches, it can be exposed to claims from customers, partners and other related parties. For instance, if malware enters an organization's IT infrastructure through a vulnerability for which a fix has already been released, and that malware leads to the accidental or deliberate release of personally identifiable information (PII) that damages others, the ensuing civil liabilities can be substantial and ongoing.
Consider this business case to be based on mitigating the risk of financial and legal consequences for not keeping an organization's infrastructure and end-user computers patched. Regardless of the cost of automated patch management tools, it is important to bear in mind what's at stake for publicly held companies that don't have a verifiable, repeatable automated patch management process. Depending on a company's specific operating environment and governance compliance guidelines, a great deal of time, money and customer goodwill is at stake should a patch-related incident cause harm to your corporate stakeholders. The cost to implement automated patch management tools is typically relatively minor compared to the cost of defending the company from legal or regulatory actions spurred by lack of patch management.
Patch management software: a cost-benefit analysis
Deciding whether or not a patch management product is right for your company involves a series of questions about the visible and hidden costs of implementing patching software, balanced against the expected benefits. Here are a few important considerations for a patch management cost/benefit analysis:
- How much does the patching software itself cost for the initial licenses and ongoing product maintenance and support?
- What are the costs of the underlying infrastructure required to run patching software? Will the patching software run locally in a company data center or on a cloud-based platform?
- What are the personnel requirements, including staff hours and training, to implement and administer patching software? Do those requirements change if the software is cloud-based versus locally hosted within an existing company infrastructure?
- Will automated patch management conserve personnel commitments and time compared to a manual patching strategy?
- Are there any other financial considerations unique to your company that could also affect the true costs of manual patching versus automated patching? For instance, if your company is subject to governance and compliance regulations that expose your company to civil liability for not keeping patches up to date, be sure to include that in your analysis.
Best practices for automated patch management
The following are a number of practical best practices and tips to take into account while researching, evaluating, procuring and deploying automated patch management tools to protect an organization's digital assets:
Know your infrastructure and end-user device patching status at all times, either via manual inventory of a representative sample of devices or, preferably, via an automated software inventorying tool that detects and tracks software versions and patch levels for OSes and applications. Treat a device that has stopped reporting as unknown rather than compliant; silence in the inventory is not evidence that a machine is patched.
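A minimal version of such an audit, as an added example that is not part of the original article or of any vendor's product: it compares a constructed inventory (hostnames, OS builds, installed update identifiers and last report date, all made up here; the KBEXAMPLE names are placeholders, not real Microsoft update numbers) against a required baseline, and flags hosts that are below the minimum build, missing a required update, or simply have not reported recently enough for their status to be known. Build numbers are compared numerically, field by field, because comparing them as strings ranks "10.0.19045.999" above "10.0.19045.3693".

```python
"""Audit an endpoint inventory against a patch baseline (added example).

All inventory records and update identifiers below are constructed for
illustration; the KBEXAMPLE* names are placeholders, not real update IDs.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Endpoint:
    hostname: str
    os_build: str               # dotted build string, e.g. "10.0.19045.3693"
    installed: frozenset[str]   # update identifiers reported by the agent
    last_seen: date             # when the host last reported inventory


@dataclass
class Finding:
    hostname: str
    reasons: list[str]


def parse_build(build: str) -> tuple[int, ...]:
    """Turn "10.0.19045.3693" into (10, 0, 19045, 3693) so comparison is
    numeric per field. Plain string comparison gets this wrong:
    "10.0.19045.999" > "10.0.19045.3693" because "9" > "3"."""
    return tuple(int(part) for part in build.split("."))


def audit(endpoints: list[Endpoint], min_build: str, required: frozenset[str],
          today: date, max_report_age_days: int = 7) -> list[Finding]:
    """Return one Finding per non-compliant host; compliant hosts are omitted.

    A host that has not reported within max_report_age_days is reported too:
    an inventory that is silent about a machine is not evidence that it is
    patched."""
    findings = []
    baseline = parse_build(min_build)
    for ep in endpoints:
        reasons = []
        age = (today - ep.last_seen).days
        if age > max_report_age_days:
            reasons.append(f"no inventory report for {age} days; status unknown")
        if parse_build(ep.os_build) < baseline:
            reasons.append(f"OS build {ep.os_build} below required {min_build}")
        missing = sorted(required - ep.installed)
        if missing:
            reasons.append("missing required updates: " + ", ".join(missing))
        if reasons:
            findings.append(Finding(ep.hostname, reasons))
    return findings


def compliance_rate(endpoints: list[Endpoint], findings: list[Finding]) -> float:
    """Percentage of inventoried hosts with no findings."""
    if not endpoints:
        return 0.0
    return 100.0 * (len(endpoints) - len(findings)) / len(endpoints)


# Constructed baseline and inventory (not real data).
MIN_BUILD = "10.0.19045.3693"
REQUIRED = frozenset({"KBEXAMPLE01", "KBEXAMPLE02"})
AUDIT_DATE = date(2024, 1, 15)
SAMPLE_ENDPOINTS = [
    Endpoint("ws01", "10.0.19045.3693", frozenset({"KBEXAMPLE01", "KBEXAMPLE02"}),
             date(2024, 1, 14)),   # compliant
    Endpoint("ws02", "10.0.19045.3693", frozenset({"KBEXAMPLE01"}),
             date(2024, 1, 14)),   # missing one required update
    Endpoint("srv03", "10.0.19045.999", frozenset({"KBEXAMPLE01", "KBEXAMPLE02"}),
             date(2024, 1, 15)),   # old build; string comparison would pass it
    Endpoint("ws04", "10.0.19045.3693", frozenset({"KBEXAMPLE01", "KBEXAMPLE02"}),
             date(2023, 12, 20)),  # stale report: status unknown
]


def run_sample() -> list[Finding]:
    """Run the audit over the constructed inventory as of AUDIT_DATE."""
    return audit(SAMPLE_ENDPOINTS, MIN_BUILD, REQUIRED, AUDIT_DATE)


if __name__ == "__main__":
    results = run_sample()
    for f in results:
        print(f"{f.hostname}: " + "; ".join(f.reasons))
    print(f"compliance: {compliance_rate(SAMPLE_ENDPOINTS, results):.0f}%")
```

In a real deployment the Endpoint records would come from the inventory tool's export or API and the baseline from the current month's approved patch set; the logic that matters is the same, in particular that a stale record is a finding rather than a pass.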
Perform a cost/benefit analysis to determine whether or not the company can justify deploying an automated patch management process. For example, for a small software development startup that hasn't yet begun to sell its product publicly -- and has only a handful of employees -- the risk of a patch-related incident causing damage to customers or employees is relatively low. Conversely, a software development company that has a publicly released product that collects and stores customer credit card information is highly susceptible to a patch-related incident causing the exposure of PII, which could be devastating to the company's established customer goodwill and bottom line.
Be sure to test any prospective patch management product live in the organization's environment to ensure it is compatible with existing computers and devices. That testing needs to include some subset of the company's production computers to ensure compatibility in its environment. Most patch management vendors offer a 30-day trial of their software running live in an environment.
Consider a cloud-based patch management product such as Kaseya or Panorama9, where the patch management vendor is responsible for keeping the patch management cloud infrastructure running at peak performance. Cloud-based products also ensure the patch management software itself is always up to date. Keep in mind that any patch management tool, cloud-hosted or local, holds privileged access to every managed endpoint, so its administrative accounts and its own exposure to the internet deserve the same scrutiny as a domain controller's.
Enterprise-scale companies that already own software suites with patch management capabilities can leverage that existing infrastructure to support locally installed patch management software, recognizing that locally installed patching software must itself be administered and kept current on a regular basis.
Mobile device access to corporate networks, including both corporate-provided devices and BYOD, is now permitted by a great many companies. Be sure the organization's patch management policy also includes a methodology and capability for patching mobile devices, such as tablets and smartphones, that connect to the corporate network.
Once a patch management product has been chosen, always test patches in a sandbox environment to confirm compatibility with the organization's OSes and applications before rolling them out. If an organization lacks the infrastructure to host such a sandbox, many of the large cloud-hosting companies such as Amazon Web Services and Microsoft Azure offer free or very low-cost virtual server hosting options that are well suited to small-scale testbeds and sandboxes.
To patch or not to patch
Patch management is a frequently overlooked aspect of digital asset management for many companies, but regulatory requirements make it a mandatory IT activity for many organizations today. Keeping application software and OSes up to date with the most recent patches also protects a company from malware that exploits known, already-fixed vulnerabilities, which remain the most common route in. In addition, automated patch management ensures that deployed software includes the latest features, functionality and capabilities offered by the application or OS vendor.
Though we strongly recommend automated patch management for all companies, those strict government regulations applying to publicly traded companies take patch management from the recommended category to the mandatory category.
In part one of this series, learn the basics of automated patch management products in the enterprise