Mathivanan V, director of product management, ManageEngine

Protecting a business by managing all the software patches it needs is a critical task, especially with the rapid growth of cyber-crime. That's why patch management is a major component of any organisation's IT strategy. Yet without advanced automated solutions, patch management can be very time-consuming for administrators. It can also irritate end-users when systems suddenly slow down or become unavailable. 

In large part, this problem is one of complexity. Today, most businesses are run on Linux servers and many designers prefer Mac to Windows. Every enterprise dreams of securing all its computers from vulnerabilities and keeping them up to date, but when multiple operating systems are in constant operation, it all becomes very complicated. 

A patch manager's idea of heaven probably involves an almost entirely self-sufficient tool that keeps applicable systems up to date, without troublesome, time-consuming daily intervention from the hard-pressed IT admin. 

Receiving, distributing, and installing routine monthly Microsoft operating system and application patches on Patch Tuesday, for example, certainly benefits from automation. 

Yet patching third-party applications on a desktop remains a significant challenge for many organisations because of the fragility of many server environments. When virtualisation is added, admins can face even greater complexity. This is true especially when resources are limited, as is the case in many medium and large-sized businesses. For example, Java, Adobe Reader, Flash, and Firefox, along with many other business-specific applications, are often patched considerably later than Windows and Office. 

Hundreds of patches are released each month, many in a direct response to the rise of cyber-crime, heaping even more pressure on the IT department. The IT department has to decide which patches to install and which to ignore, and figure out the best order to install patches. Delaying patch deployment could expose the business to a devastating ransomware or zero-day attack—and we all know who receives the blame when that happens. 

However, with so many different business-critical platforms and configurations in play, the best course of action may be for an administrator to wait a while before installing newly-released patches. 

Testing patches before implementation, although necessary, can complicate matters further. While it is important to test patches to ensure their stability, this can be difficult to do when an organisation does not have the hardware, software, or personnel readily available to create a testing environment. 

Insufficient software inventory management makes patching even more challenging, because administrators need a current and complete inventory of installed software to patch every device in their network. 

Even when the IT department has an accurate inventory of systems, a list of controls, a system for collecting and analysing vulnerability alerts, and a risk classification system, it still has to deploy patches without disrupting normal operations. 

Nevertheless, automation is already overcoming many of these hurdles, using a single interface to make the whole process of patch management much easier. Automation of the entire patch management life cycle makes it possible to detect missing patches without staff intervention. Patches are downloaded from the respective vendors' websites and tested, as required, in relation to the business's own assessment of its risk and business priorities. 

However, when opting for automation it is important to ensure that every one of an organisation's current IT infrastructure platforms, including operating systems and applications, is addressed and that remote offices and roaming devices are always included. Where necessary, administrators should be able to exclude patches for specific groups of devices or departments. 

Automation also makes it possible to minimise the burden on end-users by installing patches during non-business hours, or at least when applications are not in use. Devices are woken up before patches are deployed and then rebooted after installation. The word “automation” can sometimes suggest an undesirable level of rigidity, but in reality, it gives admins all the flexibility they need. For example, administrators can postpone a patch if an end-user is on a slow network link at a remote office or sales conference. 

Automation also resolves the lack of access to detailed reports, a common problem with potentially serious consequences. It is worth remembering that incomplete patching reports can place devices and applications at risk. If a business has to meet specific industry compliance standards, these risks are never worth taking because they can place an organisation's entire IT infrastructure in jeopardy. 
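The life cycle described above (reconcile the software inventory against the vendors' patch catalogue, honour per-group exclusions, schedule deployment outside business hours with wake-up and reboot flags, and report compliance) as an added, self-contained illustration; this is not ManageEngine code, and the inventory, catalogue, version formats and maintenance window are constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed inventory: device -> (group, {product: installed version})
INVENTORY = {
    "ws-design-01": ("design",  {"firefox": "118.0", "java": "8u381"}),
    "ws-sales-02":  ("sales",   {"firefox": "119.0", "reader": "23.006"}),
    "srv-db-01":    ("servers", {"java": "8u371"}),
}
# Constructed vendor catalogue: product -> (latest version, severity, needs reboot)
CATALOGUE = {
    "firefox": ("119.0",  "high",     False),
    "java":    ("8u391",  "critical", True),
    "reader":  ("23.006", "medium",   False),
}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

def version_tuple(v):
    """Turn '8u381' or '119.0' into integer parts so versions compare numerically."""
    return tuple(int(p) for p in v.replace("u", ".").split("."))

def missing_patches(inventory=INVENTORY, catalogue=CATALOGUE, excluded_groups=()):
    """Return [(device, product, latest, severity)] for out-of-date installs,
    skipping devices in groups an admin has excluded, most severe first."""
    gaps = []
    for device, (group, software) in inventory.items():
        if group in excluded_groups:
            continue
        for product, installed in software.items():
            latest, severity, _ = catalogue[product]
            if version_tuple(installed) < version_tuple(latest):
                gaps.append((device, product, latest, severity))
    return sorted(gaps, key=lambda g: (SEVERITY_RANK[g[3]], g[0]))

def plan_deployment(now, gaps, catalogue=CATALOGUE, window_hour=22):
    """Place every gap in the next off-hours slot (22:00 here) and flag whether
    the device must be woken first and rebooted afterwards."""
    slot = now.replace(hour=window_hour, minute=0, second=0, microsecond=0)
    if slot <= now:
        slot += timedelta(days=1)
    return [(device, product, slot, catalogue[product][2])
            for device, product, _, _ in gaps]

def compliance_report(inventory=INVENTORY, catalogue=CATALOGUE, excluded_groups=()):
    """Share of in-scope devices with nothing outstanding, plus the open gaps."""
    gaps = missing_patches(inventory, catalogue, excluded_groups)
    in_scope = [d for d, (g, _) in inventory.items() if g not in excluded_groups]
    behind = {d for d, *_ in gaps}
    pct = 100 * (len(in_scope) - len(behind)) // max(len(in_scope), 1)
    return {"compliant_pct": pct, "gaps": gaps}
```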

Although IT departments continue to face many challenges when it comes to patches, they no longer need to spend so much time grinding through manual processes. Well-designed patch management solutions go far beyond cutting out the drudgery. They also let organisations know how well they're doing in terms of patching, reassuring enterprises that they can secure their network without compromising business performance. 

Contributed by Mathivanan V, director of product management, ManageEngine

*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.