Product Group Tests
Patch management (2010)
Shavlik NetChk Protect 7.2 is our Best Buy for its fantastic feature set, excellent documentation and support offerings.
A solid solution that scales well, ZENworks Patch Management is our Recommended product.
Full Group Summary
We review five software approaches to dealing with the bane of IT stakeholders. By Nathan Ouellette.
As we venture into 2010, one thing remains unchanged: keeping up with the latest patches from multiple vendors is the bane of many IT stakeholders. Many organisations have to deal with legacy environments, heterogeneous server farms and disparate builds. The flow of security bulletins, hot-fixes and service packs seems never-ending, and applying them non-intrusively is a science in itself.
Organisations that need to seek relief from the quagmire of patching may notice a few key changes in the technology these days. The staples of patching still remain in most of the products we reviewed; however, several are now helping organisations defend against client-side attacks.
Some still provide a basic subscription to update Windows-based operating systems; others include application patches as well. Patching of popular client-side victims such as Adobe, MS Office and even various browsers has also been introduced and automated. Organisations struggling to protect and update these often overlooked components may be intrigued by such additional features.
Overall, the patch management market feels similar to years past, but it has not been immune to convergence either. In many of the products we tested, patch management is simply another module or licence within an overall suite. Standalones remain, but buyers will have to decide whether to invest in an additional agent and server component or attempt to integrate a technology into an overall long-term strategy.
In this issue
For this review, none of the suppliers submitted an appliance-based solution, and since they are all software products, they required at least a backend server and a database capable of scaling. For buyers, this ironically represents yet another host that needs to be patched, so our server host also doubled as a guinea pig for patching.
The patch management domain can easily spill over into any other IT operations area and have the word 'management' appended to it. These include, but are not limited to, asset, configuration, vulnerability, compliance, policy and other management endeavours. Canny buyers will do well to look for products that include several of these features under one licence.
Many of the products we reviewed have interesting modular and licence models that might be confusing with regard to which features may be needed. Be prepared to ask questions of any vendor if your needs exceed pure patch management and carry over into other areas.
All of the products in this group under review performed well at the patch management basics. These include some form of asset discovery (although certain products require the initialisation of an agent deployment task in order to discover hosts), patch level querying, deployment of patches and, finally, reporting.
The actual distinction between vendors is in the cost per node for the perpetual subscription or maintenance. Vendors that manage to provide value above and beyond simply aggregating patches for you to download represent an exponential ROI.
How we tested
All server software was installed within a virtual farm in our lab. Our server machines consist of Windows 2003 RC2 images managed with Hyper-V within Windows 2008. All of our server products either recommended or mandated installing on Windows 2003. We did not encounter any that mandated an installation on Windows 2008. Microsoft SQL Server (or variations) was used for all backend database repositories. All client software agents were deployed to virtual instances of Windows XP SP2.
As always, the areas we focused on were product installation, ease of administration, usability in an enterprise environment, user experience, support, price and overall value for the money. Although performance of patching was touted by some vendors, we felt that control over how endpoints are patched was more important than measuring how fast they could be patched.
Considerations such as order of patching, types of software vendor patches available and ancillary features of the product were reviewed as well.
Both our Best Buy and our Recommended awards were given to vendors that went the extra mile: additional features beyond basic patching that were included in the licence, easy-to-understand product licensing and capabilities, and useful minutiae that many administrators appreciate when making buying decisions.