
SearchSecurity.com
Know why patch management tools are required in the IT infrastructure

By Earl Follis

Updating software is a tried and true activity. Patch management tools enable the automation of updates, helping
to protect IT infrastructure and end-user computers from possible security threats, while also supporting the
installation of ongoing software bug fixes and feature enhancements.

Most software is updated by the software vendor either on a regularly scheduled basis -- think Microsoft's so-called Patch Tuesday -- or on an ad hoc basis as the need for software patching arises. A company has the choice between manually patching infrastructure servers and end-user computers or purchasing automated patch management services to reduce the time IT personnel spend keeping OSes and software applications up to date.

Whether or not to patch is not the dilemma -- companies must keep their computer software up to date with the appropriate patches. Most countries have governmental, legal, financial, healthcare and corporate regulations that require it, so patch management should be a priority for every company, regardless of location.

That said, the decision to deploy patch management tools can be influenced by a number of factors, some
specific to the company as a whole and some related to the function of IT within the company.

The patching process

Depending on the size of an organization and the duties expected of or assigned to IT, patch management is
likely considered a prime area of focus for IT infrastructure pros. In most companies, IT owns the computing
infrastructure, which includes servers, load balancers, storage arrays, appliances, network gear and more.
Obviously, IT must always take responsibility for the timely patching of those infrastructure servers and devices.

One popular approach is to create an environment where new patch releases can be tested with other installed
hardware and software prior to deployment to servers and other infrastructure devices.

In addition to keeping infrastructure computers patched and up to date, IT must also devise and implement a
process for keeping end-user computers patched. The two possible processes for implementing patch
management for end users are to define and distribute a manual process or to deploy an automated desktop patch
management system.

If an organization trusts its employees to keep their own computer patching up to date, it might also be wise to
regularly inventory a representative sample of user computers to make sure they are complying with corporate
patch management policies. Be aware, though, that trusting employees to manage their own OS and application
patching can expose a company to liability if it is subject to governmental or corporate compliance regulations.

In an organization's analysis of whether to use self-compliance or patch management tools, the business should
be sure to factor in the potential financial implications of running afoul of governance and compliance
regulations should its manual patching efforts come up short of those rules and regulations.

For example, if a company owns software inventory tools, such as Microsoft's System Center Configuration
Manager or Symantec Endpoint Management, then the underlying inventory infrastructure is already in place to
conduct regular audits of software license and patch levels. If or when software inventory audits indicate that
end-user application patches are out of date, patch management software can then be used to ensure compliance
with patching guidelines or requirements.

Although there can obviously be substantial costs to implementing a comprehensive patch management
infrastructure, for enterprise-scale companies in tightly regulated industries, the benefits of automated patch
management likely far outweigh those costs.

Let's take a look at a couple of scenarios that will help amplify the possible business cases for patch
management tools.

Scenario 1: Patching servers becomes labor-intensive

The first business case scenario for the automated patch management process usually comes to bear when the
total number of employees plus the total number of servers reaches approximately 50. At that point, IT can no
longer risk relying on employees to keep their OS and locally installed applications up to date with manual
patching.

In addition, manually patching servers can become a very labor-intensive, time-consuming process. A
quick cost-benefit analysis (see sidebar) should reveal that IT can't afford to take the time to manually install
patches on servers and other infrastructure devices once they have more than 10 to 15 servers or other patchable
devices in their infrastructure environment.

Patch management software: A cost-benefit analysis

Deciding whether or not patch management tools are right for your company should involve a series of
questions about the various seen and unseen costs of implementing patching software, balanced by the real or
perceived benefits of those costs.

Here are a few important considerations for the patch management cost-benefit analysis:

- How much does the patching software itself cost for the initial licenses and ongoing product maintenance and support?
- What are the costs of the underlying IT infrastructure required to run the patching software? Will the patching software run locally in a company data center or on a cloud-based platform?
- What are the personnel requirements, including staff hours and training, required to implement and administer patching software? Do those requirements change if the software is cloud-based versus locally hosted within an existing company infrastructure?
- Will automated patch management conserve personnel commitments and time compared to a manual patching strategy?
- Are there any other financial considerations unique to the company that could also affect the true costs? For instance, if a company is subject to governance and compliance regulations that expose it to civil liability for not keeping patches up to date, a cost-benefit analysis should include that financial risk.

A similar cost-benefit analysis should be performed for patching end-user computers, although automated patching of end-user computers and -- if necessary -- mobile devices is almost always the best approach to keeping those devices secure and up to date. Many companies use inventory software that can produce reports showing which OSes and applications are installed on end-user computers and servers, as well as the version and patch level of all the installed software. These reports can also help smaller IT shops that still have manual patching processes in place to monitor how well end users are maintaining their patch levels.
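The audit described above (comparing the versions and patch levels an inventory tool reports against the corporate baseline, then reporting which hosts fall short so patch management software can bring them into compliance) as an added example in Python. This is not code from the article or from any of the inventory or patch management products it names; the CSV export format, the hostnames, the minimum versions, the 45-day patch-age limit and the audit date are all constructed assumptions for the example.

```python
import csv
import io
from dataclasses import dataclass, field
from datetime import date

# Constructed sample export in the shape an inventory tool might produce.
# Hostnames, products, version numbers and dates are made up for this example.
INVENTORY_CSV = """hostname,role,product,version,last_patched
srv-db-01,server,Windows Server,10.0.14393.2068,2017-05-10
srv-db-01,server,SQL Server,13.0.4001.0,2017-05-10
ws-acct-07,end-user,Windows 10,10.0.15063.296,2017-06-02
ws-acct-07,end-user,Adobe Reader,11.0.19,2017-01-15
ws-eng-12,end-user,Windows 10,10.0.14393.693,2017-02-20
ws-eng-12,end-user,Java,8.0.131,2017-04-28
"""

# Assumed corporate baseline: the lowest acceptable version of each product
# and the longest a product may go without a patch cycle. Illustrative values.
MIN_VERSION = {
    "Windows Server": "10.0.14393.2068",
    "Windows 10": "10.0.15063.0",
    "SQL Server": "13.0.4001.0",
    "Adobe Reader": "11.0.20",
    "Java": "8.0.131",
}
MAX_PATCH_AGE_DAYS = 45
AS_OF = date(2017, 6, 12)  # assumed date on which the audit is run


def parse_version(text):
    """Turn a dotted version string into a tuple so it compares numerically,
    not lexically (so 10.0.15063 is newer than 10.0.9999)."""
    return tuple(int(part) for part in text.strip().split("."))


@dataclass
class HostFinding:
    hostname: str
    role: str
    issues: list = field(default_factory=list)

    @property
    def compliant(self):
        return not self.issues


def audit_inventory(csv_text, as_of, min_version=MIN_VERSION,
                    max_age_days=MAX_PATCH_AGE_DAYS):
    """Check every inventory row against the baseline and group findings per host."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        host = findings.setdefault(
            row["hostname"], HostFinding(row["hostname"], row["role"]))
        product, version = row["product"], row["version"]
        required = min_version.get(product)
        if required is None:
            # A product with no baseline is itself a policy gap worth reporting.
            host.issues.append(f"{product}: no baseline defined")
        elif parse_version(version) < parse_version(required):
            host.issues.append(f"{product} {version} below minimum {required}")
        age = (as_of - date.fromisoformat(row["last_patched"])).days
        if age > max_age_days:
            host.issues.append(f"{product}: last patched {age} days ago")
    return findings


def noncompliant_hosts(findings):
    """Hostnames that need attention from the patch management tooling."""
    return sorted(h for h, f in findings.items() if not f.compliant)


def compliance_by_role(findings):
    """Count compliant hosts per role so servers and end-user machines are reported separately."""
    totals = {}
    for f in findings.values():
        ok, total = totals.get(f.role, (0, 0))
        totals[f.role] = (ok + (1 if f.compliant else 0), total + 1)
    return totals


if __name__ == "__main__":
    results = audit_inventory(INVENTORY_CSV, AS_OF)
    for host in sorted(results):
        status = "OK" if results[host].compliant else "NON-COMPLIANT"
        print(f"{host:<12} {results[host].role:<9} {status}")
        for issue in results[host].issues:
            print(f"    - {issue}")
    for role, (ok, total) in compliance_by_role(results).items():
        print(f"{role}: {ok}/{total} compliant")
```

The per-role summary is the figure a small IT shop with a manual process would track over time; a falling end-user compliance rate is the signal the article describes for moving from self-compliance to an automated tool. Note that the age check deliberately uses a strict comparison, so a host patched exactly 45 days before the audit still passes.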

In addition to larger enterprises, automated patch management tools are an excellent option in smaller
companies where manual end-user patching consistently falls short, leaving the company vulnerable to malware,
intrusions, and possible legal or regulatory ramifications.

Scenario 2: Mitigating risk

The second business case scenario for automated patch management -- and this one is a strong one -- is of particular interest to publicly traded companies subject to federal rules and regulations, such as the Sarbanes-Oxley Act, the Financial Industry Regulatory Authority, the Federal Rules of Civil Procedure and the Health Insurance Portability and Accountability Act. In these cases, ongoing patch management may be a statutory requirement, with significant criminal and civil penalties possible for the CEO and CFO if these regulations are violated.

In addition to meeting regulatory requirements, patching may be a required process in order to protect the
organization from potential lawsuits from customers, suppliers and others who may be financially damaged by
patch-related issues in the corporate network. For instance, if malware is introduced to an organization's IT
infrastructure via a bug for which a fix has already been distributed, and should that malware lead to the
accidental or purposeful release of personally identifiable information that damages others, the ensuing civil
liabilities can be substantial and ongoing.

Consider this business case to be based on mitigating the risk of financial and legal consequences for not
keeping an organization's infrastructure and end-user computers patched. Regardless of the cost of automated
patch management tools, it is important to bear in mind what's at stake for publicly held companies that don't
have a verifiable, repeatable, automated patch management process. Depending on a company's specific
operating environment and governance compliance guidelines, a great deal of time, money and customer
goodwill is at stake should a patch-related incident cause harm to the corporate stakeholders. The cost to
implement patch management tools is typically relatively minor compared to the cost of defending the company
from legal or regulatory actions spurred by a lack of automated patch management.

Don't overlook patch management

Patch management is a frequently overlooked aspect of digital asset management for many companies, but
regulatory requirements make patch management a mandatory IT activity for many organizations today.
Keeping application software and OSes up to date with the most recent patches also protects a company from
malware attacks due to unseen bugs and other vulnerabilities. In addition, patch management tools assure that
deployed software includes the latest features, functionality, security and capabilities offered by the application
or OS vendor.

Although it is strongly recommended that all companies employ automated patch management, those strict
government regulations applying to publicly traded companies take patch management from the recommended
category to the mandatory category.

12 Jun 2017

All Rights Reserved, Copyright 2000 - 2017, TechTarget | Read our Privacy Statement
