Six Considerations for Better Patch Management

Patch Management

As part of Solutions Review’s Premium Content Series—a collection of contributed columns written by industry experts in maturing software categories— Tom Bridge of JumpCloud proposes IT teams consider these six principles for better patch management.

IT and system admins know well the challenge of patch management. Whether they are dealing with vendors such as Apple or Microsoft that publish updates on a regular schedule, vendors with a less regular cadence, or urgent out-of-band updates that must be installed immediately, admins have to prioritize patching amid a workforce that is largely unaware of its importance, or unconcerned with its execution.

There’s no question that patching is becoming more complex and difficult to manage. In part, this is due to the sheer proliferation of vulnerabilities. On average, the National Vulnerability Database logged more than 50 new Common Vulnerabilities and Exposures (CVE) entries a day last year. Beyond the explosion of vulnerabilities in the wild, patching is plagued by the problem of implementation. The threat is rising: one recent SAP and Onapsis study found that critical SAP vulnerabilities were weaponized within 72 hours of a patch release, so the window between a fix being published and it being exploited can be shorter than many patch cycles. And the challenge is real: Ponemon Institute research reveals that 65 percent of businesses report that patch management is difficult to prioritize, and 74 percent say they can’t patch fast enough. Over half of IT admins report that they do not have adequate staff resources to meet the patching workload.

Teams are dealing with an increasing number of patches and rising pressure to deploy within a time-consuming and complicated device environment. Many workforces now include a mix of macOS, Windows, and Linux devices. While this offers employees flexibility, it adds cycles for the admins responsible for patching across different systems. On macOS, admins need clear visibility into which users hold local admin rights, because end users are ultimately the ones who approve and install updates on their own devices. On Windows there is more flexibility, and admins have more control over when and how patches are deployed. On Linux, patching is typically done from the terminal, for example on Debian-based systems with sudo apt-get update followed by sudo apt-get upgrade (the update step alone only refreshes the package index; it is the upgrade step that installs the patches). With permanent hybrid and remote workforces in mixed device environments, admins need to manage the patching process to secure users distributed around the country, across time zones, and across OSes, all while accounting for a growing number of applications.

Unfortunately, with all of the various tasks and responsibilities that fall onto IT teams, patch management can fall out of focus. That’s a mistake that leads to unnecessary risk. Here are a few considerations to ensure patch management has the attention it should at your organization.

Six Considerations for Better Patch Management


Maximize IT Efficiency by Centralizing Device Management

IT should consider the best use of resources, especially how admins spend their time. Instead of streamlining operations, organizations often have discrete processes and tools in place for each platform. That fragmentation makes efficiency and effectiveness hard to measure, because no single tool can answer which devices are still unpatched. By consolidating coverage of all platforms in one place, you can reduce labor costs, ease admin frustration, and surface problem spots more quickly.

Make Use of Staggered Patching

Organizations should put a staggered approach to patch delivery in place. Staggering rollouts lets you confirm that a patch works within your organization’s specifications by first deploying it to a sample set of users chosen to cover specific application needs, then collecting their feedback. Those users act as functional testers of the patch’s effectiveness, compatibility, and stability. The pilot group should mirror the production mix of operating systems and business-critical applications, and the criteria for proceeding or halting (for example, a maximum rate of failed installs) should be agreed before the rollout starts. After this stage, an organization-wide rollout is possible.

While there’s no way to eliminate the effort and complication this involves, the smaller staggered rollout will have provided the analytics and data needed to focus the wider rollout on clear communication and anticipatory troubleshooting.

Separate by Machines

Another option for optimizing the patching process is to separate out the machines for which you are responsible. Unattended devices used in shared environments, such as point-of-sale machines or kiosks, may require more effort to support. Stricter security and compliance requirements and application compatibility often mean more complexity for these machines. By treating them as a separate deployment group, you can patch them on their own terms, for example only inside a maintenance window when the device is not in use, rather than on the schedule used for employee laptops.

Remain Flexible

Developing a process for scheduling patches can bring order even amid chaotic, urgent updates. Routine patching with small, planned updates may require only a quick evaluation of compatibility before deciding whether a patch can be pushed to users immediately or needs additional testing or a limited rollout. For higher-priority patches, build in the flexibility to reprioritize based on urgency, so that downstream impacts are understood sooner. An update that closes a vulnerability already being exploited, as in the SAP case above, should jump the queue even if its compatibility testing has to be abbreviated. Have a system in place to adjust as a patch’s priority rises or falls, and communicate those changes and the resulting best practices to users.

Distribute and Seek Out Information

After the testing stage or a full rollout, it’s critical for admins both to communicate user directions and responsibilities and to capture the necessary data from the update. Admins need device monitoring that reports how widely updates have been deployed (which devices still lack the patch, not only how many have it) and what impact those updates had. If necessary, review where communication weaknesses may have led to lower adoption and draft best practices that are easy for users to follow.
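The three practices above (staggered rings, a separate group for unattended machines, and measuring how far a patch has actually landed) fit together in one small rollout scheduler. The following is an added example and not code from this column or from JumpCloud; the ring names and weights, the 2 percent failure gate, the constructed inventory of 300 laptops and 6 kiosks, and the patch identifier are all assumptions made for the illustration.

```python
"""Ring-based (staggered) patch rollout with a failure gate, a separate group for
unattended devices, and a per-group coverage report. Added illustration; not code
from the article, JumpCloud, or any product. Inventory, ring names and weights,
the 2% failure gate and the patch ID are assumptions."""
import hashlib

RINGS = ("pilot", "early", "broad")  # assumed ring names, deployed in this order
RING_WEIGHTS = (10, 30, 60)          # assumed percent of attended devices per ring


class Device:
    def __init__(self, device_id, os_name, unattended=False):
        self.device_id = device_id
        self.os = os_name              # "macos", "windows" or "linux"
        self.unattended = unattended   # kiosk / point-of-sale: patched separately
        self.patch_status = {}         # patch_id -> "pending", "ok" or "failed"


def assign_ring(device):
    """Stable ring from a hash of the device ID, so a device always lands in the
    same ring and rings are not correlated with naming order or department."""
    if device.unattended:
        return "unattended"            # own group; never rides the default rings
    digest = hashlib.sha256(device.device_id.encode()).digest()
    bucket = int.from_bytes(digest[:2], "big") % 100
    upper = 0
    for ring, weight in zip(RINGS, RING_WEIGHTS):
        upper += weight
        if bucket < upper:
            return ring
    return RINGS[-1]


def failure_rate(devices, patch_id):
    """Share of reported installs that failed; None if nothing has reported yet."""
    reported = [s for s in (d.patch_status.get(patch_id) for d in devices) if s in ("ok", "failed")]
    return reported.count("failed") / len(reported) if reported else None


def plan(devices, patch_id, max_failure_rate=0.02):
    """Next action: ("deploy", ring), ("wait", ring) while a ring is still reporting,
    ("halt", ring) when its failure rate exceeds the gate, or ("done", None)."""
    by_ring = {}
    for d in devices:
        by_ring.setdefault(assign_ring(d), []).append(d)
    for ring in RINGS:
        members = by_ring.get(ring, [])
        if not members:
            continue
        statuses = [d.patch_status.get(patch_id) for d in members]
        if all(s is None for s in statuses):
            return ("deploy", ring)   # every earlier ring has passed its gate
        if any(s in (None, "pending") for s in statuses):
            return ("wait", ring)
        if failure_rate(members, patch_id) > max_failure_rate:
            return ("halt", ring)     # stop before the wider rollout
    return ("done", None)


def simulate_rollout(devices, patch_id, outcome, max_failure_rate=0.02):
    """Drive plan() to completion; outcome(device) stands in for the install result
    the endpoint agent would report back."""
    while True:
        action, ring = plan(devices, patch_id, max_failure_rate)
        if action == "deploy":
            for d in devices:
                if assign_ring(d) == ring:
                    d.patch_status[patch_id] = "pending"
        elif action == "wait":
            for d in devices:
                if d.patch_status.get(patch_id) == "pending":
                    d.patch_status[patch_id] = outcome(d)
        else:
            return (action, ring)


def unattended_targets(devices, patch_id, window_open):
    """Kiosks and POS machines are patched only inside their maintenance window."""
    if not window_open:
        return []
    return [d for d in devices if d.unattended and d.patch_status.get(patch_id) is None]


def coverage(devices, patch_id, key):
    """Fraction of devices reporting "ok", grouped by key (e.g. key=lambda d: d.os)."""
    totals, oks = {}, {}
    for d in devices:
        k = key(d)
        totals[k] = totals.get(k, 0) + 1
        oks[k] = oks.get(k, 0) + (d.patch_status.get(patch_id) == "ok")
    return {k: round(oks[k] / totals[k], 2) for k in totals}


def sample_fleet():
    """Constructed inventory: 300 attended laptops over three OSes plus 6 kiosks."""
    fleet = [Device(f"laptop-{i:03d}", ("macos", "windows", "linux")[i % 3]) for i in range(300)]
    fleet += [Device(f"kiosk-{i}", "windows", unattended=True) for i in range(6)]
    return fleet


if __name__ == "__main__":
    fleet = sample_fleet()
    print(simulate_rollout(fleet, "PATCH-2024-01", lambda d: "ok"))   # ("done", None)
    print(coverage(fleet, "PATCH-2024-01", key=lambda d: d.os))       # kiosks drag windows below 1.0
```

The gate is the important part: the broad ring opens only after every earlier ring has fully reported and stayed under the failure threshold, so a bad patch is stopped at the pilot rather than across the whole fleet. Ring membership is derived from a hash of the device ID instead of a hand-kept list, so it is stable across runs and not tied to department or naming order; in a real deployment you would still verify that the pilot covers each OS and each business-critical application, and the coverage report is what tells you which group the stragglers are in.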

Migrate to Modern Applications

Knowing your application landscape can help with patching over time. Newer SaaS services are updated on the vendor’s side and delivered through the browser, or use more modern application delivery, so there is no endpoint patch for admins to deploy at all. Review your application inventory to see whether there’s an opportunity to migrate to modern apps that require less patching support.


Conclusion

A smart and effective approach to patching means treating it as a process, not a task. With intention and visibility, patch management doesn’t have to be a disparate, time-consuming effort that puts operations at risk. By building a system for long-term support and success, IT teams of any size can shrink the window in which known vulnerabilities are exploitable while still delivering operational performance.

Tom Bridge