Automate your way out of patching hell

IT departments are often criticised for their remoteness from the business. One cause could be highlighted by recent research numbers from IDC, which found that as much as 70 per cent of IT time is spent on maintenance and administration, leaving only 30 per cent available to focus on innovation for the business. Internal Dell research puts this even higher, at 80 per cent of time being spent on updates.

As IT has become more complex and distributed, the overheads involved in keeping systems running have significantly increased. IT managers cite the time spent on updating, maintaining, and patching systems as one of their greatest overheads.

Security patching, in particular, can be a burden. Microsoft alone can release more than a dozen critical patches during its monthly “Patch Tuesday” bulletins. Then there are additional, out-of-band patches, patches from other software vendors, and updates for hardware, firmware and development systems.

Patching is a priority
Patching is critical, as unpatched systems continue to represent a real security flaw in many businesses’ networks. A study by NIST, the U.S. technology standards body, revealed that 90 per cent of successful attacks against companies exploited known vulnerabilities that could have been prevented if the systems had been correctly patched.

Patch management that is not centralised gives rise to other issues, aside from the security risks and the time it takes up. Without the appropriate policies in place, companies run the risk of deploying untested patches that can cause problems for other applications or other areas of the IT infrastructure.

For example, an IT department that allows users to manage their own patch updates runs the risk of disrupting or breaking critical business processes with an untested patch. This is most common with highly customised applications or software written in house; however, off-the-shelf software is by no means immune to exposure.

Companies that do not centralise their patch management can also find that they have unnecessarily high energy bills. One of the most common reasons for not running desktop power management technology, or for not instructing staff to switch off their PCs overnight, is the need to install patches out of hours.

The case for patch management
As a result of these challenges, more businesses are looking at centralised systems for patch management. Patching desktop computers and servers, smartphones and tablets, and their applications is too large a task to be carried out manually. Even if IT had the time to patch systems manually, automated patch management has been shown to be more reliable and more secure.

Automatic patching, for example, is designed to manage exposure to the growing number of exploits that are specifically built to take advantage of systems before they are patched or upgraded.

Although the IT security industry, rightly, focuses on “zero day” exploits that aim to make use of vulnerabilities before vendors issue a patch, in too many cases hackers and cyber-criminals are able to gain entry to unpatched systems long after the patches have been released.

Companies can cause downtime and disruption through an uncoordinated approach to patching, especially where patches are applied without testing and the necessary compatibility checks.

To minimise the risk posed by patches, companies should look at testing patches themselves or using a patch supplier that handles testing, and at quarantining unpatched computers until the patches have been tested.

Automating patching: a business case
Although there is a cost associated with the deployment of any patch management solution, the benefits far outweigh the investment in terms of product and/or time to implement a tool. Automating patch management reduces security risks, reduces downtime through untested updates and conserves valuable IT resources. It also helps employees to remain productive: rather than installing patches during work hours, updates can be implemented outside of this core working time automatically.

Not only does this mean that users can have their apps and machines kept up to date, the IT team does not have to be on site during those installs either. By “waking up” machines during the evening and then applying the necessary patches, IT can keep machines up to date while ensuring that desktops are powered down when not in use.

The automation of patch management provides the following quantifiable business benefits that can be used to build a business case: higher speed and capacity when it comes to managing patches; removing the patch workload from production IT systems; and granular control over the application of patches to end-user systems. In addition, good patch management systems give detailed reports and alerts. As a result, IT administrators have an instant view of the health of their systems.

As every company’s IT installation differs, there cannot be a single approach to patching or a single patch management system that meets all their needs. Instead, a good patch management system will pay for itself if it can be customised to fit the organisation’s needs, makes it easy for IT administrators to create templates for common and frequent processes, and provides a robust patch testing regime.

Industry analysts point out that centralised patch management can reduce the time it takes to deploy patches or update security software by up to 80 per cent. This represents a significant time and cost saving for IT. Yet the real benefit lies less in cost and time savings, or even in improved employee productivity.

It comes from the knowledge that, by automating patching, systems are as secure as they can be – and that the company’s systems are not exposed to attacks that could, and should, have been avoided.