Managing Patch Pain

The best medicine for application flaws is automated patch management. To kick off our latest Rolling Review, we'll size up key trends and vendors.

Michael Biddick, CEO, Fusion PPT

November 21, 2007


SOFTWARE VENDORS TO THE RESCUE?
In general, there are four classes of patch management products, based on what they patch and how they use agents: Windows desktops and servers with optional agents, Windows desktops and servers with required agents, multiplatform systems with required agents, and multiplatform systems with required agents and a virtualization support/data center focus. Here's a preview of some products we hope to test.

Windows desktops and servers with optional agents:
Many organizations are willing to devote specialized resources to patching their hundreds or thousands of Windows desktops and servers before a virus or malicious code spreads throughout the network, resulting in substantial downtime. Shavlik Technologies' NetChk Protect combines patch and spyware management with the option of using an agent-based or agentless architecture; it can patch nearly 700 applications as well as Windows operating systems. Many vendors, including BMC, Microsoft, and Symantec, use Shavlik products within their patch management suites.

Like NetChk Protect, Ecora Software's Patch Manager gives IT administrators the option to use agents or run without them. With a concentration on discovery, patch assessment, and patch installation on both Windows workstations and servers, Ecora uses bandwidth throttling to limit the network resources dedicated to patching. Critical functions such as patch rollback, wake on LAN, and the ability to designate a test environment for patching before production deployment are all promised in Ecora, and a variety of reports are included that will aid in auditing and compliance.

Top 7 Patching Mistakes

1. Not testing the patch prior to rollout.
Some patches will be incompatible with, or even totally break, other applications.

2. Not having a rollback version.
If the patch fails, you need the ability to retreat gracefully.

3. Killing the network.
Deploying multiple patches at the same time across the network will grind other applications to a halt and raise the ire of users.

4. "Reboot required" during production hours.
Many patches require users to restart systems. When possible, deploy these after hours.

5. Missed patches.
Often a user call or virus initiates a frantic search for a missing patch. Stay on top of releases to minimize downtime.

6. No patch audit trail.
If you patch regularly, you need to keep track of what fixes were applied, and when, for auditing and reporting.

7. No formalized patch process.
A defined policy that specifies who may approve patches and the procedure to deploy them is critical to patch management success.
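As an added example (not from the article or any of the vendors it covers), the small Python rollout gate below turns the seven mistakes above into checks: items 1 to 4 and 7 block a deployment, item 5 is a missing-patch report against a host inventory, and item 6 is the audit record written for every decision. The policy thresholds, approver accounts, patch ids, host names and timestamps are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Set

# Constructed policy values for this example, not from the article
PRODUCTION_HOURS = range(8, 18)   # 08:00-17:59 is production time (mistake 4)
MAX_BATCH = 50                    # hosts per wave; larger waves get staged (mistake 3)
APPROVERS = {"alice", "bob"}      # accounts allowed to approve a patch (mistake 7)

@dataclass
class Patch:
    patch_id: str
    tested: bool                  # verified in the designated test environment
    rollback: Optional[str]       # rollback package/version, None if there is none
    reboot_required: bool
    approved_by: Optional[str]

def gate(p: Patch, targets: List[str], start: datetime) -> List[str]:
    """Return violations keyed to the numbered mistakes; an empty list means go."""
    problems = []
    if not p.tested:
        problems.append("1: patch not tested prior to rollout")
    if p.rollback is None:
        problems.append("2: no rollback version available")
    if len(targets) > MAX_BATCH:
        problems.append(f"3: {len(targets)} targets exceed batch size {MAX_BATCH}")
    if p.reboot_required and start.hour in PRODUCTION_HOURS:
        problems.append("4: reboot required during production hours")
    if p.approved_by not in APPROVERS:
        problems.append("7: not approved under the formal patch process")
    return problems

def missing_patches(required: Set[str], installed: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Mistake 5: per host, the required patches that are not installed."""
    return {h: required - have for h, have in installed.items() if required - have}

def audit_record(p: Patch, targets: List[str], start: datetime, violations: List[str]) -> dict:
    """Mistake 6: one record per decision (what, where, when, who, outcome) for an append-only log."""
    return {"patch": p.patch_id, "targets": targets, "scheduled": start.isoformat(),
            "approved_by": p.approved_by, "violations": violations,
            "decision": "deployed" if not violations else "blocked"}

# Constructed sample patches, inventory and schedule times
GOOD = Patch("PATCH-001", True, "PATCH-001-rollback", True, "alice")
BAD = Patch("PATCH-002", False, None, True, "mallory")
INVENTORY = {"ws01": {"PATCH-001"}, "ws02": {"PATCH-001", "PATCH-002"}}
AFTER_HOURS = datetime(2007, 11, 21, 22, 0)
BUSINESS_HOURS = datetime(2007, 11, 21, 10, 0)
```

Feeding a gate decision straight into audit_record means a blocked rollout leaves the same trail as a deployed one, which is what the audit and reporting requirement in item 6 asks for.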

Windows desktops and servers with required agents:
Agents are typically used in environments where IT may not have dedicated access to managed devices, such as laptops that connect sporadically to the corporate network. Agents may also come in handy when you need to distribute network traffic related to patching, and they tend to provide tighter control over devices.

Kaseya's Patch Management software automatically discovers missing patches and updates, and it can automate deployment and installation of patches on a defined schedule. Once initial scans are completed, IT can review results for each machine and decide if, when, and how each missing patch or update will be applied. IT administrators also can track and approve patches for auditing and reporting.

Novell's Zenworks Configuration Management focuses on notifying IT when a new security update exists and ensuring that the update has been staged for distribution. Novell provides a team of security experts to track software vendor support sites and update feeds to organizations.

IBM's Configuration Manager provides Microsoft client and server software patch automation capabilities in distributed environments. Configuration Manager also can scan clients for missing patches, build patch plans, and distribute required patches to clients. Like IBM, CA Unicenter's Patch Management is focused on Windows--in its case, desktop environments. CA monitors for newly available patches and validates available patches.

Multiplatform with required agents:
If your environment includes Unix, Linux, and/or Mac OS, you'll turn to vendors that support cross-platform applications and operating systems. In addition to offering a broader suite of policy management products, BigFix provides patch management and security update delivery for major operating systems as well as common applications, and it can handle more than 50,000 devices. You will need to run the BigFix Server on Windows and deploy an agent on every managed node.

LANDesk's Patch Manager includes a subscription service that will collect and analyze patches for heterogeneous environments. Like other suites, it scans managed devices to identify application and operating system vulnerabilities; when it discovers an issue, you can download the associated patch and research requirements, dependencies, interactions, and known issues. LANDesk monitors the status of each installation and provides bandwidth throttling, staging, and detailed policy and compliance reporting.

BMC Patch Manager, formerly Marimba, provides testing capabilities that allow administrators to minimize risk by analyzing the impact a patch will have on an endpoint. The BMC Patch Manager Policy Engine facilitates the initial patch installation and continually monitors patches to ensure that they stay installed. Lumension's PatchLink Patch Management suite automates the collection, analysis, and delivery of software patches to a wide range of operating systems. It also focuses on reporting.

Other vendors deploy configuration management databases to manage and control patches. Configuresoft's Enterprise Configuration Manager automatically discovers new systems and tracks configuration changes at scheduled intervals to ensure that the latest patch information is available. It groups machines by function or role and supports patch testing across different configurations. The software continually updates the patch status of all machines and maintains an audit history of patch deployment, extremely useful for compliance reporting. Similarly, Symantec's Altiris Patch Management is focused on a central, extensible repository.

Multiplatform with required agents, virtualization support/data center focus:
As organizations move toward data center consolidation and virtual machines for cost reduction and improved efficiency, ensuring that IT can maintain those consolidated servers is key. Patch management is critical, and care must be taken to work with vendors that can support complex, heterogeneous operating system environments that include servers running Windows, Linux, and Unix on VMware. HP's Opsware/SAS and BladeLogic fit well here.

BladeLogic is focused more on the data center server environment than the desktop world and supports operating systems, server components such as middleware, utilities, system software, and multitier apps in virtualized environments. BladeLogic Configuration Manager uses a policy-based approach where changes are applied to a policy, then synchronized with target servers. The company says this bidirectional method significantly lowers the costs and errors associated with managing servers. Configuration Manager also features a cross-platform command line interface that supports single sign-on using a range of authentication protocols. All communication is encrypted, and all user actions are logged and can be authorized based on role, which is key for highly secure environments and something that may not be available in midmarket products.

Opsware SAS will automatically discover server hardware, configurations, and software. With broad configuration and provisioning capabilities, SAS can identify and patch a large number of servers as well as create and enforce patch policies. SAS also uses best practices in audit and remediation definitions to enable fast response to security or compliance vulnerabilities that require patches.

Illustration by Michael Sloan

About the Author

Michael Biddick

CEO, Fusion PPT

As CEO of Fusion PPT, Michael Biddick is responsible for overall quality and innovation. Over the past 15 years, Michael has worked with hundreds of government and international commercial organizations, leveraging his unique blend of deep technology experience coupled with business and information management acumen to help clients reduce costs, increase transparency and speed efficient decision making while maintaining quality. Prior to joining Fusion PPT, Michael spent 10 years with a boutique-consulting firm and Booz Allen Hamilton, developing enterprise management solutions. He previously served on the academic staff of the University of Wisconsin Law School as the Director of Information Technology. Michael earned a Master's of Science from Johns Hopkins University and a dual Bachelor's degree in Political Science and History from the University of Wisconsin-Madison. Michael is also a contributing editor at InformationWeek Magazine and Network Computing Magazine and has published over 50 recent articles on Cloud Computing, Federal CIO Strategy, PMOs and Application Performance Optimization. He holds multiple vendor technical certifications and is a certified ITIL v3 Expert.
