As a security consultant, one complaint I hear frequently from my customers is that patching is a pain. The amount of time many companies spend on patching, the problems they have deploying patches, the perception that patching causes problems, and a general lack of understanding about what it takes to patch, all combine to make patching such a major issue. This generally means patching is not carried out for months and security is put at risk. However with proper planning and a patch management strategy, patch management is not such an issue after all. I have helped numerous customers implement patch management and there are seven tips that I adopt:
- Have senior management make patching a priority
If admins are allowed to patch (or not) as they see fit, and if you are expected to “do the best you can” with patching, you’re doomed to fail. Senior management must set the expectation that patching is critically important, mandatory, and they will need to support that.
- Implement a patch management solution
Part of that support from senior management will include implementing a patch management solution. The free ones are worth every penny you pay for them, which is not to say that they are not useful, but they typically focus on the operating system, and leave the applications out in the cold. A patch management solution is the best way to automate the testing, patching, auditing, and reporting steps that manual patching makes so painful.
- Include third party applications
Your patch management system must be able to deploy patches for your third party applications. Media players and readers, line of business applications, and the various utilities that are found on practically every workstation, and many servers, must also be patched.
- Testing is not optional
It’s better to deploy an untested patch than to not patch at all, but you roll the dice every time you do. Designate a sampling of key users and servers, and deploy patches to them early so that you can be sure that the patches play nicely in your environment before you patch all the systems.
- Create a patching window that is inviolate
Set a regular patching window that takes priority. Publish it so that other business units can plan around your patching activities, and make sure that the senior management support includes supporting the patching window so that you can get workstations and servers updated quickly.
- Ensure 100% compliance
Never assume a patch is deployed successfully to every system. Your patch management solution should be able to report on the status of all systems, that patches are deployed successfully, and you should spot audit systems to be absolutely certain you’ve covered everything.
- Ensure you can roll back
Even with testing, there’s a chance you will deploy a patch only to later find out that it causes a problem. Choose a patch management application that can roll back or uninstall patches that it pushes out, just in case a problem is discovered late in the game.
If you take these seven tips to heart and implement them in your environment, you will find patching to be an easy, straightforward, and enjoyable part of systems management.
This guest post was provided by Casper Manes on behalf of GFI Software Ltd. GFI is a leading software developer that provides a single source for network administrators to address their network security, content security and messaging needs. Learn more about the right patch management solution.
All product and company names herein may be trademarks of their respective owners.