What is patch management? Lifecycle, benefits and best practices
Patch management is the subset of systems management that involves identifying, acquiring, testing and installing patches, or code changes, that are intended to fix bugs, close security holes or add features.
Patch management requires staying current on available patches, deciding which patches are needed for specific software and devices, testing them, making sure they have been properly installed and documenting the process.
This comprehensive guide explains the entire patch management process and its role in IT administration and security. Click on the hyperlinks for detailed articles on patch management processes, tools and best practices.
Why is patch management important?
The number and variety of endpoint devices in need of patching is exploding as 5G networks come online, mobile apps proliferate and more companies deploy IoT technology. Furthermore, the rise of AI is providing hackers with new tools for penetrating networks. All of this is making patch management simultaneously more complex and essential.
Patch management helps keep computers and networks secure, reliable and up to date with features and functionality the organization considers important. It is an essential process for ensuring and documenting compliance with security and privacy regulations. It can also improve performance and is sometimes used to update software to work with the latest hardware.
How does patch management work?
Patch management works differently depending on whether a patch is being applied to a standalone system or systems on a corporate network. On a standalone system, the operating system and applications will periodically perform automatic checks to see if patches are available. New patches will often be downloaded and installed automatically.
In networked environments, organizations generally try to maintain software version consistency across computers and usually perform centralized patch management rather than allowing each computer to download its own patches. Centralized patch management uses a server software application that checks network hardware for missing patches, downloads the missing patches and distributes them to computers and other devices on the network.
A centralized patch management server does more than just automate patch management; it also gives the organization more control over the patch management process. For example, if a particular patch is found to be problematic, the organization can configure its patch management software to prevent the patch from being deployed.
Another advantage of centralized patch management is that it helps conserve internet bandwidth. It makes little sense from a bandwidth perspective to allow every computer in an organization to download the exact same patch. Instead, the patch management server can download the patch once and distribute it to all the computers designated to receive it.
Although many organizations handle patch management on their own, some managed service providers (MSPs) perform patch management in conjunction with the other network management services they provide to clients, which can minimize the administrative hassles of doing the work in-house.
What are the benefits of patch management?
Most major software companies periodically release patches, which can serve any of three primary purposes:
- Patches are often used to address security vulnerabilities. If a software vendor discovers a new security risk in one of its products -- such as a zero-day vulnerability -- typically it will quickly issue a patch to address the risk. It is important for organizations to apply security patches as soon as possible because hackers and malware authors know about the security vulnerabilities a patch is designed to correct and will actively look for unpatched systems.
- Patches can fix bugs, improving the software's stability and eliminating annoying problems.
- Vendors also release patches to introduce new software features. Feature updates are becoming more common because of the growth of subscription-based cloud software.
What are the challenges of patch management?
Buggy patches are the most common problem in patch management. Sometimes a patch will introduce problems that didn't exist before. They might show up in the product that is being patched or in other software that has a dependency relationship with the patched software. A patch might also have to be removed if the vendor releases a patch that can't be put in place while the previous patch remains on the system. Because patches can sometimes cause issues in a system that was previously working correctly, it is important for administrators to test certain patches before deploying them.
Another common problem is that disconnected systems might not receive patches in a timely manner. For example, if a mobile user rarely connects to the corporate network, their device might go for long periods without being patched. In such cases, it could be better to configure the device for standalone patch management rather than relying on centralized patch management.
The sharp increase in remote work brought about by the COVID-19 pandemic added a new problem: managing patches on a wider range of endpoints that connect to the network through various security mechanisms. While some users might connect to applications on a highly secure VPN, others might use single sign-on from the public internet, log into some applications individually or use unsecure Wi-Fi networks. In doing so, they're exposing more places for hackers to enter the corporate network, which can mean more patches to deploy.
Remote patch management best practices, including remote access controls and rollback provisions to keep systems running when connections are lost, can keep systems up to date regardless of their location.
Patch management lifecycle
The main stages of the patch management process -- identifying, acquiring, testing, deploying and documenting patches -- are supported by the following important steps:
- Inventorying devices, operating systems and applications.
- Deciding which software versions to standardize on.
- Categorizing IT assets and patches by risk and priority.
- Testing patches in a representative lab or sandbox environment.
- Running a pilot on a sample of devices (an optional step).
- Planning the rollout, including identifying who is responsible for it and which patches should be installed on which devices.
- Verifying that patches have been installed.
- Continuously monitoring systems for missing patches.
- Documenting patches, vulnerabilities, test results and deployments, which helps in analyzing and improving the process.
Patch management best practices
System management software vendors, MSPs and consultants have expertise in making patch deployment smooth and effective. Among their oft-mentioned patch management best practices are the following 10 recommendations:
- Know what you're responsible for patching. This entails clearly identifying patch targets and their locations. In addition, building or acquiring a patch catalog helps keep patches organized.
- Create standard and emergency patching procedures. Emergency patches have to be installed outside the windows established for regularly scheduled patching. There should be clear procedures for both.
- Understand vendor patch release schedules. The number and types of operating systems, applications and endpoint firmware installations vary significantly, as does the timing of the patches available for them.
- Design and maintain a realistic test environment. It should closely match the production environment, including workload fluctuations, and will need to be updated when the production environment is changed. A test environment can be expensive and hard to scale, so a representative sample of assets is often used instead. Another option is a virtual test environment designed to replicate the production environment on a single computer or cloud service such as AWS or Microsoft Azure. There are also online services that handle the replication process.
- Review the patch process and results. Analyzing patch management KPIs can also help identify potential improvements.
- Prioritize patches by risk level. Assign assets a criticality level according to their importance to business processes, optimal downtime and vulnerability risk. Test, schedule and apply patches for the most critical assets before less essential ones.
- Stay abreast of security vulnerabilities. For commercial software, subscribe to reputable sources, such as the Common Vulnerabilities and Exposures catalog of the U.S. government. For internally developed applications, use a software composition analysis tool to track their open source and third-party components.
- Deploy patches as quickly as possible. Users might complain about being inconvenienced, but the longer you wait, the greater the chance that hackers will find a way in.
- Execute production rollouts in stages. Dedicate the initial rollout to less critical systems. If the patches perform as expected, continue the rollout until every system is updated.
- Create a contingency and rollback plan. In the event something goes wrong, have a backup or image snapshot of systems before starting patch deployment so they can be restored to their previous state.
Examples of patch management
Microsoft often provides patches to its Windows operating systems and applications such as Office. The patches are normally released on a scheduled monthly basis, often on a day that has come to be known as Patch Tuesday.
Standalone systems rely on Windows Update to automatically download and deploy available patches. In business environments, it is much more common to use Windows Server Update Services (WSUS), which is included with Windows Server and specifically designed to centralize patch management. There are also numerous third-party WSUS alternatives for managing, downloading and deploying Microsoft patches.
Many IT departments also maintain systems that run the open source Linux operating system. Linux patch management is similar to Windows patching, but there are more Linux distributions, which means becoming familiar with the different patching procedures of several vendors instead of just one. Apple macOS also has built-in software update tools.
An organization can have several versions of an operating system, which makes it challenging to keep every system up to date without using centralized patch management. Many third-party patch management tools support macOS, along with Windows and Linux.
Patch management in cybersecurity and vulnerability management
The increase in cyberattacks in recent years makes cybersecurity the most compelling reason for deploying patches. Patch management is an important part of vulnerability management, a much broader strategy for discovering, prioritizing and remediating the security vulnerabilities of network assets. Patch management remediates the risks identified in a vulnerability assessment by upgrading software to the most recent version or by temporarily patching it to remove a vulnerability until the software vendor releases an upgrade that contains the fix.
Given this emphasis on cybersecurity, software patch testing also includes documenting the test process for security compliance purposes, as well as developing alternative vulnerability management plans in case security patches can't be installed on the required devices.
Vulnerability management includes the following steps:
- Network scanning to identify users and devices on the network, the same technique hackers use to search for vulnerable targets.
- Penetration testing, which mimics the tactics of hackers to identify vulnerable parts of the network.
- Verification to confirm that a vulnerability identified during scanning and testing can, in fact, be exploited.
- Mitigation, such as taking a vulnerable system offline to prevent vulnerabilities from being exploited before a patch is available.
- Reporting that uses data management, predictive analytics and visualization tools for evaluating the organization's vulnerability management process and complying with regulations.
In recent years, IT and security teams have begun to apply more risk management methods to improve the efficiency and effectiveness of their patching and vulnerability management strategies. Risk-based vulnerability management makes a priority of addressing the issues that pose the greatest risk to the most critical systems. It involves identifying an organization's specific needs and security posture instead of wasting resources chasing after generic threats. Risks are scored using tools such as the Common Vulnerability Scoring System.
The same kind of risk analysis is increasingly applied to the process of designating patches for deployment. In risk-based patch management, organizations assess the risk presented by the issue a patch is meant to fix, then start by deploying the patches that affect critical systems or address other priorities, such as regulatory compliance.
A distinct category of vulnerability management tools is used for scheduling and documenting these processes and partly automating them. Some vulnerability management tools have patch management as a component.
How to choose the right patch management software
Patch management tools are available on premises or in the cloud, and many vendors offer both deployment options, though SaaS is starting to take over.
Besides delivering patch management from the cloud, the newer tools expressly tackle the specific patching needs of cloud systems, which have grown in importance as organizations move more applications to the cloud. These cloud patch management tools help cut through confusion over who is responsible for the different cloud platforms and databases provided by different vendors to ensure that every important vulnerability can be discovered and patched. The patch management services provided by cloud platforms like AWS and Azure go a long way to covering most needs, but each has certain limitations. You'll usually need third-party tools to fill the gaps.
While some vendors specialize in patch management, most include it in a broader collection of IT systems management, endpoint management or security and compliance tools. Prominent players include Atera, Automox, GFI LanGuard, Kaseya VSA, ManageEngine Patch Manager Plus and SolarWinds Patch Manager.
Before organizations investigate products, it's important they create a complete patch management policy. By ranking their reasons for deploying patches and specifying who needs to be involved, how patches will be tested, implemented and monitored, and what kind of reporting is required, organizations will be more successful at finding the software that meets their exact needs.
Buying teams should look for dashboards that are easy to set up, understand and use and can display the information they need. Reporting and documentation features should also be user-friendly and able to handle the required information on vulnerabilities, test results and patching history. The software should support patching for every operating system and major application used in the organization. Most vendors name the OSes and commercial applications their products can patch.
Other important patch management features include the following:
- Real-time visibility into network devices and software.
- The ability to prioritize patches by criticality.
- Administrative controls for approving patches.
- Automated patch management -- often through the use of generative AI chatbots -- with fine-tuning that makes it easy to exclude certain patches and endpoints.
- Timely receipt of software updates and patches from the vendor.
- The ability to program patch management policies into the system.
- Patch validation to identify and test applicable patches and verification to confirm that deployed patches have taken effect.
Organizations that take the time to develop a patch management policy, establish a comprehensive patch management process and use the software tools that best support those efforts will likely be successful at making their IT systems reliable, secure and current with the latest technology.
David Essex is an industry editor who covers enterprise applications, emerging technology and market trends, and creates in-depth content for several TechTarget websites.
Brien Posey is a 22-time Microsoft MVP and a commercial astronaut candidate. In his over 30 years in IT, he has served as a lead network engineer for the U.S. Department of Defense and as a network administrator for some of the largest insurance companies in America.