Patch Management Best Practices
Recently I had the great pleasure to interview Logically’s chief expert in all things managed IT services and cloud, their CTO Jeremy Kurth. We talked about a wide range of topics, but one of the surprising things that jumped out for me was the glaring problems IT organizations are having with patch management best practices.
Patch management just isn’t a sexy topic at cocktail parties, and tends to be relegated even within IT to that endless and thankless bucket of jobs that only get done when there is nothing else to do (thus almost never “on time”) or when something is about to break in a big way (or just broke!). It just gets put off most of the time, leaving vulnerabilities and functional gaps all over the place. So what is a patch and why must they be managed? According to Wikipedia, “A patch is a set of changes to a computer program or its supporting data designed to update, fix, or improve it. This includes fixing security vulnerabilities and other bugs”.
Interestingly, it’s the fear of getting hacked - security risk concerns - that are often a bigger driver for patch management than getting access to the latest and greatest functionality. It seems most people conservatively think that “if it ain’t broke, don’t fix it”. Sometimes patching can be disruptive, which leads many to say “don’t touch that knob!”
Unfortunately, this can lead over time to a severe technical deficit. If you’ve ever audited even a small production shop that’s been around for more than five years, I’d bet you’ve found operating systems on the verge of complete obsolescence in front-line production. Having done such surveys myself (in past performance consulting gigs), I’ve readily discovered both systems and applications that no one currently on staff could immediately define or explain, much less upgrade and update. Things just slip out of sight when they are working. But the danger builds as systems age.
With decades of experience managing hundreds of IT environments across organizations in many different industries, Jeremy has a unique perspective on patch management best practices. Here are the top five best practices for patch management:
- Successful patch management starts with knowing exactly what you have. If you don’t know a device exists on your network you will never succeed to know the vulnerabilities that exist. Ensuring you properly patch your environment requires a concerted focus in asset identification and management.
- Patch management success depends on punctuality. One of the key reasons for patching systems is to reduce risk. So if you aren’t addressing patches in a timely manner it may be too late.
- Tolerance reports and exception management are crucial to a high performing patch management service. Problems always exist in managing patches properly, that’s why its important to design and implement a management process and platform that is capable of being executed. It’s nearly impossible to manage the high volume of information available in a manual way, instead, build the systems to raise the issues to the top based on sensible, practice approaches.
- Do not treat patches with a set it and forget it mentality. Too often patch management systems or services depend on the functionality or execution of software only. There is a reason 100’s of patch management products exist, and that’s because none of them work perfect. Patch management should leverage system efficiencies but include decision making of skilled and experienced engineers in the patch approval, rollout and upgrade process.
- Rollback capabilities to remediate issues. Even when the approval and dependency processes are followed there are ill effects that can occur when deploying patches. Capabilities and experience to identify the root cause and execute a rollback is super important to keeping a business functional. Patch management is critical, but not at the cost of uptime to a business.
Jeremy told me that asset management is actually a key cornerstone and foundation of what Logically provides to their clients. Keeping your whole environment current, and ensuring end-to-end coverage is a big part of the value a great managed IT service provider brings to the table. Logically takes pride in knowing about all the assets a client has, and within those what needs patching, patching when it needs doing, and doing it right with their highly leveraged deep subject matter experts.
In fact this end-to-end total assets “managed” approach is so important to their service success that Jeremy has spent over 12 years helping build out Logically’s core MSP service delivery system, Oplogic. Jeremy says that “Oplogic is an intelligent managed IT software platform that we have written and developed specifically for managed services. It integrates, automates and really orchestrates our entire IT management and delivery to the customers.”
When asked how such coverage and automation helps their clients he said “…it increases the performance of the services that we deliver to them. OpLogic is key to how we deliver patch management best practices across hundreds of customers. It drastically reduces their risk whether it be security related or asset management related…it really ensures that the services that we're delivering to them are done well, timely at a very high level.”
While patch management might not get be top of mind for most, it ends up being fundamental to ensuring a safe, secure and highly operational IT. environment. And since tracking assets and patch management is a baseline process for every IT shop, yet requires only episodic and at the same time deep expertise when it’s needed, it makes sense to leverage a managed IT service provider that has built their core service delivery architecture around the promise to keep you fully covered and always current.