This content is part of the Buyer's Guide: Select the best patch management software for your company

Buyer's Guide

Browse Sections

Introduction to automated enterprise patch management software

Patch management software keeps enterprises better protected by automating the delivery of operating systems and application updates. See how it can help your business.

Even as the economy recovers, budget pressures on IT organizations continue to squeeze headcount and Opex. These pressures reinforce the ongoing importance of automating routine tasks, considering that IT budgets tend to lag behind economic recovery for many companies.

Enterprise patch management software is a prime example of a formerly tedious manual task that can benefit greatly from automation, ensuring that all computers remain up to date with the latest patch releases from OS and application software vendors. 

There are motivations above and beyond economic pressures that underscore the importance of automating patch management processes. Keeping computers up to date with the latest patches is no longer just a recommended best practice for corporate IT. The Sarbanes-Oxley Act and internal corporate guidelines have codified the requirement for consistent, up-to-date patching of all computers in a given IT infrastructure. As a result, patch management software offers companies the ability to abide by industry best practices, while also complying with any regulatory or internal requirements for the securing of IT systems against possible malware or unauthorized intrusions.

Why patch management software?

Rather than relying on industry best practice recommendations for manually keeping all OSes and applications up to date with patches, enterprise patch management software enables IT pros to delegate that task to sophisticated software that can seamlessly handle the distribution process. Patch management software can also provide automated compliance reports that document which computers are -- and are not -- up to date, as well as sending notifications to admins based on successful or unsuccessful patch activities.

One need only refer to recent, well-publicized outbreaks of malware that were specifically designed to attack vulnerabilities in popular software, such as Microsoft SQL Server, to see that patching isn't just a good idea; keeping patches up to date is a mandatory component of the IT software management lifecycle.

How does automated patching work?

Most enterprise patch management software requires the installation of an intelligent agent on target computers. This agent provides a connection between the patch management server and the computers to be patched. Agents can also handle patching tasks such as sending alerts, caching patches locally on the target computer prior to installation and automatically retrying failed patch installations until they are successful.

Many admins are understandably reluctant to install an agent on hundreds or thousands of computers just to handle patch management. This is one of the reasons that stand-alone patch management software is frequently included in an integrated bundle with other monitoring and management software that also requires an agent.

Installing one agent that, for example, facilitates patch management, performance monitoring and server health statistics is usually a better strategy than installing three separate agents that each address different aspects of managing a target computer. Any modern patch management software will include agents that run on all recent versions of Windows, Linux/UNIX and will frequently include agents that run on mobile platforms, such as Android or iOS.

Patch management caveats

The practical challenges of enterprise patch management are not usually in the distribution of the patches themselves. Pushing patches across a modern network with patch management software is a relatively simple process, though virtualized and cloud-based platforms may present unique circumstances. Once all the target computers have an appropriate agent installed, the hard part is mostly complete. The trick then comes not in how to push patches, but rather in which patches should be pushed to targets and when.

Even though software vendors regularly release patches -- and experts usually recommend installing these immediately -- there is a patch management best practice that all patches should be installed and tested in a development or sandbox test environment before they are pushed to all pertinent computers requiring the patch. While it's a logical assumption that software vendors would never release a patch that might break their existing software, it's not difficult to find examples of patches that addressed one or more existing issues, while also breaking other features or functionality.

Patch admins must also be mindful of the fact that not every software vendor tests its patches against every possible other piece of software running in IT. The only thing worse than not applying a patch that could leave software vulnerable is to install a patch that breaks other pieces of software in the process.

The cost of automating patch management

The cost of purchasing automated patch management software is as varied as the many patch management products on the market. There are freeware versions of patch management products; there are stand-alone products for those with a budget, but who are also on a budget; and there is patch management software that is integrated within an all-encompassing monitoring and management software suite.

Even automated patch management products require trained personnel with the expertise to configure and maintain the product and process.

There is no one right answer for which type of enterprise patch management software is the best fit for a specific situation. Each method of patch management software licensing represents a different price point and feature set that will help guide organizations to the best product within their budget. 

Part of the patch management product comparison process is to examine the tradeoffs between price, features and overhead, and then settle on a short list of the software that most closely aligns with the organization's requirements and budget.

Although patch management automates a previously manual process, organizations must still include costs for administration of their chosen patch management product. Even automated patch management products require trained personnel with the expertise to configure and maintain the product and process.

To patch or not to patch

Automating a patch distribution process is a best practice that must not be ignored or allowed to fall by the wayside. Keeping patches up to date can protect companies from exposure to malware or intruders, but considering the requirements of maintaining Sarbanes-Oxley compliance, patch management software can also keep company CEOs or CISOs out of hot water with government regulators, internal auditors or shareholders.

IT must always weigh the benefits of automating a task with the possible downside that automation software doesn't always behave as automatically or as appropriately as expected. This is where the testing of all the patches prior to pushing those patches to target computers becomes key. It's critical that organizations test all the patches with their specific mix of hardware and software to ensure that they cause no adverse effects when deployed to the computing population at large.

A comprehensive enterprise patch management strategy keeps software vulnerabilities at bay, while also protecting the company, its employees and its leadership from regulatory or internal compliance issues. No company can afford to ignore these risks in the modern world of patch management compliance.

Next Steps

What should enterprises look for in patch management tools?

Address the huge volume of software updates that face your company

Updating your software and OSes is just one way to prevent malware attacks 

This was last published in June 2017

Dig Deeper on Application and platform security