Victoria - Fotolia


5 enterprise patch management best practices

It might not be the most exciting of responsibilities, but the value of enterprise patch management cannot be denied. Review these best practices to build a smooth patching process.

Enterprise patch management requires the right balance of preparation and speed. Without the proper processes and tools at the ready, patch updates can quickly fall behind. And failing to regularly stay on top of patching could result in unnecessary exposure to security breaches or inoperable systems, applications and services.

While patch management isn't known to be the most fun or interesting of an IT admin's responsibilities, if done right the results can prove invaluable. Learning enterprise patch management best practices is well worth your time and effort.

Here are five tips to ensure your patch management processes flow smoothly and with fewer unforeseen hazards.

1. Always know what you're responsible for patching

Identify what your targets are and where they're located. The endpoints, servers, apps and services your IT department is responsible for patching are in constant flux. They also may reside on premises, in the cloud or on the internet. Those responsible for creating an organization-wide patch strategy must always be aware of changes. While it may be possible to manually track IT resources, most find it beneficial to use various device, network and application monitoring tools for continuous monitoring and inventorying purposes. Patch management inventory and scanning tools can also detect and track devices that are missing critical updates, ensuring nothing falls through the cracks.

2. Create standard and emergency patching procedures

An enterprise patching strategy should consist of two procedures: standard and emergency. Standard patching procedures detail what happens during normal, regularly scheduled patching. This includes specific calendar dates and maintenance windows when various infrastructure components will receive patching updates. The standard schedule is useful as it creates a timetable for administrators to work on, so patching does not fall behind. Also, the scheduling is great to inform department managers and end users well in advance when a work-affecting maintenance window will occur.

Emergency patch procedures are for when a patch must be installed outside the standard patching window. These emergency patching windows should be used as sparingly as possible. Great care should be taken to determine what thresholds must be met for an emergency patch maintenance window to be approved. Additionally, emergency processes must include the necessary communications steps and channels to properly notify all affected departments, end users and customers.

3. Understand each vendor's patch release schedule

Once a patch is released, you can't simply apply it and assume it will work without side effects.

The number and types of operating systems, applications and end device firmware vary widely from one organization to the next -- so too will the manufacturers' patch release schedules. For example, Microsoft uses a monthly patch schedule -- known as Patch Tuesday -- to release its software patches. Other vendors have their own software update release schedules. IT admins must understand when regularly scheduled patches are released, as well as how vendors notify and release emergency patches when necessary.

4. Design and maintain a realistic patch testing environment

Once a patch is released, you can't simply apply it and assume it will work without side effects. It's inevitable that some patches will break a feature, process or other interaction your business depends on. The purpose of a patch testing environment is to see what impact a patch has in an environment that closely matches your production environment. Designing and maintaining this environment, however, is easier said than done. The key is to ensure the test environment is updated right along with production. Any architecture changes made to production that could be affected by software patches must be mimicked in a test environment. Fortunately, server virtualization has made it much easier and cheaper to create a test environment that closely matches the production environment.

It should also be noted that administrators need ample time to test newly released patches prior to rolling them out into production. Patch management timelines can fall off the rails when a patch breaks something in production and must be rolled back. Allocate ample time to properly test patches for adverse effects before putting them into your live environment.

5. Review patch process and results

Once a patch has been successfully applied, look back to see where improvements in the entire enterprise patching process can be made. Patching processes and procedures should always be evolving to achieve greater efficiencies.

One way to do this is to use automated patching tools. These tools -- which are becoming increasingly sophisticated and useful by the day -- can automate repetitive, tedious tasks to speed up the time patching takes from a patch's time of release to implementation.

Next Steps

Zscaler: Exposed servers, open ports jeopardizing enterprises

This was last published in August 2019

Dig Deeper on Application and platform security