Navigating cloud patch management: Benefits, best practices

What is cloud patch management?

Simply defined, cloud patch management is the managing of patches, or updates, intended to fix bugs and security leaks or add new features to operating systems, software applications and firmware that run in the cloud as opposed to on premises.

Hacker tactics continuously evolve, so software vendors offer frequent patch updates to close points of exposure and protect assets from attack. But it is up to enterprises to make sure the latest patches are distributed to their software that runs in the cloud.

At the most basic level, this requires knowing all the software the enterprise is running in the cloud. To do that, IT departments conduct software discovery and keep a catalog of all the applications running on their IT estate. This step is particularly important for cloud software, which tends to change and proliferate more frequently than on-premises software.

Organizations therefore need tools that can automatically scan for vulnerabilities in each version of every application used in the enterprise -- regardless of deployment location -- so they can spot potential gaps. IT administrators must be aware of upgrades, patches and other steps they can take to fix exposed software. The IT organization also needs to understand the interdependencies across different applications that might require patching other software. Ultimately, organizations must also be able to deliver these patch updates as efficiently and effectively as possible.

Why cloud patch management is important

Enterprises run more critical applications in the cloud than they did in the past. In a study on cloud security conducted by security vendor Thales, 75% of 3,000 IT professionals surveyed said that more than 40% of their applications that run in the cloud are critical to their business, a fact not lost on threat actors. The same Thales study found that 39% of organizations were hit with an attack on their cloud assets in 2023, a 35% jump from the prior year.

The message is abundantly clear: The cloud is a prime target for hackers, and it is critical for organizations to incorporate it in their patch management plans.

With cloud, liability equals responsibility

In traditional self-managed on-premises environments, who was responsible for IT security was clear: the enterprise. But the shift outward to the cloud muddied the waters with terms like shared risk and shared responsibility. The reality is enterprises are still responsible for the security and integrity of their data and need to have clarity on any risks that could compromise it.

Enterprises have a range of options in how much trust to place in third-party cloud providers with respect to security in general and patch management specifically.

They can opt to take responsibility for patch management internally using either software or a service administered by a third party. Or they can seek out patch management support from cloud providers.

The top three hyperscalers -- AWS, Google Cloud and Microsoft Azure -- all offer patch management services that can remove some of the security burden from their customers.

AWS Patch Manager distributes patches for applications and operating systems, though there are some limitations. For example, patch support for applications running on Windows Server is only available for applications released by Microsoft. Administrators can patch wide swaths of Amazon EC2 instances, on-premises servers, VMs and edge devices. AWS Patch Manager provides a report that shows which devices are not in compliance.

Microsoft Azure Update Manager provides software and security updates for all assets running in Azure and third-party clouds, and on premises. The service provides a central console to track compliance and verify that updates are made on time, as well as offering a mechanism to schedule updates outside of prime operating hours.

Google Cloud offers Patch, a service that applies operating system patches to Google Compute Engine Virtual Machine instances. The service reports on compliance, notifying administrators of any issues when a VM is not meeting the required standard, and then offers recommendations on the steps needed to meet regulatory requirements. Google Patch automates patch update distributions for operating system and application software. It can schedule patch jobs in real time and at times outside of normal operating hours.

Organizations that are considering using third-party patch management software or services should also know the limitations. For example, AWS admits explicitly that it doesn't run patches through a testing process before it lets customers access them.

The differences between cloud and on-premises patch management

Traditionally, on-premises patch management depended on manual labor used in conjunction with network servers to distribute software security patches and upgrades. Organizations often used multiple tools to administer patches for different operating systems and applications. The process was expensive, error-prone, and difficult, particularly when it came to delivering patches to remote machines. The largely manual nature of on-premises patch distribution sometimes led to missed updates, which put systems at greater risk of being breached.

However, in recent years, centralized networked patch management tools from the likes of Automox, GFI, Kaseya, ManageEngine and SolarWinds have enabled much greater automation of patch management. Many vendors also offer cloud-based patch management for software running both in the cloud and on premises. This typically SaaS-based approach is even more automated and typically more effective and less expensive than older tools that run on premises.

As for how patching cloud software differs from patching on-premises software, the main issues involve the discovery challenges of inventorying the greater number of cloud systems, and mastering the patch management processes of public cloud platforms, such as AWS and Azure. Patching is also less likely to be used to add new features to cloud software, since cloud vendors typically deliver new features to everyone on their own schedule.

Benefits of cloud patch management

Effective patch management delivers several important benefits beyond ensuring cloud software is bug-free and has the most recent security updates to reduce the risk of a breach. A well-executed patch management process can provide a full inventory of software assets and improve its accuracy. Patch management also delivers insights into what areas of the network have exposure points that could put them at risk.

Cloud patch management best practices

The first step to effective cloud patch management is choosing an automated system that can discover software and deploy patches to assets in an efficient manner. Administrators also need to prioritize patches based on the importance of the asset and the security risks posed by potential threats, which can improve the efficiency of the patching process. IT staff should maintain reports to monitor patch management and track the efficiency of the process. It is also important to have efficient mechanisms in place that support a regular patching plan, and to practice continuous patch management to stay ahead of ever-increasing threats.

Finally, it is important to create a patch management policy to foster adherence to organization-wide procedures and best practices. Be sure to include cloud-specific elements in the policy, such as who is responsible for the different categories of cloud.

Amy Larsen DeCarlo has covered the IT industry for more than 30 years, as a journalist, editor and analyst. As principal analyst at GlobalData, she covers managed security and cloud services.