Has IT licked patch management?

Patch and vulnerability management tools can take on detecting and protecting vulnerable machines in a mostly static, controlled environment.(Compare Patch and Vulnerability Management products.) The technology area is considered a priority among IT managers, who most likely have spent many years perfecting their vulnerability scanning, patch testing and software distribution processes.

According to an Enterprise Management Associates (EMA) survey, more than three-quarters (76 percent) of 250 IT managers surveyed had some sort of patch management product in house and said patching is an important to very important process. VanDyke Software's fifth annual enterprise security survey of 300 network administrators showed that 30 percent still worry about patching, a number that has declined over the years. Some industry watchers speculate that the lessening concern reflects a maturity in patch management products and in IT managers' processes.

"We really don't have anything that changes what needs to be patched, with the exception of remote access users, who are constantly a difficulty for us to keep patched," says Craig Bush, network administrator at Exactech in Gainesville, Fla. "Currently, we have to wait until the client connects to our VPN to make the updates happen, which isn't always regular."

Bush says his patching processes are mature, but vendors could ease the process by building in time for users to properly test patches before rolling them out across distributed machines.

"Vendors should make sure they are testing patches extensively before pushing them out the door," he says. "This is much easier for open source technologies than it is for closed source companies like Microsoft, which tends to have longer lead times on patches and fixes."

Yet industry watchers say the problems with patching today and going forward will have more to do with user environments than with vendor updates. They warn that while patch management technology can be considered mature, as environments evolve to include more virtualization and complex application infrastructures, patching will need to grow up. And in turn, vendors such as Altiris (now part of Symantec), BigFix, CA, St. Bernard Software, PatchLink and Shavlik Technologies will need to bring support for virtualization and other technologies into their tools to adequately patch customer environments.

"It is a relatively mature technology, but that doesn't mean it's under control. Patching in areas such as virtualization remains considerably immature at this point; server and desktop virtualization are throwing the old rules for patching out the window," says Andi Mann, research director at EMA.

According to Mann, virtualization introduces complexity as well as exponentially more machines to be patched in the same amount of time. This could cause IT managers to hasten the patch testing process, which would ultimately cause configuration conflicts on production machines. "Testing is a critical element of patching, and with immediate threats like zero-day attacks and the proliferation of virtual machines being certain all the updates will work together and protect the environment is more difficult," Mann says.

Add to that dependency patching, says Jasmine Noel, principal analyst at Ptak, Noel & Associates, and patching could become a new challenge for IT managers. As environments get more complex and the number of vendors distributing patches grows, she says, the layers of testing and distribution of updates will break the old approach to patching for many IT managers.

"What still needs work is sequencing patches from multiple vendors because of all the infrastructure layers — hardware, operating system on the physical box, virtualization software and the virtual machines (operating system and application stack) — so what is the right sequence to install your HP, Microsoft and Oracle patches that all came out last Tuesday?" she asks.