Patch management is an administrator’s control over operating system (OS), platform, or application updates. It involves identifying system features that can be improved or fixed, creating that improvement or fix, releasing the update package, and validating the installation of those updates. Patching—along with software updates and system reconfiguration—is an important part of IT system lifecycle management and vulnerability management.
What are patches?
Patches are new or updated lines of code that determine how an operating system, platform, or application behaves. Patches are usually released as-needed to fix mistakes in code, improve the performance of existing features, or add new features to software. Patches are not newly compiled OSs, platforms, or applications—patches are always released as updates to existing software.
Patches can also affect hardware behavior, as when we released patches that altered memory management, added load fences, and trained branch-predictor hardware in response to the 2018 Meltdown and Spectre attacks, which targeted processors.
Because modifications like these are usually quicker to distribute than minor or major software releases, patches are regularly used as network security controls against cyber attacks, security breaches, and malware, which exploit vulnerabilities arising from emerging threats, outdated or missing patches, and system misconfigurations.
Why manage patches?
Because patching without a clearly defined patch management process can get messy.
Enterprise IT environments can contain hundreds of systems operated by large teams—requiring thousands of security patches, bug fixes, and configuration changes. Even with a scanning tool, manually sifting through data files to identify systems, updates, and patches can be onerous.
Patch management tools help generate clear reports on which systems are patched, which need patching, and which are noncompliant.
Patch management best practices
Unpatched and out-of-date systems can be a source of compliance issues and security vulnerabilities. In fact, most vulnerabilities exploited are ones already known by security and IT teams when a breach occurs.
Identify systems that are noncompliant, vulnerable, or unpatched. Scan systems daily.
Prioritize patches based on the potential impact. Calculate risk, performance, and time considerations.
Patch often. Patches are usually shipped once a month or sooner.
Test patches before placing them into production.
Patching strategy should also account for cloud and containerized resources, which are deployed from base images. Ensure that base images are compliant with organization-wide security baselines. As with physical and virtualized systems, scan and patch base images regularly. When patching a base image, rebuild and redeploy all containers and cloud resources based on that image.
Automating patch management
Implementing a vigilant patch management policy takes planning, but patch management solutions can be paired with automation software to improve configuration and patch accuracy, reduce human error, and limit downtime.
Automation can drastically reduce the time IT teams spend on repetitive tasks, like identifying security risks, testing systems, and deploying patches across thousands of endpoints. Managing these time-consuming processes with reduced manual input frees up resources and enables teams to prioritize more proactive projects.
For example, a handful of Red Hat® Ansible® Automation Platform modules can automate portions of patching processes, including invoking HTTP patch methods, applying patches using the GNU patch tool, and applying (or reverting) all available system patches.
For many organizations, multiple servers work together for one customer, and because their functions are intertwined, these servers must be rebooted in a specific order when patches are deployed. With Ansible Automation Platform, an Ansible Playbook encodes that order so the rollout happens correctly and consistently, without IT teams having to sequence it by hand.
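The ordered patch-and-reboot rollout described above, as an added example playbook that is not from this page or from Red Hat's own collections. It assumes an inventory group named app_tier (hypothetical) that lists the servers in the order they must be rebooted, and that dnf-utils (which provides needs-restarting) is installed on each host.

```yaml
# Added example (not Red Hat's code): apply only security updates to RHEL hosts
# one at a time, in inventory order, and reboot each host only if it needs it.
# Assumes an inventory group "app_tier" (hypothetical) listing servers in the
# required reboot order, and dnf-utils present for the needs-restarting command.
- name: Apply security patches to the application tier in dependency order
  hosts: app_tier
  become: true
  serial: 1               # one host at a time, so the tier never loses more than one server
  order: inventory        # preserve the reboot order encoded in the inventory file
  any_errors_fatal: true  # stop the rollout on the first failure instead of patching blind

  tasks:
    - name: Record pending security advisories before patching (for the change record)
      ansible.builtin.command: dnf updateinfo list security --quiet
      register: pending_advisories
      changed_when: false
      failed_when: false

    - name: Install only updates that carry a security advisory
      ansible.builtin.dnf:
        name: "*"
        state: latest
        security: true      # restrict to security-tagged updates
        update_only: true   # never pull in new packages, only update installed ones
      register: patch_result

    - name: Check whether the patched host needs a reboot (exit code 1 means yes)
      ansible.builtin.command: needs-restarting -r
      register: reboot_check
      changed_when: false
      failed_when: reboot_check.rc not in [0, 1]

    - name: Reboot only when the kernel or a core library requires it
      ansible.builtin.reboot:
        reboot_timeout: 600
      when: reboot_check.rc == 1

    - name: Summarize what was applied on this host
      ansible.builtin.debug:
        msg: "Pending before: {{ pending_advisories.stdout_lines | length }} advisories; changed: {{ patch_result.changed }}; rebooted: {{ reboot_check.rc == 1 }}"
```

Because serial is 1 and the play stops on the first error, a failed patch on one server halts the rollout before the next server in the chain is touched, which is the behavior you want when the servers depend on each other.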
Patch management automation in action
With more than 500 servers using Red Hat Enterprise Linux under their charge, Emory’s IT team knew they had a difficult road ahead if they had to install the patch manually, which would expose the university’s infrastructure to cybersecurity threats. The solution was to use an Ansible Playbook to apply the patches automatically to each server. While patch deployment and remediation across all servers would have taken up to two weeks, it took only four hours.
Asian Development Bank (ADB)
ADB has significantly reduced the time needed to complete provisioning, patching, and other infrastructure management tasks with Ansible Automation Platform. The organization saves around 20 work days per month with automated patching processes and around 2 hours per incident with automated data recovery.