Introduction
Patching vulnerabilities is one of the basic measures to secure your IT assets, and with good reason: many IT security incidents are caused by unpatched vulnerabilities. Unfortunately, many organizations do not have effective patch management. Traditional patch management approaches are often slow, incomplete, complex and expensive. Cloud patch management solutions promise to address this by providing better coverage and greater automation. In this article, I will discuss the difficulties of traditional patch management and present the advantages of some selected cloud-based patch management solutions.
What is patch management and how is it traditionally done?
Patch management includes the following basic steps:
- Obtaining (security) updates for operating systems and software (patches)
- Testing and releasing the patches
- Deployment of the patches
- Control and monitoring of the installed patches
Companies have several options for tackling the challenge of patch management. In some cases, the approach is very manual, which is like fighting a losing battle given the large number of vulnerabilities published each year. Using on-premises patch management solutions allows organizations to automate the detection and distribution of patches. However, an on-premises solution comes with a significant operating expense. For small and medium-sized companies, one option is therefore to outsource patch management entirely to a managed service provider.
Patch management challenges
Patch management is an ongoing process that involves some difficulties:
- In larger networks, it is not trivial to keep track of the current inventory of all the company’s IT assets; this requires a complete vulnerability management solution
- Patches carry risks since they can impair the functionality of the software and operating system if they are installed incorrectly
- Manual patching is time-consuming, error-prone and expensive
- Often the devices on which patches have to be installed are not available
Advantages of cloud-based patch management solutions
Cloud-based patch management solutions provide the same level of automation as on-premises solutions, but are less expensive, require less operational overhead and are centrally managed from a dashboard in the cloud. You also benefit from the ability to distribute patches to all endpoints, wherever they are located, so even devices outside the corporate network can be patched in a timely manner. Cloud-based patch management solutions also support hybrid environments and allow you to patch cloud resources in an automated manner. With these enhanced capabilities, your patch management becomes more effective and your organization is more secure.
Presentation of selected cloud patch management solutions
Below, I have summarized the most important features of three popular cloud patch management solutions:
Zoho Patch Manager Plus
- Supports Windows and Mac operating systems
- Supports AWS and Azure
- Extensive support for third-party applications (patches for 350+ applications)
For more information go to https://www.zoho.com/patchmanagerplus/
Qualys VMDR
- Qualys VMDR is a comprehensive solution for vulnerability and patch management
- Very good correlation of discovered vulnerabilities and necessary patches
- Very good prioritization of the necessary remediation tasks
- Currently supports Windows only; macOS and Linux will follow shortly
- Support for 300+ third-party applications
- Patches can be deployed through the Qualys Cloud Agent Gateway service, saving bandwidth
For more information go to https://www.qualys.com/apps/patch-management/
Automox
- A modern solution that goes beyond pure patch management
- Enforces secure configuration; desired actions can be performed automatically on endpoints via Automox Worklet Tasks
- Supports Windows, macOS, and Linux
- An API for integration into existing infrastructure is available
- Little impact on endpoints from the lightweight agent installed on them
For more information go to https://www.automox.com/features