What is patch management (and automation)?

Patch management is an administrator’s control over operating system (OS), platform, or application updates. It involves identifying system features that can be improved or fixed, creating that improvement or fix, releasing the update package, and validating the installation of those updates. Patching—along with software updates and system reconfiguration—is an important part of IT system lifecycle management and vulnerability management.

Patches are new or updated lines of code that determine how an operating system, platform, or application behaves. Patches are usually released as-needed to fix mistakes in code, improve the performance of existing features, or add new features to software. Patches are not newly compiled OSs, platforms, or applications—patches are always released as updates to existing software.

Patches can also impact hardware—like when we released patches that altered memory management, created load fences, and trained branch predictor hardware in response to the Meltdown and Spectre attacks of 2018 that targeted microchips. 

Because modifications like these are usually quicker to distribute than minor or major software releases, patches are regularly used as network security tools against cyber attacks, security breaches, and malware—vulnerabilities that are caused by emerging threats, outdated or missing patches, and system misconfigurations.

Because patching without a clearly defined patch management process can get messy. 

Enterprise IT environments can contain hundreds of systems operated by large teams—requiring thousands of security patches, bug fixes, and configuration changes. Even with a scanning tool, manually sifting through data files to identify systems, updates, and patches can be onerous. 

Patch management tools help generate clear reports on which systems are patched, which need patching, and which are noncompliant.

Unpatched and out-of-date systems can be a source of compliance issues and security vulnerabilities. In fact, most vulnerabilities exploited are ones already known by security and IT teams when a breach occurs.

Patching strategy should also account for cloud and containerized resources, which are deployed from base images. Ensure that base images are compliant with organization-wide security baselines. As with physical and virtualized systems, scan and patch base images regularly. When patching a base image, rebuild and redeploy all containers and cloud resources based on that image.

Implementing a vigilant patch management policy takes planning, but patch management solutions can be paired with automation software to improve configuration and patch accuracy, reduce human error, and limit downtime.

Automation can drastically reduce the time IT teams spend on repetitive tasks, like identifying security risks, testing systems, and deploying patches across thousands of endpoints. Managing these time-consuming processes with reduced manual input frees up resources and enables teams to prioritize more proactive projects.

For example, a handful of Red Hat® Ansible® Automation Platform modules can automate portions of patching processes, including invoking HTTP patch methods, applying patches using the GNU patch tool, and applying (or reverting) all available system patches. 

For many organizations, multiple servers work together for one customer, and these servers—since their functions are intertwined—must be rebooted in a specific order when patches are deployed. With Ansible Automation Platform, the Ansible Playbook ensures this happens correctly and consistently, so IT teams don’t have to.