#6 Be agentless in the data center
Servers have quite different patch management needs. Server admins often don’t like to add more agents to their systems, and parts of the virtual infrastructure, such as templates and offline virtual machines (VMs), cannot run an agent at all. What’s more, installing an agent on every VM can strain network resources, which can result in network degradation. What’s needed is a blend of the two approaches: a flexible architecture that allows both agentless and agent-based support for servers is ideal.
#7 Mitigate after exceptions
Regardless of agent or agentless support, you often need to make exceptions while patching. But in today’s security environment, you can’t stop at an exception; you need to include mitigation in that exception. For instance, a patch to a core component could break something, forcing an exception that keeps Java 7 from being updated past update 63. In this case, you can let Java remain on the old version while reducing the risk through mitigation: locking down user permissions on the system, removing direct Internet access and applying whitelisting to the system to stop unknown/untrusted payloads from executing. Remember that exceptions are not the end of the patching process.
Patch management is vital to cybersecurity, but rarely generates enough attention. With these seven fairly simple practices in mind, you can stay on top of patch updates and ultimately safeguard your virtual data environments from the slew of security threats banging on the door.
Ivanti is IT evolved. By integrating and automating critical IT tasks, Ivanti is modernizing IT and helping IT organizations successfully navigate digital workplace transformation. Ivanti is headquartered in Salt Lake City, Utah, and has offices all over the world. For more information, visit http://www.ivanti.com/.