What does your patch management process look like? Are you proactive and on top of everything, or holding onto a life raft trying to ride out the waves? In this blog, we’ll break down a few of our top tips to help improve your patch management process and ensure that your org is staying secure, staying up-to-date, and not drowning.
A patch management process includes all the different steps you will need to identify, install, and verify software updates to prevent bugs, security risks, and other vulnerabilities.
We’re including the word “process” here because patching is more than just one task or one step — keeping up with patches and ensuring that all the different parts of your org’s environment are updated is a substantial part of IT’s work.
Even if it’s a hassle, and it can be, patching is one of the best ways to prevent your system from vulnerabilities by limiting the attack surface. It keeps your users safe, it keeps your software functioning, and makes sure that future patching efforts run smoothly.
Here's a real-life example to provide context around the importance of patching. In the mid-2010s, a major retailer suffered a data breach that exposed the personal data of millions of its customers. Its brand reputation was at stake, to say nothing of the security impact on the customers who used and trusted its service.
The good news is that because they had a robust patch management plan in place, the vulnerability was patched within days of the breach. This prevented further, widespread data loss. When patches are implemented quickly and regularly, vulnerabilities can be managed even while the organization is not yet fully aware of the damage that has taken place.
What does your patch management process look like today? Is it reactive or proactive? How many people support the process, and where are there gaps? Improving patch management starts with an assessment of the people, inventory, and policies that you currently have in place. Here are four steps that can help you get started:
Don’t wait for new devices and users to surprise you when a patch needs to take place — make sure you are keeping an accurate inventory of all the software you have on your network, and of when it will need to be patched.
But what exactly is the risk if you don’t ensure that your inventory is up to date? You need to know what software you have so you know to watch for updates. If someone is running an app and you don’t know about it or don’t update it, a patch for a critical vulnerability could go unnoticed.
Your patching policy should be established before any patching takes place. It will include the schedule for patching, how you test, how you react to issues that arise, and the way that you communicate updates to your users. Enforcement is key — standardizing the way that you patch will help smooth the process for everyone involved.
Regularly reviewing your existing policy is also critical. Patch management is an evolving process and 'exceptions' should be reviewed to ensure the process works for them too.
The final, and perhaps most critical, part of patch management is monitoring for new patches to ensure you are current with the latest versions of everything you use. You can do this manually by keeping track of information shared by software vendors, or you can do this the easy way: use a tool like Puppet’s patch management to automate your patching updates.
Puppet’s Patch Management solution gives you the flexibility to trigger patches manually, schedule patches, or trigger patches through the Puppet API. This can reduce the time it takes to handle patching and prevent the long-term issues that build up when regular patching is avoided.
You should always complement monitoring with reporting. External tools like Puppet Comply can demonstrate risk factors of outdated patches with supporting data, making the patching process easier.
Customers will always express concern over downtime and failures. Record and publish that data. If the data shows your patching is not effective, understand why and fix it. Patching can be difficult, especially if the delta between the installed version and the current version is large. That data is valuable in itself, as it demonstrates to the customer that the longer you leave it, the higher the risk.
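The inventory, monitoring and reporting steps above come together in one routine check: compare what is installed against what the vendors say is fixed, and measure how long each gap has been open against the policy's deadlines. The following is an added example, not Puppet's code; the hosts, packages, versions, advisory dates and SLA days are constructed for illustration, and the version comparison is a simplified numeric one (real distributions have their own ordering rules, e.g. `dpkg --compare-versions`).

```python
"""Patch gap report: installed inventory vs. vendor advisories.

Added example, not Puppet's code. Every host, package, version, advisory
and SLA value below is constructed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Installed:
    host: str
    package: str
    version: str


@dataclass(frozen=True)
class Advisory:
    package: str
    fixed_in: str   # first version that contains the fix
    severity: str   # critical / high / medium / low
    published: date


@dataclass(frozen=True)
class Gap:
    host: str
    package: str
    installed: str
    fixed_in: str
    severity: str
    days_open: int
    overdue: bool


# Constructed policy: maximum days a gap may stay open, per severity.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Constructed inventory (what the fleet actually runs).
INVENTORY = [
    Installed("web01", "openssl", "1.1.9"),
    Installed("web01", "nginx", "1.20.1"),
    Installed("web02", "openssl", "1.1.12"),
    Installed("web02", "nginx", "1.20.1"),
    Installed("db01", "openssl", "1.1.9"),
    Installed("db01", "postgresql", "13.4"),
]

# Constructed advisories (what monitoring of vendor feeds produced).
ADVISORIES = [
    Advisory("openssl", "1.1.10", "critical", date(2024, 1, 10)),
    Advisory("nginx", "1.20.2", "medium", date(2024, 2, 1)),
    Advisory("postgresql", "13.5", "high", date(2023, 11, 15)),
]
REPORT_DATE = date(2024, 2, 20)  # constructed "today" for the report


def parse_version(v: str) -> tuple[int, ...]:
    """Numeric tuple compare: 1.1.10 > 1.1.9, which a plain string compare gets wrong."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


def needs_patch(item: Installed, adv: Advisory) -> bool:
    return item.package == adv.package and parse_version(item.version) < parse_version(adv.fixed_in)


def patch_gaps(inventory: list[Installed], advisories: list[Advisory], today: date) -> list[Gap]:
    """Every (host, package) behind an advisory, overdue items first, then by severity and host."""
    gaps = []
    for item in inventory:
        for adv in advisories:
            if needs_patch(item, adv):
                days_open = (today - adv.published).days
                overdue = days_open > SLA_DAYS[adv.severity]
                gaps.append(Gap(item.host, item.package, item.version, adv.fixed_in,
                                adv.severity, days_open, overdue))
    return sorted(gaps, key=lambda g: (not g.overdue, SEVERITY_RANK[g.severity], g.host))


def summarize(gaps: list[Gap]) -> dict[str, dict[str, int]]:
    """Per-host counts: the numbers worth publishing to the service owners."""
    summary: dict[str, dict[str, int]] = {}
    for g in gaps:
        entry = summary.setdefault(g.host, {"gaps": 0, "overdue": 0})
        entry["gaps"] += 1
        entry["overdue"] += int(g.overdue)
    return summary


if __name__ == "__main__":
    for g in patch_gaps(INVENTORY, ADVISORIES, REPORT_DATE):
        flag = "OVERDUE" if g.overdue else "ok"
        print(f"{g.host:6} {g.package:11} {g.installed:>7} -> {g.fixed_in:<7} {g.severity:8} {g.days_open:3}d {flag}")
    print(summarize(patch_gaps(INVENTORY, ADVISORIES, REPORT_DATE)))
```

Feed the same report to the reporting step: the `days_open` column is exactly the "delta" argument made above, and the per-host `overdue` count is the figure that shows a service owner what deferring a patch window costs.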
As a bonus, here are a few additional considerations for your patch management process:
Are you ensuring that planned patches will run as expected on your systems? End users and application owners should be actively taking part in patch testing. All patching should have a failover process and decision matrix so the correct process is always followed. This can be automated with Puppet Enterprise tasks and plans to make sure that the set process is followed without manual intervention.
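A failover process and decision matrix only work if the rollout code follows them rather than whoever is on call. As an added example, not Puppet's own tasks or plans, the following patches a canary first, then waves of hosts, consults a written-down decision matrix after each batch, and rolls back or opens tickets according to what that matrix says. Hosts without application-owner sign-off are never touched. The host names, the simulated outcomes and the thresholds are constructed; `apply_fn` and `rollback_fn` stand in for whatever actually installs or reverts a patch.

```python
"""Staged patch rollout driven by a decision matrix.

Added example, not Puppet's tasks/plans. Hosts, outcomes and thresholds are
constructed; apply_fn / rollback_fn stand in for the real patch mechanism.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable

# Decision matrix: (stage, observed outcome) -> action. Agreed with the
# application owners beforehand and applied mechanically by the rollout.
DECISION_MATRIX = {
    ("canary", "ok"): "proceed",
    ("canary", "failure"): "halt_and_rollback",      # any canary failure stops the wave
    ("wave", "ok"): "proceed",
    ("wave", "below_threshold"): "proceed_with_ticket",
    ("wave", "above_threshold"): "halt_and_rollback",
}


@dataclass
class RolloutReport:
    patched: list[str] = field(default_factory=list)
    failed: list[str] = field(default_factory=list)
    not_attempted: list[str] = field(default_factory=list)
    skipped_no_signoff: list[str] = field(default_factory=list)
    rolled_back: list[str] = field(default_factory=list)
    tickets: list[str] = field(default_factory=list)
    final_action: str = "complete"


def classify(stage: str, failures: int, batch_size: int, max_failure_rate: float) -> str:
    """Map a batch result onto the outcome vocabulary used by DECISION_MATRIX."""
    if failures == 0:
        return "ok"
    if stage == "canary":
        return "failure"
    return "above_threshold" if failures / batch_size > max_failure_rate else "below_threshold"


def staged_rollout(targets: list[str], approved: set[str],
                   apply_fn: Callable[[str], bool], rollback_fn: Callable[[str], bool],
                   canary_size: int = 1, wave_size: int = 3,
                   max_failure_rate: float = 0.25) -> RolloutReport:
    report = RolloutReport()
    report.skipped_no_signoff = [h for h in targets if h not in approved]
    queue = [h for h in targets if h in approved]
    stage, size = "canary", canary_size
    while queue:
        batch, queue = queue[:size], queue[size:]
        batch_failed = [h for h in batch if not apply_fn(h)]
        report.patched.extend(h for h in batch if h not in batch_failed)
        report.failed.extend(batch_failed)
        action = DECISION_MATRIX[(stage, classify(stage, len(batch_failed), len(batch), max_failure_rate))]
        if action == "proceed_with_ticket":
            report.tickets.extend(batch_failed)   # tolerated failures still get followed up
        elif action == "halt_and_rollback":
            report.not_attempted = queue
            # Policy choice here: revert every host patched in this run so the fleet
            # stays consistent; failed hosts go to the incident path instead.
            for host in reversed(report.patched):
                if rollback_fn(host):
                    report.rolled_back.append(host)
            report.final_action = action
            return report
        stage, size = "wave", wave_size
    return report


# Constructed fleet: db02 has no application-owner sign-off; web03 will fail to patch.
TARGETS = ["web01", "web02", "web03", "web04", "web05", "web06", "db01", "db02"]
APPROVED = set(TARGETS) - {"db02"}
SIMULATED_OUTCOME = {"web03": False}


def simulated_apply(host: str) -> bool:
    return SIMULATED_OUTCOME.get(host, True)


def simulated_rollback(host: str) -> bool:
    return True


if __name__ == "__main__":
    print(staged_rollout(TARGETS, APPROVED, simulated_apply, simulated_rollback))
    print(staged_rollout(TARGETS, APPROVED, simulated_apply, simulated_rollback, max_failure_rate=0.5))
```

With the default 25% threshold the single failure in a three-host wave halts the run and reverts the three hosts already patched; with a 50% threshold the same failure is tolerated, a ticket is recorded for the failed host, and the remaining waves continue. Changing that behaviour means changing the matrix or the threshold, which is a reviewable policy change rather than a judgement made mid-incident.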
What communication channels are you using to let users know about patching — and potential changes — that they might experience? It’s also important not to use system references for customer communication. You may know the owner of the server, but the customer may have no idea what “ddt87app3303pd” server actually is. Instead, help them identify which machine you need to patch.
Automation and patching are an ideal fit — the volume of patches required for the many types of software used within a single organization can eat up IT’s valuable time. Adding automation into your patching process can reduce errors, save time, and help scale.
If you haven’t tried automation as part of your patch management process, you can test it for free with a trial of Puppet Enterprise. Puppet Enterprise comes with a built-in solution that provides a single view of all systems to manage patching. This orchestrator includes an inspection process that can be run to gather the data required to support patch management automatically.
As mentioned in the testing section, Puppet Enterprise's tasks and plans can also inspect and inform to complement the patch list and provide more information on the servers in question. For example, you can receive data on the potential impact of patching ten servers before you start the patching process.
Professional Services Engineer, Puppet by Perforce
Andrew Jones is a Professional Services Engineer at Puppet.