July 26, 2022

Why Patching is Important

Configuration Management
How to & Use Cases

Let's face it: no one likes patching. It's common to put off patching until is absolutely necessary. Until a business need – such as updating an application version or support ending for a version – arose, you may not choose to patch because "If it ain't broke, don't fix it." We all know this is a bad practice; let's remind ourselves why.

Table of Contents:

Why Patching Is Important

Patching is important because the longer a system goes without being patched, the more changes will accumulate. This exposes the machine to well-known vulnerabilities and prevents taking advantage of updates to functionality.

Inconsistent patching leads to challenges in supporting a diverse environment, problems rolling out application updates, and difficulties in proving compliance during audits.

The bad news is that the longer you put off patching, the more difficult patching becomes and the more brittle the process is. The good news is the reverse is also true. The more routine patching is, the more of a non-event patching becomes. And Puppet can help!

The Patching Problem

Most modern organizations have a mix of operating systems and varying versions within those OSes. This can lead to bespoke patching practices for each, using the default package manager for the OS. This is challenging at any size, but it truly becomes a huge burden at scale.

The multitude of patching practices leads to poor visibility. Out-of-the-box package managers really aren't designed for reporting. Collecting data on what resources are patched and what aren't, even on a single OS, is a manual process. Reporting across operating systems and versions is nearly impossible.

Similarly, fine-grained control over scheduling is difficult and generally requires multiple orchestrators for the multiple package managers. Along with that, reporting on patching success, and current patching levels, just isn't easy. It's hard to assess which servers have and haven't been patched, even within a single OS, without a lot of manual data-gathering.

An illustration of patching with Puppet.

 

Automating Patch Management

The best way to enforce cyber hygiene and solve the patching problem is to automate your patch management process. 

Automated patch management can help solve many of the core reasons that you might put off patching in the first place: the time-consuming, complicated nature of the task itself. Your IT team benefits because they have one less task to worry about, but end users also benefit: they don't have to deal with the starts-and-stops of an unpatched company network or device. 

Most importantly, automated patch management can keep your organization secure and compliant when your IT team is handling other priorities. 

The Puppet Patch Management Solution

Puppet Patch Management is used to orchestrate patching and report on success and patching levels across your entire IT estate. Puppet allows you the flexibility to manually trigger patching, schedule it with the built-in orchestrator, or trigger patching run via the Puppet API. Patching also allows you to differentiate between updates designated as security-related and non-security (when supported by the package manager), and apply one or both sets of updates. But the real value Patch Management brings is in the fine-grained control of patch groups.

Patch Groups

Patch groups are exactly what you'd think; they're groups of servers that make sense in your environment that will be patched together. In a simple setup, those groups might be “Development,” “Test” and “Production.” Patch groups not only facilitate patching like servers as a unit, but the group allows you to customize blackout windows and many configuration and runtime parameters for the group. Patch groups give you the ability to accommodate different schedules, additional flexibility such as when to check for new patches, powerful post-patching options, and many other possibilities.

The Puppet scheduler allows for unattended execution of patching, running patches on a regular schedule, and integrating patching with other regular maintenance via Puppet Tasks. The scheduler also allows you to assign the execution of patches to service desk personnel via RBAC.

The Risks of Putting off Patching

As any environment grows and diversifies, it becomes more challenging and time-consuming to ensure that it is kept up-to-date and current with the latest software releases. This is inconvenient at best, and dangerous at worst, so having a strategy that incorporates continuous updates is essential to a healthy IT environment.

Patch management helps you stay ahead of the challenges of managing diverse infrastructure at scale, and is part of the overall self-healing infrastructure offered by Puppet. There’s no better way to get started with Puppet-automated infrastructure than to leverage our patch management capabilities to stop putting off patching for good.

Learn More About the Importance of Patching:

Patch Automation With Puppet