Why Patch Management is Not Asset Management

Share on linkedin
Share on facebook
Share on twitter

In this era of heightened focus on cyber security, patch management is an increasingly popular and urgent subject of discussion among IT leaders and their teams. In fact, some argue that patch management is most if not all of the asset management their organizations need.

This is not the case. At all.

Patch Management: Essential, But Not Sufficient

Patch management is an essential element of any comprehensive, effective IT management strategy. But it is only a part of the set of challenges referred to as IT asset management (ITAM).

Patch management addresses the need for software to receive timely updates as new protections are released in response to new threats. And patch management is certainly its own set of significant challenges. IT and cyber security leaders must keep track of update releases, and get timely access to them. And that’s just the beginning. Each update must then be tested to make sure installing it doesn’t break anything. If it does, that must be addressed before the update can be deployed in production. And of course, it’s also necessary to make sure the deployment can be rolled back as non-disruptively as possible, in case issues arise that testing didn’t discover.

The vast majority of successful cyber security breaches exploit vulnerabilities for which patches and updates were available at the time of the exploit. In some cases, patches for exploited vulnerabilities have been available for months or years, yet have gone uninstalled. This is not an indictment of IT or cyber security leaders. Instead, it’s a solid indicator of how challenging effective patch management is at many enterprises.

ITAM: Patch Management, Plus a Lot More

Clearly, patch management should be a critical component of every ITAM program. But true ITAM intends to provide complete management of every critical IT asset across its entire life cycle, from deployment through retirement and disposal.

Comprehensive ITAM must therefore focus more broadly than software updates and patches alone. Management of a critical IT asset must, at minimum, include acquisition and management of every important piece of information about that asset. That information should, at minimum, include the applications that depend upon and affect that asset, who’s responsible for its oversight, and details about what users and applications are authorized to access it. It should also include information about each asset’s operating system and application software, including an accurate history of applied patches and updates.

For maximum business value, ITAM efforts should also map and maintain detailed information about the relationships and interconnections that link assets to each other, and to specific business applications, services, and users. This information can improve both ITAM and cyber security efforts, by highlighting unexpected interdependency shifts that may indicate new or emerging vulnerabilities.

Better Patch Management and ITAM: Things To Do Now

Implement a patch management system if you have not already done so. This is an immediate necessity to protect your business. If nothing else, make sure someone on your team subscribes to the security updates provided at least monthly by leading software vendors. (Microsoft and other vendors often release new patches on the first Tuesday of every month, which many IT and cyber security folks refer to as “Patch Tuesday.”) Then, get those updates for your most critical IT assets tested and deployed as quickly as possible.

Implement solid patch management processes. Make sure your IT and cyber security management teams know which assets are most critical to your business. Then, make sure those teams have documented, repeatable processes in place for being notified when patches are available, and for testing and deploying those patches in as timely a manner as possible.

Implement solid ITAM processes. Ensure that your team has the tools and processes necessary to discover, map, and manage all the information your business needs about every critical asset in your IT estate. Whether those assets are owned or leased, on your premises or in the cloud, you need to know all you can about them, including when they’ve been patched and when they need to be, to achieve effective, comprehensive ITAM. Wherever possible, make sure your ITAM solutions and processes include automated checks and alerts to ensure that your critical IT assets are patched in a timely manner.

Implement a comprehensive ITAM solution with a configuration management database (CMDB). To succeed with ITAM, your business needs a central repository of accurate, complete, and timely asset information. A CMDB provides that repository and can be tailored and extended to include all the asset information your business needs to make the best possible decisions about all of its critical IT assets, today and tomorrow.

Regarding patch management specifically, your ITAM/CMDB solution should include automated processes to check regularly for new assets, hardware configurations, software versions, and operating system patches and updates. These will provide assurances that your patch management efforts are as effective as possible, and can help bridge any coverage gaps.  The best ITAM solutions can also automate the process of remediating patch management system issues, such as missing agents on endpoints.

Virima: Your Partner for Comprehensive ITAM

Virima’s solutions for discovery, ITAM, ITSM, and IT operations management (ITOM) can help your business improve management and security of your critical IT assets. Virima solutions can automatically discover and map those critical IT resources and the interconnections that link them to one another, your applications and services, and your users. Virima solutions are easy to use and configure, and designed to work well with each other. They also produce useful, actionable reports about your IT environment, reports that can help you identify and resolve challenges before they become disruptive problems.

These features can help your IT and cyber security management teams be more effective, efficient, and proactive, maximizing the business value, reliability, and security of your IT estate. Learn more about Virima’s solutions online, or contact Virima today.

Summary:

Patch Management

Patch management is an essential element of any comprehensive, effective IT management strategy. But it is only a part of the set of challenges referred to as IT asset management (ITAM). Patch management addresses the need for software to receive timely updates as new protections are released in response to new threats. And patch management is certainly its own set of significant challenges. IT and cyber security leaders must keep track of update releases, and get timely access to them. The vast majority of successful cyber security breaches exploit vulnerabilities for which patches and updates were available at the time of the exploit. In some cases, patches for exploited vulnerabilities have been available for months or years, yet have gone uninstalled. Clearly, patch management should be a critical component of every ITAM program. But true ITAM intends to provide complete management of every critical IT asset across its entire life cycle, from deployment through retirement and disposal. Comprehensive ITAM must therefore focus more broadly than software updates and patches alone. Management of a critical IT asset must, at minimum, include acquisition and management of every important piece of information about that asset.

Share on linkedin
Share on facebook
Share on twitter

Subscribe to Our Newsletter

More to Explore

To understand the business value of service mapping, it’s important to shift to a service delivery mindset, rather than thinking about delivering infrastructure, equipment, software, and applications. Defining services is relatively simple if thought of as the commoditization of what’s…

Service mapping - the area of configuration management that perplexes so many IT professionals, yet that which provides the highest value in Configuration Management Database (CMDB) projects. There are several major reasons IT gets stopped when it comes to service…

The world of service management has changed as technology has shifted from providing tools for administrative support to being fully embedded in the delivery of the business’ core function. There’s a world of difference between using an accounts payable system…

The Configuration Management Database (CMDB) provides a single database that contains information about the enterprise’s assets, both logical and physical. In modern service management platforms, it provides core functionality that is referenced by all of the service management practices, including…

The importance of discovery comes from what it provides to the users of the Configuration Management Data Base (CMDB): trustworthy data and greater speed to value. Without discovery, the CMDB is built by feeds and data entry, which can lead…

There is an old saying that you can’t manage something unless you can measure it. Asset discovery can provide you with accurate and up-to-date data and information about everything you use in IT. You can then develop metrics using the…

Atlanta, Mar 19, 2020 (Issuewire.com)  - Virima Technologies Inc, a provider of CMDB, Discovery, IT Asset Management and IT Service Management (ITAM & ITSM) solutions, today announced that it has recently completed its Service Organization Controls 2 (SOC 2) examination under the Statement…

The most significant ServiceNow CMDB best practice is having a system with data you can trust.  ServiceNow will tell you that your stakeholders will tell you that and IT service management (ITSM) professionals will tell you that.  Achieving high-quality configuration…

CMDB - configuration management database - value potential is undisputed, you need to be careful and not blindly jump into implementation without having a clear plan in place about how this powerful tool will be used within your organization.  Here…

The past decade has introduced a tremendous change in the IT industry.  If you were to compare your IT ecosystem today with how it was ten years ago, you would likely find it hard even to recognize that you’re looking…