What is a patch manager?
A patch manager helps organizations and managed service providers (MSPs) automate and manage the deployment of security patches and general OS and application patches. A cloud patch manager assists IT in patching by centralizing and automating the distribution of patches throughout the environment, regardless of device type or operating system. It catalogs the patches that are required and manages the workflow associated with each of them through to deployment. A good patch manager also automatically creates work orders for systems or applications that still need to be patched, or where automated patch deployment has failed and human intervention is required.
Why do I need a patch manager?
Patch management is a key component of the software and operating system lifecycle for computing equipment: vendors develop fixes for known operating errors and security vulnerabilities and distribute them to customers. This results in hundreds of fixes that must be reviewed, tested, and deployed to all of the affected endpoints in the environment, and doing so is critical to keeping these systems operating effectively.
IT organizations and MSPs need a patch manager because of the complexity of maintaining software and OS levels and ensuring all critical security patches and vulnerability repairs have effectively gone through the process and have been documented, tested, approved, and deployed promptly. The complexity of the computing environment and the increased level of cyber attacks have made it necessary for organizations to adopt rigid and robust patch management policies. With hundreds of patches being released almost daily, it’s the automation and workflow capabilities of patch managers that make it possible to keep up with the volume and deploy patches promptly.
Patch managers enable policies to be scripted and applied as new patches are received from vendors and the security operations practice. By enabling prioritization and using established workflows, the IT patch management process can be performed effectively. Business drivers addressed by patch managers include:
Patches and fixes for security vulnerabilities are needed to prevent cyber attacks.
Software version maintenance:
ensures end users have the latest features and functionality available for the software they use, and
lowers the impact of known errors by the prompt installation of bug fixes.
Ensuring device operating software versions are up to date.
As the system footprint grows, performing these functions manually without incurring significant delays, delays that endanger the organization's digital operation, becomes far more challenging.
In addition to patch management at the infrastructure level, as the number of digital devices (computers, laptops, and other endpoints) grows, the exposure to cyber attacks and the need to maintain software levels grow with it. This makes it increasingly difficult to manage computing environments without automating as many day-to-day operations as possible. Given the volume of patches being released, patch management has become a day-to-day function in every operations department.
Features of a patch manager
Patch managers must provide the abilities described above while making it easy for IT personnel to manage the patch lifecycle.
They must carry each patch released by a vendor through the following activities:
Identification and cataloging (logging)
Prioritization, based on urgency and devices impacted
Testing
Approval, including automated approvals based on risk levels
Automated deployment
Exception management
The ability to log patches and document their progress through these activities is critical for audit and reporting, as it proves that the organization is operating in a compliant manner. Part of this documentation is the tracking of exceptions: situations where a patch cannot be deployed to a specific environment because of software conflicts or other operating errors caused by the patch. In these situations, the risk must be assessed, accepted, and documented for audit purposes. The other aspect of exception management a patch manager must handle is the situation where automated deployment fails on certain devices or is skipped for any reason; in that case the patch manager should open work orders and assign them to the appropriate IT personnel.
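To make the lifecycle above concrete, here is a small patch tracker written for this article as an added example; it is not code from any patch management product. It walks a patch through cataloging, prioritization (severity weighted by the number of devices impacted), testing, approval (automatic below an assumed severity threshold, otherwise held for a human), deployment, and exception management, opening a work order for every device where deployment failed or was skipped and keeping an audit log per patch. The severity scale, the auto-approval threshold, the outcome codes and the sample patch and device names are all constructed assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class Stage(Enum):
    CATALOGED = "cataloged"
    PRIORITIZED = "prioritized"
    TESTED = "tested"
    AWAITING_APPROVAL = "awaiting_approval"  # too risky to auto-approve; a human decides
    APPROVED = "approved"
    DEPLOYED = "deployed"
    EXCEPTION = "exception"                  # held, or one or more devices need a work order


@dataclass
class Patch:
    patch_id: str
    severity: int                 # constructed scale: 1 = low ... 4 = critical
    devices: list[str]            # endpoints the patch applies to
    stage: Stage = Stage.CATALOGED
    priority: int = 0
    audit_log: list[str] = field(default_factory=list)


@dataclass
class WorkOrder:
    patch_id: str
    device: str
    reason: str
    assignee: str


# Assumption: patches at or below this severity are approved automatically once
# testing passes; anything more severe waits for explicit human approval.
AUTO_APPROVE_MAX_SEVERITY = 2


class PatchManager:
    """Tracks each patch through the lifecycle activities and records an audit trail."""

    def __init__(self, default_assignee: str = "endpoint-team") -> None:
        self.patches: dict[str, Patch] = {}
        self.work_orders: list[WorkOrder] = []
        self.default_assignee = default_assignee

    def _log(self, patch: Patch, stage: Stage, note: str) -> None:
        patch.stage = stage
        patch.audit_log.append(f"{stage.value}: {note}")

    def catalog(self, patch: Patch) -> None:
        self.patches[patch.patch_id] = patch
        self._log(patch, Stage.CATALOGED, f"{len(patch.devices)} device(s) affected")

    def prioritize(self, patch_id: str) -> int:
        patch = self.patches[patch_id]
        # Urgency weighted by how many devices are impacted.
        patch.priority = patch.severity * len(patch.devices)
        self._log(patch, Stage.PRIORITIZED, f"priority {patch.priority}")
        return patch.priority

    def record_test(self, patch_id: str, passed: bool) -> Stage:
        patch = self.patches[patch_id]
        if not passed:
            self._log(patch, Stage.EXCEPTION, "test failed; patch held for review")
            return patch.stage
        self._log(patch, Stage.TESTED, "test passed")
        if patch.severity <= AUTO_APPROVE_MAX_SEVERITY:
            self._log(patch, Stage.APPROVED, "auto-approved (low risk)")
        else:
            self._log(patch, Stage.AWAITING_APPROVAL, "manual approval required")
        return patch.stage

    def approve(self, patch_id: str, approver: str) -> None:
        patch = self.patches[patch_id]
        if patch.stage != Stage.AWAITING_APPROVAL:
            raise ValueError(f"{patch_id} is not awaiting approval ({patch.stage.value})")
        self._log(patch, Stage.APPROVED, f"approved by {approver}")

    def deploy(self, patch_id: str, results: dict[str, str]) -> list[WorkOrder]:
        """results maps device -> 'ok' | 'failed' | 'skipped' (constructed outcome codes)."""
        patch = self.patches[patch_id]
        if patch.stage != Stage.APPROVED:
            raise ValueError(f"{patch_id} is not approved ({patch.stage.value})")
        opened: list[WorkOrder] = []
        for device in patch.devices:
            outcome = results.get(device, "skipped")  # a device with no result counts as skipped
            if outcome != "ok":
                order = WorkOrder(patch_id, device, f"deployment {outcome}", self.default_assignee)
                self.work_orders.append(order)
                opened.append(order)
        if opened:
            self._log(patch, Stage.EXCEPTION, f"{len(opened)} work order(s) opened")
        else:
            self._log(patch, Stage.DEPLOYED, "all devices patched")
        return opened

    def accept_risk(self, patch_id: str, device: str, reason: str, approver: str) -> None:
        """Document an accepted exception (e.g. a software conflict) so it survives an audit."""
        patch = self.patches[patch_id]
        patch.audit_log.append(f"exception accepted for {device}: {reason} (by {approver})")


if __name__ == "__main__":
    pm = PatchManager()
    critical = Patch("PATCH-EXAMPLE-001", severity=4, devices=["ws01", "ws02", "srv01"])
    pm.catalog(critical)
    pm.prioritize("PATCH-EXAMPLE-001")
    pm.record_test("PATCH-EXAMPLE-001", passed=True)     # held: severity above threshold
    pm.approve("PATCH-EXAMPLE-001", approver="sec-lead")
    pm.deploy("PATCH-EXAMPLE-001", {"ws01": "ok", "ws02": "failed"})  # srv01 is skipped
    pm.accept_risk("PATCH-EXAMPLE-001", "srv01", "conflicts with legacy agent", "ops-manager")
    print("\n".join(critical.audit_log))
    for order in pm.work_orders:
        print(f"work order -> {order.assignee}: {order.patch_id} on {order.device} ({order.reason})")
```

Each stage transition appends to the patch's audit log, which is what an auditor asks for; the work orders are the concrete hand-off to a human when automation stops, and `accept_risk` records the documented exception rather than silently dropping the device.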