As we venture into 2010, one thing has remained unchanged: Keeping up with the latest patches from multiple vendors seems to persist as the bane for many IT stakeholders. Several organizations have to deal with legacy environments, heterogeneous server farms and disparate builds through the enterprise. The continuous flow of security bulletins, hot fixes and service packs may seem never-ending to some, and applying them in a non-intrusive fashion is a science in itself.
Organizations that need to seek relief from the quagmire of patching may notice a few key changes in the technology and patch subscriptions these days. The staples of patching still remain in most of the products we reviewed in this issue. However, several of them are now helping organizations defend against client-side attacks. Although some products still provide users with a basic subscription to update Windows-based operating systems, others are including application patches as well. Popular client-side victims, such as Adobe, Microsoft Office and even various browsers, have been introduced and automated as well.
Organizations that struggle with protecting and updating these often-overlooked components may be intrigued by these additional features.
Overall, the patch management market feels similar to years past, but at the same time hasn't been immune to convergence either. In many of the products we tested, patch management is simply another module or license within an overall suite of operational technologies. Standalone products remain, but buyers will have to make decisions regarding whether or not to invest in an additional agent and server component, or attempt to include the technology into an overall long-term strategy.
For our 2010 patch management review, none of the applicants submitted an appliance-based solution, and since they are all software products, they required at least a backend server and a database capable of scaling in a relative nature given any particular enterprise. For buyers, this ironically represents yet another host that needs to be patched, so our server host doubled as a guinea pig for patching as well.
The patch management domain can easily overlap into any other IT operations area and have the word "management" appended to it. This includes, but is not limited to, asset, configuration, vulnerability, compliance, policy and other management endeavors. Buyers will undoubtedly do well to look for products that include several of these features together under one license. Many of the products we reviewed have interesting modular and license models that may be confusing with regards to which features may be needed. Be prepared to dig under the hood and ask questions of any vendor if your needs exceed pure patch management and carry over into other areas as well.
All of the products in this group performed well at the fundamental patch management basics. This includes some form of asset discovery (although some products require the initialization of an agent deployment task in order to 'discover' hosts), patch level querying, deployment of patches, and, finally, reporting. The actual distinction between vendors is in the cost per node for that perpetual subscription or maintenance cost. Vendors that provide value above and beyond simply aggregating patches for you to download represent exponential returns on investment. For example, Novell's ZENworks provides pre-testing and patch dependency information to help minimize impact and reboots within the enterprise.
How we tested
All server software was installed within a virtual farm in our lab. Our lab server machines consist of Windows 2003 RC2 images managed with Hyper-V within Windows 2008. All of our server products either recommended or mandated installing on Windows 2003. We did not encounter any products that mandated an installation on Windows 2008. Microsoft SQL Server (or a variation) was used for all backend database repositories. All client software agents were deployed to virtual instances of Windows XP SP2.
As always, the areas we focused on were product installation, ease of administration, usability in an enterprise environment, user experience, support, price and overall value for the money. Although performance of patching was touted by some vendors, we felt that control over how endpoints are patched was more important than measuring how fast they could be patched. Considerations such as order of patching, types of software vendor patches available, and ancillary features of the product were reviewed as well. Our Best Buy and Recommended designations were delegated to vendors that offered a few critical tenets: additional features beyond basic patching that were included in the license, easy to understand product licensing and capabilities, as well as minutiae that many administrators may appreciate when making buying decisions. Overall, most purchasers will decide how well the solution fits into the existing enterprise and weigh business decisions against long-term configuration, patch and asset management strategies.