
Virtual patching: a way out of the patch maelstrom


By Tim Ayling, Director for Channels and Marketing, Trend Micro

One of the biggest problems data centre owners have today is patching.

It’s a burdensome, costly, and time-consuming affair that’s often done manually and, given the current threat landscape, can leave mission-critical systems open to new threats for dangerously long periods. A typical data centre today may be running systems from a hotchpotch of vendors that all need patching, each with different schedules and different levels of criticality. Oracle’s patch load is legendary, while Microsoft’s Patch Tuesday is written on the calendar of most system administrators in double-thick red pen.

Add to this complexity the fact that many systems are going out of support and no longer have patches issued, and you get another headache for the IT department. Then try multiplying this a thousandfold in the environment of a cloud service provider, tasked with keeping secure a data centre servicing hundreds of thousands of users.

These businesses are increasingly differentiating on the security and stability of their services – in this context a missed patch could lead to a serious outage or security incident, bad headlines and an exit of customers.

Today’s patch managers have an unenviable task, not least because of zero-day threats. As soon as a vulnerability has been discovered or publicly announced, the clock is ticking. Make no mistake: the bad guys have their own SLAs to produce an exploit before the vendor gets there first with a patch of their own. It’s then the job of the overworked system administrator to make sure their systems aren’t exposed, and in virtual environments it can be even more challenging.

The most important thing to remember is that security teams can’t shoehorn their tried-and-tested physical security tools and techniques into virtual environments.

The answer is virtual patching. If organisations simply don’t have the resources to patch more often than every 3-6 months, virtual patching can provide a sticking plaster: it shields the relevant systems from known vulnerabilities until the real patches are applied. It should be an agentless virtual patching system that protects at the hypervisor level, because inserting agents onto each VM will degrade performance.

The benefits are obvious. It’s all about performance, cost and security. If automated, virtual patching can save valuable man-hours, extend the lifespan of legacy applications that are no longer supported, and reduce the business disruption caused by emergency patches.
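The two paragraphs above describe virtual patching as a shield that sits in front of an unpatched system and blocks the exploit condition until the vendor fix is installed, and as something that can be retired once that fix arrives. The following example is added here to illustrate that mechanism in miniature; it is not code from the article or from Trend Micro's hypervisor-level product. Everything in it is constructed: the `/download` path, the `file` parameter, the rule id `VP-0001`, the version numbers and the sample requests are hypothetical, and the rule is a simple request filter rather than a hypervisor-level inspection engine.

```python
"""Conceptual virtual patch: a filter in front of an unpatched component.

Constructed example. The flaw being shielded (a hypothetical path traversal
in a '/download' handler's 'file' parameter) and all versions are made up.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Request:
    """Minimal stand-in for an inbound HTTP request."""
    path: str
    params: Dict[str, str]


@dataclass
class VirtualPatch:
    """One shielding rule.

    The rule blocks the exploit condition for a known flaw in a specific
    handler. It is only needed while the deployed component is older than
    `fixed_version`, the release in which the vendor actually fixed the bug.
    """
    rule_id: str
    path_prefix: str
    param: str
    bad_pattern: re.Pattern
    fixed_version: Tuple[int, ...]

    def matches(self, req: Request) -> bool:
        if not req.path.startswith(self.path_prefix):
            return False  # rule is scoped to the vulnerable handler only
        value = req.params.get(self.param)
        return value is not None and bool(self.bad_pattern.search(value))


@dataclass
class Shield:
    """Holds the installed component version and the rule set in front of it."""
    installed_version: Tuple[int, ...]
    patches: List[VirtualPatch]
    log: List[str] = field(default_factory=list)

    def active_rules(self) -> List[VirtualPatch]:
        # A virtual patch is a stopgap: once the real patch is installed the
        # rule retires automatically, so traffic is no longer double-filtered.
        return [p for p in self.patches if self.installed_version < p.fixed_version]

    def inspect(self, req: Request) -> str:
        for rule in self.active_rules():
            if rule.matches(req):
                # Every block is logged; these events are what a SOC watches
                # to see that the unpatched system is actually being probed.
                self.log.append(
                    f"BLOCK {rule.rule_id} path={req.path} "
                    f"{rule.param}={req.params[rule.param]!r}"
                )
                return "blocked"
        return "allowed"


def build_demo_shield(installed_version: Tuple[int, ...] = (2, 3, 0)) -> Shield:
    """Shield with one hypothetical rule for a traversal flaw fixed in 2.4.0."""
    traversal_rule = VirtualPatch(
        rule_id="VP-0001 (hypothetical)",
        path_prefix="/download",
        param="file",
        # '..' followed by a slash or backslash, raw or percent-encoded.
        bad_pattern=re.compile(r"(?:\.\.|%2e%2e)(?:[/\\]|%2f|%5c)", re.IGNORECASE),
        fixed_version=(2, 4, 0),
    )
    return Shield(installed_version=installed_version, patches=[traversal_rule])


# Constructed sample traffic: two benign requests, two that trip the rule.
SAMPLE_REQUESTS: List[Request] = [
    Request("/download", {"file": "report.txt"}),
    Request("/download", {"file": "../../app.conf"}),
    Request("/download", {"file": "..%2F..%2Fapp.conf"}),
    Request("/status", {"file": "../ignored"}),  # other handler: not in rule scope
]


def run_demo(installed_version: Tuple[int, ...] = (2, 3, 0)) -> List[str]:
    """Return the shield's verdict for each sample request."""
    shield = build_demo_shield(installed_version)
    return [shield.inspect(r) for r in SAMPLE_REQUESTS]


if __name__ == "__main__":
    print("unpatched 2.3.0:", run_demo((2, 3, 0)))   # rule active
    print("patched   2.4.0:", run_demo((2, 4, 0)))   # rule retired
```

Two points the article makes fall out of the code. First, the rule is scoped tightly to the vulnerable handler, so a request to `/status` with the same payload is not touched; a virtual patch covers exactly the flaw it was written for and nothing else, which is why it is a sticking plaster rather than a substitute for the vendor fix. Second, once `installed_version` reaches `fixed_version` the rule stops firing on its own, so the shield does not accumulate stale filters as the real patches catch up.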

More importantly, for the cloud provider it means peace of mind and knowing your customers are safe.