Key Criteria for Evaluating Patch Management v1.0

An Evaluation Guide for Technology Decision Makers

Table of Contents

  1. Summary
  2. Patch Management Primer
  3. Report Methodology
  4. Decision Criteria Analysis
  5. Evaluation Metrics
  6. Key Criteria: Impact Analysis
  7. Analyst’s Take
  8. About Ron Williams

1. Summary

Software is rarely immutable. It often needs to be modified—patched—to fix a bug or vulnerability, add security, or update a feature. In today’s systems, patch management is critical for ensuring that the appropriate patches are acquired and installed for all applications and tools.

Good patch management practices in the current global environment require mitigation of the root causes responsible for many recent cyber events. Patch management also requires the proper tools, processes, and methods to minimize security risks, and should support the functionality of the underlying hardware or software. Patch prioritization, testing, implementation tracking, and verification are all part of robust patch management.

Processes for the patch management of servers in data centers and clouds differ from those for a server at a remote location. End-user systems also need patch management. Some tools cover all of these. Mobile devices are generally managed via a mobile device management (MDM) solution.

Patch management of firmware and hardware operating systems is usually the most straightforward, as the vendor supplies the methods and means for patching these systems. Patch management of desktops and laptops can be the most complicated to execute. Applications, especially in desktop environments, present additional issues.

On desktops and laptops, extra steps are required to patch firmware, BIOS, CMOS, and some OS updates on systems with crypto locks on the motherboard. This is especially true of systems outfitted with Unified Extensible Firmware Interface (UEFI) and Trusted Platform Module (TPM) chips, both of which are required for Windows Hello on Windows 10 and on all Windows 11 PCs. PCI and SOX compliance likewise require these protections, which must be enabled on all relevant systems. While servers also have TPM modules, the absence of end-user physical access restrictions or biometric keys makes patching servers with TPM less complicated than patching client systems.

The management of patches is not without challenges. Organizations unable to overcome these challenges may suffer from vulnerabilities, leading to what should be easily preventable compromises.

This GigaOm Key Criteria report details the criteria and evaluation metrics for selecting an effective patch management platform. The companion GigaOm Radar report identifies vendors and products that excel in those criteria and metrics. Together, these reports provide an overview of the category and its underlying technology, identify leading patch management offerings, and help decision makers evaluate these platforms so they can make a more informed investment decision.

How to Read this Report

This GigaOm report is one of a series of documents that helps IT organizations assess competing solutions in the context of well-defined features and criteria. For a fuller understanding, consider reviewing the following reports:

Key Criteria report: A detailed market sector analysis that assesses the impact that key product features and criteria have on top-line solution characteristics—such as scalability, performance, and TCO—that drive purchase decisions.

GigaOm Radar report: A forward-looking analysis that plots the relative value and progression of vendor solutions along multiple axes based on strategy and execution. The Radar report includes a breakdown of each vendor’s offering in the sector.

Solution Profile: An in-depth vendor analysis that builds on the framework developed in the Key Criteria and Radar reports to assess a company’s engagement within a technology sector. This analysis includes forward-looking guidance around both strategy and product.

Full content available to GigaOm Subscribers.