February 2021
Patch management is a system of tools and protocols used to acquire, test, and install changes to software or ancillary data that are designed to update, fix, or improve the software or ancillary data—the “patch.” Patches are typically released to address known issues in software or data, such as a software bug or a security vulnerability.
Applying available patches against known vulnerabilities is fundamental to securing networks and data and mitigating the legal risks associated with data breaches. Some of the largest data breach enforcement actions in the world cite a lack of appropriate patching against known vulnerabilities as a contributing factor to the record fines levied against companies that experienced data breaches. This is true even though the data breach was the direct result of a malicious actor exploiting the vulnerabilities, and not the mere presence of the unpatched vulnerabilities.
Patch management is an integral part of reasonable security measures for protecting personal data. And although not all patches are necessary to secure the privacy of data, a patch management system is considered a standard feature of a reasonable security program . The patch management system provides a systematic and scalable means of evaluating individual risks associated with a given bug or vulnerability. Failure to implement a published patch against a known vulnerability can considerably limit an enterprise’s ability to defend against data breach lawsuits.
Patch management can also be a key driver of digital transformation efforts. Enterprises can take advantage of shared responsibility models that delegate hardware and infrastructure patch management to cloud service providers. NetApp customers using Cloud Volume Services on AWS or Google Cloud, or customers using Azure NetApp Files can contract with Amazon, Google, or Microsoft to patch the underlying hardware and firmware as part of their cloud services agreements. This frees up enterprise resources to manage applications and data rather than patch management infrastructure.
Effective patch management requires a healthy and well-maintained program to handle vulnerabilities. NetApp participates in security communities that track published vulnerabilities and maintains a program whereby customers and researchers outside of these communities submit information about potential vulnerabilities. We also score and track security vulnerabilities according to our vulnerability and response handling policy, which prioritizes responses according to industry standards, and we release patches in the form of Security Advisories.
