Operating system (OS) patch management is one of a system administrator's recurring headaches, because keeping an IT environment patched has become essential to protecting it against attacks. Applying the patch itself is not the hard part. The problem is everything around it: validating that the patch will not break the OS or applications, and fitting deployment into IT and business processes.
A well-defined, standardized process is the key success factor for patch management, and that is what IBM provides on IBM SmartCloud Enterprise+ (SCE+). It uses processes, tools and decades of experience to give customers the flexibility to keep their virtual machines (VMs) current with the latest security patches. In this blog post, I will go through the main things you need to know about this process on SCE+.
A customer's choices begin during onboarding to SCE+, when they select the following patch management options:
• Should patches be deployed automatically or semi-automatically? With automatic deployment, patches are always applied without customer approval. With semi-automatic deployment, customers are always asked in advance to approve each patch on the SCE+ web portal, and approved patches are installed in the next patch window.
• On which day should the patch window run? Each customer's business will not always be able to use the same maintenance window, but a managed cloud offering such as SCE+ also needs some level of standardization. For this reason, IBM gives customers a choice of day: Tuesday, Wednesday, Thursday or Saturday, always starting at 10 p.m. and running until 6 a.m.
The way patch management policy is defined in SCE+ lets customers verify that a given patch will not damage their production VMs. When requesting a new VM on the SCE+ web portal, customers assign each server to one of four patching windows: development, test, production 1 or production 2.
Because each server category maps to its own window, a patch is always applied to the development and test windows before it reaches production. If anything goes wrong on the development or test servers, customers can use the SCE+ web portal to ask IBM to hold the patch for production. And because there are two production windows, customers can run an application on two or more VMs, split them between production 1 and production 2, and keep the service available while each half is patched.
SCE+ also offers a manual patching option per VM, where the customer chooses a specific time (within the patching window) at which the VM's patches are applied. Because this requires manual labor to manage and deploy the patches, there is an additional fee. Customers can also choose a "no patches" option for a VM, in which case IBM will not apply patches to it and will not guarantee service level agreements (SLAs) for that VM.
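To make the staged rollout described above concrete, here is a small scheduler that models it. This is an added example written for this post, not SCE+ code or IBM's tooling: the window days and 10 p.m. to 6 a.m. times come from the post, while the gating rules (a tier is only patched once the lower tiers reported success, production 2 waits for production 1 so the two halves of an application are never down together, held patches never reach production, and manual or "no patches" VMs are left out of the automatic schedule) are this example's own assumptions. VM names, the patch identifier and the result values are constructed sample data.

```python
"""Hypothetical model of a staged patch rollout: development -> test -> production 1 -> production 2.

Added example, not the SCE+ implementation. Window days/times follow the post;
the gating rules below are assumptions made for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import IntEnum


class Tier(IntEnum):
    DEV = 0
    TEST = 1
    PROD1 = 2
    PROD2 = 3


# Windows run 10 p.m. to 6 a.m. on the customer's chosen day (Python weekday: Monday == 0).
WINDOW_WEEKDAYS = {"tuesday": 1, "wednesday": 2, "thursday": 3, "saturday": 5}
WINDOW_START_HOUR = 22
WINDOW_HOURS = 8


def next_window(after: datetime, day: str) -> tuple[datetime, datetime]:
    """Start and end of the first patch window that begins strictly after `after`."""
    weekday = WINDOW_WEEKDAYS[day.lower()]  # KeyError for a day the service does not offer
    days_ahead = (weekday - after.weekday()) % 7
    start = after.replace(hour=WINDOW_START_HOUR, minute=0, second=0, microsecond=0)
    start += timedelta(days=days_ahead)
    if start <= after:  # today's window already started: use next week's
        start += timedelta(days=7)
    return start, start + timedelta(hours=WINDOW_HOURS)


@dataclass
class VM:
    name: str
    tier: Tier
    patching: str = "standard"  # "standard" | "manual" | "none"


@dataclass
class Patch:
    patch_id: str
    approved: bool = False  # only consulted in semi-automatic mode
    held: bool = False      # customer asked to hold production deployment
    results: dict = field(default_factory=dict)  # Tier -> "ok" | "failed" (constructed values)


def tier_ready(patch: Patch, tier: Tier) -> bool:
    """Gate for one tier (assumed rules, not SCE+ policy):
    - a tier that already has a result is not patched again;
    - test needs dev ok; production needs dev and test ok and no customer hold;
    - production 2 additionally waits for production 1 ok, so the two halves of a
      split application are never patched in the same window."""
    if tier in patch.results:
        return False
    if tier == Tier.DEV:
        return True
    if tier == Tier.TEST:
        return patch.results.get(Tier.DEV) == "ok"
    if patch.held:
        return False
    prerequisites = [Tier.DEV, Tier.TEST] + ([Tier.PROD1] if tier == Tier.PROD2 else [])
    return all(patch.results.get(t) == "ok" for t in prerequisites)


def schedule(vms: list[VM], patch: Patch, mode: str, window_day: str, now: datetime) -> list[tuple[str, datetime]]:
    """VMs that receive `patch` in the next window, with the window start time.
    Semi-automatic mode schedules nothing until the customer approves the patch;
    manual and no-patch VMs are never part of the automatic schedule."""
    if mode == "semi-automatic" and not patch.approved:
        return []
    start, _ = next_window(now, window_day)
    return [(vm.name, start) for vm in vms
            if vm.patching == "standard" and tier_ready(patch, vm.tier)]


if __name__ == "__main__":
    fleet = [VM("web-dev", Tier.DEV), VM("web-test", Tier.TEST),
             VM("web-a", Tier.PROD1), VM("web-b", Tier.PROD2),
             VM("legacy", Tier.PROD1, "none"), VM("db", Tier.PROD1, "manual")]
    patch = Patch("patch-2013-01")
    now = datetime(2013, 1, 7, 9, 0)  # a Monday morning
    for step in range(4):
        plan = schedule(fleet, patch, "automatic", "tuesday", now)
        print(f"window {step + 1}: {plan}")
        for name, _ in plan:  # pretend every scheduled VM reported success
            patch.results[next(vm.tier for vm in fleet if vm.name == name)] = "ok"
```

Running the script walks one patch through all four windows, one tier per window; flipping `patch.held = True` after a bad test result or setting `mode="semi-automatic"` without `approved=True` stops the plan before production, which is the behaviour the hold and approval options in the post are there to provide.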
Now that you know more about patch management on SCE+, look for me on Twitter so we can chat more about this and other cloud topics!