
Patch management and IT transformation

Patching remains a challenge for many organisations, despite the abundance of automated patch management tools. It is not uncommon for organisations to be uncomfortably behind their patching schedule, sometimes hindered by a lack of appropriate skills or by the difficulty of diverting resources that are already deployed elsewhere. Unpatched systems remain one of the major sources of cyber risk, exposing known vulnerabilities that can be exploited with increasing ease. As the NCSC points out, “It is better to start small and make progress than feel overwhelmed by the task and do nothing”[i].

For many organisations, improving patching effectiveness is a key driver for cloud transformation programmes. Aligning cloud migration with patching priorities can:

    • support investment decisions;
    • chip away at the backlog of legacy patching; and,
    • reduce corporate risk.

Appropriately adopting cloud technologies presents clear opportunities to reduce the patch management burden of server environments, whether by consuming PaaS, SaaS or even serverless computing. However, one often overlooked opportunity is to simplify workstation or endpoint patching. Where organisations can identify user communities that are using, or moving to, online services, whether public or private cloud, the opportunity exists to accelerate patch management improvement.

The challenge

Patching environments that have multiple interdependencies between software and hardware platforms can risk breaking something and impacting business critical processes in a way that cannot be easily anticipated. However, appropriately managing risks through integration testing away from production environments can take time, incur costs and require skilled resources.

While patch management may be necessary to stay on top of the latest features and functionality of software applications, cyber-related risk remains the key driver for effective patch management. The software we all regularly use inevitably contains vulnerabilities, and exploitation of known vulnerabilities remains the greatest cause of security incidents, particularly on endpoint devices, which are often the front line of cyber defence.

Vulnerability and patch management helps protect sensitive information and avoid business disruption, whether required for regulation or protecting corporate reputation. For this reason, patch management should effectively support an organisation’s vulnerability management processes, allowing executive staff to be as aware of the major risks associated with their IT environment as they are of their broader corporate and financial risks.

Patching Strategy

It goes without saying that you can’t have a comprehensive patch management programme without a full inventory of IT assets. For most organisations, software and hardware environments are dynamic, requiring constant inventory maintenance. Software asset management tools can help automate the process, but their limitations for vulnerability identification should be understood: they do not always check for vulnerable software libraries or software configuration.

Vulnerability assessments should ideally be carried out on a monthly basis, and testing against non-production systems is important. This applies not just to the patches themselves but to any tools used to help automate the process: vulnerability scanning tools can themselves impact a monitored environment, and may expose privileged credentials to any attackers already within the estate.

Vulnerability prioritisation may be informed by severity scoring (e.g. CVSS), but should also consider how easily a vulnerability can be exploited and what the resulting impact would be. Both factors require technical skill and knowledge of the system at hand. For risk to then be assessed within a business context, a summary and justification of the prioritisation should be provided to support a business decision aligned with corporate risk appetite.
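The following is an added illustration, not code from Becrypt or from the original article, of how the three factors above (CVSS severity, ease of exploitation and business impact) can be combined into a ranked list with a one-line justification per finding. The weights, the exposure categories, the remediation-window thresholds and the sample findings are all constructed assumptions for the example; a real programme would calibrate them against its own risk appetite.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    asset: str
    ref: str              # constructed vulnerability reference, not a real CVE
    cvss: float           # CVSS base score, 0.0 to 10.0
    exploit_public: bool  # is a working public exploit known for it?
    exposure: str         # "internet", "internal" or "isolated" (assumed categories)
    criticality: int      # business impact of the asset, 1 (low) to 5 (critical)

# Assumed weights: how reachable the asset is scales the "ease" factor.
EXPOSURE_WEIGHT = {"internet": 1.0, "internal": 0.6, "isolated": 0.3}

def priority_score(f: Finding) -> float:
    """Severity x ease of exploitation x business impact, rounded to 2 dp."""
    ease = (1.0 if f.exploit_public else 0.5) * EXPOSURE_WEIGHT[f.exposure]
    impact = f.criticality / 5.0
    return round(f.cvss * ease * impact, 2)

def remediation_window_days(score: float) -> int:
    """Illustrative thresholds mapping a score to a patching SLA (assumed values)."""
    if score >= 6.0:
        return 14
    if score >= 3.0:
        return 30
    return 90

def justification(f: Finding) -> str:
    """Plain-language summary suitable for a non-technical risk owner."""
    score = priority_score(f)
    exploit = "public exploit available" if f.exploit_public else "no public exploit known"
    return (f"{f.asset} / {f.ref}: CVSS {f.cvss}, {exploit}, {f.exposure}-facing, "
            f"criticality {f.criticality}/5 -> score {score}, "
            f"patch within {remediation_window_days(score)} days")

def prioritise(findings):
    """Return findings ordered highest priority first."""
    return sorted(findings, key=priority_score, reverse=True)

# Constructed sample findings; note the highest CVSS is not the top priority.
SAMPLE = [
    Finding("web-gateway-01", "VULN-A", 7.5, True, "internet", 5),
    Finding("hr-db-02", "VULN-B", 9.8, False, "internal", 4),
    Finding("lab-pc-17", "VULN-C", 9.0, False, "isolated", 1),
    Finding("laptop-fleet", "VULN-D", 6.5, True, "internet", 3),
]

if __name__ == "__main__":
    for f in prioritise(SAMPLE):
        print(justification(f))
```

Run stand-alone, the script ranks the internet-facing gateway with a public exploit first even though the internal database has the higher CVSS score, which is exactly the distinction the paragraph argues a CVSS-only view misses.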

Extending Patch Management Automation

As outlined above, effective patch management can be a time-consuming and complex process even with the assistance of patch automation tools, typically requiring both extensive technical skills and wider business support. However, leveraging cloud IT transformation programmes can provide an opportunity for a significant reduction in patch and vulnerability management overhead.

Various cloud models exist to delegate either large parts or all of the responsibility and overhead of server-side patching and vulnerability management. The same is now true for the client side, including user device operating system and application patching.

Paradox is an integrated operating system and application environment that allows the burden of desktop patch management to be entirely met via the Paradox Management platform, backed by Becrypt’s vulnerability assessment and patch testing programme.

Paradox provides a secure and resilient browser-based platform primarily for accessing cloud and online services, but also supports a range of client applications. Unlike other desktop platforms, Paradox’s entire client software image is transparently downloaded and installed as one continuous file containing all selected operating system and application components. This controlled system and application environment allows Becrypt to perform extensive interoperability testing of application patches. A targeted vulnerability management programme run by Becrypt’s security specialists ensures Paradox customers automatically benefit from up-to-date patches and patch reporting.

Paradox was designed in collaboration with UK Government, and uses a defence-in-depth security architecture that ensures devices remain in a known healthy state. Accredited for use within government classified environments, Paradox is also used in corporate environments, typically where organisations need greater security than standard PCs or thin clients, but always where customers value the cost benefits of truly automated patching.

[i] Vulnerability Management, National Cyber Security Centre.
