Cloud Components that need to be Patched:
- Virtual Machines
- Virtual Appliances
- Networking Components
- Storage Components
Production – Development – Quality Assurance (keep the three environments separate; promote a patch from Development to QA and only then to Production)
- A rolling update is a patching strategy that staggers deployment across multiple phases.
- Helps reduce downtime and issues from the update.
- Patches one server (or one small batch) at a time while the remaining servers keep serving traffic; if a patched server fails its health check, the rollout stops before the fault spreads.
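The staggered logic behind a rolling update, as an added example (not code from the original notes), simulated in Python against a constructed pool of four web hosts: drain and patch one batch, health-check it, return it to service, and halt the rollout and roll the batch back the moment a check fails, so that at most one batch is ever out of service. The host names, version strings and the host that fails after patching are assumptions for the demonstration.

```python
# Added example: rolling-update orchestration logic simulated against a
# constructed host pool. Host names, versions and the failing host are
# assumptions, not data from the notes.

OLD_VERSION = "2.3.0"
NEW_VERSION = "2.3.1"


def make_pool(bad_host="web-03"):
    """Constructed pool: name -> state. 'fails_after_patch' marks the one host
    whose health check will fail once patched (a bad driver, broken config, etc.)."""
    return {
        name: {"version": OLD_VERSION, "in_service": True,
               "fails_after_patch": name == bad_host}
        for name in ["web-01", "web-02", "web-03", "web-04"]
    }


def apply_patch(pool, host):
    pool[host]["in_service"] = False   # drain the host before touching it
    pool[host]["version"] = NEW_VERSION


def health_check(pool, host):
    return not pool[host]["fails_after_patch"]


def rollback(pool, host):
    pool[host]["version"] = OLD_VERSION
    pool[host]["in_service"] = True


def rolling_update(pool, batch_size=1):
    """Patch hosts batch by batch. Returns a summary dict; never leaves the
    pool with fewer than (len - batch_size) hosts in service."""
    hosts = list(pool)
    if batch_size >= len(hosts):
        raise ValueError("batch must leave at least one host in service")
    patched = []
    for i in range(0, len(hosts), batch_size):
        batch = hosts[i:i + batch_size]
        for h in batch:
            apply_patch(pool, h)
        failed = [h for h in batch if not health_check(pool, h)]
        if failed:
            for h in batch:            # roll the whole batch back and stop
                rollback(pool, h)
            return {"status": "halted", "patched": patched,
                    "failed": failed, "remaining": hosts[i:]}
        for h in batch:                # healthy: put the batch back in service
            pool[h]["in_service"] = True
        patched.extend(batch)
    return {"status": "complete", "patched": patched, "failed": [], "remaining": []}


if __name__ == "__main__":
    pool = make_pool()
    print(rolling_update(pool, batch_size=1))
    print({h: s["version"] for h, s in pool.items()})
```

With the constructed pool the rollout halts at web-03: web-01 and web-02 are on the new version, web-03 is rolled back, web-04 is never touched, and every host is back in service, which is exactly the state a rolling update should leave behind for an operator to investigate.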
Blue/Green Deployment Patching (two identical environments) – The patched environment and the old version are swapped by repointing the router or load balancer. The test environment becomes the Production environment when traffic is flipped; the old environment is kept intact so the flip can be reversed if the patch misbehaves.
Emergency/critical security patches are designed to fix serious or critical security flaws and usually need to be deployed quickly, with less time in test than a routine update.
Failover Cluster Patching
- Plan regular maintenance windows (scheduled outages) to perform patching.
- Between windows you may want to patch only severe security vulnerabilities.
- Cluster-Aware Updating (CAU) is a Windows Server feature that patches the nodes of a failover cluster one at a time, moving clustered roles off each node before it is updated and rebooted, so the cluster stays available throughout.
Steps to Follow for Patching
- Do an inventory of all components in the environment, including version, IP address, location, and function.
- Try to standardize components (software/firmware versions) so fewer distinct patches have to be tracked.
- Inventory the security controls in place and their configurations (routers, firewalls, anti-malware, firewall rules, etc.).
- Compare every reported vulnerability against the inventory to find which components are actually affected.
- Determine how critical each reported vulnerability is to the affected components and what impact exploitation would have (exposure, data, availability).
- Deploy patches without disrupting uptime or production.
- Monitor patched systems after deployment for any issues and be prepared to roll back patches.
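The inventory, comparison and prioritization steps above, carried through as an added Python example (not from the original notes): a constructed component inventory with version, IP, location, function and exposure is matched against constructed advisories, and the hits are ranked by severity and exposure so the most urgent patch comes first. The component names, products, version numbers and advisory identifiers are assumptions; the advisories are not real CVEs.

```python
# Added example: match reported vulnerabilities against a component inventory
# and rank the findings. All inventory rows and advisories are constructed.
from dataclasses import dataclass


@dataclass
class Component:
    name: str
    product: str
    version: str
    ip: str
    location: str
    function: str
    exposure: str        # "internet-facing" or "internal"


@dataclass
class Advisory:
    advisory_id: str     # constructed identifier, not a real CVE
    product: str
    fixed_in: str        # versions below this are affected
    severity: str        # critical / high / medium / low


SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}
EXPOSURE_RANK = {"internet-facing": 2, "internal": 1}


def parse_version(v):
    """'1.26.1' -> (1, 26, 1) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


# Constructed inventory (step 1 of the procedure).
INVENTORY = [
    Component("web-01", "nginx", "1.24.0", "10.0.1.10", "us-east-1a", "web", "internet-facing"),
    Component("web-02", "nginx", "1.26.1", "10.0.1.11", "us-east-1b", "web", "internet-facing"),
    Component("db-01", "postgresql", "15.3", "10.0.2.10", "us-east-1a", "database", "internal"),
    Component("fw-01", "virtual-firewall", "7.2.1", "10.0.0.1", "us-east-1a", "network", "internet-facing"),
]

# Constructed advisories (what a vulnerability feed would report).
ADVISORIES = [
    Advisory("ADV-2024-001", "nginx", "1.26.0", "high"),
    Advisory("ADV-2024-002", "postgresql", "15.4", "critical"),
    Advisory("ADV-2024-003", "virtual-firewall", "7.2.0", "critical"),
]


def match_advisories(inventory, advisories):
    """Step 4: return (component, advisory) pairs where the installed version
    is older than the fixed version for that product."""
    hits = []
    for comp in inventory:
        for adv in advisories:
            if adv.product == comp.product and \
                    parse_version(comp.version) < parse_version(adv.fixed_in):
                hits.append((comp, adv))
    return hits


def prioritize(findings):
    """Step 5: rank by advisory severity, then by how exposed the component is."""
    def key(f):
        comp, adv = f
        return (SEVERITY_RANK[adv.severity], EXPOSURE_RANK[comp.exposure])
    return sorted(findings, key=key, reverse=True)


def patch_plan(inventory=INVENTORY, advisories=ADVISORIES):
    """Ordered list of what to patch first, with the fields an operator needs."""
    return [
        {"order": i + 1, "host": c.name, "ip": c.ip, "product": c.product,
         "installed": c.version, "fixed_in": a.fixed_in,
         "advisory": a.advisory_id, "severity": a.severity, "exposure": c.exposure}
        for i, (c, a) in enumerate(prioritize(match_advisories(inventory, advisories)))
    ]


if __name__ == "__main__":
    for row in patch_plan():
        print(row)
```

Comparing parsed version tuples rather than strings matters: as strings, "1.24.0" sorts after "1.26.0" only by accident of digits, and "7.2.10" would sort before "7.2.9". Components already at or above the fixed version (web-02, fw-01) produce no finding, so the plan contains only work that actually needs doing.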
Automation and Orchestration Patching in the Cloud
Automation and orchestration can aid patch maintenance by letting you automate the installation of patches, the creation of test environments, system reboots, post-patch checks, and so on, so each step happens the same way every time.
Types of Updates
- Hardware Checks
- Backup and Restore
- Software Updates and Licensing
- Event Logs and Services
- Disk Management
- Active Directory
- Microsoft Exchange Server
- Network Performance
Maintenance Activities to Automate in the Cloud
- Snapshot VMs
- Cloning VMs
- Patching Systems
- Restarting/Shutdown VMs
- Enabling/Disabling Alerts
- Compressing Drives
- Removing Inactive Accounts
- Removing Stale DNS Entries
- Removing Outdated Firewall and Security Rules
- Maintaining ACLs on Target Objects
Schedule these maintenance tasks on a regular basis using the automation and orchestration tools the CSP (Cloud Service Provider) makes available, rather than running them by hand.