1. Field of the Invention
The invention disclosed and claimed herein is generally directed to a method for determining the order or priority in which a patch is to be installed into different servers or other patch recipients of a network, wherein the patch cannot be installed simultaneously into all servers that need it. More particularly, the invention pertains to a method of the above type wherein a range of criteria is used to determine the order or priority of installation. Even more particularly, the invention pertains to a method of the above type wherein the criteria include information indicating the probability that respective servers will or will not be used within a time frame related to the time required for all patch installations to be completed.
2. Description of the Related Art
As is known by those of skill in the art, a patch used in computing is a small piece of software designed to update or fix problems with a computer program or its supporting data. A patch is used to fix bugs, replace graphics and improve usability or performance. Though meant to fix problems, poorly designed patches can sometimes introduce new problems. Patch management is generally the process of using a strategy and plan to decide which patches should be applied to which systems at a particular time.
It is increasingly common to use patches in order to deal with security threats to network computer systems. In large enterprise networks and outsource data centers, which can comprise systems having large numbers of servers, it is likely that a patch cannot be installed at the same time on all the servers that need it. Accordingly, there will be a delay in getting the patch into some of the servers, while it is being installed in others. At present, different approaches are used to determine the order in which the patch is to be provided to the servers of different systems of a network. In one arrangement, the patching effort pushes patches down through a hierarchy of gateways (a top down node type of distribution). In another arrangement, a patch is applied to servers according to a list, which may or may not be current. Alternatively, the list can be built dynamically, if the user understands what conditions are to be checked for, and pertinent information is available.
It is to be emphasized that in a network of the above type, the order in which different servers receive the patch can be very important. As an example, a LAN having a large number of servers at respective workstations could be threatened by a virus or worm, where some of the workstations are directly connected to the Internet and others are remote from it. If a decision were made to install a patch against the worm or virus on the remote workstations first, and leave the directly connected workstations until later, the virus might enter the network through the directly connected workstations before those stations could be patched to stop it.
In addition to patches provided for security reasons, there may also be other reasons for applying patches to system servers of a network in an expedited fashion. For example, a patch may be used to enhance the data integrity of system servers, or may improve the performance thereof. However, any sort of emergency patch or fix, whether for security or non-security purposes, generally does not undergo sufficient regression tests before installation. Accordingly, in determining the order or priority in which a patch is to be applied to the servers of a network, such application should be limited only to the servers that truly have an immediate need for the patch.
For example, the usage history of a particular server, if available, could show that the server is used only at the beginning of each calendar quarter, and that use for the current quarter has just occurred. As a result, this server should be given low priority in a project to install a patch on the servers of the associated network, particularly if the entire project will be completed within a month. However, server usage histories are generally not considered in common approaches for sequentially installing a patch into different servers of a network or system.
The task of prioritizing network servers to receive patches can also be affected by policies that have been put in place by the business or other entity that owns or controls the network. Such policies tend to prioritize patching by considering which servers have the highest use, the highest value, and/or the highest vulnerability. However, different organizations or entities typically have patch prioritization policies that can be quite different from one another. It is thus necessary, in determining the priority in which a patch is to be installed into the system servers of a particular entity network, to take pertinent policies of such entity into account.
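The three considerations discussed above (Internet exposure, usage history relative to the rollout window, and entity-specific policy) can be combined into a single ordering. The following is an added illustration, not the method claimed in this document: the function names, the weighted-sum scoring, the policy weights and the sample servers are all assumptions constructed for the example.

```python
from datetime import date

def p_use_in_window(use_dates, today, window_days):
    """Empirical P(server is used within window_days | idle since its last use)."""
    days = sorted(use_dates)
    if len(days) < 2:
        return 1.0  # assumption: no usable history, so treat the server as in use
    gaps = [(b - a).days for a, b in zip(days, days[1:])]
    idle = (today - days[-1]).days
    still_open = [g for g in gaps if g > idle]  # past gaps that lasted at least this long
    if not still_open:
        return 1.0  # idle longer than any past gap: assume use is imminent
    return sum(g <= idle + window_days for g in still_open) / len(still_open)

def rollout_order(servers, today, window_days, policy):
    """Return server names, highest patch priority first (weights are per-entity policy)."""
    def score(s):
        return (policy["exposure"] * s["internet_facing"]
                + policy["usage"] * p_use_in_window(s["uses"], today, window_days)
                + policy["value"] * s["value"])
    return [s["name"] for s in sorted(servers, key=score, reverse=True)]

# Constructed sample data: one quarterly-use server, two used daily.
TODAY = date(2024, 4, 3)
QUARTERLY = [date(2023, 4, 1), date(2023, 7, 1), date(2023, 10, 1),
             date(2024, 1, 1), date(2024, 4, 1)]
DAILY = ([date(2024, 3, d) for d in range(25, 32)]
         + [date(2024, 4, 1), date(2024, 4, 2), date(2024, 4, 3)])
SERVERS = [
    {"name": "quarterly-report", "internet_facing": False, "uses": QUARTERLY, "value": 0.9},
    {"name": "web-gateway", "internet_facing": True, "uses": DAILY, "value": 0.5},
    {"name": "internal-db", "internet_facing": False, "uses": DAILY, "value": 0.8},
]
POLICY = {"exposure": 3.0, "usage": 2.0, "value": 1.0}  # hypothetical policy weights

if __name__ == "__main__":
    for window in (30, 90):  # rollout completes in a month vs. a quarter
        print(window, rollout_order(SERVERS, TODAY, window, POLICY))
```

With a 30-day rollout the quarterly server drops to the end of the queue despite its high value; with a 90-day rollout its next use falls inside the window and it moves ahead of the internal database.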