At Millard Public Schools in Nebraska, District Technology Manager Joe Kuehl knows he needs to keep devices and servers current on their security patches — and he knows he can’t do that by hand.
“In our district, we have upward of 25,000 to 30,000 endpoints, and we’ve got essentially three people that run patch management,” he said. “For three people to try to manage patches on that many devices, that quickly becomes unrealistic and unmanageable if you’re trying to do that manually.”
Automated patch management offers a way to keep technology up to date, ensuring robust cyber protection across a wide K–12 landscape of legacy devices.
What Is Automated Patch Management?
Automated patch management is an IT process in which software, device and system updates are automatically managed and deployed. Patching is a key piece of the IT management puzzle.
Regular software updates “may bring new and useful functionality,” according to the Center for Internet Security. “Patches are also security updates that address known vulnerabilities that could allow cyber threat actors unauthorized access to information systems or networks.”
But patching can be a heavy lift. “You can have patches coming out daily,” says Robert Duke, chief operating officer for the Consortium for School Networking. “Imagine a school system with 50 or more different software systems and multiply that by the number of patches. If you were to do this manually, that’s a lot of patches that someone on your tech team has to manage.”
Automation “removes the need for someone on your team to do all this by hand,” he continues. “It also lets you queue these things up to run in off hours to avoid impeding performance. If a patch is running, it can slow down your software, and you don’t want that during the day.”
Most current operating systems will offer some degree of automated patching, so “turning that feature on is a really good idea,” says CoSN Cybersecurity Program Director Amy McLaughlin.
In addition, districts can automate patching through various mobile device management and endpoint management tools. SolarWinds Patch Manager and the Quest KACE Systems Management Appliance, for example, can support automation.
Tools like these “allow you to force the patch. You can set it to trigger — this device needs to be updated within this time frame — and you can schedule it so that the end user cannot override it,” McLaughlin says.
How Does Automated Patch Management Protect K–12 Cybersecurity?
As a general rule, patching plays an important role in cybersecurity. “It is always important to keep the devices as up to date as possible, to be patching the latest vulnerabilities. Anytime a machine is not up to date with its software patches, it’s vulnerable,” Kuehl said.
In K–12 institutions in particular, automated patching offers an elevated level of protection. “When you’re talking about a K–12 environment, you have students, staff and administrators — a whole array of users — who may or may not be able to understand and keep up with those patches if you ask them to do it on their own,” Kuehl says.
In addition, many K–12 districts are running older servers and endpoint devices. “Because of budget constraints, they are forced to hold on to some equipment longer than they probably should. They don’t always have the latest and greatest upgrades,” Duke says. That makes patching even more critical.
With newer equipment, “you are getting better cybersecurity defenses than what may exist in your legacy system,” he says. If you’re staying on the legacy equipment, “this is where patches are valuable. Software developers are going to help you keep your software more secure.”
In terms of privacy, K–12 has an added interest in keeping patches up to date. “In public school districts, you’re dealing with the public trust. You have a responsibility to protect your students’ data and to make sure your systems are operating at the best level,” Duke says. “You have FERPA, the federal privacy laws, and you also have a maze of state laws that require similar things.”
Automation is key to meeting those demands. “You are obligated to make sure that you are doing these things, and the next logical step is to automate this, to further reduce the potential for human error,” he says.
How Automated Patch Management Prevents Legacy Tech from Being Penetrated
Automated patching helps ensure that bad actors cannot breach legacy devices by exploiting vulnerabilities that have already been identified and for which a fix is available.
“The patches that come out are there to protect against the known vulnerabilities, and those are what the bad actors are going after. By keeping systems up to date, you’re staying at least on par with the bad actors, if not one step ahead of them,” says Kuehl, who uses Fortinet Managed Endpoint Protection to automate patching of Fortinet products and a range of tools for patching Microsoft endpoints.
Given that bad actors are looking to exploit known vulnerabilities, automated patch management is especially important because it ensures the safeguards will be deployed in a timely way.
“The longer a vulnerability remains open, the more criminals are going to become aware of it and use that vulnerability,” Duke says. “It is to your advantage to patch as soon as possible.”
In addition to securing endpoint devices, automated patching also helps to ensure the security of legacy servers.
“Endpoints are going to be your point of entry — that’s how they’re going to get into the system — so keeping those protected and updated is very important. But let’s say they do find a way to get in. Keeping your servers and your back-end infrastructure up to date is just as important, if not more so, because once you get to a server, that’s where all the data is,” Kuehl says.
The servers are where cybercriminals can be the most disruptive to the environment, so reaching them is most threat actors’ goal. Keeping servers and back-end infrastructure patched is therefore just as critical as keeping endpoints patched.
“We run a monthly schedule to make sure all the Windows servers stay fully patched. For the non-Windows servers, I’ve got someone who keeps an eye on those and makes sure any critical updates that are released get applied in a timely fashion,” he says.
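As an added example (not code from the article or from any of the tools it names), the script below turns the two policies described above, a deadline after which a device is overdue and a monthly cadence for Windows servers, into a compliance check over a device inventory. The patch windows, device names, dates and the report date are assumed values constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date

# Maximum days a device may go without a successful patch run, by role.
# The Windows-server value mirrors the monthly cadence described in the
# article; the other two windows are assumed deadlines an MDM tool would
# enforce ("this device needs to be updated within this time frame").
PATCH_WINDOW_DAYS = {"windows-server": 31, "other-server": 7, "endpoint": 14}

REPORT_DATE = date(2024, 6, 1)  # assumed "today" for the report


@dataclass(frozen=True)
class Device:
    name: str
    role: str               # key into PATCH_WINDOW_DAYS
    last_patched: date      # date of the last successful patch run
    critical_pending: bool  # a released critical update is not yet applied


def days_overdue(device: Device, today: date) -> int:
    """Days past the device's patch window; 0 when it is still compliant."""
    age = (today - device.last_patched).days
    return max(0, age - PATCH_WINDOW_DAYS[device.role])


def compliance_report(devices, today):
    """Return (flagged rows sorted most-overdue first, total exposure days).

    A device is flagged when its last patch run is older than its window or
    when a critical update is pending regardless of age: an unapplied fix
    for a known vulnerability is exactly what attackers look for.
    """
    flagged = []
    for d in devices:
        over = days_overdue(d, today)
        if over > 0 or d.critical_pending:
            flagged.append((d.name, over, d.critical_pending))
    flagged.sort(key=lambda row: (-row[1], row[0]))
    return flagged, sum(row[1] for row in flagged)


# Constructed sample inventory; a district would export this from its tool.
INVENTORY = [
    Device("sis-db-01", "windows-server", date(2024, 5, 2), False),
    Device("lms-web-01", "other-server", date(2024, 5, 20), True),
    Device("lib-chromebook-17", "endpoint", date(2024, 5, 25), False),
    Device("hs-lab-pc-03", "endpoint", date(2024, 4, 30), False),
]

if __name__ == "__main__":
    rows, total = compliance_report(INVENTORY, REPORT_DATE)
    for name, over, crit in rows:
        print(f"{name}: {over} day(s) overdue, critical pending={crit}")
    print("total exposure days:", total)
```

The exposure total is a simple way to put a number on Duke's point that every day a known vulnerability stays open adds risk.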
How K–12 Schools Can Afford Automated Patch Management
Through automation, districts can apply the latest protection to legacy servers and endpoint devices. Given the cost of a manual patch management process in terms of time and labor, it isn’t hard to make a financial case for automation tools.
“If I were looking at this as a CTO, I would consider the time it takes my staff to do manual patching. If there were one piece of software that could organize all of this at a system level, I would look at the cost of that and evaluate it against the cost of my labor,” Duke says. In that formula, automation comes out ahead.
“You can also quantify the risk,” he said. “If the person assigned to do the manual updates is sick one day, then you’ve gone another day with that impending risk. I’d take all that into account and do a cost benefit analysis.”
Here again, the ROI calculation will likely come down in favor of automated patching tools.