Version and Patch Management Services
Keeping software updated against the latest threats is a critical component of Concero’s managed security services. During new deployment, the latest stable OS and application versions are installed by Concero, unless an alternative version is required by the customer, and patched with the latest security releases. Concero’s policy is to support Windows OSs and applications within two (2) major releases of the most current production version and to support Linux OSs and applications within one (1) major release of the most current production version. Customers may ask Concero to update their OS or application to a newer, stable version at any time to take advantage of new features. To keep supported OS and application versions up to date with the latest patches and updates, Concero uses industry-leading patch management software.
Minor Windows updates to major versions are typically low-impact changes, although a system reboot is often necessary, and are evaluated and rolled out on a quarterly basis. In rare cases, an emergency change window may be opened outside the routine patch cycle to remediate an especially high-risk vulnerability. After being automatically downloaded to Concero’s local repositories, Windows updates and patches are rolled out to Concero’s test systems. After running error-free for at least two weeks, the updates are approved for roll-out on a customer-by-customer basis via Concero’s regular change management process. Each customer’s change plan is customized to their technical and business requirements, but whenever possible updates begin with a customer’s development and staging environments before being rolled out to production. To further reduce risk, Concero’s patching policy also dictates that if a patch cannot be safely rolled back, a snapshot is made of the target host before roll-out.
Application-level updates follow the same release process as OS updates but typically have a longer release cycle because updates to programming frameworks like .NET frequently cause dependent applications to break. As a result, a higher degree of coordination with the customer’s development team is required to test and fix before this type of update can be rolled into production.