Cybersecurity groups have many needs competing for scarce resources. Limited budgets and a shortage of staff are problems. There is also the need to maintain business continuity at all times. It’s a frustrating mix of challenges, with the resources behind tasks such as patching rarely sufficient to meet security priorities or compliance deadlines.
Many security standards are time-bound and business requirements may not always be in line with them. At the core of what TuxCare does is automated live patching – a way to consistently keep critical services safe from security threats, without the need to expend significant resources in doing so, or the need to live with business disruption.
In this article, we’ll outline how TuxCare helps organizations such as yours deal better with security challenges including patching, and the support of end-of-life operating systems.
The patching conundrum
Enterprise Linux users are well aware that patching is essential. It’s a great way to close security gaps and it’s also an important compliance requirement. In reality, though, patching isn’t done as often or as promptly as needed. Limited resources are a constraint, but patching has business implications too, and those can lead to patching delays.
Take, for instance, the task of patching the kernel of a Linux OS. A conventional kernel update only takes effect once the OS is rebooted, and a reboot interrupts every service the host is running. It doesn’t matter what patch you are trying to apply: taking databases and virtualized workloads offline is rarely an option. That leaves two choices: delay the patch, or implement complex patching workarounds.
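The "patched on disk, still vulnerable in memory" state that a conventional kernel update leaves behind until the reboot is easy to miss in a fleet. The following check is an added example, not TuxCare or KernelCare code: it compares the running kernel release with the newest kernel image installed under /boot and flags hosts that still need the reboot. It assumes Debian/RHEL-style `/boot/vmlinuz-<release>` file names and GNU `sort -V`; the sample data is constructed.

```shell
#!/bin/sh
# Added example, not TuxCare/KernelCare code: report hosts that have a newer
# kernel installed on disk than the one running in memory. That is exactly the
# state a conventional kernel update leaves a server in until it is rebooted.
# Assumes Debian/RHEL-style /boot/vmlinuz-<release> file names and GNU sort -V.

# Print the newest kernel release from a newline-separated list of
# /boot/vmlinuz-* paths (version-aware sort, so 100 > 99 > 91).
newest_installed_kernel() {
    printf '%s\n' "$1" | sed 's#.*/vmlinuz-##' | grep -v '^$' | sort -V | tail -n 1
}

# Compare the running release ($1) with the newest installed one ($2).
kernel_reboot_status() {
    if [ -z "$2" ]; then
        echo "unknown"
    elif [ "$1" = "$2" ]; then
        echo "up-to-date"
    else
        echo "reboot-needed"
    fi
}

# Constructed sample: three kernels on disk, host still running the oldest.
SAMPLE_BOOT="/boot/vmlinuz-5.4.0-91-generic
/boot/vmlinuz-5.4.0-100-generic
/boot/vmlinuz-5.4.0-99-generic"
SAMPLE_RUNNING="5.4.0-91-generic"

# Run with --live to inspect the current host; otherwise use the sample data.
case "${1:-}" in
    --live)
        running=$(uname -r)
        installed=$(ls /boot/vmlinuz-* 2>/dev/null || true)
        ;;
    *)
        running=$SAMPLE_RUNNING
        installed=$SAMPLE_BOOT
        ;;
esac

newest=$(newest_installed_kernel "$installed")
echo "running kernel:   $running"
echo "newest installed: ${newest:-none found}"
echo "status:           $(kernel_reboot_status "$running" "$newest")"
```

Run it with `--live` on a real host; without arguments it evaluates the constructed sample, where the host is still running 5.4.0-91 while 5.4.0-100 is installed, and reports `reboot-needed`. A host that is live patched never shows this gap because the fix is applied in memory rather than waiting for the next boot.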
Risks of not patching in time
But as we all know, delaying patching carries significant risks, and two of them stand out. The first is compliance regulations that set a time limit between a patch being released and its application.
Organizations that struggle to overcome the business disruption of patching risk delaying patching to the extent that they run workloads in breach of compliance regulations such as the recent CISA mandate. This could lead to fines and even business loss.
However, even fully compliant workloads leave a window of exposure – the time between the moment criminal actors develop the ability to exploit a vulnerability and the moment it gets patched.
That window gives attackers the chance to gain access and cause harm. Even where patching within the regulatory deadline is difficult, every delay extends the risk window further. It is generally accepted that, today, 30 days is the common denominator across the most widely used cybersecurity standards for the “accepted” delay between vulnerability disclosure and patching, but that is still a very large risk window: you’ll meet the compliance requirements, but are your systems really safe? This window can be reduced only if patches are released and applied as quickly as possible.
While it’s impossible to completely avoid a window where vulnerabilities are exploitable – after all, the recent Log4j vulnerability was actively being exploited at least a week before it was disclosed – it’s still nonetheless imperative to minimize this window.
Bridging the patching gap with TuxCare
TuxCare identified an urgent need to remove the business disruption element of patching. Its live kernel patching solution, first launched under the name KernelCare, allows companies like yours to fix even the most difficult workloads with minimal disruption.
Instead of the patch, reboot, and hope-that-everything-works routine, organizations that use the KernelCare service can rest assured that patching happens automatically and almost as soon as a patch is released.
KernelCare eliminates threat windows and compliance concerns by offering live patching of the Linux Kernel within hours. This reduces exposure and meets or exceeds compliance requirements.
Timeframes around patching have consistently been shrinking in the past couple of decades, from many months to just 30 days to combat fast-moving threats – KernelCare narrows the timeframe to what’s about as minimal a window as you could get.
KernelCare does this while maintaining the normal operation of servers and services. End users will never notice that the patch has been deployed. A server that is vulnerable one moment is patched the next.
What about patching libraries?
We’ve got you covered there too, thanks to LibraryCare, TuxCare’s solution for critical system libraries, which covers patching of other critical components like glibc and OpenSSL. Those are fundamental components of any Linux system that are heavily used by third-party developers for providing functionality such as I/O or encryption.
Libraries are a popular target for malicious actors who want to gain a foothold within a system. OpenSSL alone is associated with a list of hundreds of known vulnerabilities. The unfortunate side effect of being shared by other applications is that a conventional library update only takes effect once every process that has the library loaded is restarted, so patching a library incurs business-disrupting downtime, just like kernel patching.
This is again the main factor in patch deployment delays: patches cannot be deployed without disrupting the flow of business activity on the affected systems, and maintenance windows for libraries must be planned, approved, and implemented. That is a real problem in today’s IT environment. Thanks to live patching, LibraryCare can patch libraries without requiring a single restart of the applications that use them.
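One way to see how many processes are still waiting on the restart described above: after a package manager replaces glibc or OpenSSL on disk, every process that already had the old copy mapped keeps using the old inode, which the kernel shows as “(deleted)” in that process’s /proc/<pid>/maps. The check below is an added example, not TuxCare or LibraryCare code; it parses maps entries for deleted shared-object mappings and, with `--live`, walks every readable process on the host. The maps lines in the block are constructed sample data.

```shell
#!/bin/sh
# Added example, not TuxCare/LibraryCare code: find processes that still have a
# pre-update copy of a shared library mapped. When a package manager replaces
# libc or libssl on disk, every running process keeps the old inode mapped and
# the kernel marks it "(deleted)" in /proc/<pid>/maps until the process restarts.

# Print the unique deleted .so paths found in the contents of one maps file.
# The ".so" filter skips unrelated deleted mappings such as temp files or memfds.
stale_library_mappings() {
    printf '%s\n' "$1" | awk '$NF == "(deleted)" && $(NF-1) ~ /\.so/ { print $(NF-1) }' | sort -u
}

# Walk every readable /proc/<pid>/maps on this host and report pid, command
# name and each stale library (run as root to see other users' processes).
report_stale_libraries_live() {
    for maps in /proc/[0-9]*/maps; do
        content=$(cat "$maps" 2>/dev/null) || continue
        libs=$(stale_library_mappings "$content")
        [ -n "$libs" ] || continue
        pid=${maps#/proc/}; pid=${pid%/maps}
        comm=$(cat "/proc/$pid/comm" 2>/dev/null)
        printf '%s\n' "$libs" | while read -r lib; do
            echo "$pid ${comm:-?} $lib"
        done
    done
}

# Constructed sample: a process that loaded glibc before the package was
# updated (old inode now deleted) and a libssl that is still current.
SAMPLE_MAPS="7f3a2c000000-7f3a2c1c0000 r-xp 00000000 08:01 1234 /usr/lib/x86_64-linux-gnu/libc-2.31.so (deleted)
7f3a2c1c0000-7f3a2c3c0000 ---p 001c0000 08:01 1234 /usr/lib/x86_64-linux-gnu/libc-2.31.so (deleted)
7f3a2c400000-7f3a2c600000 r-xp 00000000 08:01 5678 /usr/lib/x86_64-linux-gnu/libssl.so.1.1
7ffd12345000-7ffd12366000 rw-p 00000000 00:00 0 [stack]"

# Constructed sample of a process with nothing stale.
CLEAN_MAPS="7f3a2c400000-7f3a2c600000 r-xp 00000000 08:01 5678 /usr/lib/x86_64-linux-gnu/libssl.so.1.1
7ffd12345000-7ffd12366000 rw-p 00000000 00:00 0 [stack]"

case "${1:-}" in
    --live) report_stale_libraries_live ;;
    *)
        echo "stale libraries in sample process:"
        stale_library_mappings "$SAMPLE_MAPS"
        ;;
esac
```

On the constructed sample the only stale mapping is the old libc, which is the classic case: the package was updated, but the long-running service never restarted and is still executing the vulnerable code. Each line the live report prints is one outstanding service restart a team would otherwise have to schedule into a maintenance window.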
Ensuring database security in running, live database services
Databases store the most valuable assets in a company’s arsenal, its data. Keeping it safe is paramount for business continuity and effectiveness, and this is covered by multiple standards like GDPR, the CCPA and other industry-specific standards in, say, healthcare and finance, that translate data breaches into heavy, business-threatening fines. For example, Amazon reported the largest GDPR fine to date, with a staggering USD 887m in value.
Data must be accessible at all times, so taking a database down to patch it disrupts business operations. For this reason, the TuxCare team extended live patching technology to also cover database systems like MariaDB, MySQL and PostgreSQL, the most commonly used open-source database systems today.
This makes it easy to keep your backend database secure against known vulnerabilities. Patches can be deployed quickly, without waiting for weeks or even months. It helps meet data security requirements transparently and with no friction with other users and systems.
Virtualization is covered too
Another TuxCare product, QEMUcare, takes away the complexity of patching virtualization hosts that rely on QEMU. Before live patching was available, updating QEMU required extensive virtual machine migrations between nodes. This was a complicated and often error-prone process that could impact the performance and usability of those virtual machines.
Patching used to significantly impact virtual tenants’ end-user experience. QEMUcare solves this by live patching QEMU while the virtual machines keep running on the system.
Traditionally, virtual infrastructure was designed with spare capacity so that workloads could be moved off nodes taken down for maintenance. That spare capacity spent most of its time sitting idle, twiddling its IT thumbs.
If you don’t need to take your hosts down or migrate virtual machines around anymore, you don’t need to acquire extra hardware to accommodate those operations, saving on equipment, electricity, cooling, and vendor support bills. You can patch your systems in a short time after the patches become available. Your infrastructure will be more secure.
Legacy systems are not left behind
Companies commonly have legacy systems that, for one reason or another, have not been or cannot be migrated to more recent operating systems. These older systems will go out of support eventually, crossing what is commonly referred to as the “end-of-life” (EOL) date.
At that point, the vendor behind those systems will no longer support them or provide patches for emerging threats. That means organizations running those systems automatically fail compliance standards because, of course, you can’t patch if no patches are available to you.
Developing patches internally is difficult. The amount of effort that goes into the development, testing, deployment, and maintenance of patches quickly gets overwhelming in anything other than the simplest situations. Even then, you won’t have the comfort of having a dedicated team of developers with the experience and expertise to help you if anything goes wrong.
TuxCare has that experience, and our Extended Lifecycle Support (ELS) service is the result. It has, for years, helped users of EOL Linux distributions such as CentOS 6, Oracle 6, and Ubuntu LTS. TuxCare backports relevant fixes to the most used system utilities and libraries.
TuxCare provides ongoing cover for patching
We are continuously adding EOL systems as these reach end of life, with CentOS 8 the latest addition to the supported distribution list, given that CentOS 8 reached EOL on January 1st, 2022.
With our established live patching service now also joined by patching across libraries, virtualization and more, TuxCare provides a truly comprehensive patching service that fills the major security gaps that so many organizations battle with.
Live patching allows you to rest easy knowing that critical systems will be protected from new exploits quickly and without disruption. This powerful combination makes TuxCare Live Patching a valuable tool in your security arsenal.