Don’t forget to pack security for the journey to the cloud

When you move workloads to public cloud platforms, you offload many tasks to the cloud provider, but don’t fall for the misconception that you’re entirely off the hook with security.

Although cloud providers “rent” their computing infrastructure to you, they operate on a “shared security responsibility” model, meaning you still must protect your workloads in the cloud.

So, just as with your on-premises systems, you must perform vulnerability management, policy compliance, malware detection and web app scanning in your cloud instances.

By the same token, the responsibility for extending security to cloud workloads falls on the same constituencies involved with defending your on-premises infrastructure, namely:

The CISO, who needs to see the organization’s on-premises and cloud security posture from a single, central dashboard. If the organization is using multiple cloud platforms, such as Amazon Web Services (AWS), Google Cloud Platform (GCP) and Microsoft Azure, the CISO will want to have visibility across all of them, with details on how each instance is being secured and what workloads are running on them. The CISO will use this information for a variety of purposes, including:

  • To make sure the organization’s security and compliance standards are being met in the cloud
  • To look for opportunities to cut costs and reduce complexity by identifying redundant, obsolete and functionally-narrow security tools and replacing them with integrated cloud-based suites

Vulnerability management / security pros, who are eager to be in the loop as these cloud migrations and deployments are planned and carried out. These staffers want to make sure their security tools can be connected to these cloud infrastructures. They need to know what vulnerabilities exist in the new cloud environment, and which ones are critical, such as zero-day types. Likewise, they need to monitor regulatory and policy compliance. The security team also wants to learn how to establish remediation priorities in cloud environments, which are more elastic, with virtual instances getting spun up and down constantly.

The DevSecOps group, which will want to be part of the entire lifecycle of application development projects carried out in cloud platforms, just as they are involved with the on-premises pipeline. That way, they will be able to “shift left” in the cloud as well, spotting and fixing security issues and vulnerabilities early and often in the app dev process, before code gets to the deployment and production stage.

Auditors, who will want security and compliance reports to have the same format as the ones they’re accustomed to seeing for on-premises systems. This will speed up the auditing process and make auditors happy.

Qualys: One security and compliance platform for all your on-premises and elastic cloud needs

As your IT environment becomes hybrid, you’ll need a set of security and compliance tools that can protect your systems both on premises and in the cloud.

This will lower your costs, simplify the management of your security and compliance posture, and strengthen your defenses.

Here’s where Qualys can help you. The Qualys Cloud Platform provides consistent, uniform, scalable, versatile and effective visibility of security and compliance posture for hybrid on-premises and elastic-cloud IT environments.

Our suite of 10 integrated security and compliance solutions uses a variety of data collection methods and technologies, and connects to a robust analysis, correlation and reporting back-end engine.

For your cloud workloads, Qualys covers key areas, including:

  • Continuous asset discovery and tracking, dynamic tagging, dashboarding and reporting, to give you “single pane of glass” visibility into all your IT assets, wherever they reside.
  • Internal asset scanning and app protection, which provides vulnerability analysis and compliance checks across operating systems, databases and servers, as well as identification of application and REST API vulnerabilities, combined with firewall rules and one-click virtual patching.
  • Perimeter scanning, which gives you a continuous hacker’s-eye view into all your public IPs.

For security and compliance data collection, we offer options including virtual scanner appliances, lightweight and configurable cloud agents and Internet scanners.

Cloud coverage: AWS, Azure and Google Cloud, with more to come

Qualys has agreements and integrations with the three main public cloud platform providers: Amazon, Microsoft and Google.

For AWS, our Qualys Virtual Scanner Appliance (QVSA) is pre-authorized by Amazon, and we support both EC2-Classic and EC2-VPC (Virtual Private Cloud). In addition, our groundbreaking Cloud Agents are also certified to work in EC2, giving you the option of using them for security and compliance monitoring as well.

Meanwhile, the QVSA is available in the Azure marketplace, where we support both the Classic and ARM modes. The Qualys Cloud Agents are integrated within the Azure Security Center.

In Google Cloud, you’ll find the QVSA in the Launcher, and the Cloud Agents are certified to work with this platform.

In all cases — AWS, GCP and Azure — you license the Qualys tools from us and use them on your cloud instances, under the BYOL (bring your own licensing) model.

Qualys is working to add support for a few more cloud platforms.

Proven success

Qualys is already being used to protect critical cloud workloads in the real world. For example, a large global bank replicated the success of its mature vulnerability management program for on-premises data centers on AWS instances, which it is aggressively adopting.

With more than 20,000 AWS instances getting frequently refreshed, the bank needed visibility across its rapidly-growing cloud deployments. The CISO was also looking to consolidate tools and processes.

The bank utilized AssetView, Qualys’ automated IT asset inventory service, to obtain visibility and detailed asset information from its EC2 instances using Qualys scanners and agents. To monitor edge servers, it is using Qualys perimeter Internet scanners.

In addition, an online video streaming company with a global presence is using Qualys to automate security and compliance within a DevOps process in AWS.

With frequent load bursts and a high churn of elastic cloud instances, the company realized it needed agile security practices and quick and clear visibility into its cloud environment, as well as automated and API-centric build processes.

The company incorporated Qualys scanning into the build process to check for vulnerabilities and compliance violations early and often, and implemented end-to-end automation using REST APIs.

With our existing security and compliance capabilities for cloud instances, we are supporting and securing your infrastructure in the cloud, so you’ll have a single pane of glass view of your hybrid on-premises and cloud IT environment.