The challenges of keeping a strong cloud security posture

It’s simple – you can’t secure what you can’t see or don’t know about.

In this interview, Badri Raghunathan, Director of Product Management for Container and Serverless Security at Qualys, talks about cloud security, and their approach for enabling global CISOs to focus on what’s most important.

What are the main challenges organizations face when it comes to maintaining security architectures for the public cloud?

The usage of public cloud infrastructure is mainstream, and enterprises often have a multi-cloud footprint. However, even after 10+ years of the public cloud, enterprises still struggle with the security principle of shared responsibility. This has to do with putting in place a security architecture (or a set of principles) that meets the organization’s needs and works in the public cloud world. The challenges include:

• Having the trifecta of talent (security, DevOps, developers) that’s well versed with the public cloud and can collaborate effectively to create a security program for public cloud infrastructure and applications.
• Handling drift via Infrastructure-As-Code (IaC) is not easy given the reality of IaC tooling and cloud application architectures. IaC tooling requires tedious specifications and is susceptible to errors in deployed infrastructure. Additionally, IaC changes (to address errors and drift) impose costs in certain cases where applications need to be rewritten because of hardcoded IaC behavior dependencies.
• Adopting newer automated approaches to managing security posture and hygiene requires the scale and elasticity of ephemeral cloud resources. Conventional manual remediation approaches don’t scale given resource and skill set concerns.
• Avoiding siloed tools for DevOps, and security that require enterprises to bear integration costs and that increase total costs of ownership.

The Qualys Cloud Platform provides a convenient SaaS solution for enterprises looking to protect their public cloud workloads and boost their security posture. Users get a comprehensive view of their public cloud asset inventory and security posture from a single pane of glass, which allows them to address the needs of various stakeholders.

Additionally, DevOps teams can leverage the same trusted Qualys security solutions for cloud security in their DevOps pipeline and address developers’ needs. Lastly, a platform approach allows different sources of data to be indexed, searched and correlated to address various use cases for cloud security and prevent data siloes.

How does a large enterprise make sure its multi-cloud security posture remains strong?

Different business entities within an enterprise choose various cloud providers for specific business reasons. The security teams need to provide security solutions and standardize security programs across these different types of infrastructure.

Since every cloud provider is different, taking a platform approach to security tooling will allow for a standardized security program across your multi-cloud infrastructure.

These are the keys elements of an effective security program for multi-cloud infrastructure:

• Infrastructure-As-Code adoption for all infrastructure deployments. This allows for infrastructure standardization and for security tooling to scan infrastructure for security posture prior to deployment.
• A variety of sensors (agents, connectors, network sensors) to discover cloud resources and provide a baseline inventory. This serves both asset management and security use cases.
• Continuous assessment of cloud resources’ security posture based on an extensive library of controls so as to serve various business and regulatory requirements, such as NIST, HIPAA, and PCI.
• A unified view of cloud context and posture, and workload security (e.g. vulnerabilities and misconfigurations). This allows for better prioritization and remediation of security findings.
• Automated detection and response capabilities to manage security hygiene at scale and allow pre-defined actions to be performed when the infrastructure and security posture drifts, or when undesired or anomalous behavior is detected in the enterprise’s public cloud environment.
• Native cloud provider integrations that allow for built-in security workflows, such as native integration with security agents.

Qualys recently announced Container Runtime Security. What are its main advantages?

Qualys Container Runtime Security provides policy-driven visibility and enforcement of in-container behaviors. This solution uses a unique instrumentation approach that offers the following advantages:

• Security follows the container image. Once the Qualys security instrumentation is embedded into the container image, the Qualys Container Runtime Security solution will secure running containers that will be instantiated from this image. It doesn’t matter if the container is instantiated in a known or unknown container environment – security is built-in.
• Newer Container-As-A-Service environments like AWS Fargate, Google CloudRun, and Azure Container Instances do not provide node-level access required for traditional node-based container security solutions. An instrumentation-based approach allows for a standardized security solution across all container environments.
• The visibility and enforcement is driven by granular behavioral rules. This allows runtime security to be highly targeted and lightweight. The instrumentation processing to inspect behaviors inside a container is invoked only upon the occurrence of the actual behavior. Thus, Qualys’ instrumentation approach is lightweight compared to traditional daemon based in-line processing approaches that are heavier in nature.

Tell us more about the Qualys approach to securing containers

Qualys Container Security, built on the Qualys Cloud Platform, provides comprehensive inventory, security assessment and runtime defense capabilities for containers across the build-ship-run container lifecycle in your hybrid IT environment.

Qualys advocates for a defense-in-depth container security approach – consisting of scanning the build pipeline, container registries and running containers with its cloud-native container sensor and its unparalleled security knowledge base. Once the container attack surface is minimized via this scanning approach, a lightweight container-friendly runtime security solution can be leveraged to protect the remaining attack surface.