Public cloud providers operate on a shared responsibility model, which places the onus on the customer to define and secure the data and applications that are hosted within cloud infrastructure.
To that end, it is critical that organizations accurately and selectively pinpoint which cloud workloads and virtual IT assets must be monitored, updated and patched based on developing threats to customer data and applications.
In this webcast, Mark Butler, Chief Information Security Officer at Qualys, and Hari Srinivasan, Director of Product Management for Qualys Cloud and Virtualization Security, detail how you can gain complete visibility of your organization’s entire cloud asset inventory and security posture, to help you keep up with shared security responsibility models across public cloud infrastructure.
The presentation covers:
• Challenges surrounding increased migration to public clouds
• Using automation for secure DevOps
• How to ensure effective and efficient operations
To watch the on-demand webcast, visit https://lps.qualys.com/securing-your-public-cloud-infrastructure.html
3. Digital Transformation
Opportunities / Reality Check
• 96% face significant challenges of securing the several technologies they deploy in the context of their Digital Transformation efforts
• 85% of business owners avoid engaging with security teams out of concern that their initiatives might be blocked
• 76% of business owners engage security only when called out or due to go-live compliance sign-off
• 63% of business owners admit that not engaging security is unfounded and improving trust and collaboration is required to actually be helpful
7. DX / Security Visibility
Auditors
• Can you generate the required reports in the standardized formats?
• Are the new environments meeting contractual, PCI and regulatory requirements?
• How can we partner with Sales/Marketing since we are compliant?
CISO
• Show me data that proves I am meeting my security standards on my new cloud infrastructure.
• Are my cloud and on-premise environments secure?
• Why can’t I reduce the number of security tools deployed and associated support staff?
Threat Management
• How am I solving root cause issues and demonstrating improvements in both security and compliance over time?
• Do my business partners trust what I’m telling them?
• How do I accurately prioritize remediation to address real risks?
DevSecOps
• Are the configurations compliant with development and deployment standards that my organization follows?
• How can we help Security become a differentiator vs. a roadblock?
• Can I quickly identify the vulnerabilities in the compressed CI/CD Agile code/build/test pipelines?
8. DevSecOps Integration Examples
• Enable new application builds in AWS every 60 days
• Automated Testing and Test-Driven Development cycles
• Docker containers abstract applications from the OS
• Vulnerabilities detected within the same release cycle
• Automated regression testing enables faster patching
• OS patched separately vs. Apps
• Dynamically enable test workloads on-demand
• Dynamically enable production workloads on-demand
• Building security visibility into the DevOps cycle
Themes: Efficiency / Visibility / Speed
9. Where DX is happening
Containers, Cloud, BYOD, Private Cloud
10. Poll Question
What is your biggest challenge in migrating to clouds?
• Visibility – Understanding which BUs are leveraging clouds
• Ensuring adequate contract terms for 3rd party cloud services
• Getting timely alerts for any anomalies within Cloud env.
• Integrating logs/alerts from clouds into SIEM, Ticketing and incident response workflows
11. Poll Question
What is the highest security priority as you shift workloads to clouds?
• Auditing Identity and Access Controls
• Auditing Network Traffic in/out of Containers/workloads
• Auditing back-end transactions being run from the cloud
• Ensuring operational integrity of the cloud
12. Qualys Cloud Platform
• Integrated Suite of Applications
• Qualys API
• Distributed Sensors: Hardware, Virtual, Cloud Agent, Passive, API
• Analytics and Reporting Engines: Distributed Correlation, ElasticSearch Clusters, Solr Lucene Indexing, Oracle & BFFS Storage, Reporting & Dashboards, Remediation & Workflows
• Scale: 3B Scans, 100B Detections, 1T Security Datapoints Annually
15. Poll Question - 1
How would you classify your cloud adoption strategy?
• Complete
• Partial
• Planned
• Not in the near future
16. Poll Question - 2
Choose the public cloud providers you are using today?
• AWS
• Azure
• Google
• IBM
• Others
17. Cloud ‘Shared Security’ Responsibility
Division of responsibility varies by service layer (Cloud Provider vs. Customer)
• Cloud providers make US responsible for defining and securing OUR data and infrastructure in the cloud
• Qualys solutions help the Business and Technology owners OWN the shared security responsibility model
18. Cloud Security with Qualys
Secure any infrastructure, any scale, on-premises and in cloud
• Single Pane View
• Same Security Standards
• Same Security Processes
ON-PREMISE* and CLOUD
*Support includes private cloud platforms like Hyper-V, OpenStack, VMware, etc.
19. Cloud Security with Qualys
Adhere to Compliance (PC, PCI, FIM, SAQ)
• Check against regulatory standards like CIS, NIST, ISO, etc. Generate mandate reports covering multiple standards
• Validate for PCI, and get the Qualys ASV report
• Monitor and manage files and directories for integrity
Gain Total Visibility (AV)
• Continuously discover cloud asset inventories
• Search assets based on their metadata and security
• View or custom-create dashboards and widgets to track
• Track assets with dynamic Tags and grouping
• Integrate with SIEM (Splunk) and ITOM (ServiceNow)
Identify Vulnerabilities (VM, TP, IOC, CM)
• High accuracy vulnerability analysis across OS and Applications
• Gain a hacker’s view into public IPs and URLs from external scans
• Intelligence on threats and identify assets affected
• Detect indicators of malware and exploits
• Continuous security monitoring and alerting
Secure Applications & Thwart Attacks (WAS, WAF, CERTS)
• Identify Application and REST API vulnerabilities with Web Application Scanning
• Protect with Firewall rules and instant virtual patches
• Discover certificates, track expiration, and broken pages
21. Qualys Public Cloud Coverage
Azure
• QVSA Image is available in the marketplace.
• Support for both Classic and ARM modes
• Agents are certified to work in Azure VMs.
• Integration with Azure Security Center for Vuln. Assessment solution
Google Cloud
• QVSA Image is available in the launcher
• Agents certified to work in GCP
AWS
• QVSA AMI is pre-authorized by Amazon
• Support EC2 instances in Classic and VPC platform
• Agents certified to work in EC2
Licensing: BYOL (Bring Your Own License)
23. Securing AWS EC2 with Qualys
• Secure EC2 Instances (IaaS) from vulnerabilities and check for regulatory compliance on OS and Applications (Database, Middleware)
• Gain continuous security using Cloud Agents; embed them into AMIs to get complete visibility
• Identify vulnerabilities for public facing IPs and URLs on the EDGE
• Secure Applications using Application Scanning and Firewall solutions
• Vulnerability scans without penetration-test form sign-ups; support includes all 16 global regions, incl. GovCloud
(Map: AWS EC2 Global Regions)
24. Qualys Sensors for AWS
CLOUD AGENTS
• Lightweight, patented delta processor, low utilization, and configurable
• Embed into an AMI/Image or deploy post provisioning
• Provides continuous security view of elastic cloud environments
VIRTUAL SCANNER APPLIANCES
• Pre-authorized by AWS. Directly deploy from AMI in the marketplace across global regions
• Covers vulnerability and compliance checks for Host OS, Databases, Applications, App/Web Servers
• Provides exhaustive network scanning, targeting all ports
INTERNET SCANNERS
• Scan from the Internet via Qualys Scanners located around the globe
• Gain a hacker’s view of all the edge-facing servers and applications
WEB APPLICATION FIREWALLS
• Deploy directly from marketplace
• Out-of-the-box security policy
• Integrates with Web Application Scanning to reduce false positives and provides one-click virtual patching
CLOUD CONNECTOR (AWS EC2)
• Syncs up inventory and metadata for AWS EC2 Instances
• Configured with a ‘read only’ user with access to a few Describe APIs in EC2
• Enables pre-authorization for scanners, status tracker for Agents
25. Securing AWS user flow
1. Setup EC2 Connector – Sync inventory and metadata for an AWS account
2. Deploy Sensors – Deploy Scanner Appliances and Cloud Agents on the EC2 instances
3. Scan – Launch scans targeting all or specific assets; Agent sends auto-scan results
4. Analyze, Report & Remediate – Generate Dashboards, create custom widgets; use templates to run reports; process for remediation
5. Manage Assets – Search for assets and details; remove terminated assets
26. Poll Question - 3
Average lifetime of Cloud Instances?
• Few Hours
• Few Days
• Few Weeks
• Few Months
• All of the above
27. 3 Customers - 3 Use Cases
1. A financial institution – Extending vulnerability and compliance processes to cloud
2. Online video streaming company – Automates security checks into DevOps to harden the Image
3. Entertainment company – Processing subscription fees, certifies for PCI
28. Case Study: Large Financial Institution
Among top 10 banks in US, ranking high in the Forbes 500
FOCUS: Migrate workloads to AWS; Consolidate security tools and gain visibility
Challenges
! Lack of visibility across the rapid growth into Cloud
! CISO is looking for consolidation of tools and processes
! Remediation/Ops team expanded to manage Cloud infrastructure too
Solutions
• Qualys AssetView to get visibility from the rich data collection from EC2 Connector, sensors – Scanner Appliances and Cloud Agents
• Maintaining the same processes and practices by utilizing Qualys across On Premise, Cloud, incorporating Cloud Aware features to handle ephemeral/elastic cloud workloads
• Edge servers scanned via Qualys Perimeter Internet Scanners
Environment
• Actively migrating to AWS – 2 current US regions and expanding to UK and Europe. Adding Azure too.
• Over 20K instances, with refreshes max. every 60 days
• Mature vulnerability mgmt. program for on-premise datacenters
29. Securing AWS EC2 Environments with Qualys
(Diagram: sample view of cloud deployment)
• US-East Region: Qualys Cloud Platform connects to Virtual Scanner Appliances A and B; VPC 1, VPC 2 … VPC 10 are reached over VPC peering and hold EC2 instances (incl. DBs, web servers, and applications; instance types such as t2.nano and t2.micro) behind an Internet Gateway
• US-West Region: multiple instances, Virtual Scanner Appliances X, Y, Internet Gateway, VPC Dev
• Scanning across peering with scanners grouped in one or two VPCs
• Instances not allowed for scans have Qualys Cloud Agents
• Embedded Agents into AMI for continuous view
• Distribute scan load across multiple scanners
• Weekly scan runs to check networks and App. vulnerabilities
30. Case Study: Online Video Streaming Company
Entertainment company with a global presence & large subscriber base
FOCUS: Automate Security – Vulnerability and compliance into DevOps
Challenges
! High churn requires agile security practices and quick visibility
! DevOps focused approach needs to make processes automated and API centric
Solutions
• Qualys Scanning incorporated into the build process to check for Vulnerabilities and Compliance violations
• End to End automation using REST APIs for the complete process
Environment
• Heavy users of AWS services – Mainly situated in US, UK and expanding to Asia
• Uses close to 10 – 25 AMIs that get refreshed regularly
• Experiences lots of load bursts and has a highly ephemeral, elastic cloud
31. Automating Security into DevOps
Pipeline: Create AMI → Code scans → Build Complete → Create test Instances → Launch Scans → Parse results and generate eMail → Resolve Issues → Publish AMI
Integration with Qualys via REST APIs (STEP – METHOD – END POINT):
• Run EC2 Connector to sync assets and update dynamic tags – POST – /qps/rest/2.0/run/am/awsassetdataconnector/{id}
• Update Authentication – POST – /api/2.0/fo/auth/unix/ with action=update&ids={}&ips={}&echo_request=1
• Launch Scans for the specific Tag – POST – /api/2.0/fo/scan/ with action=launch&scan_title={}&connector_name={}&iscanner_name={}&target_from=tags&tag_set_include={id}
• Launch Reports on a pre-defined template – POST – /api/2.0/fo/report/ with {'action': 'launch', 'report_refs': 'scan/{id}', 'output_format': 'xml', 'template_id': {id}, 'report_type': 'Scan'}
• Fetch Scan Results – GET – /api/2.0/fo/report/ with action=fetch&id={id}
• Rinse and Repeat
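The five-step REST sequence in that table, as an added example that is not from the Qualys deck or from Qualys' own tooling: it drives the calls through an injectable `send` transport (a constructed fake is included so it runs offline; a real transport would add the Qualys basic-auth credentials and the `X-Requested-With` header the API v2 requires) and parses the scan reference and report id out of the SIMPLE_RETURN XML that the launch calls return. The `build-` scan title, the fake's canned ids and the report body are assumptions.

```python
import xml.etree.ElementTree as ET

# Endpoint paths from the slide's table; the host prefix is left to the transport.
CONNECTOR = "/qps/rest/2.0/run/am/awsassetdataconnector/{id}"
AUTH = "/api/2.0/fo/auth/unix/"
SCAN = "/api/2.0/fo/scan/"
REPORT = "/api/2.0/fo/report/"


def simple_return_value(body, key="ID"):
    """Extract <ITEM><KEY>ID</KEY><VALUE>..</VALUE></ITEM> from a SIMPLE_RETURN body."""
    for item in ET.fromstring(body).iter("ITEM"):
        if item.findtext("KEY") == key:
            return item.findtext("VALUE")
    raise ValueError("response carries no %s item" % key)


def run_pipeline(send, connector_id, auth_ids, ips, tag_id, scanner, template_id):
    """send(method, path, params) -> response text. Returns the fetched report text."""
    # 1. sync inventory and dynamic tags for the AWS account
    send("POST", CONNECTOR.format(id=connector_id), {})
    # 2. point the unix authentication record at the freshly created test instances
    send("POST", AUTH, {"action": "update", "ids": auth_ids, "ips": ips, "echo_request": 1})
    # 3. scan everything carrying the build tag; the launched scan ref comes back as ID
    scan_ref = simple_return_value(send("POST", SCAN, {
        "action": "launch", "scan_title": "build-" + tag_id, "iscanner_name": scanner,
        "target_from": "tags", "tag_set_include": tag_id}))
    # 4. launch a report on that scan using the pre-defined template
    report_id = simple_return_value(send("POST", REPORT, {
        "action": "launch", "report_refs": scan_ref, "output_format": "xml",
        "template_id": template_id, "report_type": "Scan"}))
    # 5. fetch the report; the "parse results and e-mail" stage consumes this text
    return send("GET", REPORT, {"action": "fetch", "id": report_id})


def make_fake_transport(log):
    """Constructed stand-in for an HTTP client: logs each call, answers with canned bodies."""
    simple = ("<SIMPLE_RETURN><RESPONSE><ITEM_LIST><ITEM><KEY>ID</KEY>"
              "<VALUE>%s</VALUE></ITEM></ITEM_LIST></RESPONSE></SIMPLE_RETURN>")

    def send(method, path, params):
        log.append((method, path, params))
        if path == SCAN:
            return simple % "scan/1500000000.12345"   # constructed scan reference
        if path == REPORT and params.get("action") == "launch":
            return simple % "42"                      # constructed report id
        if path == REPORT and params.get("action") == "fetch":
            return "<ASSET_DATA_REPORT/>"             # constructed (empty) report body
        return simple % "ok"
    return send
```

Swap `make_fake_transport` for a function that performs the real HTTPS request and the same `run_pipeline` runs against a Qualys subscription.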
32. Case Study: Entertainment Company
Focus: PCI, Perimeter Scanning
Solutions
• Qualys External Scanners to run a perimeter scan on the IPs of the sites weekly
• Qualys Internal Scanning for Vulnerability Mgmt. with the PCI option turned on to cover all the instances in the VPCs across the 3 regions
• Use the PCI template to generate reports for further processing and audits
Environment
• Run their sites on AWS, 2 main .com sites
• 3 AWS Regions with specific VPCs running PCI related instances
• Experiences lots of load bursts and has a highly ephemeral, elastic cloud
34. Deploying Scanner Appliances in Azure
• Deploy the Virtual Scanner Appliance (ARM) version directly from the Azure marketplace
• Scanner appliance images compatible with Classic environments are available for download from within the Qualys portal*
• Appliances are auto-updatable, managed completely from the Qualys portal
• Appliances enable Vulnerability Mgmt, Policy Compliance, and Web Application Scanning
• Automate by using PowerShell to deploy appliances from the template off the deployment UI flow or from Qualys GitHub**
* https://community.qualys.com/docs/DOC-5724
** GitHub - https://github.com/Qualys/azure-cloud/tree/master/qualys-qvsa-v23-marketplace
35. Qualys – Azure Security Center Integration
Automating Agent Deployment and Vulnerability assessments
Azure Security Center integration provides:
• Automated, single click deployment of Qualys agents on Azure virtual machines
• Qualys is a vulnerability assessment partner solution
• Automatic discovery of machines without agents and deployment across one, multiple or complete subscription
• View of vulnerabilities identified by Qualys with the QID details for the compute - virtual machines
36. Qualys – Azure Security Center Integration
One click deployment across complete subscription, simplified Ops
• Create a new Qualys solution per subscription
• Add license code and public key from your Qualys portal
• Enable ‘Auto Update’ to auto install agents on any new virtual machines added to the subscription
• Auto discovers virtual machines without the Qualys Vulnerability assessment agent and deploys it directly
37. Qualys – Azure Security Center Integration
Comprehensive Vulnerability assessments from Qualys
38. Deploying Scanner Appliances in Google Cloud
• Deploy the Virtual Scanner Appliance directly from the Google Launcher
• Appliances are auto-updatable, managed completely from Qualys portal
• Appliances enable Vulnerability Mgmt, Policy Compliance, and Web Application Scanning
39. Poll Question - 4
Order the services interested in securing as per priority
• IaaS
• PaaS
• SaaS (like Cloud Access Security Broker initiative)
• Networks
• Containers
• Cloud Configuration Audits/Assessments (IAM, VPCs, SG, ..)
Many people believe that things change completely when you move to the public cloud.
The fact is that we’ve been doing security for a long time and most of the things you know about security still apply to public cloud.
You still need to address defense in depth, you still need vulnerability and antimalware, you still need network security controls, you still need to use secure coding practices, you still need comprehensive logging, reporting and alerting.
You still need to do most of what you’re doing now.
If I had to call out two main differences between public cloud and on-premises security, I’d say they were:
Shared responsibility
Isolation
Let’s focus on shared security responsibility; Qualys solutions help you address that.
Generic term "Dynamic HTML"
AJAX sprinkled here and there
Dynamic updates of DOM (page elements)
No new page loads
JSON data format - less verbose than XML - begins to take hold
Mashups – content pulled in from different sources
Browser plug-ins allow for RIAs – thick client embedded in a thin client!