Qualys Cloud Platform Whitepaper
One stack to consolidate traditional enterprise security and compliance solutions and secure the digital transformation
White paper | Qualys Cloud Platform
Table of Contents
Introduction
How it operates
Versatile set of sensors
Qualys appliances
Passive Network Sensor
Qualys Cloud Agent
Qualys Cloud Apps
Qualys Subscriptions
SMB, mid-size, enterprise, consultant and MSPs, government
Community Edition
Customers
Customer base
Geisinger Health Systems
Synovus Financial Corp
The future
A peek at what's coming
Introduction
The Modern IT Environment: Borderless, Distributed, Elastic
Mobile devices, non-computing appliances and IoT systems

Your perimeter reaches out to every device employees connect to public and home Wi-Fi networks: Laptops, smartphones, tablets and smartwatches. These digital travel companions contain critical confidential data and applications, and are often lost, stolen, and compromised.

Another weak link: Organizations’ geographically dispersed locations, such as remote offices and retail stores. These facilities, which house PCs, point-of-sale systems and other endpoints, often have weaker physical and cyber security than larger corporate buildings.

Meanwhile, non-computing devices are connecting to your network, including copiers, printers, thermostats and even Wi-Fi enabled coffee makers in office kitchens.

compliance checks on public cloud deployments, as they do for their on-premises systems, including vulnerability management, web app scanning, and policy compliance. To do so, they need security tools that give them visibility into their public cloud workloads and instances.

Web apps and Dev(Sec)Ops pipelines

As organizations digitally transform operations, these innovations are primarily delivered via web apps: Internet-facing, internal and cloud-hosted web apps, as well as REST API-based web services. With these web apps, organizations simplify and automate key functions and processes for employees, customers and partners. Unfortunately, many web applications are unsafe due to latent vulnerabilities and weak configurations. Unsurprisingly, they’ve become a favorite vector for data breaches.
Part II
Introduction
The Qualys Cloud Platform has been architected with the goal of simplifying security by eliminating friction and making it as intuitive and automated as possible.

It’s what Qualys calls “Transparent Orchestration (™)”, a principle that represents the future of security, and serves as a key guiding principle and goal for Qualys. Transparent Orchestration is reflected by the Qualys Cloud Platform’s design, in particular its three main pillars: its versatile sensors; massively scalable backend; and integrated suite of cloud apps.

With its always-on sensors, the Qualys Cloud Platform gives organizations continuous, real-time visibility of all their IT assets – on-premises, at endpoints or in clouds – for comprehensive prevention, detection and response. Centrally managed and self-updating, the Qualys sensors come as physical or virtual appliances, or lightweight agents.

Qualys Cloud Platform’s state-of-the-art, massively scalable back-end has robust, centralized capabilities for reporting, storage, data analysis, search indexing and asset tagging, among other functionality. A centralized, web-based, single-pane-of-glass UI gives you a complete and continuously updated view of your IT environment and its security and compliance posture.

Qualys also offers a private platform that delivers all the benefits of the Qualys Cloud Platform within the walls of your data center. The Qualys Private Cloud Platform allows organizations to store scan data locally under their control for compliance with internal policies or external regulations.

With this cloud architecture, the Qualys Cloud Platform is uniquely designed for protecting today’s hybrid IT environments, including the DevOps pipelines where digital transformation projects are built and deployed.
• On-premises infrastructure
• Cloud workloads
• Endpoint devices
• DevSecOps environments
• Web apps
• IT audit and compliance

By consolidating your security stack on the centrally managed and self-updating Qualys Cloud Apps, you can keep your teams in sync. You also eliminate the plethora of siloed, heterogeneous point products that don’t interoperate well, and are difficult to integrate and expensive to manage.

3+ billion IP scans/audits a year
28+ billion data points indexed on elastic search clusters
99.999% six sigma scanning accuracy
Qualys, a pioneer of cloud-based security and compliance since its founding in 1999, is uniquely positioned to help organizations protect their fast-paced digital transformation deployments without slowing them down.

To build security into digital transformation efforts, organizations must embed infosec processes and tools into the DevOps software development and delivery pipeline. The reason: The mobile and web apps, and web services generated by DevOps teams are the vehicles for new digital transformation initiatives.

Qualys can help your organization facilitate the availability and use of automated security tools for developers and operations staff, so that code can be scanned for vulnerabilities, misconfigurations and other security issues early and often in the software lifecycle.

Embedding security into DevOps – making it DevSecOps – will make code cleaner, and the resulting systems more secure. This approach will foster confidence in security among IT and developer teams, and will help organizations securely accelerate their digital transformation journeys.

In a recent report, 451 Research Senior Analyst Scott

“Capabilities native to these new approaches must therefore become a hallmark of an emerging generation of security technologies. Qualys’ SaaS platform is not the only asset it brings to the opportunity; its own experience in developing for the cloud informs it as to what organizations need from their forward-looking security tools.”

Since digital transformation is so closely tied to enterprises’ use of public cloud services, it’s important to highlight how Qualys helps organizations protect their IaaS and PaaS deployments.

As organizations increase their use of public cloud platforms, they encounter security and compliance threats, and cloud-specific challenges, such as:
• Lack of visibility into their cloud assets, usage and resources
• A misunderstanding of cloud providers’ shared security responsibility model
• Visibility
It compiles a complete, continuously updated IT asset
inventory, and detects changes instantly — on premises,
in clouds and at remote endpoints.
• Accuracy
It centrally collects, stores and analyzes all security and
compliance data, eliminating the incomplete information
from siloed, fragmented point solutions.
• Scale
Its massively scalable cloud architecture protects the
largest global, hybrid IT environments.
• Immediacy
Its robust back-end engines deliver instant prevention
capabilities and incident response.
How it operates
Qualys sensors collect data from your IT environment and automatically beam
it up to the Qualys Cloud Platform, which continuously analyzes and correlates
the information to help you quickly and precisely identify and eliminate threats.
• Real-time network analysis of your data
• Secure highly locked-down devices or on air-gapped networks
• Collect data from 3rd party cloud platforms and software
• Collect data from 3rd parties such as threat intelligence feeds
Qualys Appliances
Passive Network Sensor (PNS) provides continuous and unobtrusive detection of all network-connected systems and their activity in real time.

With PNS, customers can:

Eliminate blind spots: The Qualys Cloud Platform aggregates asset telemetry from PNS, Qualys scanners and Qualys Cloud Agents to provide a comprehensive, detailed and multidimensional inventory of all IT assets across hybrid infrastructures. This includes unmanaged devices such as employee-owned smartphones and rogue devices. PNS also discovers and profiles assets that can’t be actively scanned nor monitored with cloud agents, such as industrial equipment, IoT systems and medical devices.

Identify suspicious traffic: PNS provides deep packet inspection to continuously analyze and detect suspicious traffic. The Qualys Cloud Platform then correlates these network anomalies to other indications of compromise.

Secure and control network access: PNS lets you respond to threats automatically by controlling access to critical resources. Network access control, informed by PNS real-time detection, autonomously protects the network by quarantining noncompliant devices based on established policies and security posture.

(Qualys PNS is scheduled for general availability in 2019.)
Using the Cloud Agent and the multiple Qualys apps that
leverage it, organizations can get a multi-dimensional view
of a breached asset.
All applications are based on the same platform, share a common UI, feed off of the same scanners and agents, access the same collected data, and leverage the same user permissions. This lowers the complexity of usage while maintaining a high level of access control throughout the organization.

A centralized, web-based, single-pane-of-glass dashboard provides a complete and continuously updated view of your IT environment. This interactive, dynamic dashboard also allows you to aggregate and correlate all of your IT, security and compliance data in one place, drill down into details, and generate reports customized for different audiences.

Often, InfoSec teams use an array of heterogeneous, point tools that don’t interoperate well and are difficult and costly to maintain and integrate, making it difficult for CISOs to get a single, unified view of the organization’s security and compliance posture.

By consolidating their security stacks with the Qualys Cloud Apps, organizations escape this tool-fragmentation nightmare, tear down organizational silos and keep security teams in sync, including those in charge of protecting:

• On premises infrastructure
Qualys helps secure the organization’s networks and data centers with vulnerability management, continuous monitoring, configuration assessment, threat prioritization, file integrity monitoring and indication of compromise.

• IT audit and compliance
Qualys automates compliance and risk management tasks so your company stays on the right side of internal policies and external regulations through asset inventory, vulnerability management, configuration assessments, PCI compliance and vendor risk management.

• Endpoints
Qualys continuously discovers and monitors the growing and increasingly complex universe of networked endpoints via comprehensive asset inventory, vulnerability management, configuration assessments, threat prioritization and indication of compromise.

• DevSecOps and web apps
You can use Qualys to automate testing for vulnerabilities and misconfigurations in your code throughout your web app development and deployment pipeline via vulnerability management, configuration assessment, threat prioritization, web app scanning, file integrity monitoring and indication of compromise.
Many customers are using multiple Cloud Apps to develop a more complete
understanding of their environment’s security and compliance posture. The
Qualys Cloud Platform currently provides the following Cloud Apps:
Container Security (CS)
Qualys CS continuously discovers, tracks and protects containers in DevOps pipelines and deployments across cloud and on-premises environments. It gives you complete visibility of container hosts by gathering comprehensive topographic information about your container projects — images, image registries, and containers spun from the images. Qualys CS also lets you scan, protect and secure running containers.

Certificate Assessment (CRA)
Qualys CRA lets you assess your digital certificates and TLS configurations by providing continuous monitoring, dynamic dashboarding and custom reporting of certificate issues and vulnerabilities. Qualys Certificate Assessment generates certificate instance grades using a straightforward methodology that allows administrators to assess often overlooked server SSL/TLS configurations without having to become SSL experts. It also identifies out-of-policy certificates with weak signatures or key length.

Cloud Security Assessment (CSA)
Qualys CSA automates continuous monitoring of your public cloud infrastructure, detects misconfigurations, malicious behavior and non-standard deployments, and provides remediation steps. Qualys CSA supports REST APIs for seamless integration with the CI/CD tool chain, providing DevSecOps teams with an up-to-date assessment of potential risks and exposure.

policies and external regulations. With PC, you can leverage out-of-the-box library content to fast-track your compliance assessments using industry-recommended best practices.

PCI Compliance (PCI)
Qualys PCI streamlines and automates compliance with PCI DSS requirements for protecting the collection, storage, processing and transmission of cardholder data. Qualys PCI scans all Internet-facing networks and systems with Six Sigma (99.9996%) accuracy, generates reports and provides detailed patching instructions. An auto-submission feature completes the compliance process.

File Integrity Monitoring (FIM)
Qualys FIM logs and centrally tracks file change events on common enterprise operating systems. Qualys FIM collects the critical details needed to quickly identify changes and root out activity that violates policy or is potentially malicious. Qualys FIM helps you comply with change control policy enforcement and change monitoring requirements.

Security Configuration Assessment (SCA)
A Qualys VM add-on, Qualys SCA expands your VM program with automatic assessment of IT assets’ configurations using the latest Center for Internet Security (CIS) Benchmarks for operating systems, databases, applications and network devices. SCA users can automatically create downloadable reports and view dashboards.
practices. SAQ automates the launch and monitoring of assessment campaigns, and provides tools for displaying and analyzing the data.

Web Application Security

Web Application Scanning (WAS)
Qualys WAS continuously discovers and catalogs web apps in your network and detects vulnerabilities and misconfigurations. Its integration with Qualys WAF provides one-click patching of web apps. With WAS, you can also insert security into DevOps environments. Qualys WAS also identifies and removes malware from websites using behavioral and static analysis.

Web Application Firewall (WAF)
Simple, scalable and adaptive, Qualys WAF blocks attacks, and lets you control when and where your applications are accessed. Qualys WAF and Qualys WAS work together seamlessly. You scan web apps with Qualys WAS, deploy one-click virtual patches for detected vulnerabilities in WAF, and manage it all from a centralized cloud-based portal. It can be deployed in minutes.
[Figure labels: Scanner Service; Passive Sensor Service; VM, PC, WAS, FIM; Qualys Streaming Data Backbone]
Qualys Subscriptions
Qualys caters to organizations of all types and sizes with various subscription options. Offerings can be tailored and expanded to fit customer needs, with pricing based on selected Qualys Cloud Platform features, apps, scanners and agents, and on the range of monitored IT assets.

We offer subscriptions for enterprises, mid-size organizations, small businesses and government agencies. We also have a subscription for consultants and MSPs that use Qualys to provide security and compliance services to their clients.

All subscriptions include free training and support. Customers can also scan their devices and web apps an unlimited number of times, and use an unlimited number of Cloud Agents.

Let’s look at each offering individually.

Qualys for Mid-Size Organizations

For mid-size businesses, Qualys can help simplify their IT security and lower their cost of compliance. The Qualys Express cloud suite includes capabilities for IT asset inventorying, vulnerability management, continuous network monitoring, web application scanning and firewall, threat prioritization, policy compliance including PCI, and vendor risk management.

• 5,120 IPs for scans
• 200 web apps for scans
• 5 scanners
• Unlimited users
• Remediation ticketing & tracking
• Integration with public clouds
To help small organizations tackle today’s security and compliance challenges, Qualys offers the Qualys Community Edition, a free version of its platform. With Qualys Community Edition, small businesses can leverage the accuracy and reliability of Qualys Cloud Platform to discover IT assets and vulnerabilities, identify compliance gaps and get detailed reports.

Using Qualys agents and scanners, this community edition provides asset discovery, vulnerability assessment, configuration assessment, web app scanning, and inventory of public cloud workloads.

CertView lets organizations take back control of their Internet-facing certificates by inventorying and assessing them. It gives you visibility into all of your Internet-facing certificates and SSL/TLS configurations, and lets you centrally control and visualize prioritization of certificate and configuration remediation. Customizable dashboards with highly configurable widgets help you see your certificate status, grade information and vulnerability data.

CloudView and CertView are also available as stand-alone free apps outside of the Community Edition offering.

qualys.com/communityedition
COMPREHENSIVE TRAINING AND SUPPORT
Part III
Customers
Customer Base
The best testament to the quality of our products is our customer base.
Qualys has more than 10,300 customers from all major vertical industries in
over 130 countries. We have a majority of the Forbes Global 100 and Fortune
100 as customers.
Geisinger Health System uses Qualys Cloud Platform's Vulnerability Management, PCI, Web Application Scanning and Cloud Agent to help protect its IT environment, which contains a mix of on-premises and cloud systems. The Danville, Pennsylvania healthcare services provider has several data centers, over 20,000 endpoints and thousands of servers.

Geisinger has been a Qualys customer for about 8 years, during which time it has deepened its use of Qualys products.

“We started with traditional vulnerability management, but we’ve expanded our use as our organization has grown along with the complexity of the devices, applications and infrastructure, especially on equipment that directly impacts patient care,” says Nathan Cooper, information security analyst in cyber operations at Geisinger.

Geisinger, which has 30,000 employees, piloted Cloud Agent on the servers of its security team department. “It passed. There were no discrepancies between the agent and the Qualys Cloud Platform VM vulnerability scans,” Cooper says. “Now we can have the agent added to our base server image so that any new server that’s built from our virtual template instantly has the agent installed. That means, new servers immediately report themselves to the Qualys Cloud Platform.”

“Right out of the gate we know that a new system is provisioned and in our vulnerability management life cycle,” Cooper says. “That’s precisely how the Qualys Cloud Agent, powered by the Qualys Cloud Platform, helps Geisinger improve its vulnerability management efforts and achieve the real-time, continuous security both the security team and Geisinger needed.”
The Qualys Cloud Agent is making a difference at Synovus Bank, a financial services company based in Columbus, Georgia with about $28 billion in assets.

Synovus started using Qualys VM to perform frequent vulnerability scans for all internal and external assets; receive faster notification and remediation for zero day and critical threats; and improve its vulnerability analysis and security patching programs by providing data that can be used to prioritize patch distribution.

The company then adopted Cloud Agent to sharpen the collection of vulnerability information from its laptops. Unlike desktop workstations, servers and network appliances, laptops are mobile and thus are intermittently connected to its network, so at Synovus they often missed prescheduled vulnerability scan windows.

With Cloud Agent, Synovus was able to discover vulnerabilities in laptops in near real time and with more precision. It soon found out that, contrary to its previous estimates, its average laptop didn’t have 30 vulnerabilities but rather about 200 vulnerabilities.

Synovus changed its laptop patching schedule and increased it to a daily frequency. The results: its average laptop now has about 10 vulnerabilities, a dramatic drop.

“Cloud Agent had an immediate impact,” says Corey Reed, a senior security analyst at Synovus.

Synovus likes that the Cloud Agents require minimal maintenance because they’re self-updating, and that they can be easily deployed through group policy and SCCM (System Center Configuration Manager). Synovus also appreciates the negligible impact Cloud Agents have on its network and IT assets because the agents consume very little computing resources.
Capital One has embedded automated security checks into its DevOps pipeline with the help of Qualys, dramatically accelerating the assessment of vulnerabilities and mis-configurations in its virtual machine images and containers.

As a result, the code created in the DevOps pipeline is certified as secure and released to production without unnecessary delays. This allows Capital One to consistently boost its business across the board by quickly and continuously improving its web properties, mobile apps, online services and digital offerings.

“This has provided a huge benefit to the entire company,” said Emmanuel Enaohwo, Capital One’s Senior Manager for Vulnerability/Configuration Management.

Building a secure AMI bakery

Initially, Capital One’s process for certifying the security of Amazon Machine Images (AMIs) was manual and slow, taking up to two weeks, as the DevOps and security teams got on a “fix / find / verify” loop.

To shorten this process, the DevOps team was given API access to the security team’s Qualys vulnerability management and policy compliance tools.

This allowed developers to run scans themselves, get reports, remediate and re-scan as needed, without involving the security team. This shortened the process to under 24 hours.
Securing containers
Part IV
The future
The Qualys Cloud Platform will continue to grow in scope as we push ahead of competitors. New products that are in the works include cloud apps to manage patches and digital certificates.

Also in the pipeline: a mobile security offering that will include Cloud Agents for iOS, Android & Windows Mobile, EMM (enterprise mobility management) capabilities, as well as asset inventory, vulnerability management, threat detection and policy compliance and enforcement.

of our Qualys Cloud Platform, with its cloud oriented, modular, comprehensive and integrated architecture, including:
• Unified suite of best of breed solutions
• Global delivery
• Faster, simpler, inexpensive deployment
• Higher quality
• Continuous improvements
About Qualys
Qualys, Inc. (NASDAQ: QLYS) is a pioneer and leading provider of cloud-based security and compliance solutions with over 10,300 customers
in more than 130 countries, including a majority of each of the Forbes Global 100 and Fortune 100. Qualys helps organizations streamline
and consolidate their security and compliance solutions in a single platform and build security into digital transformation initiatives for
greater agility, better business outcomes and substantial cost savings. The Qualys Cloud Platform and its integrated Cloud Apps deliver
businesses critical security intelligence continuously, enabling them to automate the full spectrum of auditing, compliance and protection
for IT systems and web applications on premises, on endpoints and elastic clouds. Founded in 1999 as one of the first SaaS security
companies, Qualys has established strategic partnerships with leading managed service providers and consulting organizations
© Qualys and the Qualys logo are registered trademarks of Qualys, Inc. All other trademarks are the property of their respective owners. 9/16