The SANS Institute recently released its 2017 report on cybersecurity trends. We examined the report’s six threat trends in a recent blog post, as well as in a webcast with the report’s author, security analyst John Pescatore, and with Qualys Product Management Vice President Chris Carlson. Now, we’re providing you with a useful checklist to help put you in a better position to respond these trends, which are expected to continue to dominate this year.
As we’ve discussed in this blog series on automated IT asset inventory, having — or regaining — unobstructed visibility of your IT environment is key for a strong security and compliance posture.
We met Max, the CISO of a large manufacturer, whose organization progressively lost this visibility, as it adopted cloud computing, mobility, virtualization, IoT and other digital transformation technologies.
With the company’s IT environment upended and its network perimeter blurred, Max and the InfoSec team recovered control with a cloud-based, automated IT asset inventory system. This successful solution featured six key elements. In the previous posts, we addressed the first three:
- Complete visibility of your IT environment
- Deep visibility into assets, wherever they reside
- Continuous and automatic updates
This means that you need a complete and continuously updated list of IT assets, as well as granular security, compliance and system details on each one.
In this post, we’ll explain the next two requirements for an effective cloud-based IT asset inventorying system:
- Asset criticality rankings
- Dashboarding and reporting
In the first installment of this blog series on automated asset inventorying, we met Max, the CISO of a large manufacturer whose InfoSec team lost full visibility of the company’s hardware and software.
Dangerous blind spots appeared progressively over time as Max’s company adopted more and more digital transformation technologies, such as cloud computing, mobility, IoT, and virtualization.
Eventually, Max and his team became alarmed at the inability of their legacy on-premises security products to account for the new cloud instances, virtualized environments, mobile endpoints and other assets outside of the traditional, tightly-controlled network perimeter.
They were concerned that this lack of visibility could lead to an increase in employee use of unapproved personal devices and unauthorized software, as well as to data breaches.
First the bad news: Internet of Things (IoT) systems have created immense security holes. Now the good news: The problem can be fixed fairly easily.
That was the message from Jason Kent, Qualys’ Vice President of Web Application Security, during his recent webcast, “Aligning Web Application Security with DevOps and IoT Trends.”
“IoT doesn’t have to be scary. We have the knowledge on how to solve all these application security problems,” Kent said. “We just need to put focus on it.”
The effort to create awareness and shine a light on the issue of IoT security must be shared by IoT system manufacturers, application developers, and customers, including both businesses and consumers.
Several years ago, Max, the CISO of a large manufacturer, realized that his organization’s formerly homogeneous, self-contained IT environment had lost its clearly delineated perimeter. Instead, it had become a hybrid environment with blurred borders, made up of a mix of legacy on-premises systems, new cloud workloads, and a variety of mobile endpoints.
With 2017 still in its infancy, plenty of time remains for InfoSec practitioners to make concrete strides toward better security and compliance in their organizations. That’s why to help you start off the year on the right foot, we’ve shared best practices, ideas and recommendations in our Qualys Top 10 Tips for a Secure & Compliant 2017 blog series.
It used to be difficult or outright impossible for employees to install and use unapproved software on their work computers. For many IT departments, those happy days are over.
Web apps’ proliferation combined with mobile devices’ ubiquity have drastically lowered the bar — or removed it altogether — for people to use software of their own choosing at work.
As we continue our Qualys Top 10 Tips for a Secure & Compliant 2017 blog series, we zoom in on the all important area of compliance and risk monitoring, a key element of any comprehensive security program.
IT compliance and risk managers don’t have it easy. You face an increasingly complex regulatory landscape, constantly evolving industry standards and a technology environment that’s changing at a dizzying pace. It falls on your shoulders to make sure your organizations follow rules, regulations, laws, standards and practices in areas of IT across all business functions.
In this post, we’ll offer tips 5 – 7 on our list, to help you:
- Ensure internal and external IT compliance
- Assess procedural and technical controls among vendors to reduce the risk of doing business with them
- Comply with the Payment Card Industry Data Security Standard (PCI DSS)
The FedRAMP authorization obtained by the Qualys Cloud Platform was one of Qualys’ significant achievements in 2016. Why is that, you may be asking? Here we explain five reasons why the FedRAMP (Federal Risk and Authorization Management Program) approval is important for Qualys customers and partners. (And we explain what FedRAMP is!)