As organizations seek digital transformation benefits and aggressively move workloads to public cloud platforms, InfoSec teams must support their business units’ efforts by adapting and properly protecting these environments.
This may sound surprising to those who think that, when you use a public cloud service, the platform provider takes on all security and compliance tasks. Rather, these public cloud service providers operate on a “shared security responsibility” model, so the burden is split between you and them.
In other words, you get to define your controls in the cloud to protect your data and infrastructure, while the cloud provider takes care of the security of the cloud.
Cloud environments also tend to be more elastic than the traditional ones, so you need a security solution that is adaptive and works well with these elastic workloads.
Qualys helps you fulfill your obligations in this model, by letting you do vulnerability management, policy compliance, malware detection, web app scanning and other critical security and compliance tasks in your cloud instances.
The Business Driver: Digital Transformation
In its 2017 CEO Survey, Gartner concluded that the digital business shift is no longer speculative for most business leaders, but rather that it “has become a reality for many.” That survey, which polled 388 CEOs from organizations with $1 billion-plus in annual revenue, found that:
- 52 percent describe their digital business posture as “digital first” or “digital to the core”
- 47 percent are being challenged by their boards to make digital business progress
- 56 percent credit digital investments for improved profits
This isn’t surprising in an age when startups like Uber and Airbnb can disrupt mature industries by leveraging digital transformation technologies. According to Gartner’s 2017 global CIO survey, digitization spending is climbing, although enterprise IT budgets rose only 2.2%. Digitization takes up 18% of budgets, a share expected to rise to 28% in 2018, said the survey, which polled 2,600 CIOs.
For public cloud services specifically, including platform-, infrastructure- and software-as-a-service (PaaS, IaaS and SaaS), Gartner is forecasting that global spending will grow 18 percent this year compared with 2016 to almost $247 billion.
Digital transformation, of which cloud computing is a core element, lets organizations, for example, set up digital-only channels, restructure value chains, better comply with regulations, accelerate product and service innovation, and quickly mine data for swift tactical and strategic decisions.
All Hands on Deck for Public Cloud Defense
So who is involved in ensuring the security and compliance of public cloud instances? Unsurprisingly, the same teams involved with defending your on-premises infrastructure.
- The CISO: If the organization uses multiple cloud platforms, such as Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure, the CISO must have visibility across all of them, what workloads are running on them and details on how each is being secured. The CISO will use this information for a variety of purposes, including:
- To make sure the organization’s security and compliance standards are being met in the cloud
- To look for opportunities to cut costs and reduce complexity by identifying redundant, obsolete and functionally narrow security tools and replacing them with consolidated, integrated and modern cloud-based solutions
- InfoSec team: As these cloud migrations and deployments are planned and carried out, these InfoSec pros must make sure their security tools and processes can be connected to these platforms. Why? They need to know what vulnerabilities exist in the new cloud environment, and prioritize threats based on criticality indicators. For example, is a vulnerability a zero-day type — actively exploited in the wild without an available patch? Does a vulnerability affect mission-critical environments, potentially leading to severe operations disruption and major data loss?
InfoSec teams also must monitor regulations, industry mandates, and internal policies to make sure their organizations are compliant with these requirements. The security team also must establish remediation processes to handle cloud environments, which are more elastic, with virtual instances getting spun up and down constantly.
- DevSecOps group: Security can play a critical role within the DevOps process by being proactive and automating security tasks, in order to help the organization pursue digital transformation efforts and operate at the speed of today’s business world. By “shifting left,” security practices can be infused directly into the DevOps pipeline, to identify and fix security issues in the development process, and in the deployment stages ahead of production. DevOps teams need extensible solutions that can be integrated into the CI/CD (Continuous Integration / Continuous Delivery) toolchain and become part of the complete process, from identification of vulnerabilities and misconfigurations to remediation.
- Auditors: Auditing practices need to be adapted to the cloud as well, by generating security and compliance reports that have the same format as the ones auditors are accustomed to seeing for on-premises systems. This will speed up the auditing process and make auditors happy.
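The InfoSec and DevSecOps points above describe a practice without showing it: rank findings by the criticality indicators named (exploited in the wild, no patch available, mission-critical workload) and let a CI/CD stage refuse to promote a build when high-priority findings are open. The following Python is an added example of that “shift-left” gate; it is not Qualys code and does not use any Qualys API. The finding fields, the scoring weights, the tier thresholds and the sample findings (with placeholder vulnerability ids, not real CVEs) are all constructed assumptions for illustration.

```python
"""Shift-left gate: prioritize cloud scan findings and fail a CI/CD stage.

Added example (not Qualys code). The Finding schema, weights, tier cut-offs
and sample data below are assumptions constructed for this illustration.
"""
import sys
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Finding:
    asset: str              # cloud instance id (constructed)
    vuln_id: str            # placeholder identifier, not a real CVE
    cvss: float             # 0.0 - 10.0 base severity from the scanner
    exploited_in_wild: bool  # threat intel says active exploitation is observed
    patch_available: bool    # a vendor fix exists
    mission_critical: bool   # asset is tagged as a production-critical workload


def risk_score(f: Finding) -> int:
    """Combine severity with the criticality indicators into one number.

    Base: CVSS scaled to 0..100. Exploited with no patch (a zero-day in the
    article's sense) weighs more than exploited-but-patchable, and a
    mission-critical asset adds a fixed business-impact bonus.
    """
    score = int(round(f.cvss * 10))
    if f.exploited_in_wild:
        score += 40 if not f.patch_available else 20
    if f.mission_critical:
        score += 30
    return score


def tier(f: Finding) -> str:
    """Map the score onto the remediation tiers a ticketing process would use."""
    s = risk_score(f)
    if s >= 120:
        return "P1"
    if s >= 90:
        return "P2"
    if s >= 60:
        return "P3"
    return "P4"


def ci_gate(findings: Iterable[Finding],
            block_tiers: Tuple[str, ...] = ("P1", "P2")) -> Tuple[bool, List[Finding]]:
    """Return (passed, blocking_findings); blocking list is highest risk first."""
    blocking = sorted((f for f in findings if tier(f) in block_tiers),
                      key=risk_score, reverse=True)
    return (len(blocking) == 0, blocking)


# Constructed sample scan output for a handful of cloud instances.
SAMPLE_FINDINGS = [
    Finding("i-0aaa", "VULN-0001", 9.8, True,  False, True),   # zero-day on prod
    Finding("i-0bbb", "VULN-0002", 7.5, False, True,  True),   # patchable, prod
    Finding("i-0ccc", "VULN-0003", 5.3, False, True,  False),  # low risk, dev box
    Finding("i-0ddd", "VULN-0004", 8.1, True,  True,  False),  # exploited, non-prod
    Finding("i-0eee", "VULN-0005", 6.5, False, True,  False),  # medium, dev box
]


def report(findings: Iterable[Finding]) -> str:
    """One line per finding, in the order a remediation queue should work it."""
    rows = sorted(findings, key=risk_score, reverse=True)
    return "\n".join(f"{tier(f)} score={risk_score(f):3d} {f.asset} {f.vuln_id}"
                     for f in rows)


if __name__ == "__main__":
    passed, blocking = ci_gate(SAMPLE_FINDINGS)
    print(report(SAMPLE_FINDINGS))
    print("GATE:", "PASS" if passed else f"FAIL ({len(blocking)} blocking)")
    sys.exit(0 if passed else 1)   # non-zero exit stops the pipeline stage
```

Run as a pipeline step, the non-zero exit code is what stops deployment; the weights and cut-offs are the policy knobs the security team owns, and the `mission_critical` flag is where the asset tagging the article mentions feeds into prioritization.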
Defense In Depth for Cloud Workloads with Qualys
The Qualys Cloud Platform provides you with a unified approach for preventing and responding to threats anywhere in your IT environment, including in your public cloud instances. With Qualys, you consolidate and simplify your enterprise security solutions toolbox and slash your total cost of ownership, since there’s no software or hardware to install or maintain.
Qualys compiles and continuously updates a complete IT asset inventory to give you instant visibility across your entire IT environment — on premises, on endpoints and in the clouds. AssetView, the platform’s central “single pane of glass” interface, is fully customizable and lets customers see all their IT security and compliance data, drill down into details, generate reports and search for any asset.
The platform’s suite of more than 10 integrated, self-updating cloud apps serves the needs of all your security and compliance teams, such as those in charge of on-premises IT operations, web apps, DevSecOps, cloud services and endpoints.
The platform’s consolidated functionality includes vulnerability management, continuous monitoring, patching prioritization, indication of compromise, web app security, policy compliance, file integrity monitoring, container security, vendor risk assessments and passive network analysis.
Data is collected using a variety of methods and technologies — including virtual scanner appliances, lightweight and configurable cloud agents and Internet scanners — and analyzed in a robust correlation and reporting back-end engine.
For your public cloud workloads, Qualys covers key areas, including:
- Continuous IT asset discovery and tracking, dynamic tagging, dashboarding and reporting
- Internal asset scanning and app protection, which provides vulnerability analysis and compliance checks across operating systems, databases and servers, as well as identification of application and REST API vulnerabilities, combined with firewall rules and one-click virtual patching
- Perimeter scanning, which gives you a continuous hacker’s-eye view into all your public IPs and URLs
Qualys has agreements and integrations with the three main public cloud platform providers — Amazon, Microsoft and Google — with more to come. Qualys sensors are readily available to be deployed across these cloud platforms.
Let Qualys Be Your Digital Transformation Partner
With the Qualys Cloud Platform, you’ll be able to protect your public cloud instances, and support your business’ cloud computing needs. Automate security in the DevOps process, making the security team a partner to the business units, not a naysayer. Become a key participant in the organization’s digital transformation efforts and secure your cloud infrastructure.
To learn more, watch our on-demand webcast, “Securing Your Public Cloud Infrastructure”.
(Hari Srinivasan is the Director of Product Management for Cloud and Virtualization Security at Qualys)