As organizations increase their use of public cloud platforms, they encounter cloud-specific security and compliance threats, which can be challenging to address without the right tools and processes.
Organizations’ cloud security difficulties lie in two main areas: Lack of visibility into their cloud assets and resources, and a misunderstanding of cloud providers’ shared security responsibility model. As a result, there have been a multitude of easily preventable security mishaps in public cloud deployments due to leaky storage buckets, misconfigured security groups, and erroneous user policies.
These security breakdowns have caused data breaches and other compromises at organizations large and small, including Verizon, Viacom, the Republican National Committee, Tesla and the U.S. Department of Defense. The key to protecting public cloud workloads lies in adopting a cloud-native way of supporting and securing your resources in a hybrid IT environment, so that you have full visibility and control.
“Rather than having bifurcated tooling or bifurcated processes or even bifurcated teams, organizations need a unified view of their resources and security posture across on-premises and cloud environments,” Hari Srinivasan, Director of Product Management at Qualys, said during a recent webcast.
Read on to learn about cloud security challenges, best practices, and how Qualys can help you secure any infrastructure, at any scale, on-premises and in cloud, via a unified interface, using uniform standards and processes.
Cloud security difficulties
Whenever Srinivasan asks security teams how many assets they have in their public clouds, the answer typically is “no idea.” And when he delves deeper and asks whether their VM program includes identifying crypto mining attacks and data exfiltration from storage buckets, the finger-pointing begins: Another team must be in charge of that, they say.
In short, as more and more business units move workloads to the cloud, security teams lose visibility into deployments, and into who’s doing what and what resources they’re using. Communication and collaboration among the different infosec teams is often minimal.
It’s also common for organizations to ignore their responsibilities under the shared security model that cloud platform providers operate under, in which the burden is split between providers and their customers. The providers take care of the security of the cloud. Customers, in turn, are responsible for defining the controls that protect their data and software on these platforms.
This means that organizations must still perform the same essential security checks on cloud deployments as they do on-premises, including vulnerability management, threat prioritization, web app scanning, and policy compliance.
“It’s key to understand the shared security responsibility model. At Qualys, it’s our goal to help you with that,” Srinivasan said.
Qualys Cloud Security
Qualys’ cloud security products let organizations continuously monitor and secure their public cloud infrastructure against misconfigurations, malicious behavior and non-standard deployments.
Qualys currently offers two cloud security applications: Qualys Cloud Inventory and Qualys Cloud Security Assessment. Qualys Cloud Inventory is a free app that gives you a comprehensive inventory of your public cloud workloads and infrastructure. The paid Qualys Cloud Security Assessment includes Cloud Inventory as well as capabilities to monitor and assess your cloud assets and resources for misconfigurations and non-standard deployments.
Together, Qualys Cloud Inventory and Qualys Cloud Security Assessment cover three key use cases:
- Visibility into your public clouds
- Continuous security monitoring
- Actionable insights and threat prioritization
Let’s look at each one in detail.
Visibility into your public clouds
“You must understand your topography, understand your users, and know where things are, and how they’re related to each other,” Srinivasan said.
From its central cloud security dashboard, Qualys gives you a topographic view of your current and historical inventory. You can view instances, security groups, storage buckets, IAM users, ACL users, Azure Virtual Machines, SQL Databases and so on.
Interactive and customizable dashboard widgets let you, for example, see resource distribution by type, resources by region, and misconfigurations by criticality. You can also build your own widgets.
Qualys also provides a searchable resource inventory that lets you fire off queries based on all attributes, set up search filters, and see inventory trends. It includes cloud hosts and instances, and all related resources and services.
Continuous security monitoring
“A monitoring solution needs to be aligned with the way in which the cloud operates,” Srinivasan said. “As resources get spun up and down, it needs to be continuous in nature.”
Qualys provides continuous security monitoring for configuration assessments. It lets you monitor against security standards, and identify threats from misconfigurations and non-standard deployments. For example, you can find S3 buckets that are publicly accessible, and security groups with ingress on ports open to the Internet.
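The two checks named above can be sketched as follows. This is an added example, not Qualys code and not a description of how its products work; the sample records are constructed and follow the response shapes of the AWS EC2 DescribeSecurityGroups and S3 GetBucketAcl APIs, and all resource names are hypothetical.

```python
import ipaddress

# Predefined S3 grantee groups that make an ACL grant effectively public.
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def _is_any_address(cidr):
    """True for 0.0.0.0/0 and ::/0 (a zero-length prefix covers every address)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def open_ingress(group):
    """Return (group_id, protocol, from_port, to_port, cidr) per world-open rule."""
    findings = []
    for perm in group.get("IpPermissions", []):
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in filter(_is_any_address, cidrs):
            # IpProtocol "-1" means all protocols; the port keys may be absent.
            findings.append((group["GroupId"], perm["IpProtocol"],
                             perm.get("FromPort", 0), perm.get("ToPort", 65535), cidr))
    return findings

def public_acl_grants(bucket, acl):
    """Return (bucket, permission) for each ACL grant to a public grantee group."""
    return [(bucket, g["Permission"]) for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("URI") in PUBLIC_GRANTEES]

# Constructed sample inventory (hypothetical IDs and bucket names).
SAMPLE_GROUPS = [
    {"GroupId": "sg-example-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
    {"GroupId": "sg-example-db", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]
SAMPLE_ACLS = {
    "example-logs": {"Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"}]},
    "example-private": {"Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"}]},
}

if __name__ == "__main__":
    for g in SAMPLE_GROUPS:
        print(open_ingress(g))
    for name, acl in SAMPLE_ACLS.items():
        print(public_acl_grants(name, acl))
```

This sketch inspects ACL grants only; bucket policies and Block Public Access settings also determine whether a bucket is reachable, so a complete assessment has to evaluate those as well.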
Actionable insights and threat prioritization
The elastic nature of the cloud makes it difficult to track and prioritize threats. With its unified security solution, Qualys provides a 360-degree view of cloud assets’ security posture, which includes cloud host vulnerabilities, compliance requirements and threat intelligence insights, so users can contextually prioritize remediation.
With Qualys, you can understand resource associations to effectively identify threats, and prioritize remediation across the sprawl using additional data and criteria, Srinivasan said.
In summary, Qualys provides you with “a true cloud security platform solution covering cloud resources in Microsoft Azure, Amazon AWS, and Google Cloud, all from a single interface,” Srinivasan said.
If you’re interested in Qualys cloud security apps and you’re an existing Qualys customer, you can subscribe to the Cloud Inventory (CI) and Cloud Security Assessment (CSA) apps from your account. If you’re not a Qualys customer, you can request a trial for CI and CSA, or sign up for the free Qualys CloudView service, which allows you to inventory your public cloud workloads and infrastructure.