Qualys Broadens Security Offerings for Oracle Cloud Infrastructure
Last updated on: December 2, 2022
As organizations increase their use of public cloud platforms, they encounter cloud-specific security and compliance threats, which can be challenging to address without the right tools and processes.
Organizations’ cloud security difficulties lie in two main areas: Lack of visibility into their cloud assets and resources and a misunderstanding of the cloud service providers’ shared security responsibility model. These security breakdowns have caused data breaches and other compromises at organizations, large and small. The key to protecting public cloud workloads lies in adopting a cloud-native way of supporting and securing your resources in a hybrid IT environment to have complete visibility and control.
Qualys is expanding its security and compliance capabilities for OCI (Oracle Cloud Infrastructure) and extending capabilities by integrating with OCI Vulnerability Scanning Service (VSS). By using Qualys’ platform to defend hybrid IT environments, organizations get a unified view of their security posture and can apply the same standards and processes on-premises and in the cloud. The advantages of doing so within a single pane of glass are to reduce your total cost of ownership and to have all the data in one place. That way, when a major attack like Log4j is unleashed, organizations can quickly assess their risk by running vulnerability scans across their entire environment, quickly understand the extent of their exposure, and acting from a single console instead of scrambling to assemble fragmented information from siloed tools.
Shared Responsibility
Like any public cloud provider, OCI operates on a shared security responsibility model. Oracle protects the platform, while customers must secure their data and infrastructure on it.
Qualys helps you fulfil your obligations in this model for your OCI IaaS (infrastructure as a service) and PaaS (platform as a service) deployments, letting you both prevent and respond to threats.
This is made possible by the Qualys Cloud Platform’s versatile set of sensors, including:
- Lightweight, multi-platform Cloud Agents installed on assets, such as OCI virtual machines.
- Virtual scanner appliances for remote scanning across your networks, hosts, and applications. Please follow Scanners in OCI to understand how to deploy Qualys scanners in OCI.
- Internet scanners for performing perimeter scans on edge-facing instances, hosts, and URLs, providing a hacker’s view and perspective of your OCI environment.
- Oracle Cloud Compute Infrastructure (OCI) connector gathers asset inventory data from your OCI environment. The connector currently populates the inventory data, and the other sensors provide security data.
In this manner, organizations can protect OCI deployments using the same Qualys Cloud Platform apps, sensors, and analysis engine and reap benefits such as:
- 360-degree view of all OCI assets from a centralized user interface (UI)
- Lower costs
- Ease of use
- Improved prevention and response
- Scan data consistency
Qualys Coverage for OCI
Qualys lets you do a complete set of security and compliance checks on your OCI virtual machines, web apps, containers, and other resources. On OCI VMs, Qualys provides multiple functionalities, including VMDR (Vulnerability Management Detection and Response) with TruRisk risk prioritization, Policy Compliance, CyberSecurity Asset Management, File Integrity Monitoring, Multi-Vector EDR (Endpoint Detection & Response), Custom Assessment and Remediation (CAR), and Patch Management. Qualys also captures OCI metadata, as shown in the following table:
| Metadata for Windows | Metadata for Linux |
|---|---|
| asset.oracle.compute.image | asset.oracle.compute.instanceId |
| asset.oracle.compute.vnic | asset.oracle.compute.displayName |
| asset.oracle.compute.state | asset.oracle.compute.compartmentId |
| asset.oracle.compute.displayName | asset.oracle.compute.shape |
| asset.oracle.compute.instanceId | asset.oracle.compute.state |
| asset.oracle.compute.compartmentId | asset.oracle.compute.region |
| asset.oracle.compute.timeCreated | asset.oracle.compute.availabilityDomain |
| asset.oracle.compute | asset.oracle.compute.timeCreated |
| asset.oracle.compute.definedtags | asset.oracle.compute.image |
| asset.oracle.compute.freeformtags | asset.oracle.compute.faultDomain |
| asset.oracle.compute.shape | asset.oracle.compute.hostName |
| asset.oracle.compute.region | asset.oracle.compute.canonicalRegionName |
| asset.oracle.compute.faultDomain | asset.oracle.compute.definedtags |
| asset.oracle.compute.availabilityDomain | asset.oracle.compute.freeformtags |
| asset.oracle.compute.hostname | asset.oracle.compute.vnic |
For OCI web apps, Qualys provides its Web Application Firewall (WAF), which blocks attacks and applies virtual patches in conjunction with the Web Application Scanning (WAS) app. Meanwhile, Qualys protects OCI containers with the Qualys Container Security (CS) app.
Cloud Connectors provide a continuous inventory of workloads.
Introducing Integration with OCI VSS
With our OCI VSS integration, Qualys helps you use our same vulnerability scanning engine – across your distributed deployments while eliminating the need to manually patch and update the scanning agents on your OCI Compute instances. Using our Qualys Cloud Agent platform, you can continuously deploy lightweight cloud agents to assess your infrastructure for security and compliance.
OCI VSS – a unified security management and monitoring console – detects OCI virtual machines and deploys the lightweight Qualys Cloud Agents in bulk to them. Customers only need to create one scan recipe and one target and start seeing findings on their compute instances. Details are in VSS, while the findings are sent to Cloud Guard and become issues based on your detector settings.
The agents gather vulnerability data and send it to the Qualys Cloud Platform, which provides a complete security posture for these instances and sends system health monitoring data back to OCI VSS (Vulnerability Scanning Service). VSS will then display the results in the VSS UI and forward them to Cloud Guard for global alerting of security problems. Customers will be able to see the following information in OCI VSS:
- Full Common Vulnerability Exposures (CVE) descriptions
- What package and version caused the CVE to match
- Location of the package when possible
- Package version needed to remediate the vulnerability
Please also refer to https://blogs.oracle.com/cloudsecurity/post/announcing-oci-vss-integration-with-qualys as it goes into more detail on the key benefits of the OCI VSS integration with Qualys:
- Simple – Change your VSS host scan recipe to use the Qualys agents
- Managed – Know that OCI will install and update these agents on your compute instances
- Qualys VMDR will match the OCI compute instance information into QIDs (Qualys ID) (CVEs)
- View multi-cloud findings in the Qualys dashboard
- View OCI findings in VSS and Cloud Guard
In summary, Qualys provides a comprehensive cloud security platform solution covering cloud resources in OCI, all from a single interface, which helps to understand resource associations to effectively identify threats and prioritize remediation across the sprawl using additional data and criteria.
Get Started
To learn more on how Qualys for OCI can help with security and compliance in your organization:
- Contact your Qualys Technical Account Manager
- Start a Qualys Trial at no extra cost