Enterprise IT environments are getting exponentially more complex with the booming adoption of cloud computing, upping the ante for InfoSec teams, which must protect these new environments. As the foundation for modern IT innovations that propel digital transformation, public cloud platforms are now fundamental for business agility and competitiveness. With their benefits come a world of security and compliance challenges demanding their own comprehensive security controls for continuous prevention, detection, and response.
Managing Shared Responsibility With the Right Security Architecture
The heart of cloud security is the concept of shared responsibility, where cloud service providers and their customers split various security and compliance tasks according to who controls particular assets. As a major global cloud service provider, Alibaba Cloud takes responsibility for safeguarding its platform, while its customers are expected to ensure the security of their own data and infrastructure hosted within that platform.
As your security partner, Qualys helps secure your Alibaba Cloud instances with an architecture built on these pillars.
- Shift-left means having a set of natively integrated tools whose security and compliance checks are automated and embedded end-to-end into your cloud processes and infrastructure, starting with the design of software builds.
- Real-time inventory means having an always updated, comprehensive inventory of all your cloud assets for full visibility into your environment.
- Quick, precise and continuous detection and response enables you to address security and compliance issues.
- Built-in security provides native integration of your security and compliance tools with Alibaba Cloud.
Organizations can no longer rely on security stacks comprising a mixture of point solutions that don’t interoperate, can’t scale, and are not connected or are manually stitched together, making them difficult and costly to deploy and manage. They can’t depend on multiple agents with limited functionality that collect fragmented data that is fed to multiple consoles. This forces security practitioners to manually correlate the data, preventing them from responding quickly to threats.
Qualys helps you fulfil your organization’s shared responsibility security obligations for your Alibaba Cloud IaaS (Infrastructure-as-a-Service) and PaaS (Platform-as-a-Service) deployments by letting you both prevent and respond to threats. This is made possible by the Qualys Cloud Platform’s versatile set of sensors, including: lightweight, multi-platform Cloud Agents installed on assets such as Alibaba Cloud virtual machines.
Qualys Sensors Collect Data for Analytics
Qualys offers security teams a broad variety of sensors to collect security, IT, and compliance operational data from assets in Alibaba Cloud. Scalable, self-updating and centrally managed, Qualys sensors include:
- Virtual scanner appliances that can conduct remote scans across your networks, hosts, and applications. Please follow Scanners in Alibaba to understand how to deploy Qualys scanners in Alibaba Cloud.
- Internet scanners that perform perimeter scans on edge-facing instances, hosts, and URLs. These scanners offer a hacker’s view and perspective of your Alibaba Cloud environment.
- A full API set for integration with third-party threat intelligence feeds and other tools.
- Lightweight Cloud Agents installed on assets for real-time data collection.
This versatile set of sensors gives security teams valuable options for collecting data from many IT asset types. The Qualys Cloud Agent, in particular, is a game changer for reasons mentioned in the next section.
Under the Hood With Cloud Agent
Cloud Agents work in concert with the Qualys Cloud Platform to let customers easily add security and compliance capabilities. The capability to deliver multiple functions via a single agent changes how security leaders are developing and creating security programs across a hybrid enterprise IT environment.
The Cloud Agent is lightweight, which consumes negligible computing and network resources. After completing a comprehensive initial data collection of the asset, Cloud Agent only gathers changes from subsequent scans. Cloud Agent provides many benefits for securing Alibaba Cloud environments, including:
- No requirement for scanning windows. Cloud Agent continuously collects data on assets where it’s installed, even when these assets are offline.
- Continuous monitoring yields faster vulnerability discovery and patch confirmation.
- No need for complex credentials and firewall management. Cloud Agent only communicates outbound to the Qualys platform.
- Cloud Agent comes with 30+ flexible and granular performance configuration and scanning controls, allowing organizations to tune agent performance and bandwidth usage for specific environmental requirements. You can control a tiny memory footprint and minimal network bandwidth using a Configuration Profile.
- Each Configuration Profile contains settings for:
- Agent performance
- Assigned hosts
- Agent scan interval
- Data collection options
- Blackout windows
- Suspending data collection
- Preventing auto-updating of agent binaries and more
- Cloud Agent works with multiple Qualys applications, which lets security teams remove point-solution agents from assets and consolidate security tools to reduce costs and complexity.
- Cloud Agent extends security to assets that are difficult or impossible to monitor with scanners, including Elastic, ephemeral cloud instances.
Qualys Secures DevSecOps in Clouds
Qualys supports three main use cases for securing DevOps in cloud deployments.
- After integrating Qualys into your DevOps pipeline, you’ll be able to obtain a clear picture of the vulnerabilities and misconfigurations of your operating systems and web applications.
- Teams can remediate these security problems before launching an app or image into production.
- Teams can place the lightweight and versatile Qualys Cloud Agent into your DevOps environment to provide continuous monitoring throughout the CI/CD lifecycle.
For example, in an Alibaba Cloud environment, after creating an image, you spin-up sample instances and run Qualys scans on each one.
Next, after identifying and fixing the vulnerabilities and misconfigurations, the result is a hardened base instance. DevOps then seeds it with a Qualys Cloud Agent before releasing it into production. Qualys functionality for vulnerability management, policy compliance and web application scanning are supported via REST APIs, so you can programmatically integrate it with your DevOps tools.
Once instances have been released live, Qualys helps you monitor and track their security posture via dynamic and interactive dashboards in which you can search for and tag instances based on attributes, and use pre-built or custom widgets to monitor deployments.
A Single View of the Asset
With Qualys, you can conduct a comprehensive range of security and compliance checks on various resources within your Alibaba Cloud environment, including virtual machines, web applications, and containers. For Alibaba Cloud instances, Qualys offers several features such as VMDR (Vulnerability Management Detection and Response) with TruRisk risk prioritization, Policy Compliance, CyberSecurity Asset Management, and Custom Assessment and Remediation (CAR).
The Cloud Agent also processes metadata for an instance in Alibaba cloud via Qualys Cloud Agent for Linux (5.6 onwards).
It is possible to use the following Alibaba-specific tokens in QQL once your Cloud Agents in Ali Cloud are registered with Qualys Cloud Platform:
|alibaba.instance.accountid||Find Alibaba cloud instances with a certain account ID.|
|alibaba.instance.dnsServer||Find Alibaba cloud instances associated with the Domain Name System (DNS) configuration.|
|alibaba.instance.hasAgent||Find Alibaba instances that have a cloud agent installed.|
|alibaba.instance.hostName||Find Alibaba cloud instances associated with the hostname.|
|alibaba.instance.imageld||Find Alibaba cloud instances with the specified image ID used during instance creation.|
|alibaba.instance.instanceld||Find Alibaba cloud instances with a certain ID.|
|alibaba.instance.instanceType||Find Alibaba cloud instances with a certain instance type.|
|alibaba.instance.interfaceld||Find Alibaba cloud instances by the ID of network interface controllers (NICs).|
|alibaba.instance.instanceState||Find Alibaba cloud instances of the selected state.|
|alibaba.instance.macAddress||Find Alibaba cloud instances with the specific MAC address.|
|alibaba.instance.networkType||Find cloud instances of the selected network type.|
|alibaba.instance.privatelpAddress||Find Alibaba cloud instances with private IPv4 addresses or a range of IPs assigned to NIC.|
|alibaba.instance.publicIpAddress||Find Alibaba cloud instances with public IPv4 addresses or a range of IPs.|
|alibaba.instance.region.code||Find Alibaba cloud instances that belong to the specific region code.|
|alibaba.instance.region.name||Find Alibaba cloud instances that belong to the specific region name.|
|alibaba.instance. serialNumber||Find Alibaba cloud instances that belong to the specific serial number.|
|alibaba.instance.vpcCidrBlock||Find Alibaba cloud instances that belong to the CID block of the VPC network.|
|alibaba.instance.vpcid||Find Alibaba cloud instances that belong to the specific virtual private clouds (VPC) ID.|
|alibaba.instance.vswitchid||Find the Alibaba cloud instance that is connected to the Switch ID.|
|alibaba.instance.vswitchCidrBlock||Find Alibaba cloud instances that are connected to the CIDR block of Switch.|
|alibaba.instance.zoneld||Find Alibaba cloud instances that belong to the specific zone ID|
For Alibaba web apps, Qualys provides its Web Application scanning (WAS) for comprehensive discovery and performance of deep, exhaustive application scans at scale, malware detection and more.
In summary, Qualys offers a comprehensive cloud security platform solution that covers various cloud resources within Alibaba Cloud. This solution can be accessed through a single interface, allowing for a clear view of resource associations and effective threat identification and remediation prioritization with additional data and criteria.
To learn more on how Qualys for Alibaba can help with security and compliance in your organization:
- Contact your Qualys Technical Account Manager
- Start a Qualys Trial at no extra cost