Qualys Gateway Service now available in AWS, Azure, and Google Cloud Marketplaces

Joseph Rose

Why are customers moving to the Cloud?

Cloud computing adoption has been increasing, with cloud-specific spending expected to grow at more than five times the rate of general IT spending through 2023. Many organizations are working to move their enterprise systems to the cloud, with those migrating as part of a strategy and transforming their architectures, rather than lifting and shifting, gaining the most benefits.

Customers move to the Cloud for a variety of reasons:

Business-Driven:

  • Exit a data center or managed hosting service
  • Mergers, acquisitions, or divestiture
  • Reduce CapEx / Move costs to OpEx
  • End of Support for important technologies / re-platform
  • Regulatory compliance
  • Data Sovereignty requirements
  • Reduce disruption / improve stability
  • Meet or report environmental obligations

Migration or Transformation:

  • Real or perceived cost savings
  • Supplier reduction/complexity reduction
  • Optimise internal operations
  • Increased agility in launching or extending services
  • New technical or business capabilities
  • Scaling for market or geographic demands
  • Integration of complex IT portfolio
  • Improve customer or colleague experience
  • Product or service transformation
  • Market disruption
  • Self-service tools/process automation

What challenges do customers face?

When customers move workloads to the cloud, they find themselves responsible for additional security elements such as host-based firewalls, virtual private networks, and internet gateways, as well as cloud-native items such as S3 buckets.

Bandwidth costs may be levied if, for instance, the traffic leaves a cloud venue and goes back on-premises. The opposite direction is usually encouraged, but providers will charge for private links and for egress costs out to the internet.

Costs for running workloads can be tough to manage, and additional charges exist to create ephemeral build servers to drive CI/CD pipelines; therefore, some customers will opt to patch virtual desktop or server workloads.

Costs for virtual desktops can be higher from an OpEx perspective, but they avoid the initial investment (CapEx) in traditional VDI infrastructure, and DaaS virtual desktops have allowed organizations to pivot quickly to hybrid or remote working, especially during the COVID pandemic.

Qualys Gateway Service is now available on AWS, Azure, and Google Cloud

Qualys Gateway Service (QGS) is an extensible container platform that is mainly used for proxy and caching services, allowing you to simplify your connection to the Qualys platform and stage manifests, cloud agent binaries, config files, and patches.

Other Qualys sensors, including Scanner and Network Passive Sensor, can also backhaul their traffic to the Qualys platform via QGS.

Customers can now conveniently search for and find QGS within the AWS, Azure, and Google Cloud marketplaces and leverage its capabilities for their specific requirements.

QGS Architecture – delivering value

QGS architecture provides great value to customers through multiple attributes:

Scalability

QGS features 2 proxy servers behind a Load balancer. This allows a larger number of connections to be serviced, and for patch delivery throughput to be increased.

QGS can be connected to the Cloud Platform, and thousands of agents and other sensors can be connected to QGS, drastically simplifying firewall rules and firewall lifecycle management.

Isolation

QGS runs on a container Linux platform, with segregation between containers, so that they can be co-hosted while remaining isolated.

Registration and management

QGS management is controlled through the CAMS module and its user interface. This also controls the operating system and container updates.

Logging

QGS logs are visible on the platform before being backhauled to the platform.

Updates

QGS updates and improvements are delivered on a regular basis, without any admin intervention being required.

SSL Bump

Older operating systems are assisted in meeting minimum encryption standards using SSL Bump to ensure that their data can still be backhauled to the Qualys platform.

QGS Deployments

Figure 1: QGS sample deployment in AWS

QGS saves on bandwidth

Your cloud service provider will likely include internet download charges in your monthly bill. QGS saves you money by allowing updates to manifests, config files, and cloud agent binaries to be cached locally, saving bandwidth and avoiding excess charges.

| Object | Before: Direct Connection (10,000 agents) | After: QGS caching (10,000 agents) |
|---|---|---|
| Manifest (3-5MB) | 50GB daily | 5MB daily |
| Config File (< 10KB) | 100MB as needed | 10KB as needed |
| Installer (15-19MB) | 190GB, 3-4x per year | 76MB, 3-4x per year |

QGS drives efficiency with Patch Management

In order to ensure that Cloud Agents can retrieve patches and other files quickly, QGS acts as a cache for content retrieved by the Cloud Agent, which can be held locally.

Figure 2: QGS artefacts and mapping to disks

Qualys Patch Management leverages the Qualys Cloud Platform and Cloud Agents to help IT and security teams quickly and efficiently remediate vulnerabilities and patch systems.

  • New intelligent automation allows prioritization of vulnerabilities based on threat indicators such as ransomware, matching of prioritized vulnerabilities with known patches, and a zero-touch “set and forget” feature to proactively patch devices and applications per predefined policies, leading to increased productivity.
  • An organization can create a policy to keep Adobe Reader or Google Chrome software always patched on corporate laptops.
  • QGS can pre-fetch patches in some cases, meaning that even the first agent to patch will find the new update locally on QGS.

| Patch Type | Before: Direct Connection (10,000 agents) | After: QGS caching (10,000 agents) |
|---|---|---|
| Microsoft Office Update (monthly enterprise channel), e.g. Apr2023-May2023 | 1.16 TB monthly, deploy over 1-2 days | 122MB monthly |
| Adobe Acrobat Reader | 908 GB monthly, deploy over 1 day | 93MB monthly |
| Google Chrome (full update) | 928 GB weekly, deploy over 1 day | 95MB weekly, QGS will pre-fetch daily |

  • QGS can integrate with the Patch Management ‘Install Software’ feature to ensure that even large ISO files used for Operating System upgrades can be cached.

QGS supports Cloud Patch Management

  • While the majority of Cloud Servers will be ephemeral and rebuilt rather than patched:
    • Not all organizations have CI/CD pipelines for all Cloud or DevOps teams.
    • Some servers were built manually
    • Some organizations have used Managed Virtual Desktop solutions to deliver persistent VDI, and these may be patched in place, on a regular basis
  • QGS delivers features and benefits in the Cloud for different types of servers:
    • Ephemeral servers are rebuilt in an automated fashion, utilizing Qualys CI/CD plug-ins to avoid the promotion of insecure images to Production.
    • Non-ephemeral servers can be patched, in-place, to improve security.
    • Both types can benefit from simplified firewall lifecycle management with a single point of egress for HTTPS traffic, via the QGS
    • QGS is also able to backhaul Scanner and Passive Sensor traffic

The application of patches for compliance is automated to help security teams align with regulatory and internal security policies.

  • By identifying the riskiest products in the environment, organizations can focus automation efforts on those that introduce the most vulnerabilities.
  • In addition, the quick application of low operational risk patches also reduces the overall time to remediation, improving vulnerability SLAs. This is further accelerated by caching the patches on the QGS, which also reduces bandwidth because the patch does not need to be obtained from a vendor patch repository.

Deploy QGS in Cloud

Amazon Web Services

Please follow AWS to understand how to deploy QGS in AWS.

Figure 3: QGS on AWS Marketplace

For a full setup procedure, refer to our QGS AWS Deployment Guide.

Azure

Please follow Azure to understand how to deploy QGS in Azure.

Figure 4: QGS on Azure Marketplace

For a full setup procedure, refer to our QGS Azure Deployment Guide.

Google Cloud Platform

Please follow GCP to understand how to deploy QGS in the Google Cloud Platform.

Figure 5: QGS on Google Cloud Marketplace

For a full setup procedure, refer to our QGS GCP Deployment Guide.

In summary, Qualys offers a comprehensive Gateway Service solution that provides proxying, backhaul, and caching services for Cloud Agent, Scanner, and Passive Sensors, and is now available within AWS, Azure, and Google Cloud. This solution can be accessed through a single interface, affording easy configuration.

Get Started

To learn more on how Qualys Gateway Service for public clouds can help with security and compliance in your organization:

  • Contact your Qualys Technical Account Manager
  • Start a Qualys Trial at no extra cost