Table of Contents
- Why are customers moving to the Cloud?
- What challenges do customers face?
- Qualys Gateway Service is now available on AWS, Azure, and Google Cloud
- QGS Architecture delivering value
- QGS Deployments
- QGS saves on bandwidth
- QGS drives efficiency with Patch Management
- QGS supports Cloud Patch Management
- Deploy QGS in Cloud
- Get Started
Why are customers moving to the Cloud?
Cloud computing adoption has been increasing, with cloud-specific spending expected to grow at more than five times the rate of general IT spending through 2023. Many organizations are working to move their enterprise systems to the cloud, with those migrating as part of a strategy and transforming their architectures, rather than lifting and shifting, gaining the most benefits.
Customers move to the Cloud for a variety of reasons:
- Exit a data center or managed hosting service
- Mergers, acquisitions, or divestiture
- Reduce CapEx / Move costs to OpEx
- End of Support for important technologies / re-platform
- Regulatory compliance
- Data Sovereignty requirements
- Reduce disruption / improve stability
- Meet or report environmental obligations
Migration or Transformation
- Real or perceived cost savings
- Supplier reduction/complexity reduction
- Optimise internal operations
- Increased agility in launching or extending services
- New technical or business capabilities
- Scaling for market or geographic demands
- Integration of complex IT portfolio
- Improve customer or colleague experience
- Product or service transformation
- Market disruption
- Self-service tools/process automation
What challenges do customers face?
When customers move workloads to the cloud, there are additional security elements such as host-based firewalls, virtual private networks, internet gateways, as well as cloud-native items such as S3 buckets, which customers find themselves responsible for.
Bandwidth costs may be levied if, for instance, the traffic leaves a cloud venue and goes back on-premises. The opposite direction is usually encouraged, but providers will charge for private links and for egress costs out to the internet.
Costs for running workloads can be tough to manage, and additional charges exist to create ephemeral build servers to drive CI/CD pipelines; therefore, some customers will opt to patch virtual desktop or server workloads.
Costs for virtual desktops can be higher from an OpEx perspective but avoid the initial investment (CapEx) in traditional VDI infrastructure, and DaaS virtual desktops have allowed organizations to pivot quickly to hybrid or remote working, especially during the COVID pandemic.
Qualys Gateway Service is now available on AWS, Azure, and Google Cloud
Qualys Gateway Service (QGS) is an extensible container platform that is mainly used for proxy and caching services, allowing you to simplify your connection to the Qualys platform and stage manifests, cloud agent binaries, config files, and patches.
Other Qualys sensors, including Scanner and Network Passive Sensor, can also backhaul their traffic to the Qualys platform, via QGS.
Customers can now conveniently search for and find QGS within the AWS, Azure, and Google Cloud marketplaces and leverage its capabilities for their specific requirements.
QGS architecture provides great value to customers through multiple attributes:
QGS features 2 proxy servers behind a Load balancer. This allows a larger number of connections to be serviced, and for patch delivery throughput to be increased.
QGS can be connected to the Cloud Platform and thousands of agents and other sensors can be connected to QGS, drastically simplifying firewall rules and firewall lifecycle management.
QGS runs on a container Linux platform, with segregation between containers, so that they can be co-hosted while remaining isolated.
Registration and management
QGS management is controlled through the CAMS module and its user interface. This also controls the operating system and container updates.
QGS logs are visible on the platform before being backhauled to the platform.
QGS updates and improvements are delivered on a regular basis, without any admin intervention being required.
Older operating systems are assisted in meeting minimum encryption standards using SSL Bump to ensure that their data can still be backhauled to the Qualys platform.
QGS saves on bandwidth
Your cloud service provider will likely include internet download charges in your monthly bill. QGS saves you money, allowing those updates to manifests, config files, and cloud agent binaries, to be cached locally, saving bandwidth, and avoiding excess charges.
| Object | Before: Direct Connection (10,000 agents) | After: QGS caching (10,000 agents) |
|---|---|---|
| Manifest (3-5MB) | 50GB | |
| Config File (< 10KB) | 100MB | |
3-4x per year
3-4x per year
QGS drives efficiency with Patch Management
In order to ensure that Cloud Agents can retrieve patches and other files quickly, QGS acts as a cache for content retrieved by the Cloud Agent, which can be held locally.
Qualys Patch Management leverages the Qualys Cloud Platform and Cloud Agents to help IT and security teams quickly and efficiently remediate vulnerabilities and patch systems.
- New intelligent automation allows prioritization of vulnerabilities based on threat indicators such as ransomware, matching of prioritized vulnerabilities with known patches, and a zero-touch “set and forget” feature to proactively patch devices and applications per predefined policies – leading to increased productivity.
- An organization can create a policy to keep Adobe Reader or Google Chrome software always patched on corporate laptops.
- QGS can pre-fetch patches in some cases, meaning that even the first agent to patch will find the new update locally on QGS.
|Patch Type||Before: Direct Connection (10,000 agents)||After: QGS caching (10,000 agents)|
|Microsoft Office Update (monthly enterprise channel) e.g. Apr2023-May2023||1.16 TB |
deploy over 1-2 days
|Adobe Acrobat Reader||908 GB|
deploy over 1 day
deploy over 1 day
QGS will pre-fetch daily
- QGS can integrate with the Patch Management ‘Install Software’ feature to ensure that even large ISO files used for Operating System upgrades can be cached.
QGS supports Cloud Patch Management
- While the majority of Cloud Servers will be ephemeral and rebuilt rather than patched:
- Not all organizations have CI/CD pipelines for all Cloud or DevOps teams.
- Some servers were built manually
- Some organizations have used Managed Virtual Desktop solutions to deliver persistent VDI, and these may be patched in place, on a regular basis
- QGS delivers features and benefits in the Cloud for different types of servers:
- Ephemeral servers are rebuilt in an automated fashion, utilizing Qualys CI/CD plug-ins to avoid the promotion of insecure images to Production.
- Non-ephemeral servers can be patched, in-place, to improve security.
- Both types can benefit from simplified firewall lifecycle management with a single point of egress for HTTPS traffic, via the QGS
- QGS is also able to backhaul Scanner and Passive Sensor traffic
The application of patches for compliance is automated to help security teams align with regulatory and internal security policies.
- By identifying the riskiest products in the environment, organizations can focus automation efforts on those that introduce the most vulnerabilities.
- In addition, the quick application of low operational risk patches also reduces the overall time to remediation, improving vulnerability SLAs. This is further accelerated by caching the patches on the QGS, which also reduces bandwidth because the patch does not need to be obtained from a vendor patch repository.
Deploy QGS in Cloud
Amazon Web Services
Please follow AWS to understand how to deploy QGS in AWS.
For a full setup procedure, refer to our QGS AWS Deployment Guide.
Please follow Azure to understand how to deploy QGS in Azure.
For a full setup procedure, refer to our QGS Azure Deployment Guide.
Google Cloud Platform
Please follow GCP to understand how to deploy QGS in the Google Cloud Platform.
For a full setup procedure, refer to our QGS GCP Deployment Guide.
In summary, Qualys offers a comprehensive Gateway Service solution that provides proxying, backhaul, and caching services for Cloud Agent, Scanner, and Passive Sensors, and is now available within AWS, Azure, and Google Cloud. This solution can be accessed through a single interface, affording easy configuration.
To learn more on how Qualys Gateway Service for public clouds can help with security and compliance in your organization:
- Contact your Qualys Technical Account Manager
- Start a Qualys Trial at no extra cost