QSC17: Qualys Battles the Silos, Helps Protect Digital Transformation Efforts
Last updated on: October 27, 2022
Digital transformation initiatives, if properly implemented, must go way beyond deploying the latest shiny IT systems. Instead, they must aim to fundamentally disrupt and reinvent business processes throughout the entire organization.
That was the message Qualys Chief Product Officer Sumedh Thakar delivered on Wednesday during his morning keynote “Our Journey into the Cloud: The Qualys Cloud Platform & Architecture.”
“Digital transformation is more than just adopting new technology,” Thakar said, citing Uber’s upending of the taxi industry by inventing a new approach to car transportation services enabled by a mobile app.
Digital Transformation Must Be Secure
But as businesses deliver more services using digital technologies, and at increasingly faster speeds, they must strive to protect the integrity of their IT environments and of the confidential customer and corporate data they store.
If customers can’t trust a company’s ability to protect itself against hackers, the damage to that business will be profound, even if it has achieved high levels of technology innovation.
“Security can’t be an afterthought,” Thakar said. “It has to be something that’s fundamentally thought through.”
For example, as organizations shift workloads to public cloud providers’ infrastructure- and platform-as-a-service platforms, they must still ensure that their code is secure and properly configured.
This means that organizations need visibility into their public cloud assets, and the ability to scan them for vulnerabilities, and for policy compliance violations.
“Security has to be integral to this new architecture. It has to be built in,” Thakar said.
Inserting Sec into DevOps
A key component for building security into digital transformation efforts is to insert Infosec processes, people and tools into the DevOps software development and delivery pipeline.
The reason: the mobile apps, web apps and web services coming out of DevOps teams tend to be the vehicles for new digital transformation initiatives. In other words, developers are at the center of these projects.
Thus, the role for security is to facilitate the availability and use of automated security tools for developers, so that code can be scanned for vulnerabilities, misconfigurations and other security issues early and often in the software lifecycle.
That will make code cleaner, and more secure, and give the security team a new role: Helping and supporting developers collaboratively and throughout the software lifecycle, sharing the joint goal of delivering secure apps quickly.
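A concrete way to apply the "early and often" principle above (and the cloud misconfiguration scanning mentioned earlier) is a stage-aware security gate: scanner findings are evaluated at every pipeline stage, but the severity threshold that blocks a build tightens as code moves toward release. The example below is added here and is not Qualys code or code from the keynote; the JSON report format, the finding identifiers and the stage policy are constructed for illustration.

```python
"""Stage-aware security gate for a DevSecOps pipeline (constructed example).

Reads a scanner report (vulnerabilities and misconfigurations), applies a
per-stage policy and reports whether the stage passes. Early stages surface
findings without blocking; release blocks anything the policy treats as
unacceptable in production.
"""
from __future__ import annotations

import json
from dataclasses import dataclass

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Minimum severity that blocks, per pipeline stage and finding kind.
# Constructed policy: commit only stops on criticals so developers get
# feedback without stalling; release also stops on medium misconfigurations.
STAGE_POLICY = {
    "commit": {"vulnerability": "critical", "misconfiguration": "critical"},
    "build": {"vulnerability": "high", "misconfiguration": "high"},
    "release": {"vulnerability": "high", "misconfiguration": "medium"},
}


@dataclass(frozen=True)
class Finding:
    kind: str       # "vulnerability" or "misconfiguration"
    id: str         # scanner identifier (constructed values in SAMPLE_REPORT)
    severity: str   # one of SEVERITY_RANK
    asset: str      # what the finding applies to


# Constructed scanner output; the identifiers are placeholders, not real IDs.
SAMPLE_REPORT = json.dumps({
    "findings": [
        {"kind": "vulnerability", "id": "VULN-0001", "severity": "high",
         "asset": "api-service:1.4 (outdated TLS library)"},
        {"kind": "vulnerability", "id": "VULN-0002", "severity": "medium",
         "asset": "web-frontend:2.0 (verbose error pages)"},
        {"kind": "misconfiguration", "id": "CFG-0001", "severity": "medium",
         "asset": "storage bucket: public read enabled"},
        {"kind": "misconfiguration", "id": "CFG-0002", "severity": "high",
         "asset": "security group: admin port open to the internet"},
    ]
})


def load_findings(report_json: str) -> list[Finding]:
    """Parse a report and reject records the policy cannot evaluate."""
    findings = []
    for rec in json.loads(report_json)["findings"]:
        if rec["kind"] not in STAGE_POLICY["release"]:
            raise ValueError(f"unknown finding kind: {rec['kind']}")
        if rec["severity"] not in SEVERITY_RANK:
            raise ValueError(f"unknown severity: {rec['severity']}")
        findings.append(Finding(rec["kind"], rec["id"], rec["severity"], rec["asset"]))
    return findings


def blocking_findings(findings: list[Finding], stage: str) -> list[Finding]:
    """Return the findings at or above the stage's blocking threshold."""
    if stage not in STAGE_POLICY:
        raise ValueError(f"unknown pipeline stage: {stage}")
    policy = STAGE_POLICY[stage]
    return [
        f for f in findings
        if SEVERITY_RANK[f.severity] >= SEVERITY_RANK[policy[f.kind]]
    ]


def evaluate_gate(report_json: str, stage: str) -> dict:
    """Evaluate one pipeline stage; 'passed' is False if anything blocks."""
    findings = load_findings(report_json)
    blocked = blocking_findings(findings, stage)
    return {
        "stage": stage,
        "total": len(findings),
        "blocking": [f.id for f in blocked],
        "passed": not blocked,
    }


if __name__ == "__main__":
    for stage in STAGE_POLICY:
        result = evaluate_gate(SAMPLE_REPORT, stage)
        verdict = "PASS" if result["passed"] else "BLOCK"
        print(f"{stage:8s} {verdict}  blocking={result['blocking']}")
```

With the constructed report, the commit stage passes (no criticals), the build stage blocks on the high-severity vulnerability and the high-severity misconfiguration, and the release stage additionally blocks on the medium-severity public bucket. The point of the design is that the same findings are visible to developers at every stage; only the consequence changes as the code nears production.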
Too often, security and operations teams focus myopically on configuring, managing and running security tools, while losing sight of desired business outcomes, according to Thakar.
If security teams embrace this opportunity, DevOps is transformed into DevSecOps – an enhanced model in which security is embedded and involved with developers and IT ops staff at every step of an application’s lifecycle.
Fight the Silos
Thakar warned against the common siloed structure of many enterprise security teams, where multiple groups tasked with protecting different areas – on-premises infrastructure, cloud workloads, endpoints, web apps, DevOps pipeline and policy compliance – operate independently and with little communication and collaboration.
The result: an InfoSec team that uses a plethora of heterogeneous tools that don’t interoperate well and are difficult and costly to maintain and integrate. This makes it impossible for CISOs to get a single, unified view of the organization’s security and compliance posture. Naturally, this fragmented, obstructed visibility heightens the risk of successful attacks against the organization.
The Qualys Cloud Platform
The Qualys Cloud Platform and its growing number of integrated security and compliance apps can help organizations escape this tool fragmentation nightmare and regain unimpeded visibility across their IT environment, even if it’s hybrid with assets on premises, in clouds and at endpoints.
This starts with the platform’s various types of agent, agent-less and passive sensors, including physical, virtual and cloud scanners; the groundbreaking Qualys Cloud Agent; and an upcoming passive network traffic analyzer. All sensors are highly scalable, self-updating and centrally managed.
Thakar highlighted in particular the Cloud Agent for its versatility in collecting a wide variety of security and compliance data from endpoints, while consuming negligible device and network resources.
Qualys sees the Cloud Agent use cases expanding soon to include IoT device security and compliance. As of mid-2017, 3.4 million Qualys Cloud Agents had been deployed by customers. Thakar also drew attention to the upcoming passive network analyzer, based on assets Qualys recently acquired from Nevis Networks.
On the backend, the platform has robust, centralized capabilities for reporting, data analysis, elastic search indexing and asset tagging, among other functionality.
Meanwhile, the growing number of integrated apps provides an impressive slate of capabilities, including IT asset inventory, vulnerability management, threat prioritization, continuous monitoring, indication of compromise, file integrity monitoring, policy and PCI compliance, vendor risk management and web application scanning and firewall.
New apps in the works will offer public cloud asset inventory and security assessment, certificate management and assessment, container security, and IT asset management.
To illustrate the benefits of the Qualys Cloud Platform in real-world scenarios, Thakar conducted several demos in which he showed how a combination of Qualys apps and platform services can help organizations deal with:
- Prevention, detection and response for Petya
- Prevention, detection and response for public cloud environments
- GDPR compliance
“We’re trying to take a unified approach to discovery, detection, prevention and response, so you can get access to the information that you need quickly,” Thakar said.
“…an enhanced model in which security is embedded and involved with developers and IT ops staff at every step of an application’s lifecycle.”
I couldn’t agree more. I wrote a paper on IoT Security a few years ago about building security from the ground up and stated “Security must be baked in like eggs in a cake, and not smeared on later as icing.”