This new release of the Qualys Cloud Platform (VM, PC), version 8.21.2, includes Virtual Scanner Appliance support for Alibaba Cloud Compute, scheduling of EC2 scans with no scannable EC2 assets in Asset Tags in Qualys Vulnerability Management, expanded support for instance discovery and auto record creation in Qualys Policy Compliance, compliance support for Oracle 19c, and more.
The upcoming release of the Qualys Cloud Platform (VM, PC), version 8.21.2, includes several new features in Qualys Cloud Platform and support for multiple technologies in Qualys Policy Compliance. The 8.21.2 release is scheduled to go live on 16th Sept, 2019.
See full 8.21.2 new features blog post for additional details on this release.
Are you a FedRamp-certified organization looking to more effectively maintain your FedRAMP status? There are tools available to help simplify the process and while the process involves some terminology, it is easily understood as outlined below. Additionally, it is supported by pre-built dashboards in the Qualys Cloud Platform that help organizations meet SLAs for required remediations.
This new release of the Qualys Cloud Platform (VM, PC), version 8.20.1, includes support for new technologies and platforms, addition of new technology for Windows UDCs as well as an update in an existing option name (“Scan agent hosts in my target”) in the Launch Vulnerability Scan page.
Qualys is extending the Cloud Agent capabilities for users of the Policy Compliance (PC) application by letting them define controls.
Until now, the Cloud Agent could only assess Qualys PC’s “out of the box” controls. By adding support for user defined controls (UDC), Qualys PC users now can use Cloud Agents to evaluate those types of controls. UDCs allows users to create their own controls dynamically, as needed, without having to submit control requests to Qualys development.
Discussions about the EU’s General Data Protection Regulation (GDPR) reached a crescendo on May 25, the compliance deadline, but many companies continue seeking guidance.
The reason: A majority of companies missed the deadline, according to estimates from various sources, including Gartner, Crowd Research, IDC, Spiceworks, TrustArc, and Ponemon Institute, so it’s very likely that millions are still working on GDPR compliance.
Although GDPR has been in effect for months, “it’s clear that many organizations lack such a strategy or the tools needed to effectively protect sensitive data and maintain privacy and protection,” Gartner analyst Deborah Kish said in August.
To help companies still in the process of meeting the regulation’s requirements, the IT GRC Forum recently held a webcast titled “GDPR 101: Monitoring & Maintaining Compliance After the Deadline.” The webcast’s panelists included Qualys expert Tim White, who spoke about the importance of managing vendor risk and leveraging a control framework.
White explained that IT security is a small yet key subset of GDPR. “The need to protect the privacy of the information, to prevent accidental or intentional disclosure, is a critical sub-component,” he said.
It’s also important to know that GDPR offers vague, general requirements for IT security, unlike other industry mandates and regulations that are very specific and prescriptive in this regard, said White, Qualys’ Director of Product Management for Policy Compliance.
“In GDPR, you’ve got to implement a good security program and apply the appropriate technical compensating and procedural controls to do due diligence to protect the information privacy,” he said.
The best way to achieve this is by leveraging a technical control framework, like the Center for Internet Security’s (CIS) Critical Security Controls or the National Institute for Standards and Technology’s (NIST) 800-53 controls.
“It’s really important to make sure you have comprehensive coverage of all aspects of IT security, including vulnerability management, configuration management and patching, as well as all appropriate detection and preventative controls at the network layers,” White said.
In prior installments of this GDPR compliance blog series, we’ve discussed the importance of key security practices such as IT asset inventory and vulnerability management. Today, we’ll focus on another core component for GDPR: policy compliance.
As we’ve stated before, to comply with the EU’s General Data Protection Regulation (GDPR), organizations must show they’re doing all they can to protect their EU customers’ personal data. Thus, InfoSec teams must provide a rock-solid security foundation that gives organizations superior data breach prevention and detection.
With a strong IT policy compliance program, organizations can deploy and manage their IT environment according to applicable government regulations, industry standards and internal requirements.
For organizations, it’s critical to establish a lifecycle for managing assets and controls to protect the data they contain. One must continuously: identify IT assets and scope, define control objectives, automate control assessment, prioritize fixes, and ultimately remediate the security configuration problems.
To be effective, this entire process must be trackable by auditors and must maintain the proper reports and dashboards necessary to drive continuous improvement. Organizations must have this knowledge not only to properly protect their EU customers’ personal data — the regulation’s core goal — but also to comply with other GDPR requirements.
After gaining complete visibility into their IT assets, organizations can create data maps and decide which technical controls it needs to secure EU residents’ personal data in a way that meets GDPR’s considerable expectations and strict requirements.
To properly and effectively protect DevOps pipelines, organizations can’t blindly apply conventional security processes they’ve used for traditional network perimeters. Since DevOps’ value is the speed and frequency with which code is created, updated and deployed, security must be re-thought so that it’s not a last step that slows down this process.
Hampering the agility of DevOps teams has terrible consequences. These teams produce the code that digitally transforms business tasks and makes them more innovative and efficient. Thus, it’s imperative for security to be built into — not bolted onto — the entire DevOps lifecycle, from planning, coding, testing, release and packaging, to deploying, operating and monitoring.
If security teams take existing processes and tools, and try to jam them into the DevOps pipeline, they’ll break the automation, agility and flexibility that DevOps brings.
“This doesn’t work,” Qualys Vice President of Product Management Chris Carlson said during a recent webcast, in which he explained how security teams can seamlessly integrate security into DevOps using Qualys products.