Basically, he’s working to make security a part of the fabric of the IT infrastructure on which companies run their businesses. And to make things easier on people using the systems, the security should be painless and out of sight, and just do its work in the background.
“The challenge is to bring security into this new infrastructure and make it invisible,” he said in his keynote at the Qualys Security Conference 2013 today. Security should not be a burden for anyone; otherwise, it’s a failure.
Qualys’ aim is to “build continuous security into the fabric of the cloud. In the mainframe world, it took 10-15 years to build security into their infrastructure,” he said. “In the cloud security world we had to do everything again, and the challenge is to bring security into that infrastructure.”
About five years ago, Qualys adopted a philosophy from an unlikely source — Goldman Sachs. The financial services firm had a security model in which it used different enterprise security tools to ensure the security of the entire infrastructure and treated vulnerabilities as a part of compliance. It might seem counter-intuitive, but that approach is more dynamic and effective, Courtot said. If a device is misconfigured, in violation of an internal policy or external regulations, it can be addressed more quickly than dealing with disparate enterprise software solutions that have different update cycles, for example.
“At the core, you define your assets, then provide them attributes, fingerprint them…” he said. “Now you can have two different views, from compliance and security. You want to have the ability to report, to look at trending, have alerts and integrate with another solution, and deliver all of it on a global scale. That’s what Qualys is all about. It’s our fundamental belief that this is the right model — to build security into the fabric of the cloud.”
Courtot also teased some new features that are coming up from Qualys. The company already is using its cloud protection architecture to bring security to a range of platforms, such as Amazon Web Services, Azure and vCloud, and it is increasing scalability, working to expand the capabilities of protecting against network threats, focusing on Web application security and expanding the notion of continuous monitoring of the perimeter.