Cloud computing has evolved.
Where we once discussed cloud migration, we are now increasingly talking about cloud-native development across hybrid (sometimes poly) cloud instances that are drawn from a stock of pure cloud-first DNA.
This of course throws up the reality of cloud-specific security and compliance threats, which (at the risk of massive generalization) manifest themselves in two distinct spheres: a) lack of visibility into cloud assets and b) some level of misunderstanding or misinterpretation of the Cloud Service Provider’s shared security responsibility model.
Clearly, we need to protect public cloud (and the public portion of the hybrid cloud pie) workloads in a cloud-native way.
According to Himanshu Kathpal, director of product management at Qualys, there is a way forward.
Qualys is expanding its security and compliance capabilities for OCI (Oracle Cloud Infrastructure) and extending capabilities by integrating with OCI Vulnerability Scanning Service (VSS).
“By using Qualys’ platform to defend hybrid IT environments, organizations get a unified view of their security posture and can apply the same standards and processes on-premises and in the cloud. The advantages of doing so within a single pane of glass are to reduce your total cost of ownership and to have all the data in one place. That way, when a major attack like Log4j is unleashed, organizations can quickly assess their risk by running vulnerability scans across their entire environment, quickly understand the extent of their exposure, and act from a single console instead of scrambling to assemble fragmented information from siloed tools,” said Kathpal.
Shared responsibility
As a provider of what it calls disruptive cloud-based IT security and compliance solutions, Qualys has some clear views on the shared security responsibility model. As we know, OCI operates on the shared model: Oracle protects the platform, while customers must secure their data and infrastructure on it.
Qualys helps organizations fulfil their obligations under this model for OCI IaaS (infrastructure as a service) and PaaS (platform as a service) deployments, enabling them to both prevent and respond to threats.
This is made possible by the Qualys Cloud Platform’s versatile set of sensors, including lightweight, multi-platform Cloud Agents installed on assets such as OCI virtual machines, and virtual scanner appliances for remote scanning across your networks, hosts, and applications.
Coverage for OCI
“Qualys lets [a business execute] a complete set of security and compliance checks on OCI virtual machines, web apps, containers and other resources. On OCI VMs, Qualys provides multiple functionalities, including VMDR (Vulnerability Management Detection and Response) with TruRisk risk prioritization, Policy Compliance, CyberSecurity Asset Management, File Integrity Monitoring, Multi-Vector EDR (Endpoint Detection & Response), Custom Assessment and Remediation (CAR), and Patch Management.”
Although robust security is obviously fundamentally important… if there is one factor that rises above any solution provider’s ability to offer and deliver effective protection tools, it is the need to be able to control and view the implemented functions in an accessible single interface (spoiler alert, this is key to what Qualys does).
This functional access element – as the technology industry stands today – appears to be the most proven and effective way to understand resource associations to effectively identify threats and prioritize remediation across the sprawl of modern cloud.