Think back for a moment, remember when cloud first happened?

Keep your company’s data and applications (and all manner of digital services) off-site, away from the organisation’s home premises and in some Cloud Services Provider (CSP) datacentre, located at goodness knows where right?

The very notion (around the turn of the millennium) was risible to some and preposterous to many others.

But times have changed and we’re now somewhere approaching a quarter century later, so we can now say that the shift of business applications and on-premises infrastructure to the cloud has resulted in operations teams needing to manage an organisation’s cyber security risks across workloads, cloud services, resources, users and applications. 

Speaking in Las Vegas in line with Qualys QSC North America 2022, Parag Bajaria, vice president for cloud and container security solutions at Qualys has explained how operations and security teams today must deal with a set of siloed point solutions. 

The silo scenario and predicament, at best, enables cloud management engineers to provide a fragmented view of an organisation’s risk factors with no context and no remediation – at worst, it provides even less.

All of this, clearly, leaves cloud applications vulnerable to attacks and increasing security costs & complexities.

A unified cloud-native approach

In the search for what we could reasonably call a more unified cloud-native approach, Qualys used its QSC (Qualys Security Conference) Las Vegas 2022 event this November to detail Qualys TotalCloud with FlexScan (see note below), a technology that helps customers to extend Qualys VMDR with augmented flexible agent-based and agent-less cloud-native assessments. 

NOTE: To explain and clarify, VMDR stands for vulnerability management detection & response – and FlexScan is meant to explain an approach to network security that goes beyond so-called ‘snapshot scanning’ of paused digital workloads to also include agent-based scanning, where a software agent (a small but functional piece of software with a specific job) on the host [device or cloud instance] or workload to scan for vulnerabilities, misconfiguration and security issues. 

There is also API-based scanning, network scanning, other agentless techniques and more, but this is not a scanning story alone.

This is a tale of Qualys bringing Cloud Posture Management (CPM) and cloud workload security into a unified view so that organisations can get a single risk-based metric of where they stand. Let’s not forget, cloud security is not just down to vulnerabilities in the malware sense of security, cloud security is not just down to misconfigurations that may exist inside systems intended to be safely built and deployed. Qualys says that Qualys TotalCloud has been created to find both.

Automated remediation

Key product service features in addition to the above-mentioned capabilities include routes to reduce risk, by automating the remediation of an organisation’s highest-risk assets. It provides proactive security by checking for security issues before deployment.

“Qualys has been scanning workloads for vulnerabilities for 20+ years for both on-premises and [public] cloud assets,” stated Qualys’s Bajaria, while noting that the firm is currently performing 30+ million assessments for workloads in public clouds at the time of writing.

“Qualys FlexScan is the new zero-touch, cloud-native way of performing agent and agentless security assessments. Zero-touch means there is no need for complex configurations like IP ranges, regions, connectors etc. – nor is there a need to set a schedule to enable scanning. FlexScan automatically uses the cloud APIs and the metadata to determine the appropriate configuration parameters and starts scanning as soon it discovers a new workload,” explained Bajaria.

In working practice post-deployment, a user checks an onscreen box to indicate which FlexScan method they want to use.  Qualys states that it has 6-sigma (99.99966%) accuracy scanning capabilities in VMDR, a hefty figure that the company promises gives FlexScan the ability to reduce false positives.

Four cloud-native scanning options

As we get used to the new world of cloud-native application development, cloud-native data workloads and cloud-native pipelines and lifecycles at all levels, it is (arguably) useful for us to also understand four cloud-native scanning options available through Qualys FlexScan.

In an API-based scan, cloud hyperscaler (CSP)-provided APIs are used to collect Operating System (OS) package inventory information from workloads. That information is then subjected to vulnerability analysis. Although effective to a degree (especially for short-lived workloads), API-based vulnerability scans are said to miss some open source vulnerabilities.

The aforementioned technique of snapshot scanning through Qualys FlexScan captures images of workloads – and let’s be specific about what that means – which are captures taken from a cloud services provider’s (CSP) runtime block storage. Expensive (due to the cost of storage access costs), the snapshot method is best used to assess suspended workloads (as in a stopped, paused or terminated cloud instance), or for third-party images deployed in the cloud where an agent cannot be installed.

“In an agent-based scan, FlexScan uses the agent embedded in the workload to collect operating system, installed software and other workload-specific metadata information for vulnerability analysis,” clarified Bajaria. “If FlexScan does not detect the Qualys Cloud Agent on a newly created workload, it automatically installs the agent. Since agents can collect much more meta-data and workload environment data than other scan methods, this method provides the most comprehensive vulnerability coverage.”

The costs of agent-based are described by Bajaria and team as ‘negligible’, largely because the agent is embedded in the workload and uses minimal resources.

Another significant benefit of the agent-based approach is that it can perform double duty, like immediate remediation actions such as patching vulnerabilities and fixing workload misconfigurations to protect against exploits. Finally, in our foursome, a network-based scan sees FlexScan use network scanner appliances to assess workloads over the network. When a new workload is created, FlexScan will automatically instantiate the network scanner in the appropriate network to conduct the scan of the workload. 

There is no single best method for scanning workloads. With each option, you will have to tradeoff cost, coverage, and ease of deployment. Typically, organisations will find that a coalesced combination of methods is the most prudent approach.

TotalCloud dashboard

The TotalCloud dashboard amalgamates all the critical data harvested from the Qualys platform and presents it in a single place. With the TotalCloud dashboard, a business can visualise its cloud security posture and gain insights into cloud infrastructure and workload exposures.

“Qualys TotalCloud allows security teams to move away from the siloed, disconnected approach of cloud-native security, requiring significant manual data collection and analysis to gain insights, only slowing response time and increasing risk. Instead, Qualys TotalCloud provides a single integrated platform, not defined by industry categories but by the real-world scenarios security teams face in securing their infrastructure and cloud-native workloads,” concluded Bajaria.

The company says that the TotalCloud solution offers out-of-box one-click remediation for vulnerabilities and misconfigurations. If these out-of-box remediations don’t meet a team’s needs, then engineers can build their own using Qualys Flow (QFlow), a low-code/no-code drag-and-drop product to build cloud-native end-to-end workflows.

Did Qualys really just say low-code/no-code drag-and-drop cloud-native end-to-end workflows? Yes, this is the overly-hyphened occasionally slash/stroke based structure of modern cloud-native environments if we are to work with their complexity in appropriately secured and compliant formats.

On the pitch, does TotalCloud score as well as Totaalvoetbal? Well, Cruyff only knows, right?