Cloud is complex, continually. The structure of modern cloud networks is developing in a multi-tiered way where every complex connection and intelligent intersection also has an equal (and often opposite) reaction in terms of delivering vulnerability and risk.
Cloud risk comes in many forms, but we can distil the streams into two core channels – external and internal.
There are those risks created by vulnerabilities that expose a cloud system or network to external malicious actors and threats. There are also internal cloud risks created by misconfigured services, where cloud engineering teams (software developers, system architects, supporting operations staff and others) have built joins to components, Application Programming Interfaces (APIs) and various digital data services which fail to connect fully, safely and securely.
Even more straightforwardly, cloud risks are potentially created every time some server-side back-office user changes a setting.
As a provider of what it calls disruptive cloud-based IT security and compliance solutions, Qualys aims to cover both types of cloud system vulnerability with its many-tools approach.
“Cyber risk is becoming part of the business risk equation. Even the most advanced organizations can’t patch all the threats they uncover, which increasingly includes poorly misconfigured services,” said Michelle Abraham, research director at IDC. “Organizations must prioritize efforts that result in the maximum reduction of risk. Qualys’ approach to cyber risk management considers multiple factors like vulnerabilities and misconfigured systems, so organizations can focus on fixes that reduce their overall risk.”
A broad vulnerability landscape
Qualys president and CEO Sumedh Thakar has some wide-ranging views on how we should de-risk and secure the cloud landscape going forwards.
He says that vulnerability management is a very broad area and suggests that the conventional way this practice is used in industry is all about software vulnerabilities, where bugs exist that could open up channels for hackers to exploit a system. This is the traditional view, but Thakar urges us to think further than this.
“A vulnerability could also be a misconfiguration of a software system so that (let’s say) you’ve left your C: drive open for anybody to be able to read and write from it. If you look at security in the widest sense, it’s all about mitigating risk and also concurrently performing threat monitoring. You can wash your hands, or you can take antibiotics after you’ve been infected – but really you should be doing everything possible to ensure that you strengthen your vulnerability management to the highest level [whether we’re talking in human or business terms] today,” said Thakar.
All of which is comforting, but why is all this system misconfiguration and application discord happening in the first place? Wasn’t the drive to cloud-native supposed to be a chance to build new information systems running on a post-millennial foundation of hyperscaler Cloud Services Provider (CSP) efficiency with all the acceleration of Artificial Intelligence (AI) enabled through conscientiously executed Machine Learning (ML)?
“Cloud system misconfiguration is happening quite directly as a consequence of the speed at which we are building and harnessing cloud computing at a higher level – commercial and public organizations are grasping the flexible advantages of cloud at a speed that outpaces their approach to securing the services they themselves are adopting,” explained Thakar.
Day #1 immediate vulnerability
He clarifies further, saying that cloud computing is just one element of overall technology system risk. Take an airline ticketing system, for example: there will certainly be elements of cloud services involved, but there will also be on-premises mainframe systems underpinning the functions that surface at the user level.
De-risking these systems means using a variety of cloud security tools, and it requires us to understand that when a new secure system is brought online (let’s say using an approved Infrastructure-as-Code template), the moment someone changes a setting, the vulnerability landscape broadens. Given the technology industry’s proclivity for relabelling cost center expenditure burdens, are we now going to be told that cloud security investments are a business enabler for competitive advantage?
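The point above, that a system deployed from an approved Infrastructure-as-Code template starts drifting the moment someone changes a setting by hand, is the kind of thing a configuration drift check catches. The following is an added example, not code from the article or from Qualys: it compares a live inventory snapshot of two resources against the settings their IaC template declared, and grades each drifted setting. The resource names, both configuration snapshots and the severity rules are constructed for illustration.

```python
"""Configuration drift check: compare a live cloud resource configuration against
the approved Infrastructure-as-Code baseline it was deployed from.
Added example; resource names, settings and severity rules are constructed."""
from typing import Any

# Constructed sample: what an approved IaC template declared for one storage
# bucket and one firewall (security group) rule set.
BASELINE = {
    "bucket:app-logs": {"public_read": False, "encryption": "aws:kms", "versioning": True},
    "sg:app-web": {"ingress": [{"port": 443, "cidr": "10.0.0.0/8"}]},
}

# Constructed sample: what a later inventory scan reports after someone edited
# settings by hand in the console.
LIVE = {
    "bucket:app-logs": {"public_read": True, "encryption": "aws:kms", "versioning": True},
    "sg:app-web": {"ingress": [{"port": 443, "cidr": "10.0.0.0/8"},
                               {"port": 22, "cidr": "0.0.0.0/0"}]},
    "bucket:scratch": {"public_read": False, "encryption": None, "versioning": False},
}


def diff_resource(base: dict, live: dict) -> list[tuple[str, Any, Any]]:
    """Return (setting, baseline_value, live_value) for every differing setting.
    List-valued settings are compared as sets, so reordering alone is not drift."""
    changes = []
    for key in sorted(set(base) | set(live)):
        bv, lv = base.get(key), live.get(key)
        if isinstance(bv, list) and isinstance(lv, list):
            b_set = {tuple(sorted(x.items())) for x in bv}
            l_set = {tuple(sorted(x.items())) for x in lv}
            if b_set != l_set:
                changes.append((key, bv, lv))
        elif bv != lv:
            changes.append((key, bv, lv))
    return changes


def severity(setting: str, base_val: Any, live_val: Any) -> str:
    """Classify a drifted setting. The rules are illustrative, not any vendor's."""
    if setting == "public_read" and live_val is True:
        return "high"
    if setting == "encryption" and live_val in (None, "", False):
        return "high"
    if setting == "ingress":
        base_cidrs = {r["cidr"] for r in base_val}
        # An ingress rule open to the whole internet that the template never declared
        if any(r["cidr"] == "0.0.0.0/0" and r["cidr"] not in base_cidrs for r in live_val):
            return "high"
        return "medium"
    return "low"


def detect_drift(baseline: dict, live: dict) -> list[dict]:
    """Report every resource whose live settings differ from the baseline, plus
    resources that exist live but were never declared in any template."""
    findings = []
    for rid, live_cfg in live.items():
        if rid not in baseline:
            findings.append({"resource": rid, "setting": "*", "severity": "medium",
                             "detail": "resource not declared in IaC baseline"})
            continue
        for setting, bv, lv in diff_resource(baseline[rid], live_cfg):
            findings.append({"resource": rid, "setting": setting,
                             "severity": severity(setting, bv, lv),
                             "detail": f"{bv!r} -> {lv!r}"})
    return findings


if __name__ == "__main__":
    for f in detect_drift(BASELINE, LIVE):
        print(f"[{f['severity']:6}] {f['resource']}.{f['setting']}: {f['detail']}")
```

Run against the constructed snapshots it reports the bucket made world-readable and the SSH rule opened to 0.0.0.0/0 as high, and the undeclared scratch bucket as medium; a resource that still matches its template produces nothing. In practice the baseline would be rendered from the template's plan output and the live side from the provider's inventory API, but the comparison logic is the same.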
“Look, it’s part of any organization’s responsibility to move towards a positive cyber posture,” insists an upbeat Thakar. “I tell chief information security officers (CISOs) all the time to highlight investments in security as an enabler of the business when speaking to the board. This allows for CISOs to escape being on the defensive and CEOs and sales directors to then echo that same message when talking to customers about their IT stack’s robustness.”
From Thakar’s calmly considered perspective, it might sound like a tough way to start a business conversation, but in a world of ransomware and now even destructware (attacks designed to render companies, public bodies and utilities inoperable, cheaper than arming soldiers and sometimes faster, and sometimes also called destructionware), with the additional global factors of infection, invasion and inflation to consider, it is perhaps not such a hurdle to overcome after all.
In this world of continually complex cloud then, what has Qualys done with its own platform and product set to address some (if not all) of the factors discussed here so far? The company’s most recent platform enhancements see it announce a comprehensive service known as TotalCloud with FlexScan. This is cloud-native vulnerability management, detection & response (VMDR) capable of working at what is known as six sigma (6σ) levels of accuracy (i.e. 99.99966%), with tools that make use of both software agent and agentless system scanning.
Zero-touch end-to-end control
The company details TotalCloud’s capabilities as broad enough to automate inventory, assessment, prioritization and risk remediation. All of this can be performed by using a drag-and-drop workflow engine for continuously operating zero-touch security that runs from software application development coding, right through into working ‘production’ cloud applications.
The aforementioned FlexScan element of Qualys TotalCloud represents a cloud-native assessment product to provide a means of combining multiple cloud scanning options to get a more accurate security assessment of any given cloud environment.
In terms of operation, Qualys’ TotalCloud FlexScan can perform API-based scanning; virtual appliance-based scanning, to assess unknown workloads over the network for open ports; snapshot scanning (often used on offline or suspended clouds that are paused for one reason or another); and software agent-based scanning, where a small piece of software known as an agent is deployed inside a wider system to perform one specific job, in this case scanning.
According to a product release statement from Qualys, this is a shift-left security opportunity (i.e. one that moves security checks earlier in the development timeline) to catch cloud risk issues early.
“TotalCloud provides shift-left security integrated into developers’ existing continuous integration & continuous deployment (CI/CD) tools to continuously assess cloud workloads, containers and Infrastructure as Code artifacts. This allows for the rapid identification of security exposures and remediation steps during the development, build and pre-deployment stages while providing support for the major cloud providers including AWS, Azure and Google Cloud,” notes the company.
There’s a lot happening
We started off by saying that cloud is complex and it feels like we’ve added to that statement, reinforcing it even. The fact that Qualys has a whole arsenal of tools to offer in the risk remediation business tells a story in and of itself, i.e. cloud is complex, but cloud risk vulnerability management might be even more complex and – as CEO Thakar has openly stated – no one tool necessarily fits the job for any given cloud deployment environment.
As in many forms of combat, a combined and coalesced approach is more likely to win.
In this case, that combined approach could include some or all of the following practices, disciplines and toolkit-based approaches: endpoint detection & response, the above-noted VMDR (vulnerability management, detection & response), software patch management, cybersecurity asset management, SOAR (security orchestration, automation & response), threat intelligence feeds and external attack surface management.
That’s a lot of functions to shoulder at one time, so Qualys has developed a unified security view technology to help prioritize cloud risk. TruRisk provides a single view of cloud security insights across cloud workloads, services and resources via a dashboard console. Additionally, Qualys TruRisk quantifies security risk by workload criticality and vulnerability detections and correlates these with ransomware, malware and exploitation threat intelligence to prioritize, trace and reduce risk.
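The prioritization idea described above, scoring each detection by the criticality of the workload it sits on and by whether threat intelligence ties it to active exploitation or ransomware rather than by raw CVSS alone, can be shown with a small scoring model. This is an added example and is not Qualys’ TruRisk formula or code: the weights, the 0-100 scale, the asset names and the CVE-style identifiers are all constructed placeholders, and the only claim is that such a model ranks a medium-severity bug on a critical, actively exploited system above a critical-severity bug in a sandbox.

```python
"""Risk-based prioritization of vulnerability findings.
Added example: combine asset criticality, detection severity and threat
intelligence into one score so the highest-risk fixes surface first.
The formula and weights are constructed for illustration, not any vendor's model."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset: str
    criticality: int        # 1 (dev sandbox) .. 5 (revenue-critical), set by the asset owner
    cve: str                # constructed placeholder identifier, not a real CVE
    cvss: float             # base score 0.0 .. 10.0
    exploited_in_wild: bool  # from a threat-intel feed
    ransomware_linked: bool  # from a threat-intel feed
    patch_available: bool


# Constructed multipliers: active exploitation and ransomware use raise urgency.
EXPLOITED_WEIGHT = 1.5
RANSOMWARE_WEIGHT = 1.3


def risk_score(f: Finding) -> float:
    """Score in 0..100: criticality scaled to 0..1 times CVSS scaled to 0..1,
    multiplied by the threat-intel factors and clamped at 100."""
    base = (f.criticality / 5.0) * (f.cvss / 10.0) * 100.0
    if f.exploited_in_wild:
        base *= EXPLOITED_WEIGHT
    if f.ransomware_linked:
        base *= RANSOMWARE_WEIGHT
    return round(min(base, 100.0), 1)


def prioritize(findings: list[Finding]) -> list[Finding]:
    """Highest risk first; asset and identifier break ties deterministically."""
    return sorted(findings, key=lambda f: (-risk_score(f), f.asset, f.cve))


def remediation_plan(findings: list[Finding], top_n: int = 3):
    """Split the ranked list into what can be patched now and what needs a
    compensating control (network isolation, WAF rule, ...) until a fix exists."""
    ranked = prioritize(findings)
    patch_now = [f for f in ranked if f.patch_available][:top_n]
    mitigate = [f for f in ranked if not f.patch_available]
    return patch_now, mitigate


# Constructed sample detections (asset names and CVE identifiers are placeholders).
SAMPLE = [
    Finding("billing-db", 5, "CVE-0000-0001", 7.5, True, True, True),
    Finding("dev-sandbox", 1, "CVE-0000-0002", 9.8, False, False, True),
    Finding("web-frontend", 4, "CVE-0000-0003", 8.1, True, False, False),
    Finding("hr-portal", 3, "CVE-0000-0004", 5.3, False, False, True),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f"{risk_score(f):5.1f}  {f.asset:13} {f.cve}  cvss={f.cvss}")
    patch_now, mitigate = remediation_plan(SAMPLE)
    print("patch now:", [f.asset for f in patch_now])
    print("mitigate :", [f.asset for f in mitigate])
```

On the sample data the sandbox host carries the highest CVSS (9.8) yet ranks last, while the billing database’s 7.5 saturates the scale because it is critical, exploited in the wild and ransomware-linked; the web front end has no patch, so it lands in the mitigate list rather than the patch queue. That separation is the practical output a patch-management or SOAR step would consume.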
Is cloud computing safer now? The answer is probably yes and no isn’t it?
It’s less safe if we think about how teams will plug in externally developed – but essentially totally secured – applications into networks without thinking about the ramifications of where these apps and data services connect to. But it’s arguably safer if we take on the process and functions being offered here throughout this story.
Figuring out misconfiguration really figures now, so go figure.