SECURITY & COMPLIANCE IN THE CLOUD AGE


Table of Contents

Introduction
Security and Compliance in the Cloud Age
Challenges of Security and Compliance in the Cloud Age
The Cloud Security Platform
Providing Security and Compliance in the Cloud Age
The Qualys Cloud Platform
Why Qualys

Introduction

We have entered the age of pervasive technology. At home, in the office, or on the road, a vast portion of us are connected wherever we are, not only with people but with an array of information and technologies. It has become hard to distinguish between work time and leisure time, with the same devices used for both contexts interchangeably. This inescapable trend provides both tremendous opportunities and significant risks to organizations that embrace the always-on culture for their customers, trading partners and employees. Technology services are consumed whenever and wherever needed, and the associated data can be stored anywhere.

We believe at Qualys that organizations, at the risk of being left behind, must enter the Cloud Age, marking a major departure from the constraints of client/server and even the first generation Web applications, enabling a new connectivity-based world to foster better communications, tighter collaboration and accelerated productivity.

Security and Compliance in the Cloud Age

The Cloud Age can be described by a few attributes:

Browser-Centricity

The web browser is the common interface to the Internet, corporate systems and data stores. This opens up pervasive access to all constituencies on a variety of devices, including PCs and smartphones owned by both the organization and employees (BYOD). Yet browsers contain vulnerabilities that can lead to malware infection, despite efforts from developers to patch and address these issues, and have become the path of least resistance for attackers to capture information, steal access credentials or gain control of users' devices.

Web Applications: The New Perimeter

Easier to build and deploy, web applications now represent the main access point to enterprise networks and data, thus replacing the traditional perimeter. Organizations now must spend as much time and effort detecting, tracking and managing web applications as they do their traditional perimeter networks. The importance of these applications and the quantity and sensitivity of their underlying data have attracted attackers intent on exploiting web application weaknesses and configuration flaws to steal sensitive data or to reduce application availability.

Data Location Independence

Cloud computing enables applications to be composed of data from anywhere and everywhere, stored in a variety of internal and cloud-based data stores, requiring secure communications between these various locations. Although many cloud application providers have made significant security investments, cloud services (by definition) provide organizations with limited visibility and access to the underlying architecture, inhibiting organizations from identifying potential gaps and validating the effectiveness of their security strategies.

Globalization Is the Norm, Not the Exception

The cloud disintegrates regional and territorial boundaries. Data moves from place to place, users move transparently between locations, and systems can be administered by a variety of authorized parties, not necessarily employees of your organization. This creates jurisdictional complexities, authentication and trust requirements, and complicates compliance reporting and attestation.

Hybrid Infrastructure

No organization of scale can shut down their internal systems overnight, but they have been making significant efforts to make those resources more efficient through consolidation and virtualization. Given that IT infrastructure will remain a hybrid of traditional physical data center and cloud-based technologies for the foreseeable future, security controls must be enforced and compliance documentation produced consistently regardless of whether the technology asset is in your organization's data center or a cloud provider anywhere in the world.

The productivity, agility and economic advantages of cloud computing mean there is no stopping the drive to the Cloud, regardless of the risks and complexities. So let's dig a little deeper into the challenges the Cloud Age introduces for every IT organization.

Challenges of Security and Compliance in the Cloud Age

Security is a battle that your organization can't win, and success is usually measured by keeping organizations out of the news and your senior executives out of jail. The drive to a web-based reality and increasing adoption of new cloud-based and hybrid infrastructures further complicate the job of the typical security professional.

Securing at Cloud Scale

As described by the Cloud Security Alliance, one of the essential characteristics of the cloud is rapid elasticity, meaning the cloud can grow as quickly as your organization needs it to. In the old days, devices needed to be procured, provisioned, and installed, giving the organization time to protect the new devices. Provisioning a new cloud instance takes minutes, creating issues in both visibility (knowing what devices are actually out there at any point in time) and control (ensuring proper configurations and controls are implemented on new resources).

Prioritizing Security Activities

Ongoing funding, resource and expertise constraints make it difficult for many organizations to remain protected in the Cloud Age, thus security success depends on carefully selecting which activities get done. The Cloud Age complicates these decisions, forcing organizations to prioritize security activities across a number of internal/external service providers and staff that may not be under your control. Compounding the issue is the dynamic nature of the attackers, who could launch a new attack requiring immediate activity, rendering the best-laid plans irrelevant.

Increasing Attack Surface

With web applications emerging as the New Perimeter, organizations must embrace the reality that they have as many perimeters as they have web applications. This, combined with increased outsourcing and business partnering, results in a dramatic expansion of the attack surface. This exponential increase of targets, including databases, desktops, mobile devices, routers, servers and switches, mushrooms the number of security vulnerabilities potentially providing hackers with unauthorized access to IT systems. It's no longer sufficient to build a strong network security perimeter and neglect the security of internal networks and devices.

Leveraging Existing Security Controls

Organizations have historically deployed niche security products to address specific security issues. However, this approach often does not provide a current, accurate and global picture of an organization's security and compliance. As IT infrastructures evolve to include a mixture of on-premise, cloud and hybrid, these task-specific security products running on premise create challenges in providing a complete and accurate inventory of IT assets and configurations, thus preventing organizations from effectively protecting their infrastructures from the threats of the Cloud Age.

Reporting for Compliance

One of the unfortunate effects of security breaches is an increasingly restrictive regulatory and compliance environment. Given the global nature of most Cloud Age business, your organization likely must adhere to regulations and policies from multiple national and local authorities, which frequently overlap and change. Compliance with these various regulatory regimes requires costly and time-consuming measures and carries significant financial and reputational consequences for non-compliance. Examples of such external regulations include the Revised International Capital Framework, or Basel II, the Health Insurance Portability and Accountability Act, or HIPAA, North American Electric Reliability Corporation Standards, or NERC, Payment Card Industry Data Security Standards, or PCI DSS, and the Sarbanes-Oxley Act of 2002, or SOX. A 2011 Gartner survey estimates that it costs organizations an average of $1.7 million to become compliant with PCI DSS, and that is only one regulation.

Securing Thin Devices

The evolution of smartphone technology has brought more sophisticated and secure mobile operating systems, locked down by default, yet offering limited visibility and control to the operating system core. Yesterday's kernel-level antimalware techniques are no longer relevant. As data leakage and malware continue to plague these devices, organizations will need to consider different methods to provide sufficient security for these devices.

The Cloud Security Platform: Laying the Foundation of Security and Compliance in the Cloud Age

[Figure labels: Anywhere Access, Elastic Scalability, On Demand Flexibility, Dynamic Security Intelligence]

Today's customer premise-based solutions cannot meet the needs of security and compliance in the Cloud Age, so a new solution is required.

Cloud platform essential characteristics:

Anywhere Access
Your employees, service providers, and customers can be anywhere, thus your cloud security platform must be accessible from anywhere, at any time.

Elastic Scalability
The security and compliance function for the Cloud Age needs to be as elastic and scalable as the cloud itself. As your organization's IT infrastructure grows, the platform you use to secure it needs to grow in lock step.

On Demand Flexibility
The platform to secure the Cloud Age needs to have flexibility to offer your organization only what's needed, when it's needed, and charge only for the amount used.

Dynamic Security Intelligence
Battling constantly changing, finely tuned attacks, the cloud security platform needs to be updated dynamically with the most current vulnerability, configuration, and malware information to allow your organization to respond faster to emerging threats.

The cloud security and compliance platform must deliver the following features to meet the needs of today's organizations:

Asset Management
Your organization cannot protect unknown assets. Furthermore, in order to prioritize, the value of the asset to your organization must be considered. Thus, the platform needs to have a robust asset management capability.

Threat Management
The platform must have the ability to scan for vulnerabilities, assess and monitor configurations, and determine the risk an attack presents to the organization. In hybrid IT environments, the platform must provide a single view across the traditional data center and in private/public cloud environments, across a multitude of devices and across the application layer.

Analytics
The key to helping prioritize activities and combat advanced attacks is generating actionable information from a variety of data sources. The platform needs to be able to analyze the data and provide clear visualization of the information to security administrators needing to make instant decisions.

Reporting and Workflow
Given the increasing number of regulatory mandates across regions and jurisdictions, the platform needs to provide a common set of reports across the enterprise, while supporting any regulatory reporting regime, and offering the ability to support inter-enterprise workflows, as outsourcing security functions becomes more prevalent.

Protection
If it's possible to block an attack while minimizing false positives, the platform should provide a capability to either provide direct protection or integrate with other active defenses, including web application firewalls, intrusion prevention, and next generation firewalls.

Building a Cloud Security Platform doesn't happen overnight. In fact, it takes over a decade to gain the critical mass, global presence, security intelligence and world-class expertise required. It takes a unique company to meet the security and compliance needs of organizations in the Cloud Age: that company is Qualys.

Providing Security and Compliance in the Cloud Age

Qualys was founded in 1999 at the height of the technology bubble, when Internet security was just beginning to appear on executive agendas. In December 2000, the company became one of the first entrants in the vulnerability management market. Driven by a powerful combination of highly accurate and easy-to-use scanning technology delivered via the web, Qualys pioneered the use of Software-as-a-Service, or SaaS, to address security and compliance problems for organizations of all sizes.

The heart of Qualys is the Qualys Cloud Platform, which provides an integrated suite of solutions to automate the lifecycle of asset discovery, security assessment and compliance management for an organization's IT infrastructure and assets, whether they reside inside the organization, on their network perimeter or in the cloud. Qualys' cloud delivery model can be easily and rapidly deployed on a global scale, enabling faster implementation, broader adoption and lower total cost of ownership than traditional on-premise enterprise software products. By deploying Qualys, organizations can gain actionable security intelligence into potential vulnerabilities and malware in their IT infrastructure and expedite their compliance with internal policies and external regulations.

The results speak for themselves. Over the past 14 years, Qualys has built a global customer base of over 6,700 organizations located in 100+ countries, including a majority of both the Forbes Global 100 and Fortune 100. These customers perform over 1 billion IP scans/audits per year.

[Figure: Actionable Security Intelligence (Vulnerabilities, Malware, Compliance, Threat Intelligence & Protection); Mitigate & Protect, Define & Detect, Analyze & Report, Comply & Document; Security & Compliance Scans; Global Scanning Infrastructure; 1+ Billion Scans Yearly]

The Cloud Age will force organizations of all shapes and sizes to become more nimble in how they protect critical corporate information assets. Qualys delivers actionable security intelligence, and is positioned to be the organization's strategic IT security and compliance platform for years to come.

Cloud Platform

The Qualys Cloud Platform consists of a suite of IT security and compliance solutions that leverage shared and extensible core services and a highly scalable multi-tenant cloud infrastructure.

Qualys Cloud Infrastructure

Qualys infrastructure includes the data, analytical capabilities, software and hardware infrastructure and infrastructure management capabilities providing the foundation for the cloud platform. Here are some key aspects:

Scalable Capacity
Qualys' modular and scalable infrastructure leverages virtualization and cloud technologies allowing our operations team to dynamically allocate additional capacity on demand across our entire Qualys Cloud Platform to provide for the growth and scalability of our solutions.

Big Data Indexing and Storage
Built on top of our secure data storage model, Qualys' analytics engine indexes petabytes of data and uses this information in real time to execute tags or rules to dynamically update IT asset properties, for use in various workflows for scanning, reporting and remediation.

KnowledgeBase
Qualys relies on our comprehensive repository, the Qualys KnowledgeBase, of known vulnerabilities and compliance controls for a wide range of devices, technologies and applications to power our security and compliance technology. The KnowledgeBase is dynamically updated with information on new vulnerabilities, control checks, validated fixes and content refinements on an ongoing basis.

Managed Appliances
Qualys hosts and operates thousands of globally distributed physical appliances used to assess customers' externally facing systems and web applications. To assess internal IT assets, organizations deploy either physical appliances or downloadable virtual images within their internal networks. Qualys appliances update themselves in a transparent manner using our automated and proprietary management technology.

Qualys Core Services

Qualys Core Services enable integrated workflows, management and real-time analysis and reporting across all of our IT security and compliance solutions. Our Core Services include:

Asset Tagging and Management
Enables your organization to easily identify, categorize and manage large numbers of assets in highly dynamic IT environments and automates the process of inventory management and hierarchical organization of IT assets.

Reporting and Dashboards
A highly configurable reporting engine that provides your organization with reports and dashboards based on user roles and access privileges.

Questionnaires and Collaboration
A configurable questionnaire engine enables your organization to easily capture existing business processes and workflows to evaluate controls and gather evidence to validate and document compliance.

Remediation and Workflow
An integrated workflow engine allows your organization to automatically generate helpdesk tickets for remediation and to manage compliance exceptions based on organizational policies, enabling subsequent review, commentary, tracking and escalation. This engine automatically distributes remediation tasks to IT administrators upon scan completion, tracks remediation progress and closes open tickets once patches are applied and remediation is verified in subsequent scans.

Big Data Correlation and Analytics Engine
An analytics engine indexes, searches and correlates petabytes of security and compliance data with other security incidents and third-party security intelligence data. Embedded workflows enable your organization to quickly assess risk and access information for remediation, incident analysis and forensic investigations.

Alerts and Notifications
An alert engine creates email notifications to alert team members of new vulnerabilities, malware infections, scan completion, open trouble tickets and system updates.

Qualys Cloud Suite

Qualys enables your organization to use the solutions you need, when you need them and pay for only what you use. Your organization can subscribe to one or more of our security and compliance solutions, and over time expand your use.

Continuous Monitoring
Qualys CM delivers a comprehensive, always-on view of potential security holes, enabling organizations to immediately identify and proactively address potential threats before they turn into breaches. Uses elastic scanning capacity to catch unexpected hosts, expiring SSL certificates, open ports, severe vulnerabilities and undesired applications. Helps organizations identify the highest priority issues to enable fast and efficient mitigation and remediation.

Vulnerability Management
Qualys VM automates the lifecycle of network auditing and vulnerability management across your global business. Gives you visibility into IT systems across your network, how they might be vulnerable to the latest Internet threats, and how to protect them.

Policy Compliance
Qualys PC helps organizations pass security audits and document compliance tied to corporate security policies, laws, and industry regulations, supporting the requirements of both internal and external auditors. Audits the configurations of your computers to see if they are enforcing password controls and other compliance policies.

Questionnaire Service
Qualys QS centralizes and automates the gathering of risk data and compliance evidence from employees, partners, vendors and other subject matter experts. Frees organizations from manual, labor-intensive approaches (such as email and spreadsheets) so that all phases of their assessment programs can be managed efficiently and reliably online.

PCI Compliance
Qualys PCI provides small and medium-sized businesses with enterprise-level scanning and reporting that's easy to implement and maintain. Enables large corporations to meet PCI compliance requirements for data protection on a global scale.

Web Application Scanning
Qualys WAS provides automated crawling and testing of custom web applications to identify vulnerabilities including cross-site scripting (XSS) and SQL injection. The automated service enables regular testing that produces consistent results, reduces false positives, and easily scales to secure large numbers of web sites. Proactively scans web sites for malware infections, sending alerts to web site owners to help prevent black listing and brand reputation damage.

Web Application Firewall
Qualys WAF protects web sites against attacks on server vulnerabilities and web app defects. Brings cloud scalability and simplicity to strongly secure web apps against cross-site scripting (XSS), SQL injection, corrupted requests and other attacks.

Qualys SECURE Seal
Qualys SECURE Seal enables online businesses of all sizes to scan their web sites for the presence of malware, network and application vulnerabilities, as well as SSL certificate validation. Once a web site passes all four security scans, the service generates a Qualys SECURE seal for the merchant to display on their web site, demonstrating to visitors that the company is committed to security.

Why Qualys?

Qualys' vision is to transform the way organizations secure and protect their IT infrastructures and applications. Qualys is the best choice for your security and compliance needs.

Trusted brand in cloud security
Qualys pioneered cloud security, having introduced the first vulnerability management solution as a service in 2000, and maintains a reputation as a trusted and objective provider of reliable and accurate vulnerability and compliance assessments.

Scalable and extensible cloud security platform
Our highly-scalable cloud architecture and modular security and compliance solutions allow customers of all sizes, across many industries to access the functionality to help ensure the security of their IT infrastructures. Our cloud platform serves organizations ranging from small businesses to globally distributed enterprises with millions of networked devices and applications.

History of cloud security and compliance innovation
For over 14 years, Qualys has introduced innovative cloud security and compliance solutions allowing our customers to protect their IT environments more effectively and at a lower cost. We have invested significantly in the Qualys Cloud Platform and are well positioned to address the challenges of the evolving IT security and compliance landscape.

Pay for What You Use, When You Use It
Qualys allows customers to easily try one or more of our solutions without risk from any web browser. This model allows our customers to subscribe to only the solutions they need and provides the ability to easily expand the breadth and depth of their deployment as their needs evolve.

To get a free trial of the Qualys Cloud Suite, visit http://www.qualys.com/trial

[Figure: industry panels labelled 8 (Software, Biotech, Technology, Retail), 7 (Health Care, Banking, Media, Food Retail) and 6 (Auto Manufacturers, Chemical, Telecom, Conglomerates); caption: CONTINUOUS SECURITY]

Qualys, Inc. (NASDAQ: QLYS) Headquarters 1600 Bridge Parkway Redwood City, CA 94065 USA T: 1 (800) 745 4355, info@qualys.com Qualys is a global company with offices around the world. To find an office near you, visit http://www.qualys.com Qualys and the Qualys logo are registered trademarks of Qualys, Inc. 9/14