February 25, 2013, 8:07 AM — Security firm Qualys has improved the integration of its QualysGuard vulnerability management service with Amazon Web Services (AWS) on Monday, allowing its customers to scan their AWS Elastic Compute Cloud (EC2) and Virtual Private Cloud (VPC) instances for vulnerabilities more easily and without requiring explicit approval from Amazon.
QualysGuard is a software-as-a-service (SaaS) product for network auditing, asset discovery and vulnerability assessment. The service is provided through a hardware appliance installed within the network, but is managed from an account on the Qualys Web portal.
This setup was designed for a traditional network environment, but companies are increasingly reliant on virtual servers hosted in the cloud, especially during business peak times when extra computing power and resources are temporarily needed. This poses new challenges for vulnerability assessment because those virtual servers need to be audited as well.
QualysGuard was capable of scanning Amazon cloud instances, but the process was not streamlined, said Wolfgang Kandek, CTO at Qualys. The IP addresses of Amazon cloud instances change as they are switched on and off, forcing customers to manually track them and add them in QualysGuard, he said.
Amazon does not want customers to scan instances that do not belong to them, which makes tracking the IP addresses assigned to their instances at any given time even more important.
On Monday, Qualys announced the release of native AWS API data connectors for QualysGuard which solve this issue by allowing customers to connect their QualysGuard accounts with one or multiple Amazon accounts using their API keys, Kandek said. This allows the service to perform automatic Amazon asset inventory and keep track of which instances are up, their type and their IP addresses.
Customers can define vulnerability scanning rules that grow or shrink dynamically based on the data pulled by the QualysGuard data connectors from Amazon, Kandek said.
Amazon doesn't allow customers to scan their own instances without obtaining prior permission, he said. "This is because they don't want their infrastructure to be overwhelmed."
Qualys solved this problem by putting safeguards into QualysGuard and negotiating with Amazon so that QualysGuard scans do not need to be pre-approved, Kandek said. Amazon still doesn't allow the scanning of micro instances in case QualysGuard overwhelms them, but scanning other types of instances with the service no longer requires explicit permission, he said.
QualysGuard checks immediately before a scan if an IP address scheduled to be scanned is still assigned to one of the customer's instances, Kandek said.