Qualys streamlines vulnerability scanning of Amazon cloud instances
Qualys launches Amazon AWS API data connectors for QualysGuard
Security firm Qualys has improved the integration of its QualysGuard vulnerability management service with Amazon Web Services (AWS) on Monday, allowing its customers to scan their AWS Elastic Compute Cloud (EC2) and Virtual Private Cloud (VPC) instances for vulnerabilities more easily and without requiring explicit approval from Amazon.
QualysGuard is a software-as-a-service (SaaS) product for network auditing, asset discovery and vulnerability assessment. The service is provided through a hardware appliance installed within the network, but is managed from an account on the Qualys Web portal.
This setup was designed for a traditional network environment, but companies are increasingly reliant on virtual servers hosted in the cloud, especially during business peak times when extra computing power and resources are temporarily needed. This poses new challenges for vulnerability assessment because those virtual servers need to be audited as well.
QualysGuard was capable of scanning Amazon cloud instances, but the process was not streamlined, said Wolfgang Kandek, CTO at Qualys. The IP addresses of Amazon cloud instances change as they are switched on and off, forcing customers to manually track them and add them in QualysGuard, he said.
Amazon does not want customers to scan instances that do not belong to them, which makes tracking the IP addresses assigned to their instances at any given time even more important.
On Monday, Qualys announced the release of native AWS API data connectors for QualysGuard which solve this issue by allowing customers to connect their QualysGuard accounts with one or multiple Amazon accounts using their API keys, Kandek said. This allows the service to perform automatic Amazon asset inventory and keep track of which instances are up, their type and their IP addresses.
Customers can define vulnerability scanning rules that grow or shrink dynamically based on the data pulled by the QualysGuard data connectors from Amazon, Kandek said.
Amazon doesn't allow customers to scan their own instances without obtaining prior permission, he said. "This is because they don't want their infrastructure to be overwhelmed."
Qualys solved this problem by putting safeguards into QualysGuard and negotiating with Amazon so that QualysGuard scans do not need to be pre-approved, Kandek said. Amazon still doesn't allow the scanning of micro instances in case QualysGuard overwhelms them, but scanning other types of instances with the service no longer requires explicit permission, he said.
QualysGuard checks immediately before a scan if an IP address scheduled to be scanned is still assigned to one of the customer's instances, Kandek said.
Scans can be performed from the Internet if the services running on the Amazon EC2 or VPC instances are externally accessible, but that's not always the case. For example, a database server running in an Amazon cloud instance might only be accessible through Amazon's internal network, Kandek said.
In order to allow the scanning of such machines, Qualys also released the QualysGuard Virtual Scanner Appliance AMI (Amazon Machine Image) on Monday. This is a virtual QualysGuard appliance that can run on one of the customer's instances and can scan other machines through Amazon's internal network.
The scanner appliance is available from the AWS marketplace, but using it also requires a license from Qualys costing US$995 per year. Customers might need to run multiple QualysGuard virtual scanner appliances, one for each of Amazon's availability zones in which they have instances.
The integration with Amazon AWS is only the first step, Kandek said. The architecture of the data connector was built to support other services as well, both internal and external, he said.
For example, it will be able to support other cloud providers, but also private virtual infrastructure like the one controlled with VMware vCenter that raises similar problems of tracking how many virtual machines are running at any given time. The data connector will be able to run on a QualysGuard hardware appliance inside the network and gather inventory data from VMware vCenter and other similar systems in the future, Kandek said.
"The cloud services are growing and our customers are starting to adopt them and have challenges of how to scan such machines," Kandek said. "We have customers that tell us that during some times of the year -- for example, the Christmas season -- they need twice as many machines than they need during the rest of the year. It's simply not efficient to have that many machines in your own data center, because most of the time they would just sit there idling."
"The are also start-up companies that opt for doing everything into the cloud, because it allows them to get their product out faster and only need to pay a monthly fee that is much lower than the cost of building a private data center," Kandek said. These companies will now find it easier to scan their assets for vulnerabilities, he said.