Establishing Digital Trust: Don't Sacrifice Security for Convenience
Qualys is adding new services to its Software-as-a-Service cloud platform, providing customers with new cloud security and SSL/TLS certificate security capabilities.
While the Qualys Cloud Platform by definition is in the cloud, the CloudView module is a new service.
"CloudView is an entirely new module built on the Qualys Cloud Platform," Hari Srinivasan, Director of Product Management, Qualys, told eSecurityPlanet. "CloudView is a new app framework in the Qualys Cloud Platform for comprehensive and continuous protection of cloud infrastructure."
Srinivasan said that CloudView contains multiple apps, beginning with Cloud Inventory and Cloud Security Assessment. He added that Cloud Inventory (CI) and Cloud Security Assessment (CSA) provide visibility of all resources within public cloud environments. CI and CSA also provide continuous security of public cloud infrastructure against misconfigurations, malicious behavior and non-standard deployments.
"These two apps allow teams to gain critical insights into these cloud resources and their security posture across them," Srinivasan said.
At launch, Srinivasan noted that CloudView does not provide CASB or access control functionality.
Qualys has a long history providing users with insight into SSL/TLS certificate status and deployment. Among the services already offered by Qualys is the SSL Labs site that provides free tools for the analysis of the configuration of publicly accessible SSL/TLS web servers.
"SSL Labs does not however store this data for later use," Asif Karel, Director of Product Management at Qualys, told eSecurityPlanet. "CertView is a commercial offering intended for enterprise customers who will not only benefit from similar assessments of their public as well as internal servers and services, they will also be able to create and maintain an inventory of the certificates deployed in all of their environments and critical infrastructure."
With CertView, Karel said that customers will be able to identify and get alerted on TLS and certificate related vulnerabilities and weaknesses, and quickly act to isolate and mitigate these risks.
When it comes to understanding SSL/TLS certificate security issues, Karel emphasized that there is more to it than just having a valid certificate. He noted that CertView provides a single-pane-of-glass view of certificate status, weaknesses/strengths, deployment status, as well as associated vulnerabilities on the hosts where these certificates were found.
"The grading calculation highlights the support, or lack of support, for mechanisms such as HSTS that prevent protocol downgrade attacks as well as other TLS related vulnerabilities," Karel said.
HTTP Strict Transport Security (HSTS) is a web server configuration, delivered to browsers as a response header, that instructs them to load the site only over SSL/TLS (HTTPS) and never over plain HTTP.
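As an added example (not Qualys code and not part of the original article), the following Python check parses the Strict-Transport-Security header as RFC 6797 defines it and reports the weaknesses a grading check like the one described above would flag. The one-year threshold, the finding texts and the sample responses are assumptions constructed for the example.

```python
import re

# Assumption used for the threshold: the HSTS preload list requires a
# max-age of at least one year (31536000 s); shorter values are flagged.
ONE_YEAR = 31536000

def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797): ';'-separated
    directives, case-insensitive names, unknown directives ignored."""
    parsed = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name == "max-age" and re.fullmatch(r"\d+", arg):
            parsed["max_age"] = int(arg)
        elif name == "includesubdomains":
            parsed["include_subdomains"] = True
        elif name == "preload":
            parsed["preload"] = True
    return parsed

def evaluate_hsts(headers):
    """Return the list of HSTS weaknesses a grading check would flag for
    one HTTPS response's headers; an empty list means no finding."""
    # Header names are case-insensitive, so normalise before the lookup.
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return ["HSTS header missing: a first http:// request can be downgraded"]
    p = parse_hsts(value)
    findings = []
    if p["max_age"] is None:
        findings.append("max-age missing or malformed: browsers ignore the whole header")
    elif p["max_age"] == 0:
        findings.append("max-age=0 deletes the cached policy instead of enforcing it")
    elif p["max_age"] < ONE_YEAR:
        findings.append(f"max-age {p['max_age']}s is below the one-year preload minimum")
    if not p["include_subdomains"]:
        findings.append("includeSubDomains absent: subdomains stay reachable over HTTP")
    return findings

# Constructed sample responses, not captured from any real server.
SAMPLE_RESPONSES = {
    "strong": {"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload"},
    "short": {"strict-transport-security": "max-age=300"},
    "missing": {"Content-Type": "text/html"},
}
RESULTS = {label: evaluate_hsts(h) for label, h in SAMPLE_RESPONSES.items()}
```

Feeding the header dictionary of a real HTTPS response into `evaluate_hsts` gives the same list of findings; an empty list means the header is present and carries the directives the check looks for.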
The market for SSL/TLS certificates has been disrupted in recent years by the emergence of Let's Encrypt, which provides free certificates to users. Karel noted that while providing easy access to free certificates can be considered a step up from having no certificates at all, it also means that the bad guys can now hide in encrypted traffic easily, avoiding inspection from other security measures such as DLP and IDS.
"Unsuspecting users might think they are communicating with trustworthy sites because the identity of the site has been validated by a CA (Certificate Authority), without realizing that these are just domain validated certificates with no assurance about the identity of the organization that owns the site," Karel said.
Sean Michael Kerner is a senior editor at eSecurityPlanet and InternetNews.com. Follow him on Twitter @TechJournalist.