Qualys has expanded its CloudView app to support Infrastructure as Code (IaC). CloudView provides a continuous inventory and assessment of public cloud workloads. By adding support for IaC, Qualys is seeking to identify and remediate misconfigurations before deployment. For organisations, this should strengthen the quality of production environments. It should also reduce the chance that companies learn their cloud infrastructure has been publicly exposed only after the fact.
Sumedh Thakar, president and CEO of Qualys, said: “With the addition of IaC assessment to CloudView, Qualys is extending its cloud security posture management (CSPM) solution to handle shift-left use cases.
“Leveraging the Qualys Cloud Platform and its integrated apps, customers can now insert security automation into all stages of their application lifecycle ensuring complete visibility into both runtime and build-time posture via a unified dashboard.”
CloudView IaC has been released to beta with a full production release due before the end of the year.
What does Qualys CloudView IaC do?
In a blog post, Parag Bajaria, VP of Cloud and Container Security at Qualys, explains why Qualys has taken this route of extending CloudView. His position is that CSPM tools fall short because they catch problems only after resources are already deployed, late in the production cycle. As such, systems will remain vulnerable unless we change where and how misconfigurations are detected.
Bajaria wrote: “The real answer is to prevent misconfigurations in the first place – fix the issues at the source. In many cases, that means fixing the misconfigurations in the Infrastructure As Code (IaC) that was used to create the resources. DevOps teams are increasingly using IaC to deploy cloud-native applications and provision their infrastructure. IaC languages, like Terraform, CloudFormation (CF), Azure Resource Manager (ARM), make it easy to express resource configuration.”
What Bajaria wants to see is the templates that drive IaC being scanned, verified and fixed before they are applied. Anything later in the cycle means the resources are already live, and with them the risk of exposed data. It is a sound plan and one that fits the CI/CD community well. One of that community's complaints is that, for all the talk of shifting security left, it frequently does not happen: security teams rarely ship checks that CI/CD teams can drop into a pipeline. That is why CloudView IaC looks interesting.
The goal is that CloudView will continue to scan assets and resources deployed in the cloud. Where it detects a misconfiguration, it will identify the template that created the resource. That template is then passed to CloudView IaC, which supports the range of IaC languages Bajaria lists above. IaC assessments can also be triggered independently of a runtime finding. The result is verification of the IaC templates themselves, not only of what they produced.
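To make the build-time side of this concrete, here is an added example of the kind of check a CI job can run on a CloudFormation template before anything is deployed. It is illustrative code written for this article, not Qualys code and not the CloudView IaC engine, and it goes beyond the page by showing two specific misconfigurations (a world-readable S3 bucket and a security group that opens SSH/RDP to the internet) rather than the general idea of scanning. The resource types and property names are the real CloudFormation ones; the template itself is constructed for the example.

```python
"""Added example: a minimal pre-deployment check for CloudFormation templates.

Not Qualys code. Parses a CloudFormation template (JSON form) and flags two
common misconfigurations before deployment: S3 buckets without a full
public-access block, and security groups exposing admin ports to the world.
"""
import json
from typing import Dict, List

# Constructed sample template: a world-readable bucket, a locked-down bucket,
# and a security group that exposes SSH (and HTTPS) to 0.0.0.0/0.
SAMPLE_TEMPLATE = json.dumps({
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "LogsBucket": {
            "Type": "AWS::S3::Bucket",
            "Properties": {"AccessControl": "PublicRead"},
        },
        "DataBucket": {
            "Type": "AWS::S3::Bucket",
            "Properties": {
                "PublicAccessBlockConfiguration": {
                    "BlockPublicAcls": True,
                    "BlockPublicPolicy": True,
                    "IgnorePublicAcls": True,
                    "RestrictPublicBuckets": True,
                }
            },
        },
        "AdminSg": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "admin access",
                "SecurityGroupIngress": [
                    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                     "CidrIp": "0.0.0.0/0"},
                    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                     "CidrIp": "0.0.0.0/0"},
                ],
            },
        },
    },
})

PUBLIC_ACLS = {"PublicRead", "PublicReadWrite", "AuthenticatedRead"}
ADMIN_PORTS = {22, 3389}            # SSH and RDP: never from the whole internet
ANYWHERE = {"0.0.0.0/0", "::/0"}
BLOCK_KEYS = ("BlockPublicAcls", "BlockPublicPolicy",
              "IgnorePublicAcls", "RestrictPublicBuckets")


def check_s3_bucket(name: str, props: Dict) -> List[str]:
    """Flag public canned ACLs and any bucket without all four block settings."""
    findings = []
    if props.get("AccessControl") in PUBLIC_ACLS:
        findings.append(f"{name}: bucket ACL '{props['AccessControl']}' grants public access")
    block = props.get("PublicAccessBlockConfiguration", {})
    if not all(block.get(k) is True for k in BLOCK_KEYS):
        findings.append(f"{name}: PublicAccessBlockConfiguration does not block all public access")
    return findings


def check_security_group(name: str, props: Dict) -> List[str]:
    """Flag ingress rules that expose an admin port to 0.0.0.0/0 or ::/0."""
    findings = []
    for rule in props.get("SecurityGroupIngress", []):
        cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
        if cidr not in ANYWHERE:
            continue
        lo, hi = int(rule.get("FromPort", 0)), int(rule.get("ToPort", 65535))
        if rule.get("IpProtocol") == "-1":      # "-1" means all protocols/ports
            lo, hi = 0, 65535
        exposed = sorted(p for p in ADMIN_PORTS if lo <= p <= hi)
        if exposed:
            findings.append(f"{name}: ports {exposed} open to {cidr}")
    return findings


CHECKS = {
    "AWS::S3::Bucket": check_s3_bucket,
    "AWS::EC2::SecurityGroup": check_security_group,
}


def assess_template(template_text: str) -> List[str]:
    """Return one finding string per misconfiguration found in the template."""
    template = json.loads(template_text)
    findings: List[str] = []
    for name, resource in template.get("Resources", {}).items():
        check = CHECKS.get(resource.get("Type"))
        if check:
            findings.extend(check(name, resource.get("Properties", {})))
    return findings


if __name__ == "__main__":
    results = assess_template(SAMPLE_TEMPLATE)
    for line in results:
        print("FAIL", line)
    # A CI job exits non-zero on any finding, so the deploy step never runs.
    raise SystemExit(1 if results else 0)
```

Run against the constructed template it reports three findings (the public ACL, the missing public-access block on the same bucket, and port 22 open to the world) and exits 1, which is the behaviour you want from a gate that runs on every commit touching a template; the 443 rule is left alone because the check targets administrative ports, not all internet exposure.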
Enterprise Times: What does this mean?
Data exposed through a misconfigured cloud resource is a familiar story. The problem is that dev teams deploy their test code and environments into the cloud as they build apps. Those environments are not properly checked and tested to ensure they are secure. When projects move from test to production, few if any security checks are made.
To compound the problem, IaC is not built around manual review steps that might catch errors; it is built to deploy at scale and speed. The result is that a single bad template can be reused hundreds of times before the mistake is caught. By then, rectifying and cleaning up the mess becomes a significant problem. Worse, a whole host of malicious actors are actively looking for exactly these misconfigurations to exploit.
Qualys says reports from its beta testers show that CloudView IaC detects more misconfigurations than manual review of templates. That is good news, because it gives DevOps teams a tool they can slot into their existing workflow: templates checked into code repositories can be verified before they are used.
Importantly, Qualys is also saying that CloudView IaC means “organizations can assure compliance with more than 20 industry mandates such as PCI, HIPAA, and NIST 800-53.” It is a big claim, and it will be interesting to see how effective it proves once the product is in full production and widely adopted.