Security firm Qualys has improved the integration of its QualysGuard vulnerability management service with Amazon Web Services (AWS) on Monday, allowing its customers to scan their AWS Elastic Compute Cloud (EC2) and Virtual Private Cloud (VPC) instances for vulnerabilities more easily and without requiring explicit approval from Amazon.
QualysGuard is a software-as-a-service (SaaS) product for network auditing, asset discovery and vulnerability assessment. The service is provided through a hardware appliance installed within the network, but is managed from an account on the Qualys Web portal.
This setup was designed for a traditional network environment, but companies are increasingly reliant on virtual servers hosted in the cloud, especially during business peak times when extra computing power and resources are temporarily needed. This poses new challenges for vulnerability assessment because those virtual servers need to be audited as well.
QualysGuard was capable of scanning Amazon cloud instances, but the process was not streamlined, said Wolfgang Kandek, CTO at Qualys. The IP addresses of Amazon cloud instances change as they are switched on and off, forcing customers to manually track them and add them in QualysGuard, he said.
Amazon does not want customers to scan instances that do not belong to them, which makes tracking the IP addresses assigned to their instances at any given time even more important.
On Monday, Qualys announced the release of native AWS API data connectors for QualysGuard which solve this issue by allowing customers to connect their QualysGuard accounts with one or multiple Amazon accounts using their API keys, Kandek said. This allows the service to perform automatic Amazon asset inventory and keep track of which instances are up, their type and their IP addresses.
Customers can define vulnerability scanning rules that grow or shrink dynamically based on the data pulled by the QualysGuard data connectors from Amazon, Kandek said.
Amazon doesn't allow customers to scan their own instances without obtaining prior permission, he said. "This is because they don't want their infrastructure to be overwhelmed."
Qualys solved this problem by putting safeguards into QualysGuard and negotiating with Amazon so that QualysGuard scans do not need to be pre-approved, Kandek said. Amazon still doesn't allow the scanning of micro instances in case QualysGuard overwhelms them, but scanning other types of instances with the service no longer requires explicit permission, he said.
QualysGuard checks immediately before a scan if an IP address scheduled to be scanned is still assigned to one of the customer's instances, Kandek said.
Scans can be performed from the Internet if the services running on the Amazon EC2 or VPC instances are externally accessible, but that's not always the case. For example, a database server running in an Amazon cloud instance might only be accessible through Amazon's internal network, Kandek said.
Sign up for Computerworld eNewsletters.