Many companies are responding to the large number of people working from home as a result of the public health situation. Qualys has rolled out a totally free 60-day version of its cloud-based security and compliance solution at no charge.
We spoke with Sumedh Thakar about the free release and how Qualys is helping enterprises with their remote workforce.
As usual, the streaming audio is immediately below, followed by the transcript of our conversation.
Alan Shimel: Hey, everyone, it’s Alan Shimel for DevOps.com, Security Boulevard. You’re listening to another DevOps Chats. Today’s DevOps Chats features Sumedh Thakar, President of Qualys. Sumedh, welcome to DevOps Chats.
Sumedh Thakar: Thank you, Alan, how are you?
Shimel: You know, good. Making—we’re all in uncharted waters, Sumedh, so—
Shimel: – every day’s an adventure and look, I’m an adventurous kind of person, so it’s all good.
Sumedh, Qualys came out with some news this morning. Why don’t you share it with your audience?
Thakar: Yeah, we got a lot of questions from our customers around a new challenge that they are facing now with the changing situation, which is really, you know, we’re in lockdown so everybody is working from home and, you know, IT administrators, security administrators are now faced with how do you secure the remote endpoints, right, with everybody taking their laptop or using home desktops to continue to work and, you know, where traditionally a lot of that, what is called the remote clients used to be more within the office space are now suddenly outside. So, that, of course, creates a new sort of a vector for access to companies’ most important information and how do you secure those?
And it really brought up a lot of interesting questions around VPNs and how VPNs scale to be able to do that, because a lot of the traditional tools that do the basics of the patching and the basics of the security hygiene are on-prem tools, are more installed inside the company environment, which works okay when you had occasionally somebody coming in and patching over VPN. Now, you have 5,000, 10,000 employees suddenly trying to patch over VPN—that’s a real challenge.
And so, offering that, we have really come out with this leveraging Qualys cloud-based platform where we have the ability to essentially monitor remote endpoints leveraging the cloud platform without requiring VPN, providing an ability to keep a complete track of the security hygiene of these Windows laptops, Mac laptops, and then also provide a way to patch them directly over the Internet without requiring any VPN. So, these devices can get patched directly by pulling patches from the vendors on the endpoints and not saturating your VPN, and then be able to sort of give that quick way to secure these endpoints to ensure that a lot of people are leveraging the unfortunate incident that is happening to scam people and to send out e-mails and compromise them with fake maps of infections and things like that.
So, really, this gives the opportunity for the IT administrators to lock down and really harden these remote endpoints, and that’s what we’re offering, basically. It’s a 60 day free so that people don’t have to get into trying to talk to salespeople and trying to get purchase orders and all of that. It’s really, let’s first get people secure and help them to price and then we can talk about the rest of it.
Shimel: Later, sure. So, I just wanted to make sure—Sumedh, you don’t have to be an existing Qualys customer for this? Anyone, any company can pick it up?
Thakar: Yeah, absolutely. You don’t have to be an existing Qualys customer. You can sign up, we’re putting out a signup page quickly so that you can sign up and then we’ll give you a quick account to download the agents that can then be distributed. It’s very lightweight, 3MB agents, so that way, we can leverage the cloud off of that to really keep an eye on what’s going on.
Shimel: Excellent. Now, this—I have the benefit of looking at a screenshot, others may not be looking at it. But it’s a pretty—this is not, like, a dumbed-down version of this. This seems to be pretty full-featured in terms of what it’s finding and—
Thakar: Oh, yeah, absolutely. In fact, it’s an enriched version, I would say, really focused on the remote end points, because they have their own challenges compared to servers. And so, really, what we did is, we said—look, what would an IT administrator who is sitting in his office by himself with his entire workforce working in 15, 20, 30 countries, what would they want to know?
And so, first is inventory and the breakdown of what type of operating systems are these laptops using? Are they end of life? How many of them are still not patched? What are the latest patches that are missing?
We also kinda went a step further to focus on configurations, because a lot of times, you have this device that is left open in a public space. Does it even have the basic hygiene of saying, you know, is there a screen saver? Is the device set to lock when you walk away—you go get coffee or something, you know, does the device lock by itself?
So, a lot of times, a lot of these things are actually not really thought about because people focus just on patching. And so, what we’ve done is really package more in a workflow the ability to do your inventory, the ability to look at the critical vulnerabilities, the critical missing controls that really help you secure these endpoints.
Shimel: Yeah, so, this is much more than vulnerability scanning.
Shimel: This reminds me more of what we used to do back in my StillSecure days with Mac.
Shimel: Where we could really look at the registry.
Thakar: Right, right, right.
Shimel: We looked for a lot of things besides vulnerabilities, what versions of software, what’s turned on, what’s turned off—
Shimel: – stuff like that. And that’s critical for this. I’ll tell you another thing, just—you know, before you came onto our conference platform to record this, I was talking with someone else who said, “You know, I’m working from home and I plugged in an old headphone” and, you know, there’s so many people who are pulling equipment out of the closet right now, and—
Thakar: Yeah. It’s also ________ to find a webcam right now, by the way, so just—
Shimel: Oh, I know. I—
Thakar: I couldn’t buy a webcam on Amazon, so.
Shimel: There’s a lot of things you can’t buy, it’s pretty crazy. But you know, hopefully, the supply chain will [Cross talk]—
Shimel: – works its way through. But you know, so, we are turning on a lot of older equipment and a lot of this equipment probably hasn’t been updated regularly. And, you know—but you know, we still need to use it. People need to get work done. People are working. People are—you know, no one wants to sit at home and watch doom and gloom on TV, right? We all have stuff to do.
And so, it’s important, you wanna—I think, you know, it gets to the role of what’s the role of IT. IT has to serve its customers—
Shimel: – who are the business.
Shimel: And so, we can’t be the people who say, “No, you can’t use that.”
Thakar: All the more important—yeah, all the more important right now in this kind of a situation. IT is really what’s keeping the business running right now, right? Making sure that these devices are up and access is there and they’re secure. And I think that’s the reason why we really jumped in to sort of create this service and give it something, you know, without having to deal with the signups to start, it’s really straightforward, and we give it for 60 days and then really give that ability to get started with securing quickly without really having to worry about other things.
Shimel: Sure. You mentioned another thing, Sumedh, and that is, you know, businesses are relying on IT. And I think IT is relying on the cloud.
Shimel: All of us, really. I mean, here we are, we’re recording this over Zoom.
Shimel: Shout out for Zoom, right?
Shimel: But just, you know, thank God for the cloud, because think about it, if every company had to maintain their service clause and their data centers and everything else and we didn’t have this whole cloud infrastructure with SaaS and so forth.
Thakar: Yeah, I think the cloud and the SaaS really has shown how important that architecture is to a lot of the companies who moved on to leverage cloud for collaboration, for e-mail, like Zoom platform and, you know, they’re using cloud-based services to scale at the back end because they’re seeing tremendous pull on their service right now.
And it’s the same with the Qualys platform, and that’s really why, for us, also, it was pretty straightforward to be able to create the service to help the community because we are already deployed and for us to have, provide a service that’s directly off of the platform makes it a lot easier if at this point the customers had to try and use enterprise solutions that would just not work because you had to first even go to the office to get something installed in the first place in your data center that’s just not going to work.
So, the architecture that Qualys has and some of these other solutions that were being used heavily, I think those really are showing why that cloud-based architecture is the future today as we go into a more distributed and remote workforce.
Shimel: Yep. Sumedh, I wanted to ask, you mentioned that it covers Windows devices and Mac devices, so kinda your typical laptops or, if people are working from home, desktops and stuff. Any other device coverage in terms of mobile or pads or anything?
Thakar: Yeah, so, we’re going to evaluate how our customers are rolling this out. Today, the focus has been on Windows, really, for the most part, and a lot bit of the Macs, so today, we provide the complete visibility on Windows and Mac and then there’s the patching we provide on Windows. And then the next steps, we’ll see how we can leverage additional capabilities from Qualys to be part of this free service, whether it’s detecting malware or anything else and if we can expand, as you know, Qualys already has a solution for mobile devices as well as Android and iOS devices.
And so, today, customers are more focused on getting their Windows devices secure, and I think that that will be the next step, of course, to say, how do we look at the mobile devices? So, that definitely is an opportunity for us to help customers as they go through this journey and take it to the next level.
Shimel: Yep. So, Sumedh, this is great, and thanks to Qualys for doing this and making it free for people. And I should also emphasize, you don’t have to be a big organization to do this. This is fine for small organizations as well. I’m thinking, you know, here at MediaOps, we’re on 20, 25 people.
Thakar: And that’s the beauty of a cloud-based platform, right? You—for us, we don’t really have to go and do a huge deployment that takes a long time. You know, even, we have customers all the way from 5 devices to 5,000,000 devices. And so, it’s the same platform and, you know, you go and you sign up and you get an account and get the agents, and it’s really straightforward.
So, yeah, you’re right, you don’t need to be a big massive company. Even somebody with 15, 20 devices, this is perfect, because it’s cloud-based and it just deploys out of the box.
Shimel: Sure. So, we don’t have a lot of time left, Sumedh. I wanted to hit one other area. I wanna, you know, you’re the President, now, of Qualys, right, and we’re talking to an IT audience here. And the IT team is, as we mentioned, they’re trying to serve their customers the best they can; especially like CSOs and security teams out there.
And here’s what we’re faced with, right? This is real world now, not theoretical. We want to enable people working from home to be as productive as possible, right? That we don’t see a big drop off from the kind of production—as a matter of fact, I saw a recent article, people are working on average three hours more a day at home than they would at the office.
Thakar: [Laughter] I believe that.
Shimel: Yeah, who may—you know, if I’m an employer, I may never bring them to the office.
Shimel: But, with that being said, it’s the old security conundrum, right?
Shimel: I wanna make it happen. I really, really do. But I gotta have my security, right? And there has to be, at some point, there might be sacrifices or decisions that have to be made. What’s your—you know, speaking officially now on behalf of Qualys, what’s your advice to these people who are dealing with this real-life situation? I’ve gotta get my remote workforce up and running and allow them to make it happen—but look, the security mission hasn’t gone away.
Thakar: Yeah. Yeah, I think it’s always about the balance between the security and the ease of use and deployment and all of that. And I think one of the great things of IT, if you see recently with the move to the cloud and all of that, is that they have been very agile in adapting to the changing trends and leveraging newer technology to be able to do a much better job with IT, and the same with security now, we have seen with DevOps, DevSecOps, a lot of that happen, and it’s really not that different on the endpoint because today we have a situation and we want to enable our teams to really do a good job remotely and security is very important.
And so, this is a good opportunity to really look at a new architecture of cloud-based solutions. Not just Qualys, there’s others out there like Zoom and a few others where this is the opportunity, this is the time to really look at new architectures, new solutions that are going to help us deal with the new reality and, as has happened in the cloud and others, most of the time, you are going to find that this is actually much more beneficial, cost-effective, and something that gets security out of the way because it’s happening on the endpoint, it’s in real-time, and it’s not going through your VPNs and all of that, creating more headaches for you.
So, I think my—really, my thought process here is that, let’s take the opportunity to meet this new challenge with a new approach from a technology perspective as we’ve always done. Technology can be really leveraged to make things better and adapt to the new, changing situation.
Shimel: Absolutely. Sumedh, I want to thank you for joining us. Thanks, Qualys, for making this available to everyone for free. We’re about out of time. Stay well, regards to all of my Qualys friends, and hopefully, we’ll follow up soon.
Thakar: Absolutely. Thank you, Alan. Always a pleasure.
Shimel: Thank you.
Thakar: Stay safe.
Shimel: You, too, my friend. Sumedh Thakar, President of Qualys, announcing free endpoint security of the Qualys suite for the next 60 days. Check it out at Qualys.com/remotepatching, and you can get it all there, no questions asked.
This is Alan Shimel for DevOps.com, Security Boulevard—you’ve just listened to another DevOps Chats.