Secure Payments, PCI DSS, Regulatory Compliance Blog

Where did the operating system go? Security as a service

July 2nd, 2007 by admin Posted in Approved Scanning Vendor, PCI DSS, Service Provider, Vendors

A few weeks back I was invited to the Qualys annual conference in San Francisco. Their theme was Software as a Service (SaaS). No sooner had I returned than CIO Magazine ran Software as a Service as its cover article. I think they are on to something here that is bigger than just security or software.

While at the event I had a chance to speak with many on the Qualys team (some of whom I had met just days before in Tokyo). One of the most interesting characters was Philippe Courtot, the Chairman and CEO. He is a consistent entrepreneur who, aside from being well connected, is well informed about the industry. He is French, a physicist in his prior life, and enjoys extreme skiing as a sport.

He purports that software is moving to a service (or subscription) based economy. For example, take Google with their online service based suite of office tools (word processor, spreadsheet, email, calendar, etc.). We made a bet on Windows Vista being the last operating system that Microsoft makes, his argument being that all software will move to a service based offering. (Bill, please release another operating system or I lose the bet.)

Qualys has put their company where their mouth is by releasing QualysGuard. One thing you may not know is that Qualys is the Approved Scanning Vendor (ASV) of choice for most merchants. Why is this? Because the majority of companies listed on the ASV list actually resell Qualys. This means that Qualys scans a large percentage of all PCI compliant merchants. This new service offering of theirs delivers another type of SaaS — Security as a Service.

I’m now wondering how many other companies will follow suit and offer Security as a Service and what other products can be delivered via this method. We already offer this (partially) via managed service companies. These would be your remotely managed IDS and audit log review providers. But managed services are still only partially on-demand security.

The question is: what, when, and how will the security industry move to a service based offering? Is this something we want, need, or could use?

One Response to “Where did the operating system go? Security as a service”

By dre on Jul 3, 2007

    Define what you mean by ‘outsourcing’.

    My suggestion would be to adopt a BPO strategy where individual capital is outsourced while infrastructure capital is not.

    In other words, you consolidate your infrastructure in a data center (you’ll want to read this article by Richard Bejtlich) and then have an MSP (managed service provider) run the infrastructure with their people. I wrote a good set of comments on Anton Chuvakin’s blog earlier this year. The strategy I present is relatively solid, and certainly better than anything that Gartner or PCI will tell you how to do things.

    Note that both my BPO strategy and the model I discussed are completely contrary to Qualys.

    I think Qualys has become a major issue for PCI DSS and their relationship is a bit bothersome to me as it appears anti-competitive. Also - I just don’t like SaaS (Software as a Service), and it may become illegal to use SaaS due to other compliance issues (as described in Bejtlich above).

    It is also clear in many scanner reviews that Nessus works well with Unix/Linux infrastructure, and that Foundstone works well in Windows environments. I urge every ASV to use BOTH of these tools, and to avoid Qualys. Other options such as Rapid7 Nexpose are possible, and additionally I think ASVs should be running commercial exploitation engines to determine pivoting results as well as other types of scanners (automated static code analysis tools and web application security scanners especially).

    During the PCI Self-Audit process, any company would be working against itself if it does not run BOTH Nessus 3 (which now offers a free .audit file according to a recent blog entry) and MBSA (Microsoft Baseline Security Analyzer, especially the HFNetChk mode). My suggestion is to also run every tool from the SecureDVD package and because of the whole TJX situation - an open-source WiFi auditing framework such as wicrawl would be a really good idea.

    I don’t see how PCI Requirement 4 (which deals with WiFi) can be met without verification. How does the ASV process allow WiFi scanning audits to be performed? AFAIK, they don’t.
