Customers in the News: June 2008 Archives

Doug Spaw, network engineer for VSR Financial Services, wanted to achieve effective and efficient IT security and risk mitigation while ensuring regulatory compliance for the organization's 80,000+ clients and 300+ registered users.

"We selected QualysGuard because of the simplicity of its SaaS model. You set it up, and it just works," stated Doug.  "We rely on QualysGuard Express to scan more than 128 IP addresses, which includes our internal servers and systems as well as all of the company's Internet-facing devices. The reports from these assessments are very detailed, which helps us to resolve any issues we find quickly."

QualysGuard will also keep VSR Financial Services prepared for all possible future regulations that will affect the broker/dealer industry. To read more about how Doug addresses threats without the substantial cost, resource demands, and deployment hassles associated with traditional software scanners, visit:
http://www.qualys.com/docs/customers/casestud/VSR.pdf

Information Security reporter Neil Roiter speaks with Victor Hsiang, director of the information security architecture group at TransUnion. Victor shares how the Qualys Software-as-a-Service (SaaS) model has enabled TransUnion, a global consumer credit reporting bureau, to streamline and easily extend its vulnerability management program to many locations.

"The product approach requires individual purchases of the license at each location, purchasing a platform to load licenses on and administration of that platform, then the care and feeding of it," says Victor Hsiang, director of TransUnion's information security architecture group. "With the service approach, from a corporate perspective, we can pick up the cost of Qualys and absorb the business units into the whole process."

Hsiang will beta test the Policy Compliance module at TransUnion, and expects it to integrate with his group's program of using the vulnerability management service and a central database to certify systems through a cycle of vulnerability scanning, ticketing and remediation.

"We won't have to reinvent the wheel; the compliance module fits into the architecture we've developed for tracking and fixing vulnerabilities," says Hsiang.


"The biggest thing we focus on with all of this is control of the data," says Michael Mucha, chief information security officer for Stanford Hospital in Palo Alto, Calif., which uses several clinical applications that are delivered as a service, including transcription, and radiology and analysis systems. Given that health care is by far the most regulated industry he has worked in, Mucha has created a standardized checklist for his technical assessment of any application delivered via the SaaS model. The most critical of those items include whether or not the service provider complies with SAS 112 audit requirements (which applies to nonprofits), how it documents its procedures for handling a security breach, and how it handles requests for changes and customized features, Mucha says.

Even more important will be the simple policies that a SaaS provider uses among its staff to protect your data. "We have complete access to the data, and we are the only ones with control of the authentication," Mucha says. "The point is that you need a consistent approach to all these situations."

"SaaS opened our eyes to a new way of doing things. With QualysGuard, we didn't need to install any software or infrastructure. QualysGuard runs on Qualys' own secure global infrastructure, so we run security audits on-demand over the Internet with a standard Web browser. The application automatically finds all vulnerabilities on our local and remote network, provides directions to our IT staff for remediation, and submits PCI audit reports to our acquiring banks."

