October 2009 Archives

Last night, Qualys was ranked number 362 on Technology Fast 500™, Deloitte LLP's ranking of 500 of the fastest growing technology, media, telecommunications, life sciences and clean technology companies in North America. Qualys has been ranked on the Technology Fast 500™ for the third consecutive year. Rankings are based on percentage of fiscal year revenue growth during the five-year period from 2004-2008. This ranking highlights Qualys' accelerated adoption of its IT security and compliance solutions, delivered in the cloud via a Software-as-a-Service (SaaS) model, by thousands of organizations and government agencies worldwide.
 
"Being recognized as one of the fastest growing companies in North America for the third consecutive year is an honor that we share with our customers and we thank Deloitte for this ranking," said Philippe Courtot, CEO and chairman of Qualys. "We attribute this success to our customers who for the last 10 years believed in the Security-as-a-Service model and adopted our IT security and compliance solutions to secure their businesses and demonstrate compliance at a much lower cost than other existing enterprise software solutions."
 
"Technology Fast 500™ recognizes innovative companies that have broken down barriers to success and defied the odds with their remarkable five-year revenue growth," said Phil Asmundson, Vice Chairman and U.S. Technology, Media and Telecommunications leader, Deloitte LLP. "We congratulate Qualys on this accomplishment."
I believe that the SaaS and Cloud Computing revolution holds the potential to benefit everyone in the software industry, and all who rely on it for their business. For instance, we in the industry are well aware that software is evolving too quickly to keep up. It's a never ending process of software enhancements, upgrades, security fixes, and new installations. And, few would disagree that there are too many vulnerabilities affecting too many applications. In this disorder, most of the burden has fallen on the shoulders of organisations that have had to dedicate extraordinary resources to patch and mitigate the security holes. Here is an interesting statistic that reveals the magnitude of the challenge. According to Qualys' The Laws of Vulnerabilities 2.0 research, companies take an average of 59 days to patch their vulnerabilities. Five years ago, that number was 60 days. That's a reduction of one day in the past five years. When one considers all the effort and automation that has gone into patch management in the past five years, that's not much in the way of improvement. And this shows not just how steep the challenge is, but just how broken the current ecosystem of traditional software is.

The SaaS approach  
Fortunately, the SaaS and Cloud Computing models are positive disruptions on the infrastructure of both private networks and the Internet. Unlike when individual organisations patch (work that must be duplicated for every installation), when SaaS vendors update their software applications, all of their customers are patched instantaneously as well. Because of this simple fact, many of the security problems that plague today's business technology systems - such as patches and software misconfiguration issues - are solved. Thus, in this, and many other ways, the burden of maintaining a secure application largely is transferred from the software user to the provider. The effect of proper patching is amplified throughout all the IT systems the SaaS and cloud providers touch. For many years it was thought that SaaS would be destined just for SMEs, but today we know that this isn't so; the advantages of cost reductions in staff and infrastructure are as valuable to the large corporate as the small or mid-sized business, particularly in the current economic climate. Cloud Computing offers a delivery model that scales and can reach out to millions - that's the power of the Internet. Once the infrastructure or data centre has been built, the cost of adding additional services is minimal and hence the service provider can offer aggressive prices because the overall cost of the infrastructure and the specialist personnel to man it can be amortised over a large number of users. Another massive advantage for customers of SaaS is that it puts the power in the hands of the buyer. They can 'try and buy' solutions with ease and of course they are at liberty to switch vendors if their services don't come up to scratch. What's more, whilst vendors have traditionally focused on the enterprise as the customer for hardware and software, the data centre owners will gradually become key customers for the future.

Resistance is Futile

Some still are fighting the shift to SaaS and Cloud Computing. But, I don't believe that resistance to the transformation of on-premise business IT to cloud-based computing is a viable option. Not for long. The business benefits, cost savings, and reduction in complexity are just too compelling for businesses to overlook. Actually, today, the strongest resistance we see is emanating from IT departments, and IT security staff - mainly out of fear of what might happen if one were to lose control of data. But the reality is that businesses have already lost control of data, as evidenced by the constant security breaches that we read about in the media on an almost daily basis. By putting the data in one place it is easier to control access to it. Security in the cloud will follow the pattern of banking where we are comfortable to withdraw our cash from the convenience of an ATM, over the Internet or via our mobile and leave its security to be dealt with by the experts. Nevertheless, despite reservations from IT, businesses will march forward, because the business has no choice but the path that simplifies many of today's IT complexities. And in this, the primary - and strategic - role of IT security will be successfully and securely managing the privacy and security risks associated with data living in the cloud.

While the visible shift to Cloud Computing to date has been the movement of applications and data to the cloud, it's not going to stop there. Soon, the day will come when companies outsource not only their software but their network infrastructure, as well. One day, almost everything we do on private networks - manage information, applications, infrastructure, and services - will be accessible instantly and securely from anywhere and from any Web browser. It's time to prepare.


At this year's 7th Annual Qualys Security Conference, Qualys customers and security professionals from around the world convened at the Palace Hotel in San Francisco to discuss IT security and compliance best practices. The event ran for 3 days (October 5-7) and included a day of QualysGuard training.

Keynote presentations included:
  • Mark Nicollet, VP and distinguished analyst at Gartner, who discussed the importance of aligning security assessment with business objectives in order to succeed in securing the enterprise.
  • Bob Russo, GM of the PCI Council, who gave an update on PCI DSS and the objectives of the council in 2010.
Over the course of the two days, several Qualys customers presented talks and best practices on their use of vulnerability and compliance management solutions. Presenting customers included: Brad Freeman, global security services leader, General Electric; Doug Dexter, audit team lead, Cisco; Robert Wagner, security architect, TransUnion; Tim Larson, security consultant, Nokia Siemens Networks; and Steven Elefant, CIO of Heartland Payment Systems. Customers also got a chance to meet Qualys engineers, hear about Qualys' roadmap, participate in round tables and provide direct feedback and suggestions.

"I just wanted to say this was one of the most informative conferences I have ever attended. The information presented was both informative and beneficial. Meeting the folks at Qualys really helped since I am brand new with using the product," said Allstate, Security Consultant.

"I'd like to thank Qualys by the way for putting together another great seminar and presentation, as a user of your products it's appreciated that you are customer focused," said Judicial Council of California, Supervisor of Technical Services Groups.

Lastly, Qualys celebrated its 10th anniversary with customers at the stunning Julia Morgan Ballroom with a night of fine dining and entertainment.

Pictures of the conference can be seen at:
http://www.flickr.com/photos/27063400@N03/sets/72157622537337112/
Qualys has been ranked the 39th fastest growing company by the Silicon Valley/San Jose Business Journal's Top 70, a ranking of private companies in the Silicon Valley based on percent revenue growth from 2006 to 2008. This ranking highlights Qualys' continued growth and its customers' adoption of QualysGuard's IT security and compliance solutions, delivered in the cloud.

"We are honored for this acknowledgment by the San Jose Business Journal for the second consecutive year," said Philippe Courtot, CEO and chairman of Qualys. "We attribute this success to the opportunity our customers gave us to work with them, and to the SaaS model which allows us to respond to their specific security and compliance needs much quicker than enterprise software solutions."

The "Fast Private" represents the third industry recognition Qualys has received during the second half of 2009. In September, Qualys received the Information Security Magazine Readers' Choice Gold in the vulnerability management category and in August Qualys was named one of America's fastest-growing companies by Inc. Magazine for the third consecutive year.

Cloud Cover by Matt Vilano

Data security used to be all about spending big bucks on firewalls to defend data at the network perimeter and on antivirus software to protect individual computers. Internet-based computing, or cloud computing, has changed all that, at the same time expanding exponentially the chances for data thieves and hackers.
 
The cloud creates other opportunities too: a handful of security vendors now deliver security as a service--a one-two punch of hardware and software that monitors and manages an enterprise's data security and bills customers only for the computing power they use. "For years, security was about big companies pushing technology to their customers," says Qualys CEO and founder Philippe Courtot. "Now it's about the customers pulling precisely what they need and providing them with those resources on demand."
 
Under the old paradigm, according to Courtot, enterprises overspent for stand-alone security devices that became unruly and difficult to operate over the long term. He says Qualys attacks the flaws in this strategy by streamlining security and tackling most of the service delivery through the cloud. "We control the infrastructure, software updates, quality assurance and just about everything in between," he says.
 
Much of the company's current revenue--sales topped $50 million last year--is being driven by a set of standards established by the Payment Card Industry Security Standards Council (PCI SSC), a trade organization composed of credit-card companies. The standards were created in 2006 to help organizations that process card payments prevent fraud by tightening controls around customer data. One of those controls: a quarterly audit for network vulnerabilities by a firm from a list of approved vendors that includes Qualys. Analysts estimate that the PCI standards have generated at least $2.5 billion for security vendors in the U.S. "It's been a major driver of business for all of them, especially Qualys," says Avivah Litan, a vice president and analyst at market-research firm Gartner. "When everyone has to comply, there's a lot of work to go around."
 
Qualys aims to increase the depth of its vulnerability-scanning services, reaching further into networks by auditing servers that host and operate certain Web applications for self-propagating virus programs known as malware. It released a special QualysGuard module in April 2008 to achieve this objective. After a series of acquisitions this summer, an improved version will probably be forthcoming in the next 12 to 18 months. "Because of the Internet, the enterprise network is disappearing, and companies need to be ready to protect what's left," Courtot forecasts. Security as a service, it turns out, is a pretty legit business.
