Simplifying Cloud Asset Identification in a Multi-Cloud Environment

Enterprises struggle to get an accurate asset inventory in multi-cloud or hybrid cloud environments. Qualys enhances the metadata for cloud assets while simplifying the collection process. This blog explains how this functionality expedites the identification process, easily identifies vulnerable assets, and speeds the remediation process.

The adoption of cloud technologies has evolved significantly over the past two decades. Today most enterprises are adopting a multi-cloud or a hybrid cloud strategy. According to Global Channel Chief at Google, Carolee Gearhart, “Gartner is estimating that by 2021, 75 percent of midsize and large organizations will have adopted a multi-cloud or a hybrid strategy”.

Why? Because a multi-cloud approach eliminates crucial challenges like vendor lock-in and latency. What’s more, it provides better cloud cost management for enterprises. That said, it brings its own set of challenges, such as how to uniformly identify assets across the infrastructure and assess the risk they pose to the organization.

Let’s take a closer look at a couple of these challenges:

By design, each cloud provider identifies assets with its own proprietary set of attributes, and there is little commonality in how some of the key attributes are named. For example, to identify an instance, AWS uses “Instance ID”, Azure uses “VM ID”, and GCP uses “VM Instance ID”.

For an organization employing a multi-cloud strategy, this quickly becomes challenging from a reporting and analytics perspective. To make sense of the asset data, teams must run a separate query for each provider, which leaves them with one data silo per cloud provider’s asset attributes. They must then post-process that data to arrive at an accurate inventory of their cloud infrastructure.

Once each asset is identified, it is equally important to understand the security risk it may pose to the organization by mapping the asset to its possible vulnerabilities and misconfigurations. These extra mapping efforts delay remediation of the affected assets, which is where the time would be better spent.

Here at Qualys, our customers routinely ask us to enhance their metadata for cloud assets so that they can efficiently identify and map security issues related to them.

Simplifying Cloud Metadata Collection in a Multi-Cloud Environment

Over the last few years, Qualys Cloud Platform has continued to add metadata related to cloud assets. With our latest release, we have added a few additional capabilities that enable organizations to identify their cloud assets and to map cloud asset scan reports to their cloud asset inventory.

One key enhancement is the addition of generic Cloud Provider Metadata Fields that apply to all cloud providers — including AWS, Azure, GCP, and additional providers that we will support in the future. These attributes are now included in our host-based scan reports. This helps to expedite the mapping process, easily identify vulnerable assets, and speed the remediation process.

Here’s how it works:

Configuring the Host-Based Scan Report

Qualys customers can choose to include generic cloud provider metadata in their reports. You can choose whether to display Legacy EC2/Azure Fields, Cloud Provider Metadata Fields, or both sets of fields in Host-Based Scan Reports.

From the UI, edit the scan report template and make your selection on the Display tab, as shown here.

API Changes

Organizations can also get the same information via the API when creating or updating scan report templates. Passing the new input parameter “cloud_provider_metadata=1” includes the Cloud Provider Metadata fields in your report.

Cloud Metadata Details

Identifying and Mapping of AWS and Azure Cloud Assets

AWS and Azure cloud assets can be easily identified and mapped through Cloud Metadata details in the host-based scan report PDF.

Here are the Cloud Provider Metadata general fields that apply to all cloud providers and are added to the host-based report:

  • Cloud Provider (AWS or Azure)
  • Cloud Resource ID
  • Cloud Resource Type
  • Cloud Account ID

Note: You need to have a connector configured in Asset View to collect Azure metadata.

Identifying and Mapping of GCP Cloud Assets

GCP cloud assets can be easily identified and mapped through Cloud Metadata details in the host-based scan report PDF.

The following fields include Cloud Provider Metadata general fields that apply to all cloud providers as well as GCP-specific fields. All of these are newly added in the host-based report.

  • Cloud Provider (GCP)
  • Cloud Provider’s Service (Compute Engine)
  • Cloud Resource Type (VM Instance)
  • Project Id
  • VM Instance Id
  • VPC Network
  • Machine State
  • Machine Type
  • Zone
  • Private IP Address
  • Public IP Address
  • Hostname
  • MAC Address

The Qualys cloud metadata enhancement is available in almost all report formats – CSV, PDF, XML, Doc, and HTML/MHT. In addition, the corresponding API changes are released. For more details, please refer to our API release notes.

Cloud Asset Metadata Details in CSV Format

The table below lists which cloud asset metadata columns will appear in your CSV reports based on your report template settings. Columns will appear in the order shown.

Legacy EC2/Azure Fields: EC2 Instance ID, Public Hostname, Image ID, VPC ID, Instance State, Private Hostname, Instance Type, Account ID, Region Code, Subnet ID

Cloud Provider Metadata Fields: Cloud Provider, Cloud Provider Service, Cloud Service, Cloud Resource ID, Cloud Resource Type, Cloud Account, Cloud Image ID, Cloud Resource Metadata

All Fields: Cloud Provider, Cloud Provider Service, Cloud Service, Cloud Resource ID, Cloud Resource Type, Cloud Account, Cloud Image ID, Cloud Resource Metadata, EC2 Instance ID, Public Hostname, Image ID, VPC ID, Instance State, Private Hostname, Instance Type, Account ID, Region Code, Subnet ID

Important note about the Legacy EC2/Azure Fields in CSV

These fields were initially introduced for AWS cloud assets and will be populated with the metadata for your AWS EC2 assets.

For Azure and GCP assets, all Legacy EC2/Azure columns except the EC2 Instance ID column will appear blank in the CSV report. We will continue to populate the EC2 Instance ID column for all cloud assets (AWS, Azure, GCP). The EC2 Instance ID column is superseded by Cloud Resource ID and will be deprecated in a future release.
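As an added illustration (not code from this post or from Qualys), the script below shows how a consumer of the CSV export can key findings on the provider-neutral Cloud Provider / Cloud Resource ID columns and fall back to EC2 Instance ID when only the legacy columns are present. The two CSV samples, the QID and Severity columns, and the `i-` prefix heuristic for legacy rows are constructed assumptions; the column names are the report template’s.

```python
import csv
import io
from collections import defaultdict

# Constructed "All Fields" export using a subset of the template's columns.
# QID/Severity are assumed finding columns; every value below is made up.
ALL_FIELDS_CSV = """\
IP,QID,Severity,Cloud Provider,Cloud Resource ID,Cloud Resource Type,Cloud Account,EC2 Instance ID,Account ID,Region Code
10.0.1.5,11111,5,AWS,i-0123456789abcdef0,Instance,123456789012,i-0123456789abcdef0,123456789012,us-east-1
10.0.1.5,22222,3,AWS,i-0123456789abcdef0,Instance,123456789012,i-0123456789abcdef0,123456789012,us-east-1
10.1.0.7,33333,4,Azure,vm-web01-resource-id,Virtual Machine,sub-0001,vm-web01-resource-id,,
10.2.0.9,44444,5,GCP,8765432109876543210,VM Instance,my-gcp-project,8765432109876543210,,
"""

# Constructed "Legacy EC2/Azure Fields" export of the same hosts: only the
# legacy columns exist, and only EC2 Instance ID is filled for non-AWS hosts.
LEGACY_CSV = """\
IP,QID,Severity,EC2 Instance ID,Instance State,Account ID,Region Code
10.0.1.5,11111,5,i-0123456789abcdef0,running,123456789012,us-east-1
10.1.0.7,33333,4,vm-web01-resource-id,,,
10.2.0.9,44444,5,8765432109876543210,,,
"""


def asset_key(row):
    """Return (provider, resource_id) for one finding row.

    Prefers the provider-neutral Cloud Provider / Cloud Resource ID columns,
    then falls back to EC2 Instance ID (still populated for all providers but
    slated for deprecation), and finally to the host IP.
    """
    provider = (row.get("Cloud Provider") or "").strip()
    resource = (row.get("Cloud Resource ID") or "").strip()
    if not resource:
        resource = (row.get("EC2 Instance ID") or "").strip()
    if not provider:
        # Legacy exports carry no provider column; the "i-" prefix is the only
        # hint this example uses, so Azure/GCP hosts come out as UNKNOWN.
        provider = "AWS" if resource.startswith("i-") else "UNKNOWN"
    return provider, resource or row.get("IP", "")


def findings_by_asset(csv_text, min_severity=4):
    """Group QIDs at or above min_severity by normalized asset key."""
    grouped = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if int(row["Severity"]) >= min_severity:
            grouped[asset_key(row)].append(row["QID"])
    return dict(grouped)
```

Running both samples through `findings_by_asset` shows the practical difference: the "All Fields" export yields one cleanly attributed key per provider, while the legacy export leaves the Azure and GCP hosts without a provider.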

Cloud Asset Metadata Details in XML Format

The table below lists which cloud asset metadata tags will appear in your XML reports based on your report template settings.

Cloud Provider: AWS
  • Legacy EC2/Azure Fields: CLOUD_PROVIDER, CLOUD_PROVIDER_SERVICE, CLOUD_SERVICE, CLOUD_RESOURCE_ID, CLOUD_ACCOUNT, EC2_INSTANCE_ID, EC2_INFO
  • Cloud Provider Metadata Fields: CLOUD_PROVIDER, CLOUD_PROVIDER_SERVICE, CLOUD_SERVICE, CLOUD_RESOURCE_TYPE, CLOUD_RESOURCE_ID, CLOUD_ACCOUNT, CLOUD_IMAGE_ID, CLOUD_RESOURCE_METADATA
  • All Fields: CLOUD_PROVIDER, CLOUD_PROVIDER_SERVICE, CLOUD_SERVICE, CLOUD_RESOURCE_TYPE, CLOUD_RESOURCE_ID, CLOUD_ACCOUNT, EC2_INSTANCE_ID, CLOUD_IMAGE_ID, EC2_INFO, CLOUD_RESOURCE_METADATA

Cloud Provider: Azure
  • Legacy EC2/Azure Fields: CLOUD_PROVIDER, CLOUD_PROVIDER_SERVICE, CLOUD_SERVICE, CLOUD_RESOURCE_ID, CLOUD_ACCOUNT, EC2_INSTANCE_ID, AZURE_VM_INFO
  • Cloud Provider Metadata Fields: CLOUD_PROVIDER, CLOUD_PROVIDER_SERVICE, CLOUD_SERVICE, CLOUD_RESOURCE_TYPE, CLOUD_RESOURCE_ID, CLOUD_ACCOUNT, CLOUD_IMAGE_ID, CLOUD_RESOURCE_METADATA
  • All Fields: CLOUD_PROVIDER, CLOUD_PROVIDER_SERVICE, CLOUD_SERVICE, CLOUD_RESOURCE_TYPE, CLOUD_RESOURCE_ID, CLOUD_ACCOUNT, EC2_INSTANCE_ID, CLOUD_IMAGE_ID, AZURE_VM_INFO, CLOUD_RESOURCE_METADATA

Cloud Provider: GCP
  • Legacy EC2/Azure Fields: CLOUD_RESOURCE_ID, EC2_INSTANCE_ID
  • Cloud Provider Metadata Fields: CLOUD_PROVIDER, CLOUD_PROVIDER_SERVICE, CLOUD_SERVICE, CLOUD_RESOURCE_TYPE, CLOUD_RESOURCE_ID, CLOUD_ACCOUNT, CLOUD_IMAGE_ID, CLOUD_RESOURCE_METADATA
  • All Fields: CLOUD_PROVIDER, CLOUD_PROVIDER_SERVICE, CLOUD_SERVICE, CLOUD_RESOURCE_TYPE, CLOUD_RESOURCE_ID, CLOUD_ACCOUNT, EC2_INSTANCE_ID, CLOUD_IMAGE_ID, CLOUD_RESOURCE_METADATA

For more details of XML tags, please refer to this doc.

These Cloud Metadata enhancements are now available to all Qualys customers having the VM/VMDR subscription. Contact your Technical Account Manager (TAM) or Support to get this functionality enabled for your subscription today!

Learn more about VMDR and sign up for your own trial.

Frequently Asked Questions (FAQ)

What is the timeline for this functionality to be available?

This functionality has already been released in QWEB 10.16.0.0.

Do I need to reach out to my Technical Account Manager to enable this feature?

No. The dependencies on the EC2 add-on and on the “Enable Cloud Perimeter Azure VM Scans” preference setting have been removed.

How do I enable the cloud metadata in Host-based scan reports?

Please refer to the “Configuring the Host-Based Scan Report” section above for configuration details.

I am not able to see the cloud metadata in Host-based scan reports. What should I do?

Please ensure that you have configured the “Cloud Provider Metadata” checkbox in the Display tab in the scan report template.

Do I need to enable cloud metadata individually for each cloud provider?

No, you only need to configure the “Cloud Provider Metadata” checkbox in the Display tab in the scan report template, and it will take care of all cloud providers.

This post was first published on the Qualys Security Blog by Swapnil Ahirrao.