Qualys is launching what it claims is the first security and compliance software-as-a-service suite on the market.
Qualys, the company best known for its on-demand approach to security and compliance, has released what it says is the first software-as-a-service security suite.
The QualysGuard Security and Compliance Suite, which will be delivered to companies as a hosted service, is designed to address security monitoring and compliance challenges together.
“We’re basically adding a new policy compliance application to our vulnerability management and PCI applications,” said Amer Deeba, chief marketing officer of the Redwood Shores, Calif.-based company. “So a company can first collect system information and then map that information into standards or regulations. Then they can build around whatever framework they use and use the results to determine where they are in compliance and where they aren’t.”
Unlike a managed security services offering, where everything is provided for the customer and run by the provider, Qualys’ model provides organizations with the application. Internal staff then run scans and take appropriate actions themselves.
The suite is offered in three pieces, and customers can buy one or all of the pieces.
QualysGuard Policy Compliance 1.0, the new SAAS-based compliance portion of the suite, allows users to set up automated compliance scans with controls based on industry and government standards, and maps those controls to major industry regulations, such as Sarbanes-Oxley, HIPAA, CoBIT, ISO and NIST. It also provides automated compliance reporting, allowing users to map compliance to policies by asset group or by host.
The second part of the suite is QualysGuard Vulnerability Management, an on-demand Web-based offering that helps companies discover all devices and applications on the network and prevent vulnerabilities. The third part of the triumvirate is QualysGuard PCI Compliance, which helps companies comply with the PCI (Payment Card Industry) data security standard, including conducting network security scans to identify and eliminate security vulnerabilities. It is also Web-based and on-demand.
The suite is offered in two configurations: the Enterprise edition, with unlimited vulnerability and compliance scans and unlimited users; and the Express edition, aimed at small and midsized companies. The Express edition, with annual subscriptions starting at $2,500, includes unlimited vulnerability and compliance scans but limits users to six. There are no distributed capabilities, and the reports are simple and easy to read.
“The other details are there if they want to drill down, but we wanted to make it simple and easy to use,” Deeba said.
Time will tell whether customers will be comfortable receiving security and compliance monitoring and testing via the SAAS model, said Mike Rothman, president of Security Incite, an Atlanta-based consultancy.
“Customers want to be able to check a box and make the problem go away, so this seems like a natural solution. But there is nothing easy about security, and nothing easy about getting to the position of compliance,” he said. “To date, most customers have been pretty resistant to putting these things in the clouds.”
QualysGuard Policy Compliance will be available in the United States on April 22. QualysGuard Vulnerability Management and QualysGuard PCI are currently available.