Episode 92: The Inconvenient Truth of Security from the 2010 InfoSec Conference
Amrit Williams, BigFix CTO, discusses Cloud Computing and other trends with Philippe Courtot, CEO of Qualys Inc. at the 2010 InfoSec Conference.
FULL TRANSCRIPT
Amrit Williams: Welcome, this is Amrit Williams, your host on “Beyond the Perimeter”, and today I am joined by Philippe Courtot, Founder, CEO and President of Qualys.
Philippe, thanks for joining me today.
Philippe Courtot: Thank you for inviting me.
Amrit Williams: We’re sitting here in Infosec Europe, and there’ll be a bunch of these podcasts coming up; but Qualys, you know, one of the things that I found interesting, Philippe, about Qualys was the drive that you guys had for moving things into the cloud. And when it was first introduced, I think there was a lot of resistance to it, and you must be feeling a little bit of vindication that cloud computing and these types of approaches to securing infrastructures are becoming much more accepted.
Philippe Courtot: I would not say vindication, but what I would say is that today we have a significant market adoption. In fact, today more than 40% of the Fortune 100 companies have standardized on the Qualys VM platform and are all very excited with the fact that we have now brought PCI as really one of the most powerful platforms. 62% of the VHVs are now using Qualys, 48% of the QSAs. And then, of course, we have our policy compliance, which we introduced a bit more than a year-and-a-half ago and which is now starting to be mature and taking traction; same thing for the web-application scanning. And of course, we now have the malware detection service, which will be free for all and for every website on the planet.
So people start to see that we have really built a platform today which can essentially simplify and abstract the complexity of security, which, obviously as we very well know, is that building security applications is very hard. And delivering them at scale is even harder. I think that’s what Qualys has done.
So the support of our customers, to answer your question, is really… the customers which have followed us, most of our customers, in fact, have followed us for ten years, so we have very little erosion of our customer base and, in fact, they are really welcoming business services.
Amrit Williams: Those three services that you mentioned, I’d like to focus a little bit on the one, the free malware-scanning technology. Can you talk a little bit about the details of that? I mean, what does the service actually provide, and how do people get exposed to it?
Philippe Courtot: Yes, absolutely. So what the service provides essentially if you subscribe to the service, which is free — and will be, by the way, free forever; we have absolutely no intentions of charging for that service, and I would explain to you why after that.
So if you subscribe to the service, you then want us to scan your website daily to detect, to ensure that that website is not being compromised and therefore is not serving malware to the visitors to your website. What is also very unique with that technology is that the way it’s done and built, it has no false positives.
So we may still have some false negatives, missing some malware which has been very cleverly hidden somewhere deep down in your website; but we will not generate false positives, essentially because of the very nature of the implementation of our solution. And that is what allows us to really make it available for a large population; in fact, we built it to the scale of the planet, as everything that we have done at Qualys. In fact, we do more than 500 million IT scans per year today. And so now we could essentially scan every website on the planet. Currently we do 5 million URLs per day and could do 20, 50 million URLs.
So by now I think you realize the difficulty: if you’ve got a lot of websites and you receive all these phone calls for false positives, you would drive everybody nuts to start with; and second, you have a huge support cost behind that. So the fact that the technology itself doesn’t generate false positives, or at least it’s very, very rare, and if it is, we can go immediately back into our code, understand where the problem was and then fix it for everybody at the same time. That’s the power of the model of this technology.
Amrit Williams: And how often are you scanning these websites?
Philippe Courtot: Every day.
Amrit Williams: Oh, okay, on a daily basis?
Philippe Courtot: Yes, because I think with malware, if you want to have that, we probably may have some paid services if you want to scan every hour, because some companies are in such a sensitive market that they would want to really know every time. So the reason why we make it free is the obvious reason: it’s publicity, brand recognition; but more importantly, it’s because what that service is is essentially a huge 4:42 on the Internet. And so the more people we have and the more websites we scan and the more we look at the malware, the more knowledge of the malware we’re going to have. And then our intent, and we’ve already started to do that, is to share that malware knowledge with other companies which would want to share with us.
(00:05:02)
So with that we create for the community a much better understanding of the type of malware, its evolution, et cetera, et cetera. As you very well know, we are competing against extremely organized individuals, and they share that information between themselves. The Security industry has not had the habit of sharing. It has been much more about “Oh, I’ve got more knowledge than my competitor; therefore, you should buy from me”. And I think that was working well in the past. Today, against the threats that we all have to cope with, that model doesn’t break when you have a much more community approach. Then, of course, except for the people to have the derivative, if you prefer, business models whereby you can obviously recoup the costs.
Amrit Williams: It seems like that would be a very natural tie-in for the data that you guys might be able to collect on potential malware infestations and then feeding that into something like the Trend Smart Protection Network, right…
Philippe Courtot: Absolutely.
Amrit Williams: … and allowing them to send it out into their web reputation services.
Philippe Courtot: Absolutely. And you have also additional synergies, like immediate synergies with our web-application scanning, which now also is becoming mature and can essentially scan all of the applications in an enterprise. So we have that scalability again that our model is. So then you start to realize that obviously, we have now the knowledge of the malware, we have the knowledge of the vulnerabilities on the website, the other PCs is the web-application follow-up. So today we are also, like everything that Qualys does, also we interpret; in other words, we always pass our data to others. So in this specific case, we are creating integration with Imperva, and we’ll do the integration with other passing of data. So now you have that trilogy of trinities, if you want to call it like that. And then we also will be starting working on building the web-application follow in the clouds, as well.
Amrit Williams: And folks interested in receiving a service, they can get it from the Qualys website?
Philippe Courtot: Absolutely. So you go to the Qualys website. And then we have not still — it’s in there as of today. So we have not been in broad mass distribution yet; it will 7:13 hours a day. We are going to go to production most likely in June, and then we are going to make it even more broadly available through our partners, et cetera; so make sure that almost, you know, we are collecting as much malware as we can essentially.
Amrit Williams: So Qualys has been in the business of providing vulnerability assessment and management data for quite some time.
Philippe Courtot: Correct.
Amrit Williams: What have you noticed changing, if anything, radically over the past three to five years?
Philippe Courtot: So this is where you go into my favorite subject here. So this is something that I addressed in the keynote that I gave at RSA, in fact, last year and even the year before. The fact that fundamentally today securing the current computing environment, which is your network and the enterprise, as we all know — and I call that “the inconvenient truth in security” — has been and is continuing to be harder and harder and harder. And this is by the very nature of the network itself, the fact that for the business you are having to open up the network even more. So locking down things becomes impossible either, and then the technology is moving so fast. In the enterprises of today, totally, how could you add the talent and even attract and retain the talent who has to understand all these many different facets of security? So everybody now is conscious that the problem is getting bigger.
At the same time, you have now more regulations, which forces you to disclose the averages, which forces you to in fact pay more attention to compliance. So it’s becoming almost impossible to solve. So Qualys, obviously we have a large customer base of very large companies and very small companies, as well.
So we have been, in fact, helping to cope with that by bringing security and compliance together and delivering that as a service, which facilitates the task. But this being said, this is still not fundamentally enough, and I personally believe and have always believed that, in fact, cloud computing is offering a huge opportunity to the Security industry and I would say to the Security professionals, to the practitioners, to build the security into the infrastructure of the cloud — which is something, by the way, that we, Qualys, have had to do early on, because of our customers — if you discuss with Marc Benioff, the CEO of Salesforce.com, when he launched his CRM in the cloud model, Salesforce.com, the resistance was coming not from the businesspeople, who all wanted to adopt that form of facility, the deployability, the fact that you could connect with your suppliers, with your customers, with everybody in one single place in the cloud; but the people who were resisting were the IT people, who said, “Wait a minute, I don’t have anything anymore to do here”, and then the Security people said, “Wait a minute, my job is to protect the data inside the company, and the data is going out”.
Amrit Williams: Right.
Philippe Courtot: So these were our customers. So in order to satisfy the very natural, if you prefer, requirements of our customers, the Security people, we wanted to essentially not only build the security into the fabric of what Qualys has done, but also demonstrate and be very open and transparent about how we are taking good care of the data. So we have learned that since the very beginning; if we had not done that, we would not be where we are.
But this being said, I maintain that today securing the cloud, which we have experience obviously of, is much easier to do than securing the enterprise. The reason is because you have the data in one place. You can therefore control the access. The cloud-computing vendors like Qualys and others can attract and retain the specific talent, and we can amortize a significant cost of building the security into the fabric of what we do across our many, many users. And furthermore, if we are breached, this is a huge threat to our business.
Amrit Williams: Right.
Philippe Courtot: So we have absolutely a significant business interest of doing the best we can. So as we see more and more companies moving their application to the cloud, that’s the good news, because it means that the complexity to secure the current networks will be reduced while you pass the responsibility of securing to others.
Amrit Williams: To third parties, right.
Philippe Courtot: So we are going, I believe, at some point in time, which I think will be probably in a couple of years now that there is more and more Software-as-a-Service or cloud-computing offerings available in the marketplace, we’re going to start to see that shift accelerating and then at last be in a position where we can gain ground against the bad guys, where today it’s very clear that if you look at the Aurora attack and others, we are losing the battle.
Amrit Williams: Have you seen, because I know that we’ve had lots of conversations in the past, Philippe, and I know maybe 2003, 2004 I made some comments to you that a lot of companies would be resistant to allowing data to go to a third party, and I think you guys have done an excellent job of providing that transparency. Do you still get that type of resistance, or is there much more acceptance that this is really the natural path and the way that things are evolving? Is the resistance dying down? Do you still deal with that in terms of adoption?
Philippe Courtot: We still have to deal with the resistance; however, we see two things that differ from the past — I think the turning point for us was about two years ago, so I would say 2009, end of 2008 — where before that, we were not invited to the dance, if I may say so, for many –
Amrit Williams: Just because you were a cloud?
Philippe Courtot: Just because we were a cloud.
Amrit Williams: Yeah, yeah.
Philippe Courtot: Since then, we have been invited and only invited, and those who didn’t have a cloud solution were not invited. So we saw that change.
Amrit Williams: That’s interesting, yeah.
Philippe Courtot: We still see the resistance; however, what it’s doing now — and I think it was very clear at the RSA 2010, and then I went to the CSA Conference in Barcelona in Europe, and then I recently went to the European Commission in Brussels — you could see today that I think the Security people have understood that that movement into the cloud is absolutely inevitable.
Amrit Williams: Right.
Philippe Courtot: So even if they are still reluctant fundamentally because of their culture, if you prefer, they know now that resisting, in fact, is becoming dangerous, because the business now, again especially with more regulation, more data breach disclosure, now certainly Security has been elevated to a much higher level. So now it’s not anymore “You don’t tell me I cannot go to the cloud here, because I have to do that for business reasons; so you better now tell me and show that this is going to be secure. And by the way, you still have to secure your enterprise”.
So I think the debate has elevated, which I think gives a very fundamental opportunity again to the Security practitioners. If they elevate themselves so and adopt the cloud, then certainly they’re going to become the ally of the business.
(00:14:55)
I would not say that it’s good news of moving the cloud for the IT people, because they are the ones which are essentially going to be dislocated as more and more of the cloud computing takes very similar — if you look at that cloud-computing phenomena, it’s nothing new. This is exactly the Internet doing to the high-tech industry and the Security industry in particular what it has already done for many other businesses, like the publishing industry: totally dislocating the business.
Amrit Williams: And it means the practitioners need to evolve.
Philippe Courtot: Absolutely. So those who will evolve will thrive; those who don’t want to evolve, it is going to be harder and harder for them to fight that battle.
Amrit Williams: Yeah, I absolutely agree. So what’s on the horizon? Anything interesting coming that you’re willing to talk about with Qualys?
Philippe Courtot: Oh, I mean, there’s one thing which we are already pushing more and more, as you saw with that initiative with the malware-detection services, that I really believe that we have to really build a much stronger community of Security professionals. And so that I think is a kind of a mission that Qualys has embarked on. I think we want to really show that by bringing more minds into the problem and really creating a kind of an openness, as opposed, if you prefer, to the… I would say that old high-tech industry which essentially was very proprietary, we have seen since the very beginning where the 16:31 APIs when I look at the data that we have, this is not our data. The way we look at it is that this is the data of our customers, and it is our responsibility to do two things: one is to ensure the security of the data and, the second, make that data available to them to do whatever they want with it. So we use that data to create some applications; but we have no reason to prevent these customers from doing what they want with that data; after all, they pay us to collect that data.
So it’s a very different mindset, and the mindset difference is fundamentally because we are not a product company. When you’re a product company, you’ve got to put your gears there first, because once you have put them there you cannot be displaced, or if yours are not there you cannot easily displace others. When you’re a service, interestingly, you can be switched significantly more easily. It’s like when you rent a car: if Avis doesn’t give you a good service, you can go to Hertz or vice-versa. So you’ve got to have that security in mind. In other words, you have to have the customer in mind.
Philippe Courtot: So we are not product-centric, so we are a service-centric company, and that’s the fundamental difference that cloud computing also brings, you know, to the market.
Amrit Williams: Yeah.
Philippe Courtot: So the Security vendors will have to start to think about service, not about product. And those who don’t evolve, so if you look back, interestingly enough, at IBM, what happened with IBM. IBM survived the mainframe, and it was the only company; when you look at it, there were a lot of very big, powerful companies which were delivering mainframes; none of them survived. And people believe that IBM survived because they were the biggest. That’s not true. They survived because they evolved, and how did they evolve? Essentially, Steve Mills, who is in my book the unsung hero of IBM, did the technical revolution by embracing Linux, $1.5 billion that IBM invested 20 years ago — I don’t remember the date exactly — and everybody thought IBM had gone totally crazy to invest in what? That kind of open-source thing? And, yes, but they were using Linux to capture all their old mainframes and architecture and then emerged as a middleware and a service company. So from a product company, they became a service company.
And then the second hero, obviously, which everybody knows, is Lou Gerstner, who did the cultural revolution, essentially eliminating a lot of the old management of IBM which were product-centric, replacing them with people coming from the bottom up and also adding new talent, who were more like him, as service-minded people. And that’s why IBM is what IBM is today. If they had not done that, IBM would have disappeared like everybody else.
Amrit Williams: And it’s interesting. The IT industry, Security specifically, really requires these companies to evolve and evolve quickly, because there’s so much change and it is so dynamic.
Philippe Courtot: Correct, correct, and that’s a very good point that you have. That’s the big difference. It took –
Amrit Williams: Yeah.
Philippe Courtot: In fact, I had a discussion on this very subject with Bill Gates like five years ago about the speed of change, because, yes, it took 25 years to have the mainframe-to-enterprise computing revolution. Today, the argument I was making then was, “It’s not going to take 25 years; it’s going to take 10 years”.
Amrit Williams: Oh, yeah.
Philippe Courtot: So that was about five years ago. So if I’m relatively right, then in five years look at where we are going to be. And some of the arguments that I’m giving to highlight that is, if you look today at the cost of mail, it costs about $84 billion a year to maintain 400 million Microsoft Outlook clients. It doesn’t cost more than a few millions to Google or Yahoo! to maintain 200 million each, I think, of web-based clients, and it’s not the cost of the software. Even if Microsoft would give it away, you know…
Amrit Williams: It’s the cost of the infrastructure.
Philippe Courtot: … it’s the cost of the infrastructure: the servers, the people needed to maintain that 24×7, et cetera, et cetera. And people make a false argument in saying, “Oh, but my mail is not secure at Google”. Is your mail secure in your company?
Amrit Williams: Yeah.
Philippe Courtot: In reality, the mail that goes across the Internet is not encrypted, because encrypting mail is very difficult. In fact, Google could very easily, if they wanted to, essentially provide totally encrypted mail as a solution, because the mail is in one place, and then they could encrypt in a similar type of encryption scheme so the user would log in, essentially; the mail stays encrypted and the user, in fact, when he connects decrypts with his key.
So that I think is one of the examples of how disruptive cloud computing is, and this is going to be more and more visible every day. You look at the iPod and iPad, iPhone, et cetera, this is a perfect example of a cloud-computing application. Now certainly, who would have believed that Apple would bring thousands of applications on the iPhone, which overnight are going to be enhanced significantly because of the new format of the iPad, and it’s the delivery.
So the Internet, what it brings to you is that it’s a fantastic delivery mechanism to deliver technology. So you have that, as long as you balance that Qualys did the resources that you need, the computing power that you need in the cloud, with whatever computing power you need at the client side. So in our case we have appliances totally remotely managed; then that’s the power of distribution that cloud computing has.
Amrit Williams: Yeah. Well, Philippe, I really appreciate you spending time with me today, and hopefully I’ll get a chance to talk to you again on the podcast soon. Thank you so much.
Philippe Courtot: Absolutely. Thank you very much.
Announcer: You have just listened to “Beyond the Perimeter”, sponsored by BigFix Inc. Views expressed on this podcast are the personal opinions of podcast participants and do not reflect official positions of their employers or BigFix.
Thanks for listening!