Data Security Features
The QualysGuard Secure Operations Center (SOC)
High Availability: QualysGuard is a fully automated Web service that is available to customers 24x7x365, built upon a redundant and load-balanced architecture for its critical systems.
SAS-70 Audited: The QualysGuard service is hosted in a separate datacenter that successfully completed a SAS-70 audit concerning access methods and controls. The QualysGuard service infrastructure is isolated from other systems within Qualys and only designated employees have access to this infrastructure.
Multi-layered protection and monitoring: All QualysGuard service systems are protected with host-based and network-based firewalls, IDS, and integrity monitoring. A dedicated staff of qualified, fully screened Security Engineers monitor and maintain the QualysGuard infrastructure around the clock.
Storage and Communication Security
Data encryption: Vulnerability results are encrypted on a per-customer basis with a strong public-key algorithm before they are stored in the database, and they can only be decrypted with the customer's unique password. That password is not stored anywhere on the QualysGuard servers, and neither Qualys nor its employees have access to it.
Transit encryption: All user interaction with QualysGuard requires a strong-crypto HTTPS (SSLv3) connection from the user's Web browser to the QualysGuard SOC; clear-text and weak-crypto connections are refused. (SSLv3, the protocol version named here, has since been deprecated by RFC 7568; a current deployment would require TLS 1.2 or later.)
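As an added illustration of the per-customer, password-unlocked encryption described above (example code written for this page, not Qualys's implementation; the record layout, the hybrid RSA-OAEP/AES-GCM construction, the PBKDF2 work factor and the sample result text are all assumptions), the following Go program shows the property that matters: the ingest side can encrypt results with the customer's public key alone, while the private key is kept only wrapped under a password-derived key, so nothing held on the server decrypts the data without the password.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

type CustomerKeys struct { // hypothetical server-side record; the password is never stored
	Salt, PublicKeyDER []byte
	WrappedPrivateKey  []byte // nonce||AES-GCM(KEK, PKCS#8 DER), KEK derived from the password
}

type EncryptedResult struct { // one stored scan result
	WrappedDataKey []byte // RSA-OAEP(customer public key, dataKey)
	Payload        []byte // nonce||AES-GCM(dataKey, results)
}

const kdfIterations = 100000 // assumed PBKDF2 work factor

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// kdf is PBKDF2-HMAC-SHA256 (RFC 8018) for a single 32-byte output block.
func kdf(password, salt []byte, iter int) []byte {
	prf := hmac.New(sha256.New, password)
	mac := func(d []byte) []byte { prf.Reset(); prf.Write(d); return prf.Sum(nil) }
	u := mac(append(append([]byte{}, salt...), 0, 0, 0, 1)) // U_1 = PRF(P, S||INT(1))
	t := append([]byte(nil), u...)
	for i := 1; i < iter; i++ {
		u = mac(u) // U_i = PRF(P, U_{i-1}); T = U_1 xor ... xor U_c
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}

// gcmSeal prepends a random nonce; gcmOpen fails when the key is wrong or the blob was altered.
func gcmSeal(key, plaintext []byte) []byte {
	aead := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := make([]byte, aead.NonceSize())
	must(rand.Read(nonce))
	return aead.Seal(nonce, nonce, plaintext, nil)
}

func gcmOpen(key, blob []byte) ([]byte, error) {
	aead := must(cipher.NewGCM(must(aes.NewCipher(key))))
	if n := aead.NonceSize(); len(blob) >= n {
		return aead.Open(nil, blob[:n], blob[n:], nil)
	}
	return nil, fmt.Errorf("ciphertext too short")
}

// Enroll makes the customer's key pair and keeps only the wrapped private key.
func Enroll(password string) CustomerKeys {
	priv := must(rsa.GenerateKey(rand.Reader, 2048))
	salt := make([]byte, 16)
	must(rand.Read(salt))
	return CustomerKeys{Salt: salt, PublicKeyDER: must(x509.MarshalPKIXPublicKey(&priv.PublicKey)),
		WrappedPrivateKey: gcmSeal(kdf([]byte(password), salt, kdfIterations), must(x509.MarshalPKCS8PrivateKey(priv)))}
}

// EncryptResult is the ingest side: only the public key is needed, no password is present.
func EncryptResult(pubDER, results []byte) EncryptedResult {
	pub := must(x509.ParsePKIXPublicKey(pubDER)).(*rsa.PublicKey)
	dataKey := make([]byte, 32)
	must(rand.Read(dataKey))
	return EncryptedResult{WrappedDataKey: must(rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dataKey, nil)),
		Payload: gcmSeal(dataKey, results)}
}

// DecryptResult is the only path back to plaintext, and it needs the password.
func DecryptResult(password string, keys CustomerKeys, enc EncryptedResult) ([]byte, error) {
	privDER, err := gcmOpen(kdf([]byte(password), keys.Salt, kdfIterations), keys.WrappedPrivateKey)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap private key (wrong password?): %w", err)
	}
	priv := must(x509.ParsePKCS8PrivateKey(privDER)).(*rsa.PrivateKey)
	dataKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, enc.WrappedDataKey, nil)
	if err != nil {
		return nil, err
	}
	return gcmOpen(dataKey, enc.Payload)
}

func main() {
	keys := Enroll("correct horse battery staple")
	enc := EncryptResult(keys.PublicKeyDER, []byte("constructed result: 10.0.0.5 tcp/22 open"))
	_, bad := DecryptResult("wrong password", keys, enc)
	good, _ := DecryptResult("correct horse battery staple", keys, enc)
	fmt.Printf("wrong password: %v\nright password: %s\n", bad, good)
}
```

Two consequences follow from this construction and are worth checking against any vendor claim of this kind: a lost password means the stored data is unrecoverable, because no escrow copy of the private key exists; and a password change only requires rewrapping the private key under the new KEK, not re-encrypting every stored result.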
QualysGuard Intranet Scanner Appliance Security
Hardened platform: The QualysGuard Intranet Scanner is designed as a client-only device: it initiates all of its own connections and exposes no services or daemons to the network. The appliance runs a hardened operating system kernel designed to prevent shell-code and buffer-overflow attacks.
Secure communication: All communication between the QualysGuard Intranet Scanner appliance and the Qualys Secure Operations Center is strongly encrypted with SSL over outbound-only connections to TCP port 443. Update packages are digitally signed by Qualys during the release process, and the appliance validates the signature before installing them. The appliance keeps no scan results; all data is transmitted to the Qualys SOC and stored there encrypted.
Limited access: Initial installation of the appliance requires a QualysGuard account login. After setup, all appliance management is performed through the QualysGuard Web-based user interface; no Telnet or other direct connection to the appliance is accepted.
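As an added example of the signed-update check in the appliance section (code written for this page, not Qualys's release tooling; the Ed25519 scheme, the domain-separation tag, the package layout and the sample image bytes are assumptions), the following Go program signs an update on the release side and verifies it on the appliance side before installation. It goes slightly beyond the text by also rejecting a package whose version is not newer than the installed one, a rollback guard any signed-update scheme needs.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// UpdatePackage is a constructed stand-in for a signed appliance update.
// The signature covers a hash that binds version and content together.
type UpdatePackage struct {
	Version   uint32
	Payload   []byte
	Signature []byte
}

var (
	ErrBadSignature = errors.New("update rejected: signature does not verify")
	ErrNotNewer     = errors.New("update rejected: version is not newer than installed")
)

// signingInput hashes a domain tag, the version and the payload so that a
// valid signature cannot be moved onto a different payload or version.
func signingInput(version uint32, payload []byte) []byte {
	h := sha256.New()
	h.Write([]byte("appliance-update-v1\x00")) // hypothetical domain-separation tag
	binary.Write(h, binary.BigEndian, version)
	h.Write(payload)
	return h.Sum(nil)
}

// SignUpdate models the release step; only the release side holds priv.
func SignUpdate(priv ed25519.PrivateKey, version uint32, payload []byte) UpdatePackage {
	return UpdatePackage{Version: version, Payload: payload,
		Signature: ed25519.Sign(priv, signingInput(version, payload))}
}

// VerifyUpdate is the appliance-side gate run before anything is installed.
// pub is pinned in the appliance image; installedVersion blocks replay of an
// old but validly signed package (an addition beyond what the page states).
func VerifyUpdate(pub ed25519.PublicKey, installedVersion uint32, pkg UpdatePackage) error {
	if !ed25519.Verify(pub, signingInput(pkg.Version, pkg.Payload), pkg.Signature) {
		return ErrBadSignature
	}
	if pkg.Version <= installedVersion {
		return ErrNotNewer
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	pkg := SignUpdate(priv, 8, []byte("constructed update image"))
	fmt.Println("genuine:", VerifyUpdate(pub, 7, pkg))
	pkg.Payload = append(pkg.Payload, '!') // tamper after signing
	fmt.Println("tampered:", VerifyUpdate(pub, 7, pkg))
}
```

The check runs before the package is unpacked or executed, and the verification key lives in the appliance image rather than arriving with the update, so an attacker who can reach the download path but not the release signing key cannot get code onto the appliance.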
