
Out-of-Band Configuration Assessment.

Extend security and compliance to inaccessible assets.

Cloud solution for detecting vulnerabilities and misconfigurations in isolated and hard-to-reach assets

451 Research

Qualys Out-of-Band Configuration Assessment helps to eliminate blind spots by securely gathering and managing asset and configuration data from high-sensitivity assets and assessing their security exposure.

Robert Ayoub Scott Crawford Research Director, Information Security, 451 Research

Highlights

Customized data collection for isolated devices

Most organizations have critical assets which, for technical or policy reasons, can’t be actively scanned or monitored with an agent. In these cases, customers fall back on manual assessments, ad hoc scripts, or ineffective products, making the process difficult, time-consuming, and inexact. With OCA, customers can collect metadata and configuration information from such devices while controlling how, when, and what data is accessed and by whom. They then upload the data to the Qualys Cloud Platform.

Multidimensional and global view of data

Once in the Qualys Cloud Platform, data collected via OCA is shared and leveraged across Qualys apps, including Asset Inventory, Policy Compliance, and Vulnerability Management, so the same evaluation data can be viewed and analyzed from each app’s perspective. OCA data is also consolidated with the data gathered by Qualys scanners and agents, giving organizations a complete view of their assets’ security and compliance from a central “single-pane-of-glass” dashboard.

Flexible data extraction and uploading

OCA helps you extract IT, configuration, and vulnerability data from these assets and upload it to the Qualys Cloud Platform via various methods. For example, you can automate these tasks using OCA’s APIs, or carry them out more granularly using the product’s simple user interface. With this flexibility, you can easily eliminate blind spots, complete your asset inventory, and obtain full security and compliance coverage.

Streamlined, consolidated reporting for IT GRC programs

In the context of an IT GRC (Governance, Risk and Compliance) program, OCA speeds up and streamlines the process of gathering data from various endpoints and creating assessment reports. OCA provides automated data collection, parsing and analysis, along with readily available benchmarks and reporting templates. This gives audit teams and asset owners a holistic view of their devices’ GRC posture.

Broadened security and compliance scope

OCA gathers security and compliance information from IT assets that can’t be monitored with scans or agents. These may include:


  • Assets deployed on disconnected (air-gapped) networks
  • Legacy or uncommon network devices, apps, hardware appliances, and others
  • Locked-down systems hosting highly sensitive data and subject to strict policies and regulations

In this way, OCA helps organizations broaden the scope of their security and compliance efforts to these inaccessible or sensitive assets, for more complete and effective vulnerability management, policy compliance, and asset management.


Many of these assets, such as network or storage appliances, run on platforms that are not covered by common compliance benchmarks and standards. Qualys’ dedicated team of security experts researches these platforms to produce OCA’s out-of-the-box policies.

Platforms supported by OCA

The following platforms are either currently supported or will be supported soon by the OCA app for policy compliance:


  • Acme Packet OS
  • Brocade Fabric 7.x
  • Brocade Fabric 8.x
  • Data Domain OS 5.x
  • FireEye CMS 7.x
  • FireEye CMS 8.x
  • Imperva Web Application Firewall
  • Juniper IVE 8.x
  • ArubaOS 6.x
  • Cisco Firepower Threat Defense
  • Cisco Wireless Lan Controllers
  • Cisco Viptela
  • Bluecoat Proxy
  • Bomgar appliances
  • Cisco UCS server
  • IBM Mainframes
  • Hitachi Content and Protection Platforms
  • McAfee Email Gateway
  • Oracle Tape Library
  • RSA Authentication Manager
  • Lancope Stealthwatch Appliances
  • HPE 3PAR StoreServ
  • HPE Comware 5.x/7.x
  • Riverbed Load Balancer
  • Sonic Firewall

Automation of workflow with APIs

To assess configuration and vulnerability exposure, OCA identifies, for each supported technology, the configuration files and/or command output that must be collected from the hard-to-reach asset. Customers fetch these files or command outputs from each asset, either manually or through automation. Once the data is uploaded to the Qualys Cloud Platform, assessment reports are generated according to the selected policies.

The APIs provided by the OCA app let customers automate bulk provisioning of assets as well as uploading the assessment data for those assets to the Qualys Cloud Platform. These APIs can be invoked with curl (or any HTTP client) to automate configuration or security assessment workflows.

OCA exposes REST APIs for carrying out following tasks:

  • Provisioning OCA assets for vulnerability management or policy compliance

  • Editing a few asset attributes after provisioning

  • Listing the commands for each OCA technology

  • Uploading configuration data or command output for each asset

  • Revoking assets
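The collect-then-upload workflow described above, as an added example that is not Qualys code and not the OCA API: the per-technology command list, the redaction patterns, the sample `show running-config` output, and the `/oca/upload/<asset_id>` path with its bearer header are all placeholders assumed for illustration. The point it shows is the part OCA leaves to the customer, namely getting command output off an isolated device and deciding what leaves the device boundary: secrets such as SNMP community strings and password hashes are redacted before the bundle is built, and a SHA-256 of each redacted output is recorded so the uploaded data can be checked for tampering between collection and upload.

```python
"""Collect-and-upload bundle for an out-of-band (OCA-style) asset.

Added example, not Qualys code. The command list, redaction rules, sample
device output, upload path and auth header are assumptions made here.
"""
import hashlib
import json
import re
from datetime import datetime, timezone
from typing import Callable, Dict

# Hypothetical command list for one technology. In practice this would come
# from OCA's "list commands" API; this dict is an assumption for the demo.
COMMANDS = {
    "running_config": "show running-config",
    "version": "show version",
}

# Constructed sample output standing in for what an operator captures from
# the device (e.g. over a console session). Not real device data.
SAMPLE_OUTPUT = {
    "show running-config": (
        "hostname edge-fw-01\n"
        "username admin secret 5 $1$abcd$WZ0sk8yQ2z3lH5x8zYp9x1\n"
        "snmp-server community s3cr3tRO RO\n"
        "ip ssh version 2\n"
    ),
    "show version": "Firmware 7.2.1, uptime 41 days\n",
}

# Values that must not leave the device boundary in cleartext. A compliance
# check needs to know *that* a community string is set, not its value.
REDACTIONS = [
    (re.compile(r"(secret 5 )\S+"), r"\1<REDACTED>"),
    (re.compile(r"(snmp-server community )\S+"), r"\1<REDACTED>"),
]


def redact(text: str) -> str:
    """Apply every redaction pattern to one command's output."""
    for pattern, repl in REDACTIONS:
        text = pattern.sub(repl, text)
    return text


def collect(asset_id: str, runner: Callable[[str], str]) -> Dict:
    """Run each command via `runner`, redact, hash, and build the bundle.

    `runner` is whatever gets output off the box: an SSH wrapper, a serial
    console capture, or (offline, as here) a lookup into SAMPLE_OUTPUT.
    """
    bundle = {
        "asset_id": asset_id,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "outputs": {},
    }
    for name, cmd in COMMANDS.items():
        cleaned = redact(runner(cmd))
        bundle["outputs"][name] = {
            "command": cmd,
            "content": cleaned,
            # Hash of the redacted content: lets a reviewer detect tampering
            # between collection and upload without re-exposing secrets.
            "sha256": hashlib.sha256(cleaned.encode()).hexdigest(),
        }
    return bundle


def build_upload_request(bundle: Dict, base_url: str, token: str) -> Dict:
    """Describe the HTTP request to send.

    The path and bearer header are placeholders for the OCA upload call the
    page mentions; they are not the real endpoint or auth scheme.
    """
    return {
        "method": "POST",
        "url": f"{base_url}/oca/upload/{bundle['asset_id']}",
        "headers": {"Authorization": f"Bearer {token}",
                    "Content-Type": "application/json"},
        "body": json.dumps(bundle),
    }


def upload(request: Dict) -> int:
    """Send the request with urllib and return the HTTP status."""
    import urllib.request
    req = urllib.request.Request(
        request["url"], data=request["body"].encode(),
        headers=request["headers"], method=request["method"])
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status


if __name__ == "__main__":
    bundle = collect("edge-fw-01", SAMPLE_OUTPUT.__getitem__)
    request = build_upload_request(bundle, "https://qualysapi.example", "TOKEN")
    print(json.dumps(bundle, indent=2))
    # upload(request)  # enable only against a real, authorised endpoint
```

Swapping `SAMPLE_OUTPUT.__getitem__` for an SSH or console runner is the only change needed for a real device; the redaction list is where the "what data is accessed" policy lives and should be reviewed by the asset owner before anything is uploaded.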

Integrated view of data from OCA and other Qualys sensors

Like Qualys’ other sensors, such as active scanners and Cloud Agents, OCA collects asset data that is displayed in Qualys AssetView, a single-pane-of-glass interface. Assets whose data came from OCA carry an “OCA” tag, which distinguishes them from those populated by other sensors. Once configuration data is uploaded for OCA assets, scan reports are generated and displayed in the same manner as those built from data collected by other Qualys sensors. This gives organizations a consolidated, unified view of the security and compliance of all their assets, not just the ones that can be scanned or monitored with agents.

Comprehensive reports

After signature evaluation of the collected data completes, assessment reports are fetched the same way as for Qualys Cloud Agents or traditional Qualys scanners, and the evaluation report presents the OCA assessment in the same format as for other assets in the environment. Reports can be generated according to different frameworks: all controls added for OCA-supported technologies are mapped to mandates such as GDPR, PCI DSS, and HIPAA, so customers can fetch mandate-based reports as well.

Powered by the Qualys Cloud Platform

Single-pane-of-glass UI

See the results in one place, in seconds. With AssetView, security and compliance pros and managers get a complete and continuously updated view of all of their IT assets from a single dashboard interface. It’s fully customizable and lets you see the big picture, drill down into details, and generate reports for teammates and auditors. Its intuitive and easy-to-build dynamic dashboards aggregate and correlate all of your IT security and compliance data in one place from all the various Qualys Cloud Apps. With its powerful elastic search clusters, you can now search for any asset, on-premises, endpoints and all clouds, with 2-second visibility.

Centralized & customized

Centralize discovery of host assets for multiple types of assessments. Organize host asset groups to match the structure of your business. Keep security data private with our end-to-end encryption & strong access controls. You can centrally manage users’ access to their Qualys accounts through your enterprise single sign-on (SSO). Qualys supports SAML 2.0-based identity service providers.

Easy deployment

Deploy from a public or private cloud — fully managed by Qualys. With Qualys, there are no servers to provision, no software to install, and no databases to maintain. You always have the latest Qualys features available through your browser, without setting up special client software or VPN connections.

Scalable and extensible

Scale up globally, on demand. Integrate with other systems via extensible XML-based APIs. You can use Qualys with a broad range of security and compliance systems, such as GRC, ticketing systems, SIEM, ERM, and IDS.

See for yourself. Try Qualys for free.

Start your free trial today. No software to download or install. Email us or call us at 1 (800) 745-4355.