Extend security and compliance to inaccessible assets.
Cloud solution for detecting vulnerabilities and misconfigurations in isolated and hard-to-reach assets
"Qualys Out-of-Band Configuration Assessment helps to eliminate blind spots by securely gathering and managing asset and configuration data from high-sensitivity assets and assessing their security exposure."
Scott Crawford, Research Director, Information Security, 451 Research
OCA easily gathers security and compliance information from IT assets that can't be monitored with scans or agents. These may include:
In this way, OCA helps organizations broaden the scope of their security and compliance efforts to these inaccessible or sensitive assets, for more complete and effective vulnerability management, policy compliance, and asset management.
Many of these assets, such as network or storage appliances, run on platforms that are not covered by the common compliance benchmarks and standards. Qualys' dedicated team of security experts researches each of these platforms to produce OCA's out-of-the-box policies.
The following platforms are either currently supported or will be supported soon by the OCA app for policy compliance:
To assess crucial configurations and vulnerabilities, OCA identifies the important configuration files and/or commands on these hard-to-reach assets. Customers fetch these files, or the output of the commands, from each asset, either manually or in an automated way. Once the data is uploaded to the Qualys Cloud Platform, assessment reports are generated according to the selected policies.
The APIs provided by the OCA app help customers automate bulk provisioning as well as uploading the assessment data for the assets to the Qualys Cloud Platform. These APIs can be invoked through curl calls to automate the configuration or security assessment workflows.
OCA exposes REST APIs for carrying out the following tasks:
Provisioning of OCA assets for vulnerability management or policy compliance
Editing a few asset attributes after provisioning
Listing of commands for OCA technologies
Uploading of configuration data/command output for each asset
Revoking the assets
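The fetch-and-upload workflow described above, as an added POSIX shell example that is not Qualys code: it runs a list of commands on the hard-to-reach asset, stores each command's output with a SHA-256 checksum in a manifest (so the uploaded data can be verified against what was collected), bundles the result, and hands it to curl. The upload URL, the bearer-token header and the asset identifier are assumptions, not documented OCA API values; take the real ones from the OCA API documentation. Without `OCA_UPLOAD_URL` and `OCA_API_TOKEN` set, the upload step is a dry run, so the script runs offline.

```shell
#!/bin/sh
# Added example, not Qualys code. Endpoint, header and asset id are placeholders.
set -eu

# SHA-256 of a file, using whichever tool the asset has.
checksum() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Run each command listed in $1 (one per line) and store its output in $2
# as cmd_N.txt. A manifest records file name, checksum and command so the
# collection can be verified before and after transfer. Prints the number
# of commands executed. A failing command is recorded, not fatal.
collect_outputs() {
  cmdfile=$1
  outdir=$2
  mkdir -p "$outdir"
  : > "$outdir/manifest.txt"
  n=0
  while IFS= read -r cmd; do
    [ -n "$cmd" ] || continue
    n=$((n + 1))
    out="$outdir/cmd_$n.txt"
    sh -c "$cmd" > "$out" 2>&1 || true
    printf '%s\t%s\t%s\n' "cmd_$n.txt" "$(checksum "$out")" "$cmd" \
      >> "$outdir/manifest.txt"
  done < "$cmdfile"
  echo "$n"
}

# Bundle the collected directory and upload it. OCA_UPLOAD_URL and
# OCA_API_TOKEN are placeholder names (assumption); when either is unset
# the function only reports what it would send.
upload_bundle() {
  outdir=$1
  asset_id=$2
  tar -czf "$outdir.tgz" -C "$outdir" .
  if [ -z "${OCA_UPLOAD_URL:-}" ] || [ -z "${OCA_API_TOKEN:-}" ]; then
    echo "dry-run: would POST $outdir.tgz for asset $asset_id"
    return 0
  fi
  curl --fail --silent --show-error \
    -H "Authorization: Bearer $OCA_API_TOKEN" \
    -F "asset=$asset_id" \
    -F "bundle=@$outdir.tgz" \
    "$OCA_UPLOAD_URL"
}

# Demo on constructed input: two harmless commands and a placeholder asset id.
demo_dir=$(mktemp -d)
printf 'uname -a\ndate -u\n' > "$demo_dir/commands.txt"
count=$(collect_outputs "$demo_dir/commands.txt" "$demo_dir/bundle")
echo "collected $count command outputs into $demo_dir/bundle"
upload_bundle "$demo_dir/bundle" "asset-placeholder-001"
```

In practice the command list comes from the OCA "list commands" API for the asset's technology, and the script runs on a jump host or the asset itself; keeping the manifest with the bundle lets the receiving side confirm nothing was altered in transit.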
Similar to Qualys’ other sensors such as active scanners and Cloud Agents, OCA collects asset data that is then displayed in Qualys AssetView – a single-pane-of-glass interface. This data has an “OCA” tag, which differentiates it from the data gathered by the other sensors. Once the configuration data is uploaded for OCA assets, scan reports are generated and displayed in the same manner as those containing asset data collected by other Qualys sensors. This gives organizations a consolidated, unified view of the security and compliance of all their assets, not just the ones that can be scanned and monitored with agents.
After the signature evaluation on the collected data is completed, the assessment reports are fetched in the same way as for Qualys agents or traditional Qualys scanners. The evaluation report displays the OCA assessment in the same format as that of other assets in the environment. The reports can be generated according to different frameworks. All the controls added for OCA-supported technologies are mapped to mandates such as GDPR, PCI DSS, HIPAA, etc., so customers can fetch mandate-based reports as well.