Effective Risk Reduction

When this service provider needed a more effective way to help its clients maintain regulatory compliance and reduce IT risk, only one solution met the company’s high standards.

Oslo, Norway-based IT services provider Cartagena delivers IT products and services to the most demanding of small and mid-sized enterprises. And its focus on helping businesses improve their own efficiency is one of the reasons for its continued growth and success.

“Qualys provides us a way to help prioritize the remediation efforts of our clients, and to make sure they can attain a level of acceptable security quickly.”

Maurice Wörnhard,
Security Architect,
Cartagena

Maurice Wörnhard

Many of Cartagena’s customers have only a small number of IT-personnel or don’t have IT departments of their own, which means they need support for everything from product and service selection to the deployment, management, and even security of those systems. Such a crucial aspect of IT governance as security needs the right expertise and vigilance to succeed. In that effort, Cartagena helps its customers deploy and manage their network firewalls, maintain secure access of business systems, protect servers from attack, and help maintain an effective vulnerability and risk management program.

Small business security challenges

The IT security risks to small and mid-sized enterprises are high. First, the same vulnerabilities that affect large enterprises – at the rate of nearly 80 a week – also affect small business Web applications, browsers, and client-side applications such as media players and office productivity applications. While large companies often have teams of IT operations workers and dedicated security staff to assess and mitigate IT security holes, that certainly is not true for smaller businesses. Yet, small businesses face the same risk of attacks and regulatory mandates as their larger counterparts. “That’s where we help our clients,” says Maurice Wörnhard, security architect at Cartagena. “We help to train and equip them, and provide the ongoing services they need to secure their networks, servers, and data.”

For years, to help its clients find and fix the software vulnerabilities that place systems at risk to attack, and of falling out of regulatory compliance, Cartagena’s service technicians performed on-site assessments using a number of open source vulnerability assessment and network mapping tools. Over time, the service provider outgrew its ability to service its clients using those tools.

“We always have very limited time onsite with a customer. And the scanners we were using either only enabled us to scratch the surface and did not provide the in-depth security assessment we needed, or gave us an overwhelming amount of data to analyze” he says. We decided it was time to do something much more professional.” Another challenge was the steep learning curve required to use those network assessment tools properly, he explains.

Cartagena wanted to find an accurate and highly automated way to help its clients secure their systems, and find a world-class vendor dedicated to security. “We wanted to be able to show the customer accurate assessment results based on a trusted third-party,” he says.

How Cartagena helps reduce client risk with Qualys Express

Ultimately, only Qualys Express met all of Cartagena’s requirements. Qualys’ on-demand software-as-a-service delivery enables Cartagena to help manage its clients’ vulnerabilities and regulatory compliance more successfully, while cutting associated costs through streamlined operations. Qualys’ vulnerability and security check database is updated continuously, without ever requiring users to conduct software or manual updates.

Currently, ten of Cartagena’s clients subscribe to its Qualys security assessments. “We analyze these assessments for them, and talk through the risks and vulnerabilities with the companies,” he explains.

That’s a service that is most appreciated, as many of Cartagena’s customers don’t understand the risks faced by their business-technology systems. “We have prospects that still wonder what an assessment does for them, and wonder why they need it,” Wörnhard says. “We often explain the risks associated with attacks, and how that can jeopardize their data and operations. Then we tell them how, for the relatively low cost of a scan, they can reap the benefits of significant risk avoidance,” he says. A number of Cartagena’s customers must comply with government and industry regulations, such as the Payment Card Industry Data Security Standard or Sarbanes-Oxley.

Through its flexible on-demand assessments and customizable reporting capabilities, Qualys Express fills those needs as well – whether just for checkups or for regulatory compliance. “Some of our clients rely on Qualys Express as a way to check up on their efforts and to attain third-party validation, while others need in-depth reporting and consultations on remediation,” he adds.

Qualys Express also allows Cartagena to help its customers focus on the risks that matter. Prior to its turning to Qualys, Cartagena had no real way to help its clients prioritize their vulnerabilities, based on real-world business risk. “Qualys provides us a way to help prioritize the remediation efforts of our clients, and to make sure they can attain a level of acceptable security quickly,” he adds.

Another way Qualys aids Cartagena’s clients: the accuracy and detail provided in the assessment results. “The accuracy is a real time saver for us. Few false positives means less time researching vulnerabilities that don’t exist,” he adds, while the effective Qualys reporting means that customers always understand, regardless of their technical competence. “They still are able to grasp what the issues are to their systems, and what it will require to fix them,” he says.

Future Use: Securing Web applications

While the majority of Cartagena’s client assessments are of external systems, the service provider soon will add additional services from Qualys to reduce risk and the likelihood of successful attacks. “We are working with some customers to evaluate their need for Web application scanning. Some develop their own Web applications, and it would be very helpful for them to know that they don’t have serious flaws. That can be accomplished by use of a Web application scanner such as Qualys,” Wörnhard says.

The capabilities he's referring are within Qualys’ Web Application Scanning (WAS) module. WAS enables companies to assess, track, and remedy Web application vulnerabilities through application "crawling", the performance of authenticated and non-authenticated scanning to identify cross-site scripting and SQL injection vulnerabilities and detect sensitive content in HTML pages.

“We see a strong need for scanning Web applications on a regular basis, and at crucial times, such as when an application is being readied for release. By running a Qualys WAS assessment, Cartagena helps the application developers to deliver a secure application,” Wörnhard says.

There once was a time when occasional vulnerability assessments were enough to maintain systems at a reasonable level of security – but no more. Vulnerabilities are announced too often, and attackers move too swiftly. Enterprises need vulnerability assessments that are accurate, flexible, and provide the detailed reporting and remediative insight needed to ensure that systems remain secure and in compliance. And that’s exactly the level and type of service Cartagena delivers today through Qualys. “It’s very important for us to have this service in our portfolio – and our services portfolio would be lacking without Qualys,” he says.