INDUSTRY: IT services
BUSINESS: Visma offers software, commerce solutions, retail IT solutions, and IT-related projects and consulting services.
SIZE: 5,500 employees
BUSINESS CHALLENGE: To support its cloud services transformation, Visma wanted to strengthen its defences against cyber attacks by identifying and remediating vulnerabilities effectively.
WHY THEY CHOSE QUALYS:
Headquartered in Oslo, Norway, Visma is a leading provider and integrator of accounting, payroll and procurement solutions, serving more than 600,000 customers across Northern Europe.
Hans Petter Holen, CISO, Visma, says: "We develop software to help our customers run their businesses, with a focus on accounting and payroll solutions. In the past, we delivered software for customers to run on premises—but as the cloud model matured, we saw an opportunity to transform into a software-as-a-service [SaaS] provider."
He continues: "Our cloud services transformation presented new challenges, especially around security. Before, we only needed to worry about the security of our own systems; today, we need to safeguard our customers’ data too. And with new and more stringent requirements such as the General Data Protection Regulation [GDPR] on the horizon, protecting sensitive customer data is critical to minimise our exposure to risk."
To protect its business as its attack surface changed, Visma wanted a way to detect and remediate vulnerabilities fast—wherever they appeared on its network.
"Visma employs more than 5,500 people, of whom around 2,000 are developers—and the company continues to grow organically and by acquisition," says Holen. "We manage a mixture of Windows and Linux servers hosted in our own data centres, and on third-party platforms including Amazon AWS and Microsoft Azure. Because our IT landscape is so large, we knew that automation would be vital to maintain robust security, and we looked for a way to deliver comprehensive vulnerability scanning across the network."
To secure its network against potential threats, Visma has embraced the Qualys Cloud Platform to deliver in-depth security scans.
"We initially deployed Qualys Vulnerability Management to support a new operations model for cloud delivery, based on agile and DevOps methodologies," Holen recalls. "The aim was to create a culture of security by making our development teams responsible both for writing secure code and—crucially—for deploying that code in secure environments.
"Using Qualys Vulnerability Management, we automatically scan our teams' development infrastructures and feed the results into the same JIRA backlog where they see vulnerability reports for their code. Each product manager is now measured and ranked against their peers based on the number of unresolved security vulnerabilities in the backlog, which creates an atmosphere of friendly competition and encourages our people to keep their environments up to date and correctly patched."
Based on the success of the Qualys solution in the development department, Visma decided to roll out the solution to deliver vulnerability insights across its entire global business.
"One of the things that impressed us most about Qualys Vulnerability Management is its ability to deliver a 360-degree view of vulnerabilities on our network, right down to the level of individual devices," Holen continues. "Our positive experiences with the Qualys Cloud Platform gave us the confidence that it was the right choice to support our company-wide security strategy. Better still, because the solution is cloud-based, we knew that it would be fast to deploy and require minimal management."
Visma uses Qualys Vulnerability Management and Qualys Cloud Agent to scan all the servers in its data centres and all the devices on its network.
"We now have a comprehensive map of all 4,000 servers and 6,000 clients across our global IT infrastructure, and an accurate view of all the vulnerabilities and their severity," explains Holen. "By deploying Qualys Cloud Agent on our laptops and desktops, we can perform scans in the background even when a device is offline, and deliver the results as soon as it is reconnected to the network. When we detect a vulnerability, we deliver the findings to whoever is responsible for the machine—either via email to the local IT department, or via JIRA to the developer who owns the device."
To enhance its response to emerging threats, Visma uses Qualys Threat Protection to prioritise the most serious vulnerabilities for fast resolution.
"As Visma transforms into a cloud services business, IT's role is transforming too," comments Holen. "Our aim is to become trusted advisors to business users, rather than policing them: we want to offer them the guidance they need to make their environments more secure. With Qualys Threat Protection, we can automatically push critical fixes to the top of the backlog—empowering our people to take timely action on potentially serious threats."
With the Qualys Cloud Platform driving its security strategy, Visma is improving its ability to safeguard customer data and deliver dependable availability for its SaaS solutions.
"The biggest benefit that Qualys Vulnerability Management gives us is an understanding of where the most serious threats are in our network," explains Holen. "Now that we’ve started to empower our developers with these vulnerability insights, they are beginning to address potential issues more quickly—contributing to a stronger security posture."
Real-time updates from Qualys Threat Protection are already helping the company to get ahead of evolving threats.
"We recently conducted a proof-of-concept [POC] exercise for Qualys Threat Protection, which was extremely successful," recalls Holen. "During the POC, a significant vulnerability was discovered in a software library we use for several of our products. The next day, Qualys Threat Protection had automatically pushed it to the top of the backlog for our developers to resolve—without any need for IT to get involved in coordinating the new priorities. Without a doubt, the Qualys Cloud Platform has accelerated our response to critical vulnerabilities."
By gaining accurate, trusted information about patch compliance across all its endpoints, Visma is accelerating key update cycles.
"Every quarter, we patch all our Microsoft laptop and desktop clients using Microsoft System Center," says Holen. "Because it was difficult to determine if patches had been applied correctly, our IT operations team were forced to manually verify that the updates had installed correctly—a time-consuming process that could take as long as four weeks to complete. Today, the team can use reports from Qualys to perform the same work in as little as four days—80 percent faster than before."
He adds: "Qualys reports are also proving extremely valuable in service management conversations with customers. We can now demonstrate that the platform is under control, and that we have plans in place to fix any vulnerabilities that we’ve found—building their confidence in the security of our cloud solutions."
Looking to the future, Visma plans to extend its use of the Qualys Cloud Platform to deliver even greater visibility, control and efficiency around endpoint security.
"Security policies are only effective if people are following them correctly—and we are very interested in using Qualys Policy Compliance to quantify compliance across the organisation," comments Holen. "Currently, we are using the solution to monitor the complexity of local administrator passwords in sensitive systems, but ultimately we would like to extend the solution to monitor a range of policies across all 10,000 of our endpoints."
He continues: "Similarly, we have recently rolled out Qualys Security Assessment Questionnaire to support our security review process for new cloud solution architectures, and ensure that they adhere to our policies. We are confident that Qualys Security Assessment Questionnaire will streamline the review process, and ultimately enable us to apply a scoring system to quantify the relative security of each of our solution architectures."
Holen concludes: "Our customers trust us to drive some of their most important transactions, and as we move our business to the cloud, it's essential that we protect those services and minimise the risk of security issues. With the Qualys Cloud Platform, we’re succeeding in making the business aware of what they need to do to keep their systems safe—it’s a valuable layer of protection against potential threats."