I am frequently asked for recommendations around how to design an activation key strategy for Qualys Cloud Agent, and sometimes see customers who are buying a lot of future work for themselves by not considering their activation key strategy before deploying agents.
What are Activation Keys and Configuration Profiles?
Activation keys are keys that you create in the Qualys platform (GUI or API) and then provide to each agent when it is first installed (using automation, a build package, script or recipe). The agent uses the key along with your customer ID to register itself to the Qualys platform. Both of these are in GUID format. In addition to creating the key itself you will also define which modules agents activating with the key will have enabled (VM, PC, IOC, FIM etc) and optionally some tags that are applied to all assets activating with the key.
Creating activation keys is one of the first steps in deploying the Qualys Cloud Agent. Without at least one activation key you cannot activate any agents. However, there are many reasons to use more than one activation key.
Configuration profiles, also defined through the Cloud Agent module UI or API, define how the agent behaves on the asset. This includes things like performance settings, scan intervals, blackout windows, IOC and FIM behavior, and a set of include/exclude tags that define which assets have the configuration profile assigned. In general configuration profiles are not assigned directly to assets (this can be done manually one at a time, but this is not manageable for large populations), instead configuration profiles are assigned to assets based on the assets tags, and the tags are assigned to the asset by (among other things) activation keys.
In summary, activation keys do three things:
- Define what modules are enabled on assets that activate with that key
- Define what tags are assigned to assets that activate with that key
- Indirectly, via the asset tags, determine which configuration profile is associated with agents that activate with that key
Things to Consider
When you are considering your activation key strategy, remember activation keys are about grouping populations assets. The way your organization needs to group cloud agent assets for module activation, configuration profile assignment, asset management, scanning, assigning tickets, reporting risk, and driving remediation work will all help to define your activation key strategy. Considerations for your design of your activation key and tagging strategies include:
- Do you have separate populations of assets that will require different agent modules? (VM, PC, IOC, FIM, Patch Management…) If so, this implies separate activation keys
- Do you anticipate the need to stop, start, pause, manage different blackout windows (agent blackouts are in the system time of the asset), or manage auto-update differently for different populations of assets? If so, this implies different configuration profiles, which in turn implies separate activation keys
- Do you have separate populations of assets that will require different performance settings? (servers, workstations, cloud assets…) If so, this implies separate configuration profiles, implying a unique tag or combination of tags
- How do you need to group cloud agent assets for reporting? (Physical location, facility, type of platform, line of business, function, network location, application supported…) Some of these features may be defined by tags assigned by the activation key.
When creating/editing the configuration profile assignment using include and exclude tags, you can include system created tags (e.g. asset groups and business units), static tags, and dynamic tags based on many characteristics of an asset. Remember, however, that there is a chicken-and-egg scenario here. We cannot assign a configuration profile based on a tag rule written for a characteristic of the asset that we do not know about. During the agent activation process a simple initial inventory manifest is used. This contains some basic information about the asset that may allow the use of some select dynamic tags, for example IP address range or operating system tags, to select a configuration profile. Readers are cautioned against tricky configurations that depend on an order of operations and things happening during the activation process.