Since the beginning of Wiz, our security team has been using an internal instance of the product, called Wiz4Wiz. It gives greater visibility into our resources and enables a shift left atmosphere that focuses on security principles – from design to implementation.
The democratization of security does not stop there. The goal of our Governance, Risk, and Compliance (GRC) function (part of the Wiz Security Team) is to ensure that we follow regulatory requirements, industry standards, and internal policies. Head of GRC Max Anand stresses the importance of using Wiz4Wiz to gain real-time visibility into Wiz's Security and Compliance posture, so teams can validate various requirements.
Enabling Security Across the BoardOne of Wiz's primary goals is to have a security-first mindset, in which each individual and team carries responsibility.
Security is often seen as the purview of a focused security team, or a subset of engineers – at Wiz, it’s a collective accountability. This embeds security earlier in the design lifecycle, and allows more focus on preventative measures and new features, instead of mitigating risk as an afterthought. As a function of this, the GRC team at Wiz can self-serve and use Wiz4Wiz to answer urgent and often time-sensitive customer questions.
One unique feature of Wiz is that role-based access control (RBAC) can be configured by projects. Rather than each role being individually assigned to a user, the scope is defined by what is needed for the project. It’s a method that keeps engineering teams comfortable with access and security, but also allows them to have access to everything that they need while working within certain projects. Scoping is important for GRC because they have access to Wiz4Wiz which allows Max’s team to pull up relevant information surrounding production environments and cloud configurations quickly, without access roadblocks.
For example, for quarterly access reviews or audits, the GRC team may need Wiz's configurations for services used, or to view inventory for information gathering. They can pull it directly from Wiz4Wiz. Since there are often hundreds of controls that evidence is needed for, this can save days of work rather than having to go through all the access hoops of collecting information from the cloud provider. Additionally, as a compliance team GRC does not want the results of a development environment. The ability to scope by projects allows them to reach into production efficiently for what is needed.
One of the core components of Wiz is enablement for everyone who has a stake in security. The platform benefits many individuals, including those outside of engineering. Using features that reduce the level of access to the cloud environment, create specific RBAC controls, and offer reporting allows Wiz admins to be more efficient and avoid getting sidelined with information requests.
SBOM to the RescueThe software bill of materials (SBOM) is a list of ingredients that make up components for modern-day software. It has become one of the most critical components of software and supply chain security, and Wiz has incorporated an SBOM inventory feature to make it easier. (Read more about how Wiz supports SBOM and enables customers to easily search and analyze artifacts here.)
The SBOM is an important mitigating factor, especially in cases of possible breaches. For example, in March there was a massive vulnerability discovery called XZ Utils. This malicious backdoor, CVE-2024-3094, existed in the software library XZ in certain instances of Linux. Under specified instances, an adversary could exploit XZ Utils and remotely bypass authentication to access these systems running the Open SSH. Understandably, many customers were worried about the integrity of their systems. Because Wiz4Wiz has an SBOM feature, it creates an extra layer of protection in that the Wiz GRC team can readily access. This enables the team to be more proactive with customer requests by having responses ready, and enabling artifacts in Wiz’s Trust Center. It also empowers our engineers to more easily determine whether Wiz uses the affected software, and how – without having to wait on each customer or third party to clarify their dependencies and components.
Using Wiz4Wiz, Wiz released this query that enables customers to find all their resources affected by CVE-2024-3094. This way, each customer can quickly search their own instances without having to worry about a bottleneck. They can immediately know – and let Wiz know – if there is a problem that needs to be addressed. These queries are quickly written by Wiz’s threat research team for any suspected breach. Wiz4Wiz SBOM allows us to work with vendors without taking on risk.
Compliance FrameworksCompliance frameworks change over time. On top of that, new regulations and technology shifts create a need to ensure that cloud configurations and components are maintained and securely configured. Each change has an effect downstream. It makes things difficult, given the complexity of the environment without a top-level view.
As Wiz grew, so did attestations and compliance audits. On top of that, customers requested to audit Wiz for their own due diligence purposes. Luckily, the GRC team was enabled by the Controls Policies within Wiz4Wiz, which allowed the team to scope resources to specific regions or products and run a variety of different controls. They were able to show that the infrastructure was abiding by the latest security configurations, that the status was recent, and that the evidence can be quickly shared with the customer’s assessor or the external security auditor.
Wiz offers many ways to show controls and meet frameworks like SOC 2, PCI-DSS, and NIST SP 800-53 Rev 5, among others. Granting the user the ability to show how different aspects of the infrastructure meet the control gives the security peace of mind. It also gives the auditor solid evidence that depicts the controls in place. For example, SOC 2 control CC6.7-3 uses Encryption Technologies or Secure Communication Channels to protect data. It is displayed across 21 different policies between different cloud environments. This includes policies such as App Service should use TLS version 1.2 or higher and Network Load Balancer should use TLS version 1.2 or higher. Additionally, when Wiz is looking to implement new frameworks – whether for customer requirements, expansion into new countries, or upgrading a given framework – Wiz4Wiz lets the GRC team conduct a quick gap assessment. That allows Wiz greater insight and speed to apply the necessary controls within our systems and ensure that we are meeting customer needs.