Navigating the complexities of cloud security, especially in expansive and dynamic environments, is a challenge. Wiz’s approach mitigates vulnerabilities and identifies potential threats from code to cloud, extending from the development process and CI/CD pipeline through to the production cloud infrastructure and services.
Cloud security strategy: Wiz4Wiz

From the earliest days of the product and company, the Wiz security team has used an internal instance of Wiz, called Wiz4Wiz, as the cornerstone of its cloud security strategy. This has enabled Wiz to protect its most sensitive assets – the systems and services that support our own customers – and to empower our security, operations, and developer teams to collaborate efficiently. Wiz’s agentless approach ensures that our security teams can maintain complete visibility over our cloud resources as our development teams quickly build and scale the platform and its features, never having to worry about coverage gaps or performance issues. Maintaining visibility and securing our resources with the Wiz platform works as a preventative measure as well, building security into processes early rather than applying patches as issues arise.
At a fast-growing startup, maintaining complete security tool coverage can be a challenge, but Wiz’s agentless design has kept its cloud resources secure from day one, with minimal need for tuning and minimal risk of coverage gaps or of performance and operational issues. As a result, Wiz’s internal security team can spend more time testing features and providing feedback to product managers.
Enabling Wiz cloud security and innovation

Wiz’s back end is primarily hosted on AWS, but our platform also operates with connected customer cloud environments hosted on AWS, GCP, Azure, Oracle Cloud, Alibaba Cloud, and other providers. Wiz excels with diverse cloud platforms by abstracting certain cloud-specific features into universal security controls and detections, ensuring that security measures are applicable and effective across any cloud environment. Utilizing and normalizing all cloud environments simplifies multi-cloud complexity and enables building cloud security teams with diverse experiences across all cloud service providers. Aside from providing consistency, this also helps us quickly onboard new team members that may only have experience with one particular cloud service provider – enabling them to quickly map their knowledge and concepts to other providers.

Additionally, Wiz primarily runs its workloads on containers that are managed and orchestrated through Kubernetes. Wiz supports Kubernetes as another cloud platform in and of itself and can surface Kubernetes-specific security risks and threats, regardless of the hosting platform. Wiz also enforces Kubernetes security policies.
Prior to deploying any feature or upgrade to customers, rigorous testing is conducted in pre-production environments utilizing Wiz4Wiz, allowing us to dogfood our own product and enable Wiz to be customer zero of Wiz. Wiz4Wiz also enables our teams to innovate and test emerging product capabilities, refining them before they’re ready for broader rollout to customers, and ensuring they work across various cloud environments. This fosters a powerful cycle of continuous improvement and collaboration with Wiz’s research team, developers, and product team.
Democratizing security across Wiz

Wiz4Wiz serves as a shared platform for every team that builds and operates in our cloud environments. This encourages developers and DevOps team members to understand the security impact of their design and implementation decisions throughout their day-to-day work. When security works with teams to respond to events or mitigate vulnerabilities, everyone benefits from sharing the platform’s analysis of risks, toxic combinations, and attack paths. This fosters an environment where security is democratized and shifts the development process left – developers and DevOps are truly an extension of our security team. This increases efficiency, security, and the quality of our product. Through automation within Wiz4Wiz, and integrations with on-call management and ticketing systems, security issues can be efficiently routed and escalated to the right teams for in-platform triage, avoiding bottlenecks and delays.