Challenge
Datavant's security and development teams had visibility gaps across the company's infrastructure and processes.
The company's software development life cycle (SDLC) was overly complex; individual teams used different tools and processes, which led to inconsistent security and risk-remediation practices.
The decentralized approach let security tools proliferate and made information gathering and reporting harder for teams.
Solution
Datavant can now see all of its resources across its multi-company, multi-cloud environment, using the Wiz Security Graph to show interconnections and risk down to the container level.
Datavant deployed Wiz Admission Controllers together with Wiz CLI pipeline scanning and added integration and deployment security checks, enabling developers to proactively identify, prioritize, and remediate risks and continually improve the company's risk posture.
The company is now using Wiz as a single enterprise security platform to streamline critical risk processes and reporting.
Holistic visibility
across the infrastructure of all six companies, enabling teams to remediate risk more efficiently
51% reduction
in container vulnerabilities, with net-new critical/high vulnerabilities prevented from being introduced to the running environment
Consolidated 7 security tools to 1
reducing costs by 50%, with further savings expected as remaining contracts end
Modernizing security management across a complex IT infrastructure in a regulated industry
Datavant, a healthcare company that provides a digital ecosystem for anonymizing and securely exchanging patient data, serves more than 70,000 hospitals and clinics, 70% of the top 100 largest health systems, pharmaceutical companies, and others. Datavant anonymizes and de-identifies data and uses technology such as data clean rooms to make it accessible to partners. Those organizations then use the data to develop new drugs, therapies, and services that improve patient care and outcomes.
Datavant brought together six sibling companies over several years. Merging their infrastructure created a complex IT environment, spanning AWS, Azure, and VMware Flex Cloud Storage, and numerous IT operations and development tools, such as Terraform, Kubernetes, GitHub, and GitLab. In addition, Datavant operates both a commercial IT environment for private sector firms and a FedRAMP® environment for its government clients.
Due to the company’s decentralized organizational structure, development pods/teams used their own tools and were individually accountable for the security of their product lines. This led to overlapping solutions, high software costs, and inconsistent code security policies. As a result, Datavant lacked a centralized view of its infrastructure and application risks and couldn’t enforce security and risk management best practices.
We wanted to move from a security model of operating as a walled garden to one where our development teams participate in proactively evaluating and remediating risks. Security should be built in, not bolted onto our products.
Nick Waringa, Head of Secure Product and Infrastructure, Datavant
Moving from decentralized to integrated security processes
"Datavant is a high autonomy company, but our decentralized approach meant that our software development lifecycle (SDLC) toolchain was all over the place," says Nick Waringa, Head of Secure Product and Infrastructure, Datavant. Teams relied on seven independent commercial and open-source security tools, each providing different capabilities and views.
“Our teams were using inconsistent scanning and remediation processes, meaning that risks had a chance of going unaddressed. Development teams were also spending time gathering information for reporting back to leaders that they could have focused on risk remediation instead,” says Jonathan Pautz, Senior Engineering Manager, Cloud Security, Datavant.
The Secure Product and Infrastructure team leaders saw an opportunity to modernize the company's security strategy: creating holistic visibility across its six companies and shifting left to empower developers to identify, prioritize, and address risks earlier in the development pipeline. Datavant's security team evaluated four platforms in depth and selected Wiz because of Wiz's continual capability innovation and the team's deep familiarity with the platform. "The well-roundedness of the platform made it an easy choice. Wiz was the first tool deployed enterprise-wide across all six of our sibling companies. This includes all of your assumed tools like HR, finance, chat, and identity," says Waringa.
Datavant rapidly adopted Wiz CNAPP functionality, beginning with Wiz CSPM and Wiz DSPM, which it rolled out across its AWS and Azure environments to identify personal healthcare information and to detect and remediate misconfigurations. The company then used the Wiz Terraform provider to add checks to its Terraform pipelines and deployed IaC scanning to detect secrets, vulnerabilities, and misconfigurations in Terraform plans and Kubernetes clusters. Datavant relies on the Terraform provider so heavily that it manages its entire Wiz tenant (users, projects, and rules) as Terraform code.
The company also began using Wiz Kubernetes admission controllers and the Wiz Runtime Sensor for real-time detection of and response to vulnerabilities across more than 1,700 Kubernetes, container, and other cloud workloads, and the Wiz VMware connector to scan and remediate its virtual machines. "Our developers now have complete visibility across these environments; they see risks within context and take proactive steps to reduce them," says Pautz. The team deployed container checks with the Wiz CLI during the code promotion process. "We currently wrap the Wiz CLI in Golang to provide a custom PR approach that provides rich Wiz CLI data catered toward our development staff," says Pautz.
Security and development teams now use Wiz secret scanning to run automated scans on code repositories, execution pipelines, configuration files, commits, and other data sources to prevent the security threats posed by exposed secrets. To streamline development workflows, the security team tags assets and projects with pod/team names in the cloud providers via Terraform. These identifying tags are then Terraformed into Wiz so developers can easily find the projects associated with their pod/team. The security team also wrote a custom rule that notifies teams of infrastructure containers that do not adhere to the tagging policy, ensuring Wiz project dashboards accurately reflect each decentralized pod's/team's vulnerability load.
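The tag-policy check and the per-team attribution described above, as an added example in Go (not Datavant's or Wiz's code). It assumes a hypothetical policy of two required tag keys, "team" and "owner", and a constructed workload list standing in for data that would come from the cloud provider or Wiz; untagged workloads are reported as violations and their findings are bucketed as unattributed, so a missing tag shows up as a gap rather than silently vanishing from a team's dashboard.

```go
package main

import (
	"fmt"
	"sort"
)

// requiredTags is an assumed tagging policy, not Datavant's actual one.
var requiredTags = []string{"team", "owner"}

// Workload is a constructed stand-in for a running container with its
// provider/Kubernetes tags and finding counts; it is not the Wiz data model.
type Workload struct {
	Name     string
	Tags     map[string]string
	Critical int
	High     int
}

// Violation names a workload and the required tag keys it lacks.
type Violation struct {
	Workload string
	Missing  []string
}

// CheckTags returns the workloads that violate the tagging policy, in input order.
func CheckTags(ws []Workload) []Violation {
	var out []Violation
	for _, w := range ws {
		var missing []string
		for _, k := range requiredTags {
			if v, ok := w.Tags[k]; !ok || v == "" {
				missing = append(missing, k)
			}
		}
		if len(missing) > 0 {
			out = append(out, Violation{Workload: w.Name, Missing: missing})
		}
	}
	return out
}

// Load is the critical/high finding count attributed to one team.
type Load struct{ Critical, High int }

// LoadByTeam sums findings by the "team" tag. Workloads without a team tag
// are counted under "UNATTRIBUTED" so the dashboard shows the gap explicitly.
func LoadByTeam(ws []Workload) map[string]Load {
	m := map[string]Load{}
	for _, w := range ws {
		team := w.Tags["team"]
		if team == "" {
			team = "UNATTRIBUTED"
		}
		l := m[team]
		l.Critical += w.Critical
		l.High += w.High
		m[team] = l
	}
	return m
}

// sampleWorkloads is constructed input for the demonstration.
var sampleWorkloads = []Workload{
	{Name: "api-gateway", Tags: map[string]string{"team": "platform", "owner": "alice"}, Critical: 1, High: 3},
	{Name: "etl-worker", Tags: map[string]string{"team": "data"}, Critical: 0, High: 2},
	{Name: "legacy-cron", Tags: map[string]string{}, Critical: 2, High: 0},
}

func main() {
	for _, v := range CheckTags(sampleWorkloads) {
		fmt.Printf("NOTIFY: %s is missing required tags %v\n", v.Workload, v.Missing)
	}
	load := LoadByTeam(sampleWorkloads)
	teams := make([]string, 0, len(load))
	for t := range load {
		teams = append(teams, t)
	}
	sort.Strings(teams) // stable output order for the report
	for _, t := range teams {
		fmt.Printf("%-14s critical=%d high=%d\n", t, load[t].Critical, load[t].High)
	}
}
```

The notification step would normally feed the violation list into a ticketing or chat integration; here it is a print so the block runs offline.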
“By centralizing visibility, automating scans, and enabling tagging, Wiz has made it easier for our cross-functional teams to identify and prioritize risks,” says Waringa. “We’ve also used rules to enforce security best practices, including misconfigured containers.”
We’ve used Wiz at two other companies. What made us choose it again is all of the technology choices Wiz keeps making and the rate that they deploy new features. The choices they make on the backend really improve the protection of the environment on the frontend.
Nick Waringa, Head of Secure Product and Infrastructure, and Jonathan Pautz, Senior Engineering Manager, Cloud Security, Datavant
Proactively addressing vulnerabilities to reduce risks and costs
With visibility across all six companies' infrastructure and automated risk processes, Datavant can now move risk remediation earlier in the development lifecycle. "By working together, our security and development teams have reduced container vulnerability counts by 51%," says Pautz. That lets the teams focus on continuous improvement, working down medium and low risks and improving the company's risk posture. Today, Datavant prevents all net-new Critical and High vulnerabilities that are outside SLA from being introduced into its running environment.
“By blocking vulnerabilities as they occur, developers can fix issues when they’re easiest and cheapest to fix, before their code is running in production and has any hooks, integrations, or other problems that could require a multi-team collaboration to address,” says Waringa.
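A promotion gate of the kind described in this section, as an added example in Go (not Datavant's or Wiz's code, and not the Wiz CLI's output format). It assumes a simplified JSON report schema, a constructed scan report with placeholder finding IDs, a fixed clock, and an assumed policy in which the SLA window starts at the finding's published date (7 days for critical, 30 for high). A finding blocks promotion only if it is critical or high, is not already in the production baseline (i.e. it is net-new), and has been open longer than its SLA window; everything else is allowed through and left to the normal remediation process.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"time"
)

// Finding is the assumed, simplified shape of one scanner result.
type Finding struct {
	ID        string    `json:"id"`
	Package   string    `json:"package"`
	Severity  string    `json:"severity"`  // CRITICAL, HIGH, MEDIUM, LOW
	Published time.Time `json:"published"` // disclosure date; SLA clock starts here (assumption)
}

// ParseFindings decodes a report of the form {"findings":[...]}.
func ParseFindings(report []byte) ([]Finding, error) {
	var r struct {
		Findings []Finding `json:"findings"`
	}
	if err := json.Unmarshal(report, &r); err != nil {
		return nil, fmt.Errorf("parse report: %w", err)
	}
	return r.Findings, nil
}

// Gate is the promotion policy: finding IDs production already carries (so they
// are not net-new), the allowed window per gated severity, and the clock.
type Gate struct {
	Baseline map[string]bool
	SLA      map[string]time.Duration
	Now      time.Time
}

// Evaluate returns the findings that must block promotion: gated severity,
// absent from the baseline, and older than the severity's SLA window.
func (g Gate) Evaluate(findings []Finding) []Finding {
	var blocking []Finding
	for _, f := range findings {
		window, gated := g.SLA[f.Severity]
		if !gated || g.Baseline[f.ID] {
			continue // medium/low are tracked but never block; baseline items are prod's SLA problem
		}
		if g.Now.Sub(f.Published) > window {
			blocking = append(blocking, f)
		}
	}
	return blocking
}

// sampleReport is constructed input; the IDs are placeholders, not real advisories.
const sampleReport = `{"findings":[
 {"id":"F-1","package":"libfoo","severity":"CRITICAL","published":"2024-05-28T00:00:00Z"},
 {"id":"F-2","package":"libbar","severity":"HIGH","published":"2024-03-01T00:00:00Z"},
 {"id":"F-3","package":"libbaz","severity":"CRITICAL","published":"2024-01-01T00:00:00Z"},
 {"id":"F-4","package":"libqux","severity":"MEDIUM","published":"2023-01-01T00:00:00Z"},
 {"id":"F-5","package":"libzap","severity":"CRITICAL","published":"2024-05-01T00:00:00Z"}
]}`

// SampleGate fixes the clock at 2024-06-01 so the outcome is reproducible.
var SampleGate = Gate{
	Baseline: map[string]bool{"F-3": true}, // already accepted in production
	SLA: map[string]time.Duration{
		"CRITICAL": 7 * 24 * time.Hour,
		"HIGH":     30 * 24 * time.Hour,
	},
	Now: time.Date(2024, 6, 1, 0, 0, 0, 0, time.UTC),
}

func main() {
	findings, err := ParseFindings([]byte(sampleReport))
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	blocking := SampleGate.Evaluate(findings)
	for _, f := range blocking {
		days := int(SampleGate.Now.Sub(f.Published).Hours() / 24)
		fmt.Printf("BLOCK %s in %s (%s, %d days old)\n", f.ID, f.Package, f.Severity, days)
	}
	if len(blocking) > 0 {
		os.Exit(1) // non-zero exit fails the promotion step in CI
	}
	fmt.Println("promotion allowed")
}
```

With the sample data, F-1 is critical but only four days old and passes, F-3 is excluded by the baseline, F-4 is medium and not gated, while F-2 and F-5 are outside their windows and fail the step. In a real pipeline the baseline would be refreshed from the running environment's current findings so that the gate catches only what the change introduces.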
Being able to see and understand all of our infrastructure and how it works has made our security and development teams more efficient. We use Wiz like Google: If we need to know what’s going on in our environment, we just open it and use the Wiz Security Graph to query those resources.
Nick Waringa, Head of Secure Product and Infrastructure, Datavant
Partnering to improve security capabilities for the market
Datavant maintains a close relationship with Wiz, proposing new functionality and beta-testing new features. The company deployed admission controllers the first week they were released and completed a one-day deployment of its Federal tenant using its "Terraform to tool" strategy soon after Wiz achieved FedRAMP® Moderate authorization.
“As a customer, you can’t ask for anything more than being able to talk to a partner that shares our perspective on what the future of security looks like, understands the business case we’re trying to achieve, and can move mountains behind the scenes,” says Waringa. “I’ve never seen a receptive product team that listens as well as the Wiz team does.”