Challenge
This Fortune Global 500 financial services organization’s DevSecOps team needed to identify potential vulnerabilities and poor infrastructure configurations before they were deployed, and it wanted to design a connected, cloud-first pipeline.
The team also sought to automate platform maintenance, posture management, and remediation to more effectively catch vulnerabilities before they became problems.
As risks were detected, the company needed to effectively contextualize them so the relevant stakeholders could understand and prioritize remediation.
Solution
The organization is democratizing access to its security management and encouraging teams to handle security policy for their own products, using Wiz to create a connected development and deployment pipeline.
By building automated workflows in Wiz, the company can manage onboarding, controls, rules, and platform configuration, freeing up developers, analysts and operations to work on other projects and refine security posture.
Using information from Wiz, the team gains context and better understands which environments, accounts, and subscriptions are impacted by risks, and it has a universal metric to consistently measure threats against one another.
Reduced deployment risks across the development lifecycle with a single source of truth for managing security rules
Eliminated critical vulnerabilities across the company’s entire cloud environment
Automated platform maintenance tasks so security personnel can focus on controls and policy development
Reinforcing the cloud infrastructure that supports a global institution
As a large financial services provider in the United States, as well as a Fortune Global 500 and Fortune 500 company, this organization sought more standardized controls and better observability by migrating its legacy infrastructure to the cloud. It knew that this change would introduce new complications such as cloud-specific configuration risks that would then need to be managed by globally distributed teams. To best safeguard its expanding cloud, the organization sought ways to better interconnect those siloed development teams.
“Integrations and policy affecting our development pipeline were owned by different business units,” says the VP of Cloud Security at the company. “Everyone owned their own piece of the SDLC process, and it worked well, but we’ve had to completely overhaul the process in the cloud to stay competitive.” For the VP and his team, this overhaul has involved balancing competing directives: the security standards being enforced were opaque to developers, making pipeline deployment a matter of trial and error, while at the same time development teams sought more flexible access to these controls to accelerate time to market.
Consolidating security within a single pane of glass helps our security teams figure out what's going on in one location and allows them to share that information easily. By identifying and sharing details more quickly, our business units and application users can deploy faster.
- VP of Cloud Security, Fortune Global 500 financial services company
The company’s security team is partnering with application teams to shift left, more closely integrating security into pre-deployment stages in order to enable faster, more secure development. Making this transition required building automated assistance to ensure infrastructure and code are compliant before they reach production.
For any common vulnerabilities and exposures (CVEs) that make it to production, the team also needs context to better prioritize remediation, rather than spending time on every issue detected, as it did with its previous CSPM. “We could have critical CVEs like Log4Shell, but we need to be able to explain to our developers why they’re urgent,” the VP says. “If we see a ‘critical’ exposure in an old, unused Kubernetes container, then immediate remediation may not be necessary. It’s all about prioritizing actual risk, to optimize our security operations and developers’ time.”
Quickly implementing a cloud-first approach to security
Shifting left and unifying its separated pipeline stages led the organization to search for a CSPM solution with an easy-to-use, developer-friendly API interface. “We wanted a solution that would give us a complete inventory of our cloud environment, improve our detection and accuracy, and provide more context into our security posture,” shares the Vice President. “Wiz’s native capabilities provide that. We can tell which environments, accounts, and subscriptions are impacted, the risk of those impacts, and review all of that with a consistent metric to prioritize remediation.”
With better visibility and being able to prioritize risk remediation with Wiz, we can better focus on the work we’re good at. For example, our container platform engineering team can now focus on delivering a managed container solution without needing to also manage a container security product and the associated security posture.
- VP of Cloud Security, Fortune Global 500 financial services company
The organization used a Wiz Outpost deployment, which allowed it to run Wiz on infrastructure within its own cloud environment. Given its highly regulated industry, this option drastically decreased time to value by accelerating testing and deployment, and it minimized the risk and legal scrutiny that a SaaS product review would have required. “We were able to go from negotiation to launching to general availability with Wiz in less than five months because of Wiz Outpost,” the VP says. “We saved so much time on additional risk assessments with our legal team by keeping the scanning within our internal systems.”
Since deploying Wiz, the company has refined its cloud security posture management by improving visibility across its cloud environments. “Across our cloud infrastructure and with Wiz serving as a single pane of glass, we’ve had the opportunity to more quickly resolve and operationalize issue remediation because issue owners, operations & security analysts all have visibility to the issue details,” the VP adds.
The company has also created an automation framework that enables each security vertical to administer which controls are part of its alerting and observability workflows. Each team has its respective array of controls, and it is only notified of issues that relate to its domain. This way, teams can incorporate alerting and remediation into their existing workflows and determine their own service level agreements for addressing issues.
Operationalizing cloud security through automation
Relying on this self-managed and automated approach to cloud security, teams have been able to augment and optimize their work. “Our developers use Wiz’s strong GraphQL API layer to build powerful automation pipeline capabilities that control platform, RBAC, framework and rule configuration,” the Vice President says. “We built a Python SDK around it, so more users can lean on Wiz. With just three or four devs, we can automatically curate deployment configurations via infrastructure as code for Wiz, which is a massive accelerator and maintenance reducer.”
The company has built nearly 65 API queries with GraphQL and Wiz to further automate platform settings, configurations, and deployments throughout its pipeline. Because changes to these functions are made through code commits, the business has also safeguarded its infrastructure against the risk of a single person permanently breaking its platform or deleting or modifying controls, and it includes a safety mechanism that resets any changes made outside of the SDLC process.
Since we can grant users access to resources in Wiz, our developers can manage security findings for their own products. We can continue to shift left by democratizing access in this way, which enables us to better protect our cloud environment by providing clear security transparency to application teams.
- VP of Cloud Security, Fortune Global 500 financial services company
Through its expanding automation suite, the organization has reduced critical vulnerabilities. “Resolving criticals was a huge step, and once we got them down, it was important to stay on top of Issues to keep it that way,” says the Vice President. “Our team has a person on call every week to pursue new criticals. We can easily share information, let relevant teams know what’s at stake, and resolve issues more quickly when we escalate verbally because we can all trust in Wiz’s observability in our Cloud environment.”
Prioritizing prevention over resolution
The next steps in the company’s cloud journey are all about implementing more preventative security measures via Wiz’s IaC Matchers. “We’re building preventative controls for misconfigurations, ranging from Criticals, Highs and Mediums. This reduces risk with cloud deployments that do not adhere to our infrastructure standards,” the VP shares. “Preventing existing systems from getting worse means we can eventually get ahead of potential exposures requiring a more nuanced investigation, rather than spending time hunting down simple misconfigurations.” By continuing to automate processes earlier in the pipeline and shift left, the organization will further reduce risks downstream and better protect its growing infrastructure.
Seeing the results of this automation has led the organization to expand its Wiz use and consolidate its other security tools. “We’re currently monitoring our containers with a separate solution, but we want to rationalize overlapping security tools on top of Wiz. We’ll save on our licensing costs, simplify auditing, automate more, and better secure our infrastructure,” the VP adds.