Challenge
To empower non-security professionals to easily self-manage their offices’ cloud security, the university needed a frictionless deployment with an agentless security solution.
The university's previous security tooling was designed for traditional development and technology organizations, and the university wanted to find a solution that matched its federated, cross-account approach to security management while still being user-friendly.
With tens of thousands of users spread across different departments, the university needed clearer visibility into which applications those users were running so it could detect vulnerabilities.
Solution
The university deployed Wiz across offices without requiring their respective teams to manually install an agent to scan their environments.
To best support all of the university's employees with a wide range of technical knowledge, the team turned to Wiz to simplify their relationship with security and enable faster, more secure cloud-based research.
The university's security team can federate cloud security management to specific team leaders across offices, so each manager has insight into their team’s vulnerabilities.
Empowers 20k+ faculty and staff members to protect their IT infrastructure with self-service security
Equips 13-person security team to manage security across seven campuses
Reduces critical risks throughout the university ecosystem with improved visibility
Amplifying researchers and academics solving the world’s big problems
For more than 130 years, this private research university has stood as one of the leading academic institutions in the world. The colossal network of campuses, hospitals, accelerators, student organizations, restaurants, sports teams, and laboratories covers more than 13 square miles, serves more than 20k employees, and hosts more than 17.5k students.
The university’s cutting-edge research embraces this freedom to make a global impact. Its 13-person cloud security team works to empower the communities driving changes, such as reducing fossil fuel emissions, understanding and translating ancient texts, and developing healthcare technologies. “We’re here to enable,” says the Director of Cloud Security. “Many people see security offices as places where good ideas go to die, but the reality is that if we work together to use our cloud effectively, we can work faster and safer with cybersecurity built in from step one.”
The university's previous security solution was entangled with decades of legacy infrastructure and technical debt. It also required individual teams to deploy agents to monitor their applications. “We give our account holders free rein to do and build what they want, which is a blessing and a curse,” shares the Director of Cloud Security. “We would have to distribute software and expect an agent would be installed on every virtual machine. In practice, that’s nearly impossible. Those users want to get as much as they can from their resources and investments, so anything that saps from that is seen as a negative.”
Our small security team is here to enable our researchers, teaching staff, and alumni with secure systems. We’re building toward a zero-trust infrastructure, but that can’t get in the way of progress, so we need security solutions that support everyone’s work.
Director of Cloud Security, Private Research University
The university wanted to consolidate its security management into a simpler, federated security model to give the security team clearer oversight. It also wanted an agentless solution that would protect its wide range of end users without creating additional work. That’s when it found Wiz.
Adopting a security solution that works for anyone
The university's IT team needed to make security easy, understandable, and relatable to a broad spectrum of users, ranging from industry-leading engineers to staff with little to no technical experience. “To accommodate everyone, we couldn't work with a security product that was narrowly tailored for modern CI/CD DevOps engineers,” he adds. “Wiz can produce reports and provide insights across our entire cloud, but most importantly, it gives our end users the information that matters without overloading them.”
While the university’s security rules have remained the same, the security team can now rely on Wiz to validate individual teams’ security statuses. “We’re trying to improve our security posture because we’re responding to what’s going on in the real world to protect our data and avoid multi-million dollar fines,” the Director of Cloud Security shares. “With Wiz, we can precisely measure degrees of risk to our data to validate which issues need to be addressed rather than trusting manual risk classification.”
With our previous solution, if people didn’t install the agent, their resources would be completely off our radar, which meant potential risks could be easily missed. Because Wiz is agentless, we don’t have to worry about anyone forgetting to install software—we have visibility into everything we need.
Director of Cloud Security, Private Research University
When the university deployed Wiz, it was quickly able to uncover vulnerabilities that were overlooked by its previous solution. “We significantly underestimated how much was missed because we’d relied on an agent-based solution,” the Director of Cloud Security says. “Wiz gives us context into where resources exist in longer chains of resources, so we can point teams toward the roots of their problems.”
The university has used this increased awareness to identify sources of critical vulnerabilities across its campuses and better target its security strategy. “As more users become aware of Wiz and adopt it, we’ve found that a small percentage of our users are responsible for a significant number of our criticals,” he says. “Once, we uncovered one account holder who had malware on 100% of their virtual machines. We turned those off and profoundly improved our security posture almost instantly.”
Federating project management to democratize cloud security
To support more than 20k employees, the security team has adopted a hands-off, self-service approach to security management. With Wiz, it can provide non-security employees with the education, training, and tools necessary to protect their projects while still being able to consolidate and monitor from a distance. “We have a few thousand cloud accounts across our multi-cloud environment, and in Wiz, we can cluster those accounts into projects across broad departments such as humanities or sciences,” the Director of Cloud Security says. “We then assign leaders for these projects and these ‘distributed IT’ leaders help us safeguard the whole university.”
This investment in collective cloud security continues to ripple across the university through growing API usage and new security champions who show their teams the advantage of collaborating on security. “We’re continuing to track logins, and we’re seeing ongoing, progressive adoption of Wiz,” he shares. “Improved security monitoring is accelerating our overall shift to the cloud because our users have the freedom and knowledge to self-service, address issues quickly, and resume their work.”
You never know what the next Log4J is going to be. With Wiz, I can monitor patterns before they get too big to handle. I can review top emerging vulnerabilities, see how many systems we have that may be impacted, and share my findings with our security champions through internal Slack channels to get ahead of threats.
Director of Cloud Security, Private Research University
These security champions give individual teams more skills and security awareness to manage their own security standards. When colleagues learn how security directly impacts their own research, teams have more incentive to keep learning about security practices that safeguard their innovative work. The distributed IT leaders can own security practices within their own project in Wiz and ensure their organization is safe, relieving the cloud security team of micromanaging the university's entire security posture.
Since empowerment—driven by education—is the organization’s primary security goal, it’s currently measuring success based on teams’ responsiveness rather than vulnerabilities alone. The university designed a security scorecard that its distributed IT leaders can use to assess their teams’ work. These ratings consider information such as average age of issues and user login rates to give CISOs and CIOs insight into how their teams are responding to their security responsibilities.
Scaling the university's security community with automation
With Wiz, groups at the university are using APIs to build their own tools, reports, and dashboards to further customize their security management. A more customizable approach to security has helped attract more security champions from major organizations on campus. “Our security champion project has helped us connect with people interested in cloud security and build a community of practitioners sharing best practices and support,” he shares. “They’re regularly sharing suggestions for new integrations and apps or advice about which ones work best for our needs.”
Alongside this expanding community space, the team is currently developing executive dashboards to efficiently present security status updates to senior executives. “We want to help our executive leadership log in and see a simple smiley face or sad face to gut check our security health,” he adds. “With Wiz, our team of cyber problem-solvers is making this possible, and we can continue to elevate what cloud security means for the university.”