Challenge
Thoughtworks, a cloud-native software development firm, was seeking to gain greater visibility into its complex, fast-changing multi-cloud environment.
Hampered by a legacy tool, developers didn’t get timely, contextualized insights into risks that would let them remediate those risks early in the product development lifecycle.
Developers must address data and other risks to meet internal and customer compliance requirements before deploying innovative software solutions.
Solution
With the Wiz Security Graph, Thoughtworks security, IT, and development teams gained greater visibility to help identify and remediate risks.
Developers can also see potential attack paths with Wiz DSPM, enabling them to prioritize remediations and execute them proactively.
Thoughtworks uses Wiz to build products that are highly secure by design, which helps it attract and retain more clients.
Create holistic and granular visibility across 1,000+ cloud workloads
Eliminate high and critical risks before deploying client and internal solutions
Rapidly evolve cloud security maturity and create scalable development processes
Thoughtworks scales security processes for its cloud-native software development business
Thoughtworks is a technology company that provides strategy, design, and engineering services, building custom software solutions for its global business and clients. As a digital innovator, Thoughtworks began its cloud journey in 2013 and was operating its business entirely in a multi-cloud environment by 2020. Developers use services from AWS, Databricks, Google Cloud Platform, Microsoft Azure, and other partners to build cutting-edge cloud-native solutions that solve complex business challenges for global industry clients.
The company’s security strategy prioritizes protecting core systems, data, and new products and empowering cross-functional teams to identify, prioritize, and remediate risks. Thoughtworks leaders wanted to equip developers with the visibility and insights they need to remediate risks earlier in the product development lifecycle, when doing so is easier and more cost-effective. The company’s brand is also reliant on its ability to build and deploy solutions that are highly secure by design.
The security team’s role is to support and guide our development teams as they build products with advanced security for our global business and enterprise clients. While we would have been seen as gatekeepers years ago, now we truly operate as one collaborative team.
Nitin Raina, Chief Information Security Officer, Thoughtworks
Creating visibility across a fast-changing multi-cloud environment
Thoughtworks security, IT, and development teams collaborate to protect the business and solutions against key risks, such as misconfigurations, vulnerabilities, and toxic combinations, even as infrastructure constantly changes. “We work very closely with our IT teams to ensure that we have the right tooling, logic, and help so that our teams can secure our end-to-end multi-cloud environment,” says Nitin Raina, Chief Information Security Officer at Thoughtworks.
Previously, Thoughtworks used a legacy CNAPP solution that began as an agent-based tool. It failed to provide visibility at the highest levels demanded by the team and didn’t seamlessly integrate with all the services Thoughtworks used. In addition, API connections frequently broke, which took the vendor months to repair. As a result, teams spent considerable time and effort to identify and remediate risks as they spun up new infrastructure and developed products.
With the vendor contract ending, Thoughtworks’ security leaders decided to look for a new CNAPP solution that could be used to secure its multi-cloud environment. They sought to implement an agentless cloud-native CNAPP solution that provided a single pane of glass for risk processes, integrated quickly with other security tools, streamlined compliance processes, and was scalable across its growing software business. “Obtaining these capabilities would help our teams quickly drive to insight and focus on the risks that matter most,” says Raina. In addition, the team wanted a solution they could recommend to customers.
The security team evaluated multiple tools and even considered building one internally because of the company’s advanced software expertise. The team chose Wiz because it met all of the company’s critical requirements. As an agentless solution with an easy-to-use interface, it provides a consolidated risk view and expansive feature set that improves cross-team collaboration on risk remediation and automates compliance processes. In addition, Wiz offers a rich API that makes it easy to connect to different systems and provides support and maintenance, which an internally developed solution would not provide.
Our cloud environment is vast and complex. As a result, we were looking for a solution that would create visibility across our multi-cloud footprint, help us make risk-based decisions, and continue to maintain compliance with all the regulations we and our customers must meet. We selected Wiz because it provided visibility and offered robust tools that our security, IT, and development teams could all use to collaborate on risk remediation.
Nitin Raina, Chief Information Security Officer, Thoughtworks
Empowering teams to remediate risks early in the product development lifecycle
Thoughtworks uses Wiz CNAPP, which includes CSPM capabilities, to gain visibility into all cloud resources, see risks in context to prioritize remediations, and continuously detect and remediate misconfigurations from build time to runtime across its multi-cloud environment. As a sophisticated development shop, Thoughtworks also relies on Wiz CWPP to gain continuous threat monitoring and protection for workloads across different cloud environments. The company leverages Wiz DSPM to scan its multi-cloud environment for sensitive data, gain context on risks to identify attack paths, and automate compliance assessment against data regulatory frameworks. Teams can use more than 100 built-in frameworks to customize or build their own.
Thoughtworks’ development work is diverse. “We might be creating an API platform, a development platform, or a solution for internal staffing. As our teams develop these products, they secure any vulnerabilities introduced in the code,” says Raina.
The security and development teams rely on the consolidated view and attack path analysis the Wiz Security Graph provides, which includes data insights from DSPM, to understand risks, predict attacker strategies, map their infiltration approach, and prioritize remediations during staging and production. The attack path analysis detects different vulnerabilities, misconfigurations, sensitive data, public exposures, and exploitable access controls that attackers could use to infiltrate systems. By addressing these issues proactively, teams deploy products that are highly secure by design, avoiding costly bolt-on security processes after deployment or the risk of data exposures.
Thoughtworks is also using Wiz's insights to rationalize its cloud footprint, identifying opportunities for consolidation and cost savings.
The integrated view and attack path analysis capabilities Wiz provides help enable our security and development teams to narrow down which areas they should focus on, avoiding alert fatigue. These insights help them collaborate effectively on prioritizing and remediating risks to secure our growing cloud estate.
Nitin Raina, Chief Information Security Officer, Thoughtworks
Building a business known for advanced security innovation
Thoughtworks has rapidly evolved its cloud security maturity using Wiz. The company has implemented guardrails enabling highly secure development while innovating at speed and scale. Raina and his team see Wiz as a tool spurring business growth by empowering teams to use DevSecOps processes to build products, providing a tool the company can recommend to clients, and winning more work.
“I firmly believe that embedding security excellence in our solutions enables us to win and retain more clients. That’s what we’re trying to do for our business,” states Raina.