Creating a culture of shared security ownership at Zendesk

With a vast, complex product suite and solutions, Zendesk turned to Wiz to implement a more proactive security strategy by embedding security checks early on in the development lifecycle and facilitating collaboration between security and development teams.

Zendesk

Industry: Technology

Region: North America

Cloud Platforms: AWS, Azure, GCP, Kubernetes

Challenge

  • Zendesk’s vast product suite requires a large cloud footprint to maintain, and the company struggled to retain visibility across its entire multi-cloud environment. 

  • Development teams had freedom to build and scale quickly but lacked insight into the importance or location of vulnerabilities when they were flagged by security.

  • Disconnected security tools required dedicated specialists to maintain and monitor, which took time and resources away from higher-value projects.

Solution

  • Zendesk gained complete visibility of their cloud environment and centralized security across their development and cloud security teams.

  • By leveraging prioritized recommendations and insights in Wiz, Zendesk’s development teams are now able to own their specific assets from a security perspective and focus their attention on critical vulnerabilities.

  • Zendesk proactively secures its container images and IaC configurations in development, so engineers can dedicate time to creating new products and features.

Consolidated visibility across a complex environment into a single pane of glass

Eliminated 96% of critical vulnerabilities

Improved collaboration across security and development teams with 1,200+ Wiz users

Scaling into a multinational industry leader

The co-founders of Zendesk, Morten Primdahl, Alexander Aghassipour, and Mikkel Svane, built the first version of the digital customer support and service solution in a small apartment in Copenhagen in 2007. Within its first few months, it had nearly 1,000 trial customers; by 2009 it was funded; and today it’s a multibillion-dollar organization with more than 6,000 employees around the world. Its product suite includes a wide array of service and sales solutions, each with its own dedicated tools.

To support this ecosystem and give its customers the power to provide great customer experiences, the company requires a continuously growing cloud environment. This includes several major cloud providers, containerized storage, Kubernetes clusters, and more than 10k virtual machines (VMs) all powering 800+ services across the platform. With an environment this complex, the company struggled to maintain visibility into every nook and cranny, and its security tooling required support from specialists who then couldn’t spend their time on designing new solutions. Zendesk knew it needed to simplify and automate to scale security alongside its cloud infrastructure.

In addition to these technical challenges, Zendesk wanted to encourage more collaboration between engineering and development teams. With 30 product security engineers and nearly 2,000 software engineers, it was difficult for its small security team to manage everything itself. “In an environment this large, no one can know everything,” says Andrew Wagner, Director of Engineering at Zendesk. “In order to address issues effectively, security and developers have to collaborate. My team needed to be able to take an issue to security and ask for their opinion, not just wait for directions.” In this shift toward a more proactive security strategy, Zendesk’s vision was put to the test when it needed to quickly uncover vulnerabilities related to Log4Shell. 

“We used to be a very reactive security organization, but our aim today is to build secure-by-design products to maintain and incrementally improve those standards. Wiz gives us insight into where risks are, so we can fix misconfigurations and reduce the chance of them happening again.”

Koen Hendrix, Director of Product Security, Zendesk 

The company was evaluating new security solutions when it learned about Log4Shell, but without a way to easily see its entire cloud environment, finding potential exposures efficiently was impossible. “With Wiz, we could see everything across our environment and where we were running Log4Shell,” says Koen Hendrix, Director of Product Security, Zendesk. “Our confidence in our cloud inventory and coverage went from maybe 60% to 100%. We could see all of our gaps, and we were able to start closing them overnight. We knew how to move the needle on our security posture, and that made Wiz an easy choice.”

Uncovering blind spots to expand security coverage

Once Zendesk decided to implement Wiz, it was able to deploy quickly and easily because its security team didn’t need to install agents across its cloud. “Wiz gave us the ability to implement and review our footprint fast,” Wagner says. “We could uncover blind spots in our VM data and all of our environments without having to cobble together a solution from disparate sources.”

With visibility and tooling consolidated in a single pane of glass, Zendesk can be fully aware of risks and pivot toward a more proactive approach to cloud security. “We have more awareness of the technology our engineers are using, we can provide constant compliance status updates, and we have everything in a single destination,” says Hendrix. “Because of that, we can find and address risks faster than ever and spend more time on higher value projects.” Since implementing Wiz, the company has reduced vulnerabilities out of SLA by 95% and remediated 96% of its total critical vulnerabilities.

“When Log4Shell happened, we were testing Wiz, and the team worked closely with us to help review our entire cloud for vulnerabilities. After seeing the Security Graph, I knew it was the right fit. Wiz is the only vendor tool that I’ve personally, heavily advocated for at Zendesk because I knew it would solve our problem.”

Andrew Wagner, Director of Engineering, Zendesk

Since Zendesk has more context in one place, security and engineering teams can also make more informed decisions about how and where to spend time and which issues are the most important to remediate. Teams can easily reference tags, metadata, and Wiz’s built-in prioritization recommendations to have a complete understanding of the nuances of specific issues. This means that engineers who own specific assets and projects can bring their knowledge to the table and align with security on how best to solve a problem. “Let’s say our engineering team has time to do 10 tasks in a week. Before, we may have simply handed them 50 problems, and they wouldn’t know where to start,” Hendrix shares. “Now, we can share two or three specific issues and explain why they’re important.”

Building security into every layer of each product

More than half of Zendesk’s 2,000-person engineering organization now uses Wiz, and as more members trust it as a source of truth, security and engineering teams are able to better collaborate using a shared language. “My team's focus is elevating the security posture of Zendesk’s product stack at every layer of the product,” Hendrix says. “That means from the moment an engineer has an idea to writing code and deploying to production that it’s safe. Since our engineers now use Wiz, they can also come back to us with their own findings, and that’s brought our teams closer together.”

With Wiz CLI, the team has implemented vulnerability scanning for container images, and scans and flags builds during local development. Zendesk provides engineers a gentle warning about misconfigurations before they proceed, so they can adjust easily and continue building. This also ensures that potential vulnerabilities are caught as they enter staging environments and don’t endanger production. “We know we can’t completely stop people from building a vulnerable image, but if we can flag an issue, we won’t have to worry about a new SLA down the road,” Wagner says.

“Wiz gives us a common language between security and engineering. It’s one tool that everybody has access to, it’s super intuitive, and it’s easy to leverage because the context we need to work together and do our jobs is all in one place.”

Koen Hendrix, Director of Product Security, Zendesk 

This collaborative approach to security monitoring has allowed Zendesk to gradually shift its approach to security left and secure code earlier in the development process. “Our security group and my engineers can now co-own and co-govern the security of our solutions because we have a unified tool,” Wagner says.  

The team can also now monitor and protect its environment to improve its compliance with its federal partnerships using Wiz Runtime Sensor. “With Wiz Sensor, we can continuously evaluate our compliance frameworks and easily show to our partners that we’re meeting our FedRAMP, SOC II, PCI, and other requirements because we can see everything in real time,” says Wagner. “This is invaluable because we can keep up with standards as they change and maintain those valuable partnerships.”

Implementing new safeguards for a growing cloud infrastructure

As Zendesk continues to evolve its approach to cloud security, it’s looking at using Wiz Defend to improve its runtime security and monitor vulnerabilities with a higher level of signal. “Having real-time visibility is going to be a game changer because we can reduce the time it takes to detect, investigate, and contain cloud attacks,” says Hendrix.

The team also sees Wiz as a key piece of its continuous strategy to shift further left. “We want to be able to scan earlier and earlier for misconfigurations and tag issues at the very beginning of our process,” Hendrix adds. “Wiz is a core part of maturing our approach to security.”
