Wiz Security Trust Center

Strong Authentication and Authorization

Wiz enforces the use of a Single Sign On (SSO) platform and phishing-resistant FIDO2 Multi Factor Authentication (MFA) for employee access to Wiz systems. Wiz utilizes IAM roles and short-lived tokens for access to cloud environments. Access to development and production environments is further restricted through the use of a Just in Time administration process to minimize standing privileges, device posture checks, and the use of a zero-trust network access solution.

Cloud Security Architecture

The Wiz production environment runs as immutable infrastructure and is strictly managed through infrastructure-as-code. Automated mechanisms built into the SDLC process and Wiz’s CI/CD pipeline ensure that configuration changes are strictly controlled, undergo security checks, and subject to audit and approval. Unauthorized changes to production are automatically detected and escalated to security and operations teams. Wiz utilizes cloud-native network security mechanisms, in conjunction with its authentication and authorization controls, to restrict remote access to cloud infrastructure, enforce a secure perimeter, and segregate internal environments.

Wiz4Wiz

Wiz uses an internal deployment of its own product (”Wiz4Wiz”) to continuously monitor and protect its cloud environments. Security and engineering teams collaborate on the Wiz platform to identify, prioritize, and fix vulnerabilities, to enforce and validate preventative controls, and to detect and respond to potential threats. Wiz applies industry best-practice frameworks, as well as guidance from Wiz’s own internal research teams, to harden and assess its cloud environments on an ongoing basis.

Secure Development Lifecycle

Wiz ensures the security and integrity of its infrastructure and product code throughout the SDLC. These mechanisms include automated secret scanning, static and dynamic security testing, container image vulnerability scanning using WizCLI, mandatory peer review for code changes, and additional security features within Wiz’s source control and CI/CD platforms. Wiz’s security team partners with engineering to perform threat modeling, security design reviews, and security implementation reviews of emerging product features and changes to development and production infrastructure.

Security Awareness

Wiz’s awareness programs include recurring training focused on information security and data privacy, ongoing guidance on emerging threats, and team-specific guidelines and procedures to ensure employees can adopt secure practices in their daily work. By fostering a culture of security awareness, Wiz can significantly reduce the risk of human error leading to data breaches or security incidents. This proactive approach not only protects customer data but also enhances Wiz's reputation, builds customer trust, and ensures regulatory compliance, ultimately contributing to its long-term success.

Logging, Detection, and Response

Wiz employs a Security Information Event Management system that ingests security telemetry from corporate, development, and production cloud environments. Incoming data is processed through a detection pipeline and retained in a security data lake. Detections and alerts are routed to on-call engineers via ticket, messaging, and paging systems. Wiz’s security team operates globally to quickly triage, investigate, and remediate events.

Endpoint Security

Wiz workstations run endpoint detection and response software that provides malware and attack prevention, detection, activity logging, containment, and investigative capabilities. Wiz additionally deploys Data Loss Prevention software to protect and manage the flow of sensitive information within Wiz systems. Patching and security configuration management are addressed via Mobile Device Management and Mobile Application Management solutions.

Risk Management

Wiz’s risk management process is integrated with business and technical functions across the company, helping teams identify opportunities to improve security and privacy, and to mitigate threats. Doing so enables Wiz to protect critical assets and uphold its customer, regulatory, and legal commitments. Effective risk management also enables Wiz to adapt and evolve in the ever-changing landscape of cyber threats, ensuring long-term success in providing robust security solutions.

Supplier Risk Management

Ensuring the security and reliability of supplier products and services is vital to maintain the integrity of Wiz’s offerings and protecting customer data. A robust supplier risk management program helps mitigate potential breaches, ensures regulatory compliance, and preserves customer trust, making it an essential component of Wiz's overall security strategy.

Audits and Compliance

Wiz maintains a comprehensive audits and compliance program to uphold industry standards, regulatory requirements, and data protection laws worldwide. Such programs ensure Wiz's operations meet or exceed established guidelines and best practices and help identify and rectify potential vulnerabilities. Wiz engages in third-party oversight of its organization-wide security and privacy programs, as well as recurring technical assessments, such as penetration testing and red teaming, of its products and infrastructure.

Encryption and Key Management

Wiz uses cloud-native key solutions such as AWS KMS for secure key storage and management. Automated controls ensure that keys are not stored or transferred via insecure or unapproved methods.