This content is sponsored by Wiz.
More and more agencies are accelerating their moves to the cloud, spurred on by the pandemic, hybrid work environments, and a need to deliver better applications faster and to more constituents.
But speed bumps are appearing in the road, slowing that progress. Existing risk management frameworks aren’t designed for cloud environments. They’re based on a triad of people, process and paper.
Authorities to operate are static, done largely on spreadsheets and shareware. Shadow IT combined with a lack of visibility into all of an agency’s assets across the network inhibit the adoption of zero trust and leave agency networks vulnerable. Meanwhile, an attack can happen in minutes.
And even if agencies can achieve the kind of visibility they need, they still struggle with a poor signal-to-noise ratio. Security teams lack the context to understand which risks are critical. Developers are busy with a laundry list of security fixes, and alert fatigue runs high. But if agencies can democratize security and knock down the silos between development, security and compliance, it becomes easier to see where the risk is and to shift risk mitigation left.
Prioritize your most critical risks
“Wiz provides a line graph that gives a simple visualization of the customer’s entire cloud estate and identifies where the greatest risk is,” said Dean Scontras, senior director of federal strategy at cloud security company Wiz. “Wiz identifies toxic combinations, a variation of risks in a certain situation that represent the most critical risk. So not only can you see it, but now you can actually get a contextual understanding and view of the risk, what it is, and where you need to prioritize efforts to focus on high-impact work.”
The cloud-native application protection platform (CNAPP) space arose in large part from a desire to consolidate tooling. Not all CNAPPs are created equal, however. The best ones reduce complexity and forge tight interlock with developers by providing total visibility and protection from development to runtime.
For example, Scontras said that when the Log4j vulnerability was discovered, customers using Wiz’s agentless, graph-based dashboard were able to locate the vulnerability within their environments immediately and remediate it in a matter of minutes.
But without a tool that offers that kind of visibility and risk prioritization, accomplishing the same task could take days.
More recently, the widespread MOVEit vulnerability made headlines for its impact on federal government agencies. In the case of MOVEit, Wiz customers were able to use prebuilt queries and advisories in the Wiz Threat Center to pinpoint it in their environments.
Keep track of compliance
But risk prioritization and remediation aren’t the only benefits of having that kind of visibility. The ability to incorporate the various risk management frameworks that agencies are beholden to allows them to both enhance and ease compliance.
“Our customers are hoping to use Wiz for a way to achieve a state of continuous authority to operate. Wiz is constantly scanning the environment, looking for threats and risks, and reporting and helping to mitigate them in real time,” Scontras said. “From a compliance perspective, the traditional way is to use various point products to collect the data and then manually assemble for reporting purposes. They’re compiling a lot of static data from various sources without any contextual understanding of where the real risk is. This can be a slow and inexact process.”
But having a holistic view of the cloud environment allows Wiz to incorporate the various risk management frameworks, including the National Institute of Standards and Technology’s Risk Management Framework, the Defense Department’s Security Technical Implementation Guides and more than 100 others, which are imported directly into the platform. Because Wiz is constantly monitoring the environment and checking it against those frameworks, it can alert developers if anything falls out of compliance, Scontras said.
“The old way of doing things is retroactive and static. Audits are done annually and manually,” he said. “As the government’s modernizing their environment and their applications, the long pole in the tent has been the compliance component. And the ATO component, which gets around to continuous monitoring, continuous authorization, and allows them to move at the speed of cloud, but also adhere to compliance requirements — just in a new way.”
The undercurrent through all of this is consolidation: Security teams want a deep understanding of risk to be effective and have clear priorities like their developer counterparts. But to do that, they need more context and accuracy — and to embrace a new cloud operating model.
“That is the killer use case for us, because what a lot of people are struggling with is trying to get things into a modern framework. Also, they want to be not only modern but more effective, because those audits are annual or biannual, and they’re largely subject to a snapshot versus a running, real-time view of their environment,” Scontras said.
To read or watch other sessions on demand, go to our 2023 Cloud Exchange event page.