The Modern Framework Challenge
The era of a single, one-size-fits-all framework is over due to the diversity of international business and regulatory needs. This introduces the challenge of managing overlapping controls, which creates inefficiency and administrative burden.
A possible strategic approach is for organizations to consolidate to a unified set of foundational controls and then augment them with additional safeguards that can be tailored to their unique risk profile, industry, geolocation, and operational complexity. This allows for a security program that is compliant and efficient. However, different teams and organizations have various compliance needs.
Securing an enterprise involves demonstrating security posture through audits. However, achieving compliance with one framework often leads to requests for more certifications, creating a continuous cycle. As compliance targets change over time due to regulatory, industry, or worldwide events, Wiz helps bridge the technological gaps between various security control frameworks.
Wiz's offerings can be strategically categorized into three core pillars: Code Security, Cloud Security, and Cloud Detection and Response frameworks. Each of these domains provides unique capabilities to fortify an organization, while also supporting the various processes that maintain product integrity during development, in runtime environments, and throughout a security incident. Consequently, specific governance and compliance frameworks are pertinent to each stage of this security narrative; their relevance and prioritization are ultimately dictated by a customer's unique business operations and overarching risk profile.
And while the value of security frameworks might be most obvious for the Governance, Risk, and Compliance (GRC) team, they can help uncover risk and prioritize remediation work across the entire organization to make it more robust and resilient from code to cloud. The built-in frameworks in Wiz can be used to focus efforts towards one audit, do a gap analysis on a new framework or customer request, or help manage the risk across the entire infrastructure based on a combined framework found in most mature organizations.
Frameworks Within Wiz
Most of our customers need to demonstrate compliance with multiple security frameworks. The mappings and analysis can be enough to make an analyst's head spin. Wiz's platform includes over 300 industry-standard frameworks mapped to cloud and host configuration rules. We also offer twenty specialized frameworks we designed to address specific, critical domains our customers care about. All of these frameworks map to Graph Controls, Cloud Configuration Rules, and Host Configuration Rules within Wiz.
Wiz's proprietary frameworks provide targeted coverage across core security functions. For the Software Development Lifecycle (SDLC), Wiz offers specialized frameworks like Wiz for SAST, and Wiz for Code & Supply Chain Security. These integrate security directly into the development process. To strengthen security administration and governance, foundational frameworks such as Wiz for Cloud Infrastructure Entitlement Management (CIEM), and Wiz for Attack Surface Management (ASM), ensure optimal configuration and visibility. Additionally, for incident and threat response, Wiz includes out-of-the-box frameworks like Wiz for Threat Detection and Wiz for Incident Readiness to help teams prepare for and react to active threats.
Building on Best Practice
Wiz incorporates a library of over three hundred compliance frameworks, industry benchmarks, and security guidelines. We maintain and evolve this comprehensive portfolio to meet diverse customer needs, mapping controls to specific cloud infrastructures, integrations, and configurations. This process ensures that security and compliance needs are assessed within the unique context of each customer's environment, and the mappings can be further modified to satisfy that customer's needs. This allows the compliance program to evolve as the cocktail of compliance acronyms that our customers' supply chains and customers care about changes over time.
Crucially, this support extends beyond traditional policy and procedure management. The scope of these frameworks addresses the entire technology stack, enabling organizations to enforce security standards comprehensively, from code development through to cloud operations and beyond. Therefore, the frameworks in Wiz allow our customers to focus on SDLC, core infrastructure security, and incident response.
Code Security Frameworks
First, a quick review. Frameworks in this category are all about building security into software from the beginning. Developers rely on a suite of resources to build secure code and avoid vulnerabilities. For identifying critical risks, they often turn to the Open Web Application Security Project (OWASP) Top 10 and the SANS Top 25. These prioritize a checklist of the most common and dangerous software weaknesses, such as injection flaws and broken authentication.
To establish a secure process, frameworks like the National Institute of Standards and Technology (NIST) SP 800-218, Secure Software Development Framework (SSDF), and guidance from OpenSSF's Source Code Management Platform Best Practices are essential. NIST 800-218 provides a high-level structure for integrating security throughout the entire software development lifecycle, while the OpenSSF offers targeted best practices for securing the software supply chain, including source code management.
Wiz helps by mapping an environment to the relevant rules so that development environments are secure. NIST SP 800-218, Secure Software Development Framework (SSDF) V1.1, is a framework for managing risk, but in Wiz it is used to support sound security outcomes. In Wiz, SSDF is mapped into four categories and nineteen supporting categories, backed by 600 different configuration rules. The rules vary in risk and can be analyzed to see where compensating controls exist and where there is room to improve the development environment and its surrounding processes.
Cloud Security Frameworks
This next set of frameworks provides the blueprint for building and managing an organization's entire security program. They function as the central nervous system for security, including both the specific controls to implement and the management structure to oversee them.
Comprehensive catalogs like NIST Special Publication 800-53 and the Center for Internet Security (CIS) Controls offer a detailed "menu" of technical and operational safeguards. Frameworks like ISO/IEC 27001, in turn, guide organizations in building a full Information Security Management System (ISMS) to ensure those controls are consistently implemented, monitored, and improved.
Ultimately, leveraging these frameworks enables organizations to achieve formal compliance or certification. Standards such as PCI DSS and SOC 2, as well as adjacent frameworks like NIST 800-53 and 800-171, are used to demonstrate a mature security posture to auditors, customers, and regulators, turning internal security efforts into trusted, verifiable credentials. These standards are often prerequisites for doing business, particularly with governments and those subject to government regulations; compliance regimes like FedRAMP and the Department of Defense's Cybersecurity Maturity Model Certification (CMMC) are frameworks that companies generally need to adopt to even be considered for business with federal agencies and their contractors.
For certain frameworks, Wiz helps cover the full scope of the cloud infrastructure controls. For example, SOC 2 is mapped to each of the Trust Services Criteria that the AICPA is looking for: 30 categories with over 200 subcategories, backed by hundreds of configuration rules. This allows our customers whose compliance is based on SOC 2 to address any gaps in their infrastructure governance by modifying the framework to their needs. Canva is a great customer example: with strict SOC 2 and multi-cloud compliance needs, they use Wiz to automate controls, maintain consistent visibility, and streamline audits. Additionally, we have a full blog post about the SOC 2 use case.
Cloud Detection Frameworks
Teams like the Security Operations Center use these frameworks to cover the full lifecycle of a security incident: preparation, response, and recovery. MITRE ATT&CK is central to preparation and response, providing an encyclopedia of real-world adversary tactics. It can be used to analyze and anticipate threats, or identify an attacker's actions and guide the technical response during an incident. Finally, for organizational resilience after an event, ISO 22301 provides the framework for a Business Continuity Management System. While MITRE ATT&CK focuses on neutralizing the threat, ISO 22301 ensures the organization can recover its critical operations and services, creating a comprehensive strategy that moves from understanding the threat to surviving its impact. Both of these frameworks enable a company to be prepared before, during, and after an anomalous event.
Wiz helps here by ensuring that the scoped infrastructure is configured to withstand incidents. MITRE ATT&CK has 13 categories with over 800 supporting subcategories, yet only a few hundred different configurations need to be reviewed to ensure that the infrastructure has the right access levels, logging, and security safeguards so that the environment is secure and primed for incident response.
Conclusion
The security compliance landscape is challengingly complex. The Wiz platform streamlines the process of translating complex frameworks and policies into practice. Admittedly, some controls (like tabletop exercises and background checks) cannot be met with SaaS alone. Wiz enables organizations to map technical controls, configure alerts, and generate reports for the compliance team, thereby increasing security intelligence and simplifying oversight. Essentially, Wiz not only allows the security functions to thrive, but also makes navigating the governance challenges much easier for GRC teams. For those customers interested in talking about how Wiz can be used to enhance their compliance program, reach out to one of our CISO Experts.