With a global footprint spanning 120 countries and a history of growth through M&A activity, Aon’s cloud environment became incredibly complex and difficult to secure.
The organization lacked a single, real-time view of its multiple cloud operations and relied on a suite of 10 tools to identify and remediate cloud risk.
Critical activity—including risk remediation, compliance reporting, and M&A integration—involved time-consuming, expensive, and error-prone manual processes.
Aon now enjoys a single, real-time granular view of its worldwide cloud assets, as well as their capabilities and vulnerabilities.
The firm’s global cloud assets are automatically scanned, generating risk remediation recommendations. In many cases, developers can fix risks themselves.
Compliance reports can also be generated automatically, and Aon evaluates the security posture of companies involved in M&A activity both before and after a deal has been signed.
Searching for solutions to a highly distributed cloud landscape
Aon is a global professional services firm, with operations in over 120 countries, employing around 50,000 people worldwide. Headquartered in London, its core business includes risk management, insurance brokerage, reinsurance brokerage, and human capital consulting solutions.
Aon harnesses proprietary data and analytics to reduce volatility and drive the best possible outcomes for its customers. Its overarching approach to technology and security ensures that it has the best tools and skills across all cloud platforms to enable development, growth, and the secure management of risk.
The biggest challenges Aon faced prior to its partnership with Wiz were linked to the company’s complex organizational structure. For many years, Aon has grown through merger and acquisition (M&A) activity. The result is a highly distributed business supported by a convoluted cloud landscape (spanning AWS, Azure, and Google Cloud).
“We had offices and development teams in more than 100 countries, each with its own regional requirements, client requirements, technologies, and even different languages to deal with.”
Shivendra Singh, Senior Leader, Cloud & Application Security
Shivendra Singh, Senior Leader, Cloud & Application Security, Aon, says his team needed no fewer than 10 security tools to manage this cloud complexity. That meant a large team, a robust skill set to maintain, plenty of internal conversations, and considerable stakeholder coordination just to facilitate day-to-day operations.
Manual processes significantly undermine risk remediation
In these circumstances, cloud risk remediation was also incredibly difficult, time-consuming, and expensive. Singh’s team had to manually extract findings from its suite of tools, run multiple remediation streams, manually normalize data, figure out the context around each individual vulnerability, identify false positives, and piece together a clear picture of each risk.
To make matters even more challenging, Aon’s security teams could not manually scan their cloud environments. Instead, they had to rely on DevOps to notify them every time new code was published. This method of risk identification and remediation could take days to complete.
“Processes were ad hoc, and the team often missed things from an asset discovery perspective, such as misconfigurations,” explains Michelle Pieszko, Aon’s VP, Cybersecurity Operations.
When it came to satisfying Aon’s cloud compliance requirements, security teams had to manually map the firm’s cloud accounts and amend vendor-supplied documentation to create compliance reports.
“This process didn’t involve live data,” says Pieszko, “so our compliance exercises were typically out of date almost as soon as they were completed.”
Complexity and manual processes were also acting as a restraint on Aon’s primary method of growth—M&A activity. In some instances, it took years to fully integrate new business lines.
Struggling to keep pace with a rapidly accelerating development pipeline
Meanwhile, cloud migration was accelerating Aon’s code development pipeline, leaving its security teams struggling to keep pace. They desperately needed to adopt a proactive security posture, with automated security measures baked into the development pipeline.
The status quo was not sustainable, let alone scalable. Aon’s distributed cloud complexity had drastically increased security and compliance risk, and the situation had to change.
The company needed a “silver bullet” solution, capable of providing a single, real-time view across its entire cloud estate. The solution had to identify and remediate cloud vulnerabilities, automate manual processes, and manage components like identity and systems access.
For Pieszko, the eureka moment came when she first saw Wiz in action.
“During that first Wiz demo, I remember pinging my team and saying, ‘If Wiz does half of the things I’m seeing right now, we absolutely need it!’ It was the first tool I had ever seen capable of giving us visibility right across all of our cloud environments.”
Michelle Pieszko, Aon’s VP Cybersecurity Operations
Thanks to its out-of-the-box settings, Wiz not only gave Aon’s security teams immediate company-wide granular insight, but it also brought DevOps and security closer together by providing a shared language around the capabilities and vulnerabilities of individual assets. Aon also discovered that Wiz is totally agentless, requires no systems downtime, and has no impact on operational performance.
The platform’s speed-to-value proved to be a game changer for Aon, enabling its security teams to be proactive with risk remediation, swiftly building security-by-design into its DevOps code production pipeline.
Increased collaboration thanks to a single view of the truth
“The key capability that stood out for me,” says Pieszko, “was the fact that we could have our security and technology teams logged into the same console and looking at the same data set, giving us indisputable evidence that a critical detection had been made.”
Previously, there had been lots of false positives, so Pieszko’s team had to get application owners on the phone to discuss the context of each incident.
“Wiz essentially eliminates those negotiations and fast-tracks remediation,” she says. “The Wiz Security Graph automatically generates key insights such as the attack path and asset value. So, regardless of context, we can now focus on the issue and make critical remediation decisions based on the real-time data provided by Wiz.”
This automated approach means Aon’s technology teams can now remediate risks themselves in many scenarios. They can see the risk, understand why it is critical, and then self-remediate—thanks to a series of recommended steps generated by the platform. Tech teams don’t even need to log on to Wiz—they can view issues via ticketing systems such as Jira and ServiceNow. With this new remediation process in place, Aon reduced the time to remediate risk in its environments from days to hours.
Joe Martinez, Aon’s CSO, says Wiz’s ability to scale and its exceptional time-to-value set it apart from the competition.
“Wiz gave us visibility quickly, helping us understand the cloud landscape. It was a real eye opener, giving us a sense of how much workload, how much activity, how many APIs are actually being used in our cloud environments,” he says.
“Unlike many other solutions, Wiz is able to scale to enterprise level. Most other security solutions take months or even a year to realize the full value of your investment. Thanks to Wiz, however, we have been able to achieve that within weeks, which is almost unheard of in our industry.”
Joe Martinez, Aon CSO
Pieszko notes that Wiz proved to be Aon’s first line of defense when global OpenSSL vulnerabilities were identified at the end of 2022. Much to her satisfaction, the platform promptly identified every instance of the OpenSSL vulnerabilities across the entire Aon cloud estate and instantly recommended remedial action.
Automating manual tasks and liberating security and compliance teams
The manual collection of vendor compliance documents is also a thing of the past. With over 100 built-in compliance frameworks, Wiz automatically scans Aon’s cloud environment, mapping best practice and regulatory frameworks across the firm’s numerous cloud accounts—revealing gaps in compliance and recommending and automating the remediation of regulatory risk.
“We've eliminated and automated a lot of that compliance work, thanks to Wiz,” says Pieszko. “So, now we really just log into the console and receive the control mapping and assessment data automatically. Only the remediation portion of the cycle is left for the team to take care of. What used to take hours now just takes minutes.”
Swift and seamless deployment has also transformed the security team’s involvement in M&A activity. Aon can now deploy Wiz to a potential acquisition’s cloud environment before a deal has been completed, generating immediate, trusted data on the acquisition’s security posture and flagging any remediation action that may be necessary.
“We don’t need to share questionnaires and spreadsheets with stakeholders any more,” explains Martinez. “Wiz allows us to integrate really quickly, giving us a really transparent understanding of the risk posture of a potential acquisition.”
Aon has swiftly and seamlessly transformed its cloud risk management operation using Wiz, sweeping away manual processes and complexity while making a proactive security-by-design structure the norm.
“Aon’s journey to the cloud would not be anywhere near as successful if we didn't have Wiz,” concludes Martinez.