Challenges
Managing individual rule sets for the three cloud service providers in Bouygues Telecom’s environment adds complexity and management load to the cloud team.
Restricted access to applications and projects for multiple teams within Bouygues Telecom –including the security team – meant they had to email the cloud team for assistance, increasing the burden on its members.
A planned adoption of Kubernetes and serverless technologies potentially opened up new security surface areas that impeded the adoption of the new services.
Solutions
Bouygues Telecom applies the same rule set to each workload, regardless of the cloud it is running, using native controls included in Wiz.
Bouygues Telecom provides application access to security and architecture teams and project managers, reducing the incident and vulnerability remediation load on the cloud team, through Wiz RBAC.
Bouygues Telecom is exploring the potential of Wiz to manage the Kubernetes and serverless environments expected to dominate its architecture within the next two to three years.
Driving innovation in telecommunications
Connectivity is crucial to people and businesses across France–and the opening of the country’s telecommunications market to new operators in 1998 increased the range and quality of services available. Bouygues Telecom was among the earliest operators to enter the newly competitive market and provides high quality voice and data connections to customers. An agile business with close to 8,000 employees, Bouygues Telecom is known for innovation with achievements such as launching IPTV into the market.
Securing a multi-cloud environment
As Cloud Expertise Manager at Bouygues Telecom, Mael Louvet’s responsibilities include building and running a multi-cloud infrastructure incorporating AWS, GCP, and Azure, as well as a wide range of on-premises servers. His team of 10 architects provides governance, guidance, and security architecture for all cloud platforms. “We undertake a lot of advisory work with the application and operations teams working on different cloud platforms,” says Louvet.
“We work closely with cloud providers such as AWS, GCP and Azure to help clients access new networks, technologies, and social media–and we apply a premium to subscriptions to invest in improving the quality of our networks.”
To realize the full potential of its multi-cloud investment, Bouygues Telecom is evolving its application architecture to incorporate serverless technologies and migrating to the Kubernetes open-source container orchestration system to deliver standardization across legacy and serverless applications. The business is also transitioning to software as a service (SaaS) for applications it cannot easily manage within Kubernetes due to complexities in managing a wide range of microservices.
Using Security by Design to protect a multi-cloud environment
Bouygues Telecom is applying a Security by Design methodology to protect its multi-cloud environment. This approach embeds security into every layer of its technology architecture and ensures each user or system accesses only the systems and data required to perform authorized tasks.
Measures Louvet’s team has implemented to drive security across the Bouygues Telecom platform include:
automating platform creation to improve control over deployments;
implementing autonomy to empower teams and individuals to manage the applications they deploy on the platform;
working closely with Bouygues Telecom’s dedicated cyber-governance team on a security checklist each user must review before accessing the cloud environment, and;
using a security tool to automate control of the audited environment.
Streamlining security across the organization
After initially using a Cloud Security Posture Management (CSPM) product from a different provider that failed to deliver, Bouygues Telecom switched to Wiz. “That’s been one of the huge improvements we’ve made to ensure security is at the level we want,” says Louvet. “We changed because we are implementing a multi-cloud solution and will have workloads designed for AWS, GCP or Azure. Our previous security tool would have required us to rewrite the rules for each cloud, so we would have had three specific sets of rules to follow to ensure we kept data and systems in each secure.”
Wiz also provides contextualization that enable Bouygues Telecom to correlate data about an issue to other events, vulnerabilities, or problems in its broader environment, making security analysts’ work easier when reviewing the organization’s risk profile. “This capacity was very interesting to us and was something we didn’t see in alternative solutions,” says Louvet.
We wanted to apply the same rules to all the different clouds we worked with, and tried a lot of different solutions to achieve this. Only Wiz provided this capability embedded natively in its solution.
Mael LouvetCloud Expertise Manager, Bouygues Telecom
Wiz implementation extends security accountability to other teams
Through the implementation of Wiz, accountability for security at the telecommunications provider is extending from the cloud team to other teams and individuals within the business. Bouygues Telecom security and architecture teams and its project managers are gaining the access and autonomy to make changes to the applications they are managing or maintaining and obtain the security data they need directly. “When we can give specific access to a small subset of the platform through role-based access control (RBAC), it is very easy to bring autonomy to each team,” says Louvet. “Previously, we could only provide a global overview for a small set of people while others, who may not have access, had to check with us if there was a problem.”
Wiz’s ease of integration has enabled Bouygues Telecom to connect Wiz to the ServiceNow system used for IT service management. Each incident or vulnerability registered by Wiz will raise a ticket in ServiceNow that is sent to the relevant team to be addressed. “Because management follows KPIs directly through a single pane of glass in ServiceNow, it will be easy for us to put pressure on teams that need to patch their deployments or ensure compliance through that system,” explains Louvet. “The ServiceNow plugin offered by Wiz makes this a comparatively easy process.”
As part of a broader shift left strategy, the Bouygues Telecom team wanted their developers engaged in maintaining the security of their service. To achieve this goal they leveraged the Wiz-cli command line tool to check code before it is deployed, and expects to complete the implementation in early 2023. “Deployment is always a challenge for each IT team, and we decided to deploy each application using continuous integration-continuous deployment (CI/CD) with infrastructure as code,” says Louvet. “We constrain every internal team to use a CI/CD tool and they have to describe all the infrastructure and application code in a GitLab project base. Now that is in place, we can ensure a lot more security because there is only one way to deploy assets on the cloud.”
Bouygues Telecom is now testing Wiz’s container security to detect and identify exposures across networks and containers. Once in place, Wiz would check every part of the Bouygues Telecom platform, including small elements of containers in Kubernetes, for security alerts or non-compliance with security policies, and scan Kubernetes clusters for network exposures.
Kubernetes comes with a lot of small blocks and in each one can be a new security breach. So, we have to step in and use Wiz at a smaller level, to be sure each one of the deployments will still be compliant with the security rules.
Mael LouvetCloud Expertise Manager, Bouygues Telecom
Energizing Bouygues Telecom’s security culture and practices
With an agentless solution that provides full coverage and visibility of its environment, deploying Wiz has energized the security culture and practices within Bouygues Telecom. The business measures the success of its Wiz deployment through two major KPIs–engagement and adoption. “The number of people who want to be enabled on Wiz has grown extremely fast. Last year we created a small team of security champions for training on security topics,” says Louvet. “Now that number has grown to 50 or 60. In addition, we run dedicated meetings that include senior management for our huge development domains, and we display Wiz dashboards at these. Combined, these are delivering great adoption and genuine success for our team.”
Bouygues Telecom is reaping the rewards of increased visibility, more accountability for vulnerability and issue remediation, and more efficient allocation of resources. Through the Wiz dashboard, the business can easily check vulnerability and incident status across multiple clouds, and the tool delivers a clear view of which teams and individuals are working on which issue. In addition, the Wiz Security Graph enables the business to identify the different operations accessing external networks, or view the state of its network at a particular point in time for audit.
The organization can now effectively rank issues and vulnerabilities across its architecture for resolution. “Our top priority is external exposure, and we work on issues and vulnerabilities here based on severity, internet exposure, and environment,” explains Louvet. “We are particularly focused on our production environment, in which customer data is stored.”
With Bouygues Telecom’s multi-cloud environment now secure and operating smoothly, the organization’s parent, Bouygues Group, is considering extending the telecommunications company’s remit to provide guidance to teams across all its businesses. This extended role may also include infrastructure and associated tools – potentially paving the way for Wiz to assume a broader role in securing Bouygues group companies.
The Wiz deployment was so successful, the tool may be used across all businesses owned by our parent, Bouygues, including construction, real estate development, and media organizations.
Mael LouvetCloud Expertise Manager, Bouygues Telecom
