Challenge
OTTO needed to find ways to adhere to compliance standards while still developing and deploying code quickly.
A growing multi-cloud environment and a complex collection of distributed business leaders helped teams move quickly, but it also added risk. The company needed a centralized platform for its teams to monitor and unify its cloud security.
In addition to viewing security posture in one place, OTTO also wanted to reduce the manual work required to review and understand security-related information.
Solution
The company chose Wiz as a consolidated security solution to reduce the need for separate tools and build a scalable foundation for its growing cloud security program.
With Wiz, OTTO has a single source of truth for its security monitoring that provides individual teams the ability to customize which alerts are shared with them. This way, every team has access to the most relevant information in a way that meets their needs.
By automatically prioritizing and sharing potential risks with the right parties, Wiz allows OTTO to focus on development rather than manually reviewing and tracking security posture.
Securing the cloud infrastructure of the largest German online shop by consolidating security tools
OTTO GmbH & Co KG (OTTO) is the provider of the largest German online shop of the same name. The company got its start as a mail-order catalog in 1949. It has expanded to become part of the Otto Group, a globally active retail and services group with around 41,000 employees in 30 major company groups, operating to bring the best e-commerce experience to its millions of customers. Today, the Otto Group it is one of the largest online retailers in the world with more than $16 billion in annual revenue (GMV – Gross Merchandise Volume).
In the years since the move from mail-order to e-commerce, the company has dramatically grown its presence in the cloud. Becoming a primarily online business meant shifting more and more of its technologies online as well, but in that process the company found new requirements for remaining compliant and effectively governing access to data.
Protecting both its gradually expanding cloud infrastructure and its customer data is a major priority. To do this, OTTO is committed to making security a shared responsibility across the organization. “For a company of our size, we feel it’s important to incorporate security practices into everyone’s everyday work,” said Ralf Kleinfeld, Information Security Officer at OTTO.
We set high standards for our security practices to protect our customer data. Meeting those standards requires us to share the responsibility of security throughout the company, and we can use Wiz to easily share security information with the right people.
Ralf Kleinfeld, Information Security Officer, OTTO
With that in mind, OTTO needed a security solution that would keep all of its teams on the same page. “From an organizational perspective, distributing security responsibilities is challenging without a centralized security solution. To ensure everyone was both remaining compliant with our security standards and able to do their jobs autonomously, we had to unify security,” said Kleinfeld. The company’s existing security solution offered some insight into security problems, but it required several manual steps to investigate problems. This led OTTO’s DevOps team to search for a more efficient, consolidated solution.
Centralize and democratize cloud security management with a CNAPP
Wanting to balance security and speed of deployment drove OTTO to explore cloud-native application protection platform (CNAPP) solutions. This means combining its ability to see its entire security posture, secure the software development process with a single policy across teams, and build compliance checks into development with one tool. “We had a lot of options for security solutions, but we found that a CNAPP offered us the most comprehensive view of our cloud environment and we could better secure our development process at the same time,” Kleinfeld explained. The company chose Wiz to support its cross-company security goals.
With Wiz, different teams can leverage one security platform to build, secure, and monitor cloud infrastructure. They can use this alignment to ensure policies and controls are standardized, so risks are evaluated consistently and throughout the development process. “Our security teams can review posture management, our developers can see security alerts about applications, and operations can see issues across teams,” said Kleinfeld. “Every team has access to what they need, and they can easily discuss with other teams because they’re looking at the same information.” Another part of that alignment also came from including stakeholders across teams during the evaluation process. With everyone being able to see Wiz’s role in their workflows, everyone was able to align on how the solution would support future work.
Wiz CNAPP supports security across our cloud environments in a single place. All of our security information is in one place, and the solution is flexible enough that different teams can focus on just the details they need.
Ralf Kleinfeld, Information Security Officer, OTTO
To ensure teams across OTTO were using this security context, the company implemented security champions into the teams that use Wiz. With their support, everyone was able to explore new ways to integrate security into their work. “Our developers know that security is important, but they don’t spend their days in Wiz,” Kleinfeld pointed out. “Being able to customize how they receive alerts has really improved adoption rates which means we can continue to resolve issues faster.”
Teams use everything from in-app Wiz alerts to service tickets and email notifications to stay on top of security risks and remediate issues efficiently. This meant that the team could immediately find and address issues as soon as a vulnerability is introduced to the environment.
The company has also built custom rules in Wiz to line up with OTTO-specific requirements. “We have a tagging system for our cloud resources, and now we can ensure no resources are deployed that aren’t tagged with the proper information,” Kleinfeld explained.
Using context to prioritize and collaborate on security
Being able to not only see an alert but also understand how critical an issue is, and why it’s important to address, reduces the time OTTO needs to protect its cloud environment. “Now we know that we’re looking at the important things first, and we can use Wiz to measure exactly how long it takes us to handle an issue,” said Kleinfeld. With this data on hand, the Information Security Officer can clearly demonstrate security’s value and outline how security enables, not slows, work at the organization.
Because Wiz evaluates and prioritizes our risks automatically, we’ve been able to build a more structured process to resolve issues based on impact.
Ralf Kleinfeld, Information Security Officer, OTTO
By consolidating, viewing and measuring security’s impact in one place, OTTO also has a simple way to report on the organization’s security journey. “With the Wiz Dashboard, I have a live view of our security posture in one place,” Kleinfeld explained. “That ease of access is something we hadn’t had before, and it makes my life so much easier.”
The organization continues to find new ways to leverage Wiz to secure its cloud development. By diving deeper into every element that makes up OTTO’s complex cloud environment, the company can continue finding, managing, and securing every layer of its cloud.
