With its migration to the cloud and prior to having a Cloud Security Posture Management solution, Priceline wanted to better contextualize the compliance of its cloud infrastructure.
Security teams were often creating tickets for developers to remediate individual cloud configuration issues rather than addressing the root cause, costing considerable time and resources to remediate.
As security teams spent time creating tickets for configuration changes, it pulled them away from working on more strategic initiatives.
Priceline gained visibility into its cloud environment quickly and efficiently and the team ensures it adheres to industry standards.
Priceline learns from the risks in its runtime environment, completes a one-time clean up, and then shifts left, creating security policies for developers to adhere to in the CI/CD pipeline. Developers get immediate feedback to quickly resolve issues.
Priceline proactively mitigates risk by automatically blocking deployments with misconfigurations before they are live in production. Now, security teams can focus on more strategic work instead of resolving isolated issues.
Building bridges between security and development teams
Priceline is an online travel company that helps customers find discounted rates for their trips. On its journey to become fully cloud-native, the company has steadily migrated most of its on-premises workloads to Google Cloud and AWS.
While a cloud-first infrastructure helps Priceline innovate quickly, it also presents a new set of security challenges that need to be addressed. Cloud security architect, Andrew McKenna, and his team are responsible for securing cloud applications and development pipelines as well as securing and monitoring Priceline’s cloud workloads and environments. “The cloud enables developers to quickly spin up systems which are public facing, however, without design and implementation of appropriate guardrails, that and other infrastructure is insecure by default.”
The security team found that they were spending considerable time and resources submitting tickets to update configurations across their environment, which didn’t prevent the issue from reappearing. As a result, the team started to rethink Priceline’s cloud security practices and how to focus their efforts on strategic initiatives rather than solving isolated issues.
Because our footprint is large, we don’t want to be doing ‘whack-a-mole’ when it comes to vulnerabilities and issues – we want to address systemic issues rather than anomalies, and ensure we’re secure by default.Andrew McKennaCloud Security Architect, Priceline
McKenna and his team made the bold decision to move to a shift left strategy to save time and resources on ensuring all configurations across the environment adhered to security best practices by default. They looked for a solution where they could detect deviations from industry standards earlier in the development cycle to remediate issues before they went live in production. In this new workflow, security would set specific policies to ensure best practices are implemented before deployment, and security wouldn’t need to ask development teams for changes to production environments after something is launched.
Priceline knew transitioning to a shift left security model was an ambitious goal. Companies often fail to do this successfully because teams work in silos and use different, unconnected tools. Developers have tools with policies that analyze their pipeline but are entirely isolated from what security sees, creating a fragmented view of the security posture.
Priceline needed a solution that would provide a single, consolidated policy engine that was managed by security and was easy for developers to use—without adding complexity or generating more work. The security team wanted to ensure they didn’t introduce unnecessary friction into the development workflows.
Before you can shift left, you must get your house in order, so you’re not an obstacle to users within the business. You're making changes that impact how people work. We want to give developers the autonomy to create their own applications and platforms and deploy those into a pipeline that ends up in production. We needed to determine what guardrails would enable them to deploy securely.Andrew McKennaCloud Security Architect, Priceline
After exploring potential solutions, Priceline selected Wiz because of its ease of use and cloud-native platform. “What stood out about Wiz for me was it has a very intuitive interface and a really simple dashboard. The fact that it's cloud native and agentless meant we could have it up and running in a matter of minutes and have clear, actionable information,” says McKenna.
Identify, prioritize, and contextualize
As a first step, Priceline used Wiz as its CSPM solution to gain visibility of its cloud environment, benchmark its current security posture, and remediate issues in its runtime environment. Wiz detected potential configuration issues and correlated them with other risk factors like network exposure or cloud entitlements to give the cloud security team actionable context on prioritizing issues.
Learn from the right, shift to the left
With a baseline security posture established in production, Priceline took the learnings from its runtime environment to help it shift to the left. Wiz’s analysis of the running environment helped the team choose the right policies and frameworks to put in place to automatically prevent similar issues from being introduced in the future.
Once Priceline knew which policies it wanted to shift left to development, it leveraged CI/CD scanning in Wiz to apply checks in the right parts of the process. The security team then had to work backwards to create a secure, frictionless pipeline.
We did a lot of work to fix the development modules so that they were consistent with what we wanted. It was the most ‘left’ thing we could do—updating IAC modules before putting a guardrail between development and infrastructure—but it allowed developers to continue to do their work.Andrew McKennaCloud Security Architect, Priceline
Combining Wiz’s continuous analysis across accounts, users, and workloads with the Terraform infrastructure-as-code product – integrated into Priceline’s CI/CD pipeline – enabled the company to identify and address issues early in the development process. Every build is measured against the policies and frameworks within Wiz to determine whether any issues exist with the code or the plan. If the issues are classified as medium or higher, the deployment is blocked, providing immediate feedback for the developer.
“We want to implement guardrails within that pipeline to facilitate security. We just want those guardrails to be invisible,” says McKenna. “Now, development teams have the autonomy to deploy securely, saving both teams time and reducing the need to go back and resolve the issue in the future when it’s more costly to do so.”
Implementing the automation of policies in the pipeline
The team is now able to focus on more strategic work across the company and getting additional value from Wiz. Priceline extended Wiz across existing operations and new acquisitions, including one company running in Google Cloud and another running in AWS. Wiz connected in minutes via a single connector, and delivered coverage without disrupting business operations or requiring ongoing maintenance.
Rather than spending time creating tickets, Wiz allows the security team to spend more time on strategic work, such as ensuring new acquisitions running in AWS meet Priceline’s standards.Andrew McKennaCloud Security Architect, Priceline
With Wiz, Priceline ensures all acquisitions comply with its security framework, whether in Google Cloud or AWS and across Kubernetes environments. The business can measure the security posture of new acquisitions running in different public clouds against its framework and immediately see any vulnerabilities ranked by severity. The security team prioritizes vulnerabilities or issues for remediation and takes a methodical approach to working with relevant teams on the required actions.
By gaining visibility into its cloud infrastructure as well as the ability to prevent known vulnerabilities and misconfigurations from entering its runtime environment, Priceline is getting a singular solution to minimize its cloud risk. McKenna also lauds the responsiveness of the Wiz team in helping Priceline maximize the value of the product and points to the collaboration between the two teams on developing tools within the platform. “The Wiz team has been really responsive. We worked closely together on the development of IaC Scanning, and relied heavily on their support.”