Stanford University empowers and protects cutting-edge research with cloud security champions

To protect Stanford’s cloud infrastructure and data used by thousands of employees, the university federates security management to empower individual departments to self-manage.

Stanford University

Industry: Education

Region: North America

Cloud Platforms: AWS, Azure, GCP

Challenge

  • To empower non-security professionals to easily self-manage their offices’ cloud security, Stanford needed a frictionless deployment with an agentless security solution. 

  • Stanford’s previous security tooling was designed for traditional development and technology organizations, and the university wanted to find a solution that matched its federated, cross-account approach to security management while still being user-friendly.

  • With tens of thousands of users spread across different departments, Stanford needed clearer visibility into which applications they were using in order to detect vulnerabilities.

Solution

  • Stanford deployed Wiz across offices without requiring their respective teams to manually install an agent to scan their environments.

  • To best support all of Stanford’s employees with a wide range of technical knowledge, the team turned to Wiz to simplify their relationship with security and enable faster, more secure cloud-based research. 

  • Stanford’s security team can federate cloud security management to specific team leaders across offices, so each manager has insight into their team’s vulnerabilities.

  • Empowers 20k+ faculty and staff members to protect their IT infrastructure with self-service security

  • Equips 13-person security team to manage security across seven campuses

  • Reduces critical risks throughout the university ecosystem with improved visibility

Amplifying researchers and academics solving the world’s big problems

For more than 130 years, Stanford University has stood as one of the leading academic institutions in the world. The colossal network of campuses, hospitals, accelerators, student organizations, restaurants, sports teams, and laboratories covers more than 13 square miles, serves more than 20k employees, and hosts more than 17.5k students. The university motto, “Die Luft der Freiheit weht” (German for “the wind of freedom blows”), reminds them all to embrace the freedom of change.  

The university’s cutting-edge research embraces this freedom to make a global impact. Its 13-person cloud security team works to empower the communities driving changes, such as reducing fossil fuel emissions, understanding and translating ancient texts, and developing healthcare technologies. “We’re here to enable,” says Noah Abrahamson, Director of Cloud Security at Stanford University. “Many people see security offices as places where good ideas go to die, but the reality is that if we work together to use our cloud effectively, we can work faster and safer with cybersecurity built in from step one.”

Stanford’s previous security solution was entangled with decades of legacy infrastructure and technical debt. It also required individual teams to deploy agents to monitor their applications. “We give our account holders free rein to do and build what they want, which is a blessing and a curse,” shares Abrahamson. “We would have to distribute software and expect an agent would be installed on every virtual machine. In practice, that’s nearly impossible. Those users want to get as much as they can from their resources and investments, so anything that saps from that is seen as a negative.”

Our small security team is here to enable our researchers, teaching staff, and alumni with secure systems. We’re building toward a zero-trust infrastructure, but that can’t get in the way of progress, so we need security solutions that support everyone’s work.

Noah Abrahamson, Director of Cloud Security, Stanford University

The university wanted to consolidate its security management into a simpler, federated security model to give the security team clearer oversight. It also wanted an agentless solution that would protect its wide range of end users without creating additional work. That’s when it found Wiz.

Adopting a security solution that works for anyone

Stanford’s IT team needed to make security easy, understandable, and relatable to a broad spectrum of users, ranging from industry-leading engineers to staff with little to no technical experience. “To accommodate everyone, we couldn't work with a security product that was narrowly tailored for modern CI/CD DevOps engineers,” Abrahamson adds. “Wiz can produce reports and provide insights across our entire cloud, but most importantly, it gives our end users the information that matters without overloading them.”

While the university’s security rules have remained the same, the security team can now rely on Wiz to validate individual teams’ security statuses. “We’re trying to improve our security posture because we’re responding to what’s going on in the real world to protect our data and avoid multi-million dollar fines,” Abrahamson shares. “With Wiz, we can precisely measure degrees of risk to our data to validate which issues need to be addressed rather than trusting manual risk classification.”

With our previous solution, if people didn’t install the agent, their resources would be completely off our radar, which meant potential risks could be easily missed. Because Wiz is agentless, we don’t have to worry about anyone forgetting to install software—we have visibility into everything we need.

Noah Abrahamson, Director of Cloud Security, Stanford University

When Stanford deployed Wiz, it was quickly able to uncover vulnerabilities that were overlooked by its previous solution. “We significantly underestimated how much was missed because we’d relied on an agent-based solution,” Abrahamson says. “Wiz gives us context into where resources exist in longer chains of resources, so we can point teams toward the roots of their problems.”

Stanford has used this increased awareness to identify sources of critical vulnerabilities across its campuses and better target its security strategy. “As more users become aware of Wiz and adopt it, we’ve found that a small percentage of our users are responsible for a significant number of our criticals,” Abrahamson says. “Once, we uncovered one account holder who had malware on 100% of their virtual machines. We turned those off and profoundly improved our security posture almost instantly.”

Federating project management to democratize cloud security

To support more than 20k employees, the security team has adopted a hands-off, self-service approach to security management. With Wiz, it can provide non-security employees with the education, training, and tools necessary to protect their projects while still being able to consolidate and monitor from a distance. “We have a few thousand cloud accounts across our multi-cloud environment, and in Wiz, we can cluster those accounts into projects across broad departments such as humanities or sciences,” Abrahamson says. “We then assign leaders for these projects and these ‘distributed IT’ leaders help us safeguard the whole university.”

This investment in collective cloud security continues to ripple across the university through growing API usage and new security champions who show their teams the advantage of collaborating on security. “We’re continuing to track logins, and we’re seeing ongoing, progressive adoption of Wiz,” Abrahamson shares. “Improved security monitoring is accelerating our overall shift to the cloud because our users have the freedom and knowledge to self-service, address issues quickly, and resume their work.”

You never know what the next Log4J is going to be. With Wiz, I can monitor patterns before they get too big to handle. I can review top emerging vulnerabilities, see how many systems we have that may be impacted, and share my findings with our security champions through internal Slack channels to get ahead of threats.

Noah Abrahamson, Director of Cloud Security, Stanford University

These security champions give individual teams more skills and security awareness to manage their own security standards. By educating their colleagues about how security directly impacts their own research, teams are more incentivized to continue to learn about security practices to safeguard their innovative work. The distributed IT leaders can own security practices within their own project in Wiz and ensure their organization is safe, relieving Abrahamson’s team from micro-managing all of Stanford’s security posture. 

Since empowerment—driven by education—is the organization’s primary security goal, it’s currently measuring success based on teams’ responsiveness rather than vulnerabilities alone. Stanford designed a security scorecard that its distributed IT leaders can use to assess their teams’ work. These ratings consider information such as average age of issues and user login rates to give CISOs and CIOs insight into how their teams are responding to their security responsibilities.  

Scaling Stanford’s security community with automation

With Wiz, groups at Stanford are using APIs to build their own tools, reports, and dashboards to further customize their security management. A more customizable approach to security has helped attract more security champions from major organizations on campus. “Our security champion project has helped us connect with people interested in cloud security and build a community of practitioners sharing best practices and support,” Abrahamson shares. “They’re regularly sharing suggestions for new integrations and apps or advice about which ones work best for our needs.”

Alongside this expanding community space, the team is currently developing executive dashboards to efficiently present security status updates to senior executives. “We want to help our executive leadership log in and see a simple smiley face or sad face to gut check our security health,” he adds. “With Wiz, our team of cyber problem-solvers is making this possible, and we can continue to elevate what cloud security means for Stanford.”
