Tide needed to improve its ability to track what was deployed across its multiple containerized AWS accounts, and clean up legacy resources that were no longer needed.
As Tide continued to mature its cloud infrastructure, issues were being discovered in production that could have been remediated before they made their way to the production environment.
Tide was using a CSPM tool that would produce endless alerts, but few were relevant to how Tide was operating its infrastructure.
Tide gained a broader view of what was happening in its containers and sunset legacy systems that cost money and were vulnerable to external threats.
From source through production, Tide automated guardrails to alert developers of issues early in their builds and remediate them before they impacted production workflows.
Tide was able to reduce the number of false positives and prioritize its most critical issues using actionable contextualized insights provided by Wiz.
Small business, big security
Tide is the leading digital business banking challenger in the UK providing financial services for MSMEs and one of the fastest-growing fintechs globally. Since 2015, the company has enabled over 500,000 small and medium businesses gain instant access to financial tools including payroll, automated bookkeeping, invoicing, invoice financing and more. As of May 2023, the company holds more than 9% of the UK market share. In such a setting, the Chief Information Security Officer at Tide, Ben Dewar-Powell, and his team recognize the huge significance of a fast, stable and secure platform for all of Tide’s members.
For the Product and Platform Security Team, led by Ashleigh Vincent, providing consultancy to make sure that developers are integrating secure design from project conception through implementation is fundamental. “It’s all about supporting and empowering the developers,” says Vincent. “We avoid being a block and the security team of ‘No’. Instead we focus on providing useful feedback so developers understand what’s being raised, what will be raised and how to fix it or avoid it.”
Mitigating risk across containers
Tide is hosted on AWS and operates a modern, containerized cloud that brings more agility around applications and cost structure and at the same time presents natural challenges. The environment consists of different AWS accounts due to regulatory, regional and operational reasons. It’s critical to understand where vulnerabilities live in a specific container, to target responses and swiftly remediate issues. “You need to have visibility and understand what’s being deployed in your cloud, rather than applying old server-based security paradigms,” says Vincent. Prior to Wiz, Tide was using in-pipeline container scanning involving building a container, scanning it, alerting on vulnerabilities, and finally triaging it. “This approach doesn’t necessarily tell you if that container is running anywhere,” adds Vincent.
Early on, to get a full picture of Tide’s cloud infrastructure, the systems had to be manually reviewed before trying a number of different open source and commercial tools. But they just generated a lot of noise and findings which required careful examination to surface what was critical to Tide. “The tools would be alerting about something that’s built in by design, and not an issue,” Vincent remembers . This led to an unacceptable burden on the security team at Tide.
It’s all about figuring out how to customize what you actually care about. If you’re in charge of a lean security team at a company with lots of engineers, building that in is critical.
Ashleigh Vincent, Application Security Lead, Tide
Empowering developers by becoming a trusted advisor
Vincent instills a security-first mindset without telling engineers what they can do better. “The holy grail is to automate as much of the manual work as possible. We want to provide a paved road for success and give engineers the freedom to innovate.”
Developers needed earlier warnings that their code, if deployed, could introduce concerns. And getting them to regularly engage with a cloud security tool was demanding. It was outside of their daily workflow and created more tasks. Wiz could be integrated with ticketing systems and an engineer might spot an issue, raise a ticket and notify the product owner about the changes. “We aim to move to a model where if there’s something wrong, it lets us know early and we can drive change off the back of it,” Vincent remarks.
Wiz takes the hassle and thinking out of it. You plug it into your accounts and can see the top 10 cloud things to worry about.
Ben Dewar-Powell, CISO, Tide
A customized and automated solution
Tide saw value in consolidating multiple tools into a single solution to gain full visibility across its containerized environments. This let the company save time and avoid managing multiple systems to address issues. With a comprehensive view of its cloud environment, security and developers could now gain a better understanding of what needed focus.
Tide created security guardrails for engineers to work from with Wiz, and with the ticketing integration, issues could be tackled with less friction. “With the ability to use a single tool, I could build the same automation off the backend; otherwise, I’d have to build two different sets of automation that alert slightly differently,” says Vincent. “It would have been twice as much work for my team with a different tool.”
Wiz is much more than a CSPM provider. It checks a lot of other boxes. Vulnerability scanning on the disk images, container scanning and perimeter scanning.
Ashleigh Vincent, Application Security Lead, Tide
Getting ahead of issues
With Wiz, Tide can identify and remove risk before it becomes an obstacle. Prioritizing only the most critical vulnerabilities and misconfigurations also meant silencing false positives - teams can now focus on more important work. “We only see the ones that we actually care about and are running in our production environment. And with the early warning - defects never make it into production. ” says Vincent.
Reduced time to discovery
Tide’s security team benefits from Wiz’s ability to scan for exposures before they become bigger issues. Vincent was able to warn internal teams of potential impact from a recent OpenSSL vulnerability before the technical details were announced. “I could see there was going to be a vulnerability in this version of OpenSSL and look for where it was running in our infrastructure,” says Vincent. “We were able to warn all the teams so they managed to plan ahead.”
Tide alerted only the impacted teams if something was present in their containers. “Not only could we see the containers built in our pipelines that contained the vulnerability, we could see exactly which ones would be impacted in the next few days. It’s not time to remediation that Wiz saves you—it’s the time to discovery that is super valuable.”
Tide is using the Wiz Dynamic Scanner to automatically capture a screenshot and basic information for every new public resource and publish it to an internal communication channel. This allows engineers to easily see every part of Tide’s internet facing perimeter and communicate change easily.
Surfacing technical details with executives and decision makers where best practices are not being followed can be difficult. But the simplicity of Wiz’s interface helps. “That’s where Wiz’s pretty graphs come in handy,” says Vincent. “Without going into too much detail, I can show a graph going in the right direction, and it makes sense.”
Tide is using Wiz to enable engineers who are experimenting with new technologies to discover potential security misconfigurations in the testing phase. “It helps them think about how they’re going to build,” says Vincent. “The work happens in the testing account, which Wiz can see and point to any concerns present inside.”
Furthermore, the team wants to lean more into Wiz’s project functionality and the ability to divide up a number of projects based on domain. Developers can tag their own containers and AWS infrastructure and get a focused view of just their domain. “That’s the next step as we mature with Wiz,” says Vincent. “It will encourage developers to use the interface, because they’ll only see what they need to address.”
Want to learn how your cloud security program can achieve the same results as Tide? Take a closer look at Wiz's cloud security solutions for financial services.