How Thoughtworks Manages Cloud Security and Container Vulnerabilities
Many companies, in an effort to modernize their software and cloud tech stacks, are beginning to confront the challenges of managing security across multiple cross-functional, yet independent, teams, each with a diverse tech stack. One such example is Thoughtworks, a leading global technology consultancy that works with enterprises to enable them to keep pace with the accelerating rate of technological change.
Thoughtworks' long and diverse list of clients inspires Thoughtworks IT teams to develop containerized software at a rapid pace, and to deploy it across hundreds of cloud accounts, all in an effort to enable their global team to deliver on their clients' evolving needs. Due to the large scale of operations, Thoughtworks’ InfoSec organization is focusing on automation and efficiency to help ensure that security practices move at the pace of their business. This includes secure configuration of AWS and Google Cloud accounts, and container image scanning to detect vulnerabilities and prioritize them for remediation as images are pushed through the pipeline dozens of times per day.
What Challenges Did Thoughtworks Set Out to Solve?
Through the extensive evaluation process, Thoughtworks was focused on the concept of “Ruthless Sustainability,” a methodology that Thoughtworks’ cybersecurity team describes as maintaining consistent security standards. This consistency should be facilitated by automation and should support security and performance requirements regardless of staff availability or unforeseen challenges to the broader organization.
Thoughtworks' evaluation criteria for the ideal solution focused on centralized security risk insight for their AWS and GCP cloud environments, as well as integrated security risk assessments of container images and serverless functions. With the speed and frequency at which they are deploying artifacts on a global scale, rapid cloud security configuration checks and automated vulnerability scanning were necessities in any solution they would select. Thoughtworks would find additional benefit from any solution that could help prioritize risks that should be addressed more immediately, given the team's valuable and limited time to triage lists of security issues.
Because of their diverse tech stack and security toolkit, Thoughtworks required extensive API support for cloud account enrollment as well as vulnerability management workflows and remediation activities. All this would need to suit a lean cybersecurity team without sacrificing coverage, flexibility, and scalability.
After careful consideration, Aqua’s Cloud Security Posture Management (CSPM) and Aqua Vulnerability Scanning were determined to be the most well-suited solution for the team to support security requirements throughout their CI/CD pipelines and across clouds.
An all-in-one solution
Using Aqua CSPM and Aqua Vulnerability Scanning, Thoughtworks is able to achieve their goals for enhanced security standards in the Identify and Protect stages of the NIST Cybersecurity Framework (CSF) without needing solutions from multiple vendors, which supports Thoughtworks' continued focus on the Detect and Respond stages.
“One of the reasons we looked at Aqua was because we want to use fewer vendors,” said Nitin Raina, VP of Cyber and Information Security at Thoughtworks. “Adding more vendors into the security ecosystem doesn’t help the customer at all, it complicates the situation for us. If someone addresses the two or three needs that we have in the infrastructure security and container vulnerability space – and Aqua does a good job there – we would prefer to work with them.”
A SaaS partner to rely on
For Thoughtworks, a key benefit of working with Aqua was their ability to deliver SaaS-based cloud native security solutions and their dedication to a strong and responsive relationship. Aqua SaaS provides the most up-to-date functionality, enterprise-class scalability, and resilience for the tools Thoughtworks’ cybersecurity team uses each day, and the team is able to collaborate with Aqua to ensure their needs are directly met.
“We were really happy to find Aqua has a hosted version,” said Felix Hammerl, Enterprise Architect, Cyber Security at Thoughtworks. “Self-hosting solutions quickly become really old. With Aqua SaaS, I don’t have to worry about things like upgrade cycles, uptime, or patch state. I have someone who I can approach for that and I don’t have to do it myself.”