Amaysim has adopted a new cloud security operating model to detect and prioritise the remediation of code vulnerabilities, misconfigurations and other issues found in its environment.
The mobile virtual network operator (MVNO) is using a cloud-native application protection platform (CNAPP) by Wiz.
A CNAPP, according to Gartner, brings together a number of security scanning capabilities into one platform that is “designed to secure and protect cloud-native applications across development and production.”
IT operations director Peter James told the AWS Summit Sydney that Amaysim operates “a very broad sprawl of cloud infrastructure”, all in AWS.
“We weren’t born in the cloud, but we were fast cloud adopters,” James said.
“We’ve got our share of monoliths running on EC2, we’ve got a bunch of containers, and we’ve got some more modern workloads which are running on CDK [Cloud Development Kit] or serverless as well, and everything in-between.”
James said that early adoption of cloud, combined with evolving use and the cadence of change it enables, meant Amaysim saw a wide variety of challenges around securing the environment.
Threats to the environment ranged from “developer or engineering misconfiguration, all the way through to nation state attacks or other hacks”.
The company’s engineering teams make “probably 200 production releases a month, give or take”, a rate of change that has corresponding impacts on the attack surface.
In addition, James said that “how we used our cloud infrastructure eight or nine years ago is very different to the workloads and how we lean on things today”.
Combined, those challenges led Amaysim to trial - and ultimately adopt - a CNAPP to ensure its cloud security model could scale with usage of the environment and available resources.
One of the use cases for CNAPP is to aggregate and prioritise alerts, determining what vulnerabilities need to be addressed.
“Engineering and security time and effort is one of the most valuable commodities we have,” James said.
“One of the big challenges was prioritisation. There’s potentially so many security distractions as well as core security vulnerabilities that you need to try and solve for.
“We’re giving a curated or prioritised list to our engineers or to our infrastructure team to really make sure that we’re reducing our security risks.
“As a general rule, engineers want to do the right thing. We want to help with that and use tools, practices and processes that help them do the right thing in an efficient way.”
While efforts with CNAPP were initially focused on cloud infrastructure assessment, the platform will also be used to help engineers build more secure software from the outset.
“Something that we really want to bring to bear in the coming year is making sure that we’re fixing things that aren’t there yet,” James said.
“What we’ve focused on so far, which has been really good, is looking at our production environments and what’s actually running.
“The next stage to go, ‘OK, how do we mature and ensure that the things that we’re building next have the right guardrails in place, rather than just blockers or process gates, to allow our teams to do their best work but also not expand our risk posture’?
“We firmly believe that engineers should own their code all the way through to production. Tools like Wiz allow us to eventually [enable that], without it being a huge imposition.”
The iTnews State of Security 2024 report is now available. Click here for full access.
Ry Crozier attended AWS Summit Sydney as a guest of AWS.
