Gaining consolidated visibility into Ocado’s cloud belongings
From the beginning, we had been impressed with the velocity of deployment and safety findings surfaced with SCC. The place it could take a number of weeks prior to now with different software program distributors, we had been capable of shortly arrange SCC in our surroundings and we may instantly begin figuring out our most weak belongings.
In the present day, we use SCC to detect misconfigurations and vulnerabilities throughout lots of of tasks all through our group and we use it to get an aggregated view of our safety well being findings. We filter the findings after which use Pub/Sub or Cloud Capabilities to ship alerts on to the instruments every division is working with, corresponding to Splunk or JIRA. This fashion, every of our groups can uncover and reply to the safety findings in their very own surroundings, with SCC performing as the one supply of fact for our security-related points.
Driving autonomy by delegating safety findings
Autonomy fuels innovation at Ocado Expertise, which is why we need to make our groups as self-sufficient as potential. SCC helps to make our divisions extra autonomous from the central group. It delivers all the safety insights know-how groups must make sensible selections on their very own and at tempo.
Right here’s the place SCC’s delegation options offering folder and undertaking degree entry management are available in. The platform’s fine-grained entry management capabilities allow us to delegate SCC findings to particular groups, with out having to offer them a view of your complete Ocado Expertise group. Enterprise models now not must contact us within the safety crew to trace down vulnerabilities, they’ll do it themselves in a compliant and safe method. It makes our work extra environment friendly and autonomous, permitting everybody to give attention to their very own areas of experience and environments.
Figuring out and remediating a number of medium and excessive vulnerabilities
SCC’s findings are very wealthy and don’t finish with the identification of the potential misconfigurations and vulnerabilities. It goes past this, recommending options to resolve any points and offering clear pointers on subsequent steps. That’s why the suggestions from our customers throughout the group has been so good.
SCC delivers on each high quality and amount. Since implementation, it has helped us determine and take away lots of of medium and excessive vulnerabilities from our Google Cloud property. The variety of safety associated findings have additionally gone down every quarter, indicating actual and tangible enhancements in our safety posture. SCC is so helpful in sustaining our safety posture as as soon as we all know the place the problems are, tackling them is simple.
From Eight-hour safety scans to prompt insights
One explicit concern we’ve been capable of deal with nicely with SCC are vulnerabilities concentrating on the Apache logging system Log4j. SCC knowledgeable us about tried compromises, lively compromises, or the vulnerability publicity of our Dataproc photographs. Throughout Log4j response, all these would have been in any other case very onerous to trace down, particularly with restricted sources. With SCC, we had been capable of leverage the safety experience of Google Cloud to determine the newest vulnerabilities, primarily based on essentially the most up-to-date safety developments, and act on them shortly.
Clearly, velocity is of the essence with regards to menace mitigation and SCC has enabled us to repair points sooner, making us much less uncovered to outdoors threats. Previously, simply scanning every thing as soon as may take as much as eight hours. SCC sped issues up from the beginning and findings have been almost instantaneous because it rolled out real-time Safety Well being Analytics.
Strengthening compliance and demonstrating requirements to stakeholders
SCC helps us to attain higher compliance requirements, and display these requirements to our stakeholders. We lately ran an inside audit train throughout the Ocado Expertise group, for instance, the place we recognized the tasks with essentially the most quite a few and extreme security-related findings. With out the stories from SCC, this is able to have been extraordinarily onerous and even inconceivable.
We additionally use the Safety Well being Analytics data from SCC to visualise the information per undertaking, making a sort of warmth map of safety throughout the group. This helps us assign our sources to the correct tasks and prioritize our efforts accordingly, informing our strategic selections.
From top-down to a developer-led safety
There’s been a paradigm shift in safety operations, and issues are transferring from a top-down strategy to a extra developer-led and autonomous course of. SCC helps drive that change at Ocado Expertise. It allows us to put the duty for security-related points nearer to the useful resource homeowners. By ensuring that the groups most impacted by a possible drawback are those who get to repair it, we empower groups to resolve points proactively and effectively.
Wanting ahead, we are able to’t wait to see SCC evolve additional. One of many options we’re most enthusiastic about is the flexibility to create customized findings (at present in preview) and extra integration capabilities that allow automation. We’re nonetheless not utilizing every thing SCC has to supply, however it’s already an important software for our safety crew.
At Ocado Expertise, we’re pioneering the way forward for on-line grocery purchasing, and this future wants a robust safety basis. SCC helps us to strengthen and keep that basis, making worthwhile, scalable, and safe on-line grocery purchasing potential for much more companies around the globe.