undefined | Better HN

0 pointsneom1y ago0 comments

If you'd be so kind for those of us that haven't touched cloud in 5/10 years, what is Wiz? from reading the google announcement: solving the supply chain hybrid cloud security issues? I could google I know but you seem to know what you are talking about, so if you'd be so kind. :)

0 comments

Atotalnoob1y ago

When you use a cloud provider to setup a VM, what policies do you apply to it in order to ensure it’s secure?

Wiz and other tools in the same space tell you and tracks compliance across your fleet.

Idk if wiz does this, but their competitors have “compliance packs” which are preset compliance patterns, IE hipaa, finra, etc.

That way you click a button and it tells you every change you need to make to be compliant

Edit: this is all just examples

allturtles1y ago

I don't know anything about cloud VMs, but I'm confused about how this is possible. Wouldn't determining whether you are HIPAA complaint depend on auditing all kinds of application details about how information flows through the system and how authentication and authorization are done? How could this be validated statically by looking at cloud VM config? Is Wiz doing some kind of AI magic over your whole codebase?

I am sure I am misunderstanding something, but I'm not sure what.

diggan1y ago

> I am sure I am misunderstanding something, but I'm not sure what.

You're missing that a lot of "security" is in reality just a bunch of check-boxes for a form that someone asks you to fill out.

The security you need to really think about is outside of those checkboxes, and it seems like Wiz is not for this type of security, but the former.

1 more reply

moduspol1y ago

They scan for everything they can and report on that. They don't claim to be able to tell you if you're 100% compliant--they just claim to be able to alert you if some subset of the requirements are out of order.

And that still provides a lot of value to the right customers.

TZubiri1y ago

It probably appeals to the kind of businesses that see compliance as a list of checkboxes. Just make sure employees have signed the nda and contract and stuff. Doesn't matter if they are a salesperson and the nda says they can't talk about the product.

Atotalnoob1y ago

HIPAA was an example.

Yes there are other parts to HIPAA than just VM config, but it’s just giving you policies and checks out of the box

ExoticPearTree1y ago

They don't only look at the configuration of the VM, they also look inside the data inside the VM.

mkmk1y ago

Cloud configuration can create compliance issues that are distinct from codebase compliance issues

neomOP1y ago

Figures. Crazy how badly I midsized this problem. When I was working on a cloud provider I suspected this would be a big problem space for building in, but I thought it was in the low billions, I was thinking (I guess stupidly) that the clouds and tools around them would be kind enough to create a lot of standardization so as at least this stuff wasn't junk. I get wanting to create a bit of friction, but thought "this is a bad place to make high friction". I guess it's pretty bad given the size of this acquisition? Or GCP just wants surface area data on other cloud providers (I presume this would aid in that, but I don't know)?

mattnewton1y ago

Idk about other clouds, but Google didn’t eat their own cloud dog food when I was there. We had people food (borg) that was kinda impossible to separate from the infrastructure of google3 (and Google dev processes) and so cloud was built different. It wouldn’t surprise me if that organization just had no awareness of how bad the friction really was for long enough for Wiz to get really good at it?

1 more reply

Aeolun1y ago

You are telling me it’s a huge excel sheet with all my cloud resources (some colored red) in?

Atotalnoob1y ago

Yes?

They have other capabilities, but that’s the primary value add.

Imagine you are working for a fortune 100 company with hundreds of thousands of cloud resources. You can’t manage them individually.

jms7031y ago

But...don't these companies already have cloud security engineers on their payrolls?

ExoticPearTree1y ago

I don't see the need for sarcasm. Most mid-size and up companies have security departments. And they use tools to make their jobs easier.

The problem with the cloud, from a security standpoint is that is it much more complex than a traditional on-premise infrastructure, especially if you go the "managed services" route and have minimal code.

SSLy1y ago

it's a linter for your yaml spaghetti

Tuna-Fish1y ago

And reason they can get recurring revenue for what is indeed basically a linter, is that what it lints your configuration files against is not just best practices but also regulatory compliance. And that gets hairy enough and changes often enough that it's usually worth it to pay for it to be someone else's headache.

theamk1y ago

That's just one part.

The real value is it's linter for _any_ cloud config - you can use terraform or cloudformation or just click around in user interface, and Wiz's rules would still work.

bigfatfrock1y ago

^ Poetry! If only we had linters for all the yaml spaghetti out there in ops land.

tempodox1y ago

Your system nosediving is the linter.

JKCalhoun1y ago

I thought they made smart lightbulbs (I have some "WiZ" ones installed in fact).

Kipters1y ago

I was worried it was that WiZ, luckily it's not Their bulbs are one of the few WiFi bulbs that don't require an app to operate (only for the initial configuration)

birdman31311y ago

Shelly does not require an app at all. Initial setup can be done via the WIFI AP it generates by default. Cloud is a checkbox in the app/web interface.

https://shelly.guide/add-a-shelly-to-your-wi-fi-through-web-...

dublinben1y ago

Can you elaborate on this? The app (both versions!) barely works, and they don’t appear to be compatible with Apple Home like others.

1 more reply

shermantanktop1y ago

I was worried it was https://en.wikipedia.org/wiki/The_Wiz_(film)

swyx1y ago

thank you for asking on behalf of the many of us who are in the same boat.

rakkhi1y ago

If you don't mind a short blog post I run though the capabilities of something like Wiz: https://rakkhi.substack.com/p/choosing-the-best-cloud-native...

j / k navigate · click thread line to collapse

0 comments

Atotalnoob1y ago

When you use a cloud provider to setup a VM, what policies do you apply to it in order to ensure it’s secure?

Wiz and other tools in the same space tell you and tracks compliance across your fleet.

Idk if wiz does this, but their competitors have “compliance packs” which are preset compliance patterns, IE hipaa, finra, etc.

That way you click a button and it tells you every change you need to make to be compliant

Edit: this is all just examples

allturtles1y ago

I am sure I am misunderstanding something, but I'm not sure what.

diggan1y ago

> I am sure I am misunderstanding something, but I'm not sure what.

You're missing that a lot of "security" is in reality just a bunch of check-boxes for a form that someone asks you to fill out.

The security you need to really think about is outside of those checkboxes, and it seems like Wiz is not for this type of security, but the former.

1 more reply

moduspol1y ago

And that still provides a lot of value to the right customers.

TZubiri1y ago

Atotalnoob1y ago

HIPAA was an example.

Yes there are other parts to HIPAA than just VM config, but it’s just giving you policies and checks out of the box

ExoticPearTree1y ago

They don't only look at the configuration of the VM, they also look inside the data inside the VM.

mkmk1y ago

Cloud configuration can create compliance issues that are distinct from codebase compliance issues

neomOP1y ago

mattnewton1y ago

1 more reply

Aeolun1y ago

You are telling me it’s a huge excel sheet with all my cloud resources (some colored red) in?

Atotalnoob1y ago

Yes?

They have other capabilities, but that’s the primary value add.

Imagine you are working for a fortune 100 company with hundreds of thousands of cloud resources. You can’t manage them individually.

jms7031y ago

But...don't these companies already have cloud security engineers on their payrolls?

ExoticPearTree1y ago

I don't see the need for sarcasm. Most mid-size and up companies have security departments. And they use tools to make their jobs easier.

SSLy1y ago

it's a linter for your yaml spaghetti

Tuna-Fish1y ago

theamk1y ago

That's just one part.

The real value is it's linter for _any_ cloud config - you can use terraform or cloudformation or just click around in user interface, and Wiz's rules would still work.

bigfatfrock1y ago

^ Poetry! If only we had linters for all the yaml spaghetti out there in ops land.

tempodox1y ago

Your system nosediving is the linter.

JKCalhoun1y ago

I thought they made smart lightbulbs (I have some "WiZ" ones installed in fact).

Kipters1y ago

I was worried it was that WiZ, luckily it's not Their bulbs are one of the few WiFi bulbs that don't require an app to operate (only for the initial configuration)

birdman31311y ago

Shelly does not require an app at all. Initial setup can be done via the WIFI AP it generates by default. Cloud is a checkbox in the app/web interface.

https://shelly.guide/add-a-shelly-to-your-wi-fi-through-web-...

dublinben1y ago

Can you elaborate on this? The app (both versions!) barely works, and they don’t appear to be compatible with Apple Home like others.

1 more reply

shermantanktop1y ago

I was worried it was https://en.wikipedia.org/wiki/The_Wiz_(film)

swyx1y ago

thank you for asking on behalf of the many of us who are in the same boat.

rakkhi1y ago

If you don't mind a short blog post I run though the capabilities of something like Wiz: https://rakkhi.substack.com/p/choosing-the-best-cloud-native...

j / k navigate · click thread line to collapse