Over 50% of Wiz customers have reduced their cloud risk by reaching Zero Critical Issues
# Best Practices: Achieving and Sustaining Zero Critical Cloud Security Posture
## Overview
These practices focus on operationalizing cloud security workflows to achieve and maintain a "Zero Critical" status by prioritizing and remediating highly dangerous combinations of risks (Wiz Critical Issues) that expose crown jewels like sensitive data. The goal is to reduce the organization's cloud attack surface through continuous, measurable improvements and security democratization.
## Key Recommendations
### Immediate Actions
1. **Identify and Prioritize Critical Issues:** Immediately utilize cloud security tools (like Wiz) to gain a centralized, actionable view of the highest-priority risks based on pre-analyzed attack paths.
2. **Focus Remediation on Critical Risks:** Prioritize the swift elimination of "Critical Issues"—combinations of risks that directly create attack paths to sensitive resources or "crown jewels."
3. **Initiate Contextual Risk Communication:** Use visualization features of security tools to clearly communicate *why* an issue is critical and *what* specific actions are required, aiding rapid leadership and team understanding.
### Short-term Improvements (1-3 months)
1. **Start Production Environment Remediation:** Begin the systematic cleanup process by focusing initial remediation efforts on production environments, especially those protecting customer data.
2. **Empower Decentralized Ownership:** Establish a structure where individual teams (engineering, ops, infrastructure) are fully empowered and responsible for addressing risks identified within their own infrastructure scope.
3. **Implement MTTR Tracking:** Begin automatically calculating and tracking Mean Time to Resolution (MTTR) for any newly emerging critical issues to measure and motivate rapid remediation performance.
### Long-term Strategy (3+ months)
1. **Shift Security Left:** Integrate security processes earlier into the development lifecycle (Shift-Left) to prevent the introduction of high-risk configurations and vulnerabilities into the cloud environment initially.
2. **Automate Controls:** Develop and deploy automated controls that proactively prevent the recurrence of risks that were previously remediated, ensuring security is embedded across teams.
3. **Promote Security Excellence:** Enroll in advanced recognition programs (like the Wiz All-Stars Club) to maintain vigilance, reward proactive practices, and foster continuous improvement across various risk domains (e.g., managing excessive administrative roles, eliminating critical vulnerabilities).
## Implementation Guidance
### For Small Organizations
- **Focus on Clarity:** Leverage tools that translate complex cloud risks into layman’s terms to enable quick understanding and action by small, potentially non-security-focused teams.
- **Prioritize Data Protection:** Immediately focus resources on securing any environment containing the most sensitive organizational or customer data.
- **Rapid Onboarding:** Aim for rapid onboarding and configuration of the cloud security platform to gain full initial visibility quickly (aiming for a "one-day love story" experience if using capable tools).
### For Medium Organizations
- **Establish Structured Remediation:** Adopt a systematic approach, moving from production environments to less critical staging/development environments sequentially.
- **Democratize Access:** Begin implementing self-serve practices by granting context-rich issue visibility to engineering, ops, and infrastructure teams, transitioning security into a shared responsibility model.
- **Define Success Metrics:** Clearly define what "Zero Critical" means organizationally and begin tracking simple success metrics like MTTR streaks.
### For Large Enterprises
- **Orchestrate Multi-Org Cleanup:** For complex multi-org or multi-tenant structures, central security teams must orchestrate the process by providing access, context, and guidance while devolving final remediation work to respective team owners.
- **Implement Achievement Frameworks:** Utilize structured champion/achievement centers to incentivize diverse teams (e.g., rewarding the "Identity Investigator badge" for cleaning up excessive admin roles).
- **Sustain Vigilance with Streaks:** Implement rigorous MTTR streak tracking to ensure that the zero-critical status is continuously maintained against the inevitable emergence of new risks.
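The MTTR tracking asked for under short-term item 3 and the streak tracking here are simple to compute once issues are recorded with a detection and a resolution time. The following is an added Python example, not Wiz code or output; the `Issue` record, the severity labels, the SLA target and the sample data are assumptions made for the illustration.

```python
# Added example (not from the Wiz page): MTTR and streak metrics over a constructed issue list.
from dataclasses import dataclass
from datetime import datetime
from statistics import mean

@dataclass
class Issue:
    issue_id: str
    severity: str                    # "critical", "high", ...
    detected_at: datetime
    resolved_at: "datetime | None"   # None while the issue is still open

    def hours_to_resolve(self):
        """Hours from detection to resolution, or None while still open."""
        if self.resolved_at is None:
            return None
        return (self.resolved_at - self.detected_at).total_seconds() / 3600

def mttr_hours(issues, severity="critical"):
    """Mean time to resolution in hours over resolved issues of `severity`."""
    durations = [i.hours_to_resolve() for i in issues
                 if i.severity == severity and i.resolved_at is not None]
    return mean(durations) if durations else None

def sla_streak(issues, target_hours, severity="critical"):
    """Newest-first run of issues resolved within target_hours; open or late ends it."""
    streak = 0
    for i in sorted(issues, key=lambda i: i.detected_at, reverse=True):
        if i.severity != severity:
            continue
        if i.resolved_at is None or i.hours_to_resolve() > target_hours:
            break
        streak += 1
    return streak

def zero_critical_days(issues, now):
    """Whole days since a critical issue was last open; 0 if one is open now."""
    crit = [i for i in issues if i.severity == "critical"]
    if any(i.resolved_at is None for i in crit):
        return 0
    return (now - max(i.resolved_at for i in crit)).days if crit else None

NOW = datetime(2024, 6, 30, 12, 0)
ISSUES = [  # constructed sample data: IDs and timestamps are invented for this example
    Issue("CI-1", "critical", datetime(2024, 6, 1, 9, 0), datetime(2024, 6, 2, 15, 0)),   # 30 h
    Issue("CI-2", "critical", datetime(2024, 6, 10, 8, 0), datetime(2024, 6, 10, 20, 0)), # 12 h
    Issue("HI-1", "high", datetime(2024, 6, 12, 8, 0), None),                             # open, not critical
    Issue("CI-3", "critical", datetime(2024, 6, 20, 0, 0), datetime(2024, 6, 20, 6, 0)),  # 6 h
]
```

With the sample data the critical MTTR is 16 hours, the run of criticals closed within a 24-hour target is 2 (the 30-hour case breaks it), and the environment has been free of open criticals for 10 days.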
## Configuration Examples
*Note: The source material does not provide specific command-line or code configuration examples; the following configuration goals are derived from its principles:*
1. **Role Restriction Policy:** Configure IAM/RBAC policies to enforce the principle of least privilege, starting with the removal of roles that security tooling flags as having "excessive admin privileges".
2. **Preventative Pipeline Hooks:** Implement mandatory security scanning checks (SAST/SCA/IaC scanning) within CI/CD pipelines configured to *fail* builds containing known high-risk vulnerability signatures or insecure infrastructure definitions that would otherwise result in a critical finding.
3. **Data Access Controls:** Configure network segmentation and data access controls (e.g., encryption at rest/in transit) specifically around storage environments identified as containing "crown jewels" or sensitive data.
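A preventative pipeline hook of the kind item 2 describes, with the admin-role check from item 1 folded in, as an added Python example that is not Wiz code: it fails the build only when a scanned resource combines internet exposure, a foothold (exploitable vulnerability or wildcard admin policy) and reach to sensitive data, mirroring the page's definition of a critical issue as a combination of risks. The scan-result format, the `sensitive-data` tag and the sample policies are assumptions.

```python
# Added example (not from the Wiz page): a CI gate that fails a build when the
# scanned infrastructure definition combines risks into what would become a
# critical issue. The finding format, tags and sample data are all invented.
import sys

def has_admin_policy(policy):
    """True if any Allow statement grants wildcard actions on all resources."""
    for st in policy.get("Statement", []):
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if st.get("Effect") == "Allow" and st.get("Resource") == "*" \
                and any(a == "*" or a.endswith(":*") for a in actions):
            return True
    return False

def is_critical(res):
    """A critical issue is a combination: internet exposure, a foothold
    (exploitable vuln or admin rights) and reach to sensitive data."""
    exposed = res.get("public_exposure", False)
    foothold = res.get("exploitable_vuln", False) or has_admin_policy(res.get("iam_policy", {}))
    crown_jewel = "sensitive-data" in res.get("data_tags", [])
    return bool(exposed and foothold and crown_jewel)

def evaluate(findings):
    """Return (passed, names of resources that would become critical issues)."""
    blocked = [r["name"] for r in findings if is_critical(r)]
    return (not blocked, blocked)

ADMIN = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
SCOPED = {"Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"],
                         "Resource": "arn:aws:s3:::example-bucket/*"}]}
SAMPLE = [  # constructed scan results for three resources
    {"name": "web-1", "public_exposure": True, "exploitable_vuln": False,
     "iam_policy": ADMIN, "data_tags": ["sensitive-data"]},          # critical
    {"name": "batch-1", "public_exposure": False, "exploitable_vuln": True,
     "iam_policy": ADMIN, "data_tags": ["sensitive-data"]},          # not exposed
    {"name": "web-2", "public_exposure": True, "exploitable_vuln": True,
     "iam_policy": SCOPED, "data_tags": []},                         # no crown jewel
]

if __name__ == "__main__":
    ok, blocked = evaluate(SAMPLE)
    for name in blocked:
        print(f"CRITICAL: {name} would create an attack path to sensitive data")
    sys.exit(0 if ok else 1)   # non-zero exit fails the pipeline stage
```

Only `web-1` blocks the build; `batch-1` and `web-2` each carry a single serious risk but not the full combination, so they would surface as ordinary findings rather than as critical issues.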
## Compliance Alignment
- **NIST Cybersecurity Framework (CSF):** The practices align strongly with the **Identify** (understanding assets and risks), **Protect** (implementing protective measures and reducing attack surface), and **Detect/Respond** (via MTTR tracking) functions.
- **CIS Benchmarks:** Achieving zero critical status inherently requires adherence to foundational security controls, particularly around identity and configuration management defined in CIS Benchmarks.
- **ISO 27001:** The emphasis on operationalizing security workflows, defining measurable objectives, and continuous improvement maps directly to the management system structure of ISO 27001.
## Common Pitfalls to Avoid
- **Focusing Only on New Risks:** Failing to address *existing* critical risks before focusing on preventing *new* ones during the initial cleanup phase.
- **Centralized Bottleneck:** Keeping the remediation responsibility entirely within the central security team rather than distributing ownership to the teams that control the infrastructure.
- **Lack of Context:** Trusting raw vulnerability counts instead of utilizing tool-assisted path analysis to prioritize risks that directly lead to business impact (i.e., ignoring the context of the "crown jewels").
- **Treating Zero Critical as a Destination:** Viewing the achievement as a final state rather than a baseline, leading to a lapse in vigilance and a rebound in risk exposure.
## Resources
- **Security Platform Functionality:** Utilize centralized security platforms (like Wiz) that provide visualization, pre-analyzed attack path scoring, and actionable remediation context.
- **Champion/Recognition Center:** Leverage internal or platform-provided "Champion Centers" to gamify security tasks and reward proactive contributions across engineering teams.
- **MTTR Tracking Mechanism:** Implement a method for automatically measuring and rewarding short Mean Time to Resolution for newly discovered critical issues to ensure ongoing resilience.