
I'm surprised this acquisition didn't happen sooner. The first time I used Wiz I knew a big cloud provider would be snatching them up at some point. Why? Because every enterprise that decides to use cloud providers then needs to find someone to keep that cloud environment safe.

But also, and maybe more important, you get to see everyone's cloud usage, across all providers, with a high level of permissions. Said differently, Google can now target customers with massive spend across other cloud providers and work to migrate them to GCP, at a price that's just cheap enough to overcome the switching cost.




If you'd be so kind for those of us that haven't touched cloud in 5/10 years, what is Wiz? From reading the Google announcement: solving the supply chain hybrid cloud security issues? I could google I know but you seem to know what you are talking about, so if you'd be so kind. :)


When you use a cloud provider to set up a VM, what policies do you apply to it in order to ensure it’s secure?

Wiz and other tools in the same space tell you and track compliance across your fleet.

Idk if Wiz does this, but their competitors have “compliance packs” which are preset compliance patterns, i.e. HIPAA, FINRA, etc.

That way you click a button and it tells you every change you need to make to be compliant.

Edit: this is all just examples


I don't know anything about cloud VMs, but I'm confused about how this is possible. Wouldn't determining whether you are HIPAA compliant depend on auditing all kinds of application details about how information flows through the system and how authentication and authorization are done? How could this be validated statically by looking at cloud VM config? Is Wiz doing some kind of AI magic over your whole codebase?

I am sure I am misunderstanding something, but I'm not sure what.


> I am sure I am misunderstanding something, but I'm not sure what.

You're missing that a lot of "security" is in reality just a bunch of check-boxes for a form that someone asks you to fill out.

The security you need to really think about is outside of those checkboxes, and it seems like Wiz is not for this type of security, but the former.


Exactly


They scan for everything they can and report on that. They don't claim to be able to tell you if you're 100% compliant--they just claim to be able to alert you if some subset of the requirements are out of order.

And that still provides a lot of value to the right customers.


It probably appeals to the kind of businesses that see compliance as a list of checkboxes. Just make sure employees have signed the NDA and contract and stuff. Doesn't matter if they are a salesperson and the NDA says they can't talk about the product.


HIPAA was an example.

Yes there are other parts to HIPAA than just VM config, but it’s just giving you policies and checks out of the box


They don't only look at the configuration of the VM, they also look inside the data inside the VM.


Cloud configuration can create compliance issues that are distinct from codebase compliance issues


Figures. Crazy how badly I mis-sized this problem. When I was working on a cloud provider I suspected this would be a big problem space for building in, but I thought it was in the low billions, I was thinking (I guess stupidly) that the clouds and tools around them would be kind enough to create a lot of standardization so as at least this stuff wasn't junk. I get wanting to create a bit of friction, but thought "this is a bad place to make high friction". I guess it's pretty bad given the size of this acquisition? Or GCP just wants surface area data on other cloud providers (I presume this would aid in that, but I don't know)?


Idk about other clouds, but Google didn’t eat their own cloud dog food when I was there. We had people food (borg) that was kinda impossible to separate from the infrastructure of google3 (and Google dev processes) and so cloud was built different. It wouldn’t surprise me if that organization just had no awareness of how bad the friction really was for long enough for Wiz to get really good at it?


I'm not at Google, but the usual thinking is that the public product fixed a lot of the design warts of the internal one, but it's only 90% feature compatible, and the internal migration has an opportunity cost that's higher than the cost of maintaining two similar products.


You are telling me it’s a huge excel sheet with all my cloud resources (some colored red) in?


Yes?

They have other capabilities, but that’s the primary value add.

Imagine you are working for a fortune 100 company with hundreds of thousands of cloud resources. You can’t manage them individually.


But...don't these companies already have cloud security engineers on their payrolls?

/s


I don't see the need for sarcasm. Most mid-size and up companies have security departments. And they use tools to make their jobs easier.

The problem with the cloud, from a security standpoint, is that it is much more complex than a traditional on-premise infrastructure, especially if you go the "managed services" route and have minimal code.


it's a linter for your yaml spaghetti


And the reason they can get recurring revenue for what is indeed basically a linter, is that what it lints your configuration files against is not just best practices but also regulatory compliance. And that gets hairy enough and changes often enough that it's usually worth it to pay for it to be someone else's headache.


That's just one part.

The real value is it's a linter for _any_ cloud config - you can use terraform or cloudformation or just click around in user interface, and Wiz's rules would still work.


^ Poetry! If only we had linters for all the yaml spaghetti out there in ops land.


Your system nosediving is the linter.


I thought they made smart lightbulbs (I have some "WiZ" ones installed in fact).


I was worried it was that WiZ, luckily it's not. Their bulbs are one of the few WiFi bulbs that don't require an app to operate (only for the initial configuration).


Shelly does not require an app at all. Initial setup can be done via the WIFI AP it generates by default. Cloud is a checkbox in the app/web interface.

https://shelly.guide/add-a-shelly-to-your-wi-fi-through-web-...


Can you elaborate on this? The app (both versions!) barely works, and they don’t appear to be compatible with Apple Home like others.


You can use a Python library/tool to control them (https://github.com/sbidy/pywizlight), which means Home Assistant supports them out of the box.

In my setup I have Home Assistant running on an N100 mini PC and that's what I use as a HomeKit bridge.

If possible I'd use ZigBee or Z-Wave bulbs (or even better, switches) though.



Thank you for asking on behalf of the many of us who are in the same boat.


If you don't mind a short blog post, I run through the capabilities of something like Wiz: https://rakkhi.substack.com/p/choosing-the-best-cloud-native...


It was going to happen last year but Wiz said they wanted to IPO. Wonder what that implies about the larger IPO/exits market.

Here's the letter sent by the CEO Assaf Rappaport to his team at the time (2024):

"Wizards,

I know the last week has been intense, with the buzz about a potential acquisition. While we are flattered by offers we have received, we have chosen to continue on our path to building Wiz.

Let me cut to the chase: our next milestones are $1 billion in ARR and an IPO.

Saying no to such humbling offers is tough, but with our exceptional team, I feel confident in making that choice."

https://techcrunch.com/2024/07/22/wiz-walks-away-from-google...


Wiz by itself is a great business and public markets will price it accordingly, but Google is able to price it much higher because of its unique position. Wiz + GCP sales team will boost adoption of the main product, a Google branded security tool keeps eyes from looking out, and of course, the ability to move huge amounts of revenue from competitors over to GCP is something only a hyper-scaler can tap. At 36x+ valuation, this is still a great deal for Google.


On what are you basing your opinion that this is a "great deal"? Google is going to have to earn close to $100B in profit attributable to this acquisition over the next 10 years in order to financially justify it.


> On what are you basing your opinion that this is a "great deal"? Google is going to have to earn close to $100B in profit attributable to this acquisition over the next 10 years in order to financially justify it.

Maybe like the Motorola acquisition - not so much the profit attributable from the acquisition but the profit they *won't* lose by not acquiring them.


I don't think that 100B number is correct. It would be if Google had to give back the business (or it imploded) after 10 years


That $100B is based on a ballpark estimate of how much a passive investor would expect to earn by putting $32B of their money into a high-yield stock fund (yielding 15% per year, which is a conservative annual growth rate for a cloud provider) and sitting on it for 10 years. If Google can't do at least as well as that, the investor would be better off with the stock fund.


Yes but I'm saying that they will still own Wiz at the 10 year mark, so you can discount their valuation at the time from the 100B.


I accounted for that in my math. Investing $32B for 10 years at 15% interest compounded continuously = $132B.


It's smart defense, great offense, and a good product behind it. Each eats a big chunk of that $100B target. I don't see Wiz as a 10 year company, I see it as a forever requirement for companies to manage all of their cloud resources (across all providers). It will be here as long as GCP/AWS are here. I expect a short path to ROI on this one.


Consider that AWS's entire operating income for 2024 was $40B. GCP is 1/5th the size. I admire your optimism, but I think it's unwarranted.


So why do you think Google is making this acquisition?


Wiz is a recognized leader in the CNAPP/DevSecOps market, and so they'd be naturally attractive to any cloud hyperscaler. Google had to either build or buy a similar solution to grow GCP; and they chose to buy. But $32B is an enormous hunk of cheddar, and I don't know why they felt compelled to pay that much. The ROI on such a large investment is unclear.


It gives them (legally debatable) visibility into how customers are using their competition's products. That's part of the reason it didn't happen under the Biden administration. Trump is very much against enforcing anti-competition laws though, so the deal suddenly began to make sense again.


Google would have to be contractually bound not to do that, or Wiz customers would flee like rats off a sinking ship, which would significantly devalue their investment.


A lot has happened in the last 56 days that has resulted in significant uncertainty in the stock markets. That, combined with the higher offer, apparently changed the board's mind.


> Wonder what that implies about the larger IPO/exits market

The window is closed and locked. Haven't closed the storm shutters yet.


LOL IPO market is dead for observable future.


> But also, and maybe more important, you get to see everyone's cloud usage, across all providers

Yeah - that’s not likely to happen. Even the current in-house developed multi-cloud security stuff Google has doesn’t let internal people see customer data. It’s right there in the T&Cs they publish and agree to.

I suppose they could be violating them in egregious ways, but that wouldn’t last long before one or more of the 170,000 employees got upset and went all whistleblower, which would lead to billions of dollars in lawsuits.


There are ways around it. If they look into a specific customer's usage it is looking at customer data. If they look at more customers it will just be called anonymous analytics.

Then you slice and dice the analytics data to extract what you need in the name of planning & improving the product.


For a truly multi cloud customer, your second point switches from being a pro to being a con as soon as Google owns it. Why would you give one of your cloud vendors visibility over your footprint across their competition?


It's pro for Google, not pro for customers.


How on earth does buying Wiz force other developers to move? I think the tinfoil is too tight.


They don’t need to force people, just make them a very good targeted offer. This is also great for seeing which features their customers use most to help GCP catch up to the competition, too.


It doesn't force them to move, it just gets Google the information about how you use competitors' products so they can out-negotiate them come deal time.


Wiz itself doesn’t. But Wiz knows what is going on in everyone's cloud. That data could be fed to GCP sales team though customers might riot if that happens.


>That data could be fed to GCP sales team though customers might riot if that happens

Large enterprises don't sign the stock terms and conditions that would enable this, most do or should have legal teams redlining contracts around how cloud data is accessed and used by vendors. Maybe Wiz is so good they would agree to it, but it would get challenged and negotiated during the sales cycle.


Clients can have their lawyers jump up and down but the data is there, you just KNOW the mothership gonna use it. All they need is some obfuscation and plausible deniability. It's just too good to not use it.


There's no force but Google can now leverage the data from Wiz to target good customers for other services.


How is this not a good thing for everyone involved? Or am I wrong for reading the comment in a tone that I perceived to be critical?


I dunno, I don't like the anti-trust implications (using Wiz data to target companies on AWS/Azure) but other than that I don't really care.

That's probably cos I am far away from this space.


So is Wiz just a CASB?

(Cloud Access Security Broker)


Wiz is a CNAPP provider. (Cloud Native App Protection Platform)


They wanted it to happen last year, but Wiz wasn't sure yet whether they would want to go public instead.


If you know the Cloud market you know nobody is moving to GCP :-)


[flagged]


> You people are the enemy of intelligence.

Says the 16 minute old account spewing racist garbage in other comments. Funny how it's always the most obvious ones.


Wiz is used by 45% of Fortune 500 companies and you're thinking someone is making up that they used it? This is unnecessarily mistrustful / conspiracy thinking. What censorship btw?


[flagged]


What's your proof that nobody used their product? If you're gonna troll be a dick, not a dumbass.



