
When you use a cloud provider to set up a VM, what policies do you apply to it in order to ensure it’s secure?

Wiz and other tools in the same space tell you and track compliance across your fleet.

Idk if Wiz does this, but their competitors have “compliance packs”, which are preset compliance patterns, i.e. HIPAA, FINRA, etc.

That way you click a button and it tells you every change you need to make to be compliant

Edit: this is all just examples




I don't know anything about cloud VMs, but I'm confused about how this is possible. Wouldn't determining whether you are HIPAA compliant depend on auditing all kinds of application details about how information flows through the system and how authentication and authorization are done? How could this be validated statically by looking at cloud VM config? Is Wiz doing some kind of AI magic over your whole codebase?

I am sure I am misunderstanding something, but I'm not sure what.


> I am sure I am misunderstanding something, but I'm not sure what.

You're missing that a lot of "security" is in reality just a bunch of check-boxes for a form that someone asks you to fill out.

The security you need to really think about is outside of those checkboxes, and it seems like Wiz is not for this type of security, but the former.


Exactly


They scan for everything they can and report on that. They don't claim to be able to tell you if you're 100% compliant--they just claim to be able to alert you if some subset of the requirements are out of order.

And that still provides a lot of value to the right customers.
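To make the "compliance pack" idea from the first comment and the "subset of the requirements" point above concrete, here is an added example (not Wiz's code or any vendor's) of what such a scanner actually does: it runs a preset list of configuration checks over an inventory of VM records and returns, per resource, the checks that failed and a remediation for each. The inventory, the field names, the check IDs and the checks themselves are constructed for illustration; a real pack would map each check to a control identifier in the relevant framework.

```python
"""Toy cloud-configuration compliance scanner (added example, not a vendor's code).

It evaluates only what is visible in resource configuration. It says nothing
about how data flows through the application, which is exactly the gap the
thread is discussing: a clean scan is a necessary, not sufficient, condition.
"""
from dataclasses import dataclass, field
from typing import Callable


@dataclass
class VM:
    """Constructed VM record; field names are assumptions, not any cloud's API."""
    name: str
    public_ip: bool
    open_ports: set[int]          # ports reachable from 0.0.0.0/0
    disk_encrypted: bool
    imds_v2_required: bool        # hypothetical "metadata service requires tokens" flag
    tags: dict[str, str] = field(default_factory=dict)


@dataclass
class Check:
    """One item of a compliance pack: a predicate plus the fix to apply if it fails."""
    id: str
    description: str
    passes: Callable[[VM], bool]
    remediation: str


# Hypothetical "baseline" pack. Check IDs are made up for this example.
BASELINE_PACK = [
    Check("VM-01", "No admin ports open to the internet",
          lambda vm: not (vm.public_ip and vm.open_ports & {22, 3389}),
          "Restrict SSH/RDP to a bastion or VPN CIDR"),
    Check("VM-02", "Disks encrypted at rest",
          lambda vm: vm.disk_encrypted,
          "Enable disk encryption with a customer-managed key"),
    Check("VM-03", "Metadata service requires session tokens",
          lambda vm: vm.imds_v2_required,
          "Set the instance metadata option to require tokens"),
    Check("VM-04", "Owner tag present",
          lambda vm: bool(vm.tags.get("owner")),
          "Tag the resource with its owning team"),
]


def scan(inventory: list[VM], pack: list[Check]) -> dict[str, list[tuple[str, str]]]:
    """Return {vm_name: [(check_id, remediation), ...]} for failing checks only.

    Resources that pass every check are omitted, so the result is the
    "rows colored red" view rather than the whole spreadsheet.
    """
    findings: dict[str, list[tuple[str, str]]] = {}
    for vm in inventory:
        failed = [(c.id, c.remediation) for c in pack if not c.passes(vm)]
        if failed:
            findings[vm.name] = failed
    return findings


def summarize(findings: dict[str, list[tuple[str, str]]], pack: list[Check]) -> dict[str, int]:
    """Fleet-wide view: how many resources fail each check."""
    counts = {c.id: 0 for c in pack}
    for failed in findings.values():
        for check_id, _ in failed:
            counts[check_id] += 1
    return counts


# Constructed inventory: one clean web host, one badly configured jump box,
# one private database host.
INVENTORY = [
    VM("web-01", True, {80, 443}, True, True, {"owner": "web"}),
    VM("jump-01", True, {22}, False, False, {}),
    VM("db-01", False, {5432}, True, True, {"owner": "data"}),
]

if __name__ == "__main__":
    results = scan(INVENTORY, BASELINE_PACK)
    for name, failed in results.items():
        for check_id, fix in failed:
            print(f"{name}: {check_id} FAIL -> {fix}")
    print("per-check failure counts:", summarize(results, BASELINE_PACK))
```

On the constructed inventory only `jump-01` is reported, failing all four checks; `db-01` passes VM-01 despite port 5432 being open because it has no public IP, which is the kind of context a per-resource checklist can evaluate and a manual spreadsheet review over hundreds of thousands of resources cannot.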


It probably appeals to the kind of businesses that see compliance as a list of checkboxes. Just make sure employees have signed the nda and contract and stuff. Doesn't matter if they are a salesperson and the nda says they can't talk about the product.


HIPAA was an example.

Yes there are other parts to HIPAA than just VM config, but it’s just giving you policies and checks out of the box


They don't only look at the configuration of the VM, they also look at the data inside the VM.


Cloud configuration can create compliance issues that are distinct from codebase compliance issues


Figures. Crazy how badly I mis-sized this problem. When I was working on a cloud provider I suspected this would be a big problem space for building in, but I thought it was in the low billions. I was thinking (I guess stupidly) that the clouds and tools around them would be kind enough to create a lot of standardization so that at least this stuff wasn't junk. I get wanting to create a bit of friction, but thought "this is a bad place to make high friction". I guess it's pretty bad given the size of this acquisition? Or GCP just wants surface area data on other cloud providers (I presume this would aid in that, but I don't know)?


Idk about other clouds, but Google didn’t eat their own cloud dog food when I was there. We had people food (borg) that was kinda impossible to separate from the infrastructure of google3 (and Google dev processes) and so cloud was built different. It wouldn’t surprise me if that organization just had no awareness of how bad the friction really was for long enough for Wiz to get really good at it?


I'm not at Google, but the usual thinking is that the public product fixed a lot of the design warts of the internal one, but it's only 90% feature compatible, and the internal migration has an opportunity cost that's higher than the cost of maintaining two similar products.


You are telling me it’s a huge Excel sheet with all my cloud resources (some colored red) in it?


Yes?

They have other capabilities, but that’s the primary value add.

Imagine you are working for a Fortune 100 company with hundreds of thousands of cloud resources. You can’t manage them individually.


But...don't these companies already have cloud security engineers on their payrolls?

/s


I don't see the need for sarcasm. Most mid-size and up companies have security departments. And they use tools to make their jobs easier.

The problem with the cloud, from a security standpoint, is that it is much more complex than a traditional on-premise infrastructure, especially if you go the "managed services" route and have minimal code.



