Thoughtworks is a global technology consultancy that seeks to enhance its clients’ technology foundations with flexibility and adaptive strategies. Thoughtworks underpins its IT operations with an information security organization composed of two teams: one addressing security risk and operational assurance across regional business operations, the other using cybersecurity intelligence to secure Thoughtworks’ cloud and IT software ecosystem. This InfoSec organization works to secure the resources consumed and built by the Thoughtworks Professional Services and IT teams across applications, regions, and clouds.
Fully invested in CI/CD methodologies, Thoughtworks IT is developing, shipping, and deploying containerized software at a rapid pace across hundreds of cloud accounts. These activities are the result of nearly three-dozen cross-functional, yet independent, teams with diverse tech stacks, spinning-up and decommissioning resources as necessary to function autonomously at speed. Container images are deployed in Amazon and Google cloud environments, often with one cloud account per team, per service, per environment. At this scale, the Thoughtworks cybersecurity team must rely on automation and efficiency to securely configure cloud accounts and scan container images for vulnerabilities as they are pushed through the pipeline dozens of times per day.
“The cloud technologies help teams move faster,” said Felix Hammerl, Enterprise Architect – Cyber Security at Thoughtworks. “But since there is no centralized operations or admin team, you lose that oversight.”
Maintaining control over Thoughtworks IT’s cloud security posture and managing the security debt that manifests itself as vulnerabilities in containers and serverless functions was paramount for Hammerl and team.
“Security debt accumulates over time and it’s surprisingly hard to have a structured approach to that,” explained Hammerl, “What we’re looking for is a stop-gap for everything that falls through the cracks and having a sane way to stop things from falling further back.”
Hammerl defines this approach as “Ruthless Sustainability,” a methodology in which Thoughtworks’ cybersecurity team can maintain consistent security standards, facilitated by automation, regardless of staff availability or unforeseen challenges to the broader organization.
Thoughtworks’ evaluation criteria for such a solution included:
“I feel that a lot of other security products require large analyst teams, and if an analyst misses something, then where does it go?” added Hammerl. “I want the engineering team to just be able to step away and then everything should still work… I don’t want to have to look at everything every day and be worried that I might have missed something.”
This led Thoughtworks to Aqua Cloud Security Posture Management (CSPM) and Aqua Vulnerability Scanning to support security requirements throughout CI/CD pipelines and across clouds.
Establishing a security center of excellence using Aqua was critical to meet Thoughtworks’ evolving needs.
“Senior execs at Thoughtworks are always curious about what our cybersecurity strategy is for the ever-growing business that we are in,” explained Nitin Raina, Vice President – Cyber and Information Security at Thoughtworks. “If I look at it from a NIST Cybersecurity Framework point of view, we have heavily invested in the Identify and Protect space and now we are focusing more in the Detect and Response spaces.”
Aqua CSPM enhances Thoughtworks’ security standards in the Protect stage of the NIST Cybersecurity Framework (CSF) by:
“Aqua alerts us to ‘known bad’ and helps ensure that our systems are resistant to known exploitation,” Hammerl summarized. “A lot of cloud accounts equal a lot of different configurations and Aqua CSPM lets us see a clear list of things we should not do and alerts us if someone does one of those things.”
Aqua Vulnerability Scanning enables Thoughtworks’ evolution in the Detect stage of the NIST CSF by:
“One of the reasons we looked at Aqua was because we want to use fewer vendors,” explained Raina. “Adding more vendors into the security ecosystem doesn’t help the customer at all, it complicates the situation for us. If someone addresses the two or three needs that we have in the infrastructure security and container vulnerability space – and Aqua does a good job there – we would prefer to work with them.”
In addition to Aqua’s support for multi-cloud environments, its ease-of-use for a lean cybersecurity team, and the benefit of working with a single solution vendor, Thoughtworks valued Aqua’s ability to deliver SaaS-based cloud native security solutions.
“We heavily leverage SaaS,” said Raina, “so on-prem infrastructure is only relevant for office network gear.”
For Hammerl and the cybersecurity team, the benefit of Aqua’s SaaS delivery is simple:
“We were really happy to find Aqua has a hosted version,” expressed Hammerl, “Self-hosting solutions quickly becomes really old. With Aqua SaaS, I don’t have to worry about things like upgrade cycles, uptime, or patch state. I have someone who I can approach for that and I don’t have to do it myself.”
“The day-to-day impact is a clean conscience,” summarized Hammerl. “My mindshare is more available for the things that I need to put in place that will actually make a difference. The rest, I can leave to people who can do that better, at scale, and much more reproducibly.”
Thoughtworks emphasizes the importance of a strong, mutually beneficial relationship with Aqua. This includes close interaction with a dedicated Customer Success Manager and a responsive Support team to address needs for issue resolution and solution enhancement. This lock-step relationship is critical to the performance and resilience of Thoughtworks’ cybersecurity initiative with Aqua.
“SaaS only works when the shared responsibility is picked up by both parties, and Aqua puts a lot of priority on that,” said Hammerl. “Regular check-ins serve both sides of the equation here, so we get updates about what’s happening, we can push for certain things, and we can give the context that may not be there when you open a ticket.” This open communication ensures consistent support for Thoughtworks and enables Aqua to evolve its solutions for CSPM and vulnerability management in cloud native applications in ways that directly address customers’ changing needs. “I really like that close collaboration,” expressed Hammerl, “and Aqua has done a good job at moving at the pace that we’re moving.”