Gaining consolidated visibility into Ocado’s cloud assets

From the start, we were impressed with the speed of deployment and security findings surfaced with SCC. Where it would take several weeks in the past with other software vendors, we were able to quickly set up SCC in our environment and we could immediately start identifying our most vulnerable assets.

Today, we use SCC to detect misconfigurations and vulnerabilities across hundreds of projects throughout our organization and we use it to get an aggregated view of our security health findings. We filter the findings and then use Pub/Sub or Cloud Functions to send alerts directly to the tools each division is working with, such as Splunk or JIRA. This way, each of our teams can discover and respond to the security findings in their own environment, with SCC acting as the single source of truth for our security-related issues.

Driving autonomy by delegating security findings

Autonomy fuels innovation at Ocado Technology, which is why we want to make our teams as self-sufficient as possible. SCC helps to make our divisions more autonomous from the central organization. It delivers all the security insights technology teams need to make smart decisions on their own and at pace.

Here’s where SCC’s delegation features providing folder and project level access control come in. The platform’s fine-grained access control capabilities enable us to delegate SCC findings to specific teams, without having to give them a view of the entire Ocado Technology organization. Business units no longer need to contact us in the security team to track down vulnerabilities, they can do it themselves in a compliant and secure manner. It makes our work more efficient and autonomous, allowing everyone to focus on their own areas of expertise and environments.

Identifying and remediating multiple medium and high vulnerabilities

SCC’s findings are very rich and don’t end with the identification of the potential misconfigurations and vulnerabilities. It goes beyond this, recommending solutions to resolve any issues and providing clear guidelines on next steps. That’s why the feedback from our users across the organization has been so good.

SCC delivers on both quality and quantity. Since implementation, it has helped us identify and remove hundreds of medium and high vulnerabilities from our Google Cloud estate. The number of security related findings have also gone down each quarter, indicating real and tangible improvements in our security posture. SCC is so useful in maintaining our security posture as once we know where the issues are, tackling them is easy.

From 8-hour security scans to instant insights

One particular issue we’ve been able to handle well with SCC are vulnerabilities targeting the Apache logging system Log4j. SCC informed us about attempted compromises, active compromises, or the vulnerability exposure of our Dataproc images. During Log4j response, all these would have been otherwise very hard to track down, especially with limited resources. With SCC, we were able to leverage the security expertise of Google Cloud to identify the latest vulnerabilities, based on the most up-to-date security trends, and act on them quickly.

Obviously, speed is of the essence when it comes to threat mitigation and SCC has enabled us to fix issues faster, making us less exposed to outside threats. In the past, just scanning everything once could take up to eight hours. SCC sped things up from the start and findings have been nearly instantaneous since it rolled out real-time Security Health Analytics.

Strengthening compliance and demonstrating standards to stakeholders

SCC helps us to achieve better compliance standards, and demonstrate these standards to our stakeholders. We recently ran an internal audit exercise across the Ocado Technology organization, for example, where we identified the projects with the most numerous and severe security-related findings. Without the reports from SCC, this would have been extremely hard or even impossible.

We also use the Security Health Analytics information from SCC to visualize the data per project, creating a kind of heat map of security across the organization. This helps us assign our resources to the right projects and prioritize our efforts accordingly, informing our strategic decisions.

From top-down to a developer-led security

There’s been a paradigm shift in security operations, and things are moving from a top-down approach to a more developer-led and autonomous process. SCC helps drive that change at Ocado Technology. It enables us to place the responsibility for security-related issues closer to the resource owners. By making sure that the teams most impacted by a potential problem are the ones who get to fix it, we empower teams to resolve issues proactively and efficiently.

Looking forward, we can’t wait to see SCC evolve further. One of the features we’re most excited about is the ability to create custom findings (currently in preview) and additional integration capabilities that enable automation. We’re still not using everything SCC has to offer, but it is already a vital tool for our security team.

At Ocado Technology, we’re pioneering the future of online grocery shopping, and this future needs a strong security foundation. SCC helps us to strengthen and maintain that foundation, making profitable, scalable, and secure online grocery shopping possible for even more businesses around the world.