Below is a list of common questions and answers for the University’s cloud security tool Wiz.
Basics
- Q. What is Wiz?
- A. Wiz is a cloud security management platform that performs read-only scans on cloud accounts and presents a visual display with the results.
- Q. Is there a software licensing charge for Wiz?
- A. No, there is no charge to the campus community for the Wiz service itself; this is a centrally-funded project to protect Stanford resources. However, there will be a small charge for temporary data storage. See below for more information.
- Q. Can I use Wiz on my standalone (non-Cardinal Cloud) account?
- A. No, this product is configured only to run on Cardinal Cloud accounts with Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure (Azure) accounts.
- Q. How does Wiz work?
- A. Using each cloud service provider’s native read-only APIs, Wiz will make a snapshot of your resources and examine the components for cybersecurity risks. About 5 to 10 minutes later, the snapshots are deleted, leaving nothing behind.
- Q. Will Wiz slow down any of my resources?
- A. No, it will not affect performance of any cloud resources.
- Q. What is a workload (related to Wiz)?
- A. In the context of Wiz and its licensing, a workload is considered a virtual machine, a container host, the containers themselves, and serverless functions.
Cost and expense
- Q. Who pays for the cost of snapshotting all of my cloud resources?
- A. Each account in Cardinal Cloud will incur a very minimal monthly storage charge, typically between 2 cents and $2. This is related to the temporary storage of the snapshots, which will vary based on the number of workloads.
Note: Only the operating system (boot, or root) volume is scanned, not separate data volumes that might be attached to a virtual machine. If you have only one virtual disk attached to a compute resource, which operates as both an OS boot volume and a data volume, the whole disk will be snapshotted and analyzed. It’s an established best practice to use at least two volumes per virtual machine: one for the OS and the other(s) for persistent data.
- Q. What’s an example of the cost, using Google Cloud Platform (GCP)?
- A. Details used for this example: One 200 GB virtual hard drive, attached to a Linux virtual machine, scanned every night by Wiz.
GCP charges 2.6 cents per GB per month for standard snapshots stored in one region (Oregon). That equals $0.000000601851852 per GB per minute.
If it takes ten minutes for Wiz to create, analyze and destroy a snapshot of this volume, and it does this every night for a month, the cost will be 2.71 cents per month after Stanford’s enterprise agreement discount.
Here is that equation:
((((([$].026/43200[minutes])*200[GB])*10[minutes])*30[days])*.75[discount])*100[dollar to penny]
Note: Google Cloud Platform currently charges by the second for snapshot storage. In April 2023, GCP will change this to a minimum charge of one hour and 5 cents per GB per month. Stanford will not experience the price increase, but may experience the minimum charge of one hour. Under those conditions, the cost would increase to 16.25 cents.
- Q. What about data transmission to and from the Wiz servers? Who pays for all that?
- A. Analysis is performed in the same region as your cloud account; cloud service providers do not charge for intra-region transmission. As an aside, Stanford, like all educational institutions, has a waiver for almost all types of data egress charges.
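The GCP cost equation above, carried through in code as an added example (not from Wiz or Stanford): it reproduces the 2.71-cent figure, the 16.25-cent one-hour-minimum case from the note, and extends the same formula to an account with several boot volumes. The rate, discount and volume sizes are the FAQ's own; the function names and the multi-volume list are assumptions for illustration.

```python
"""Monthly snapshot storage cost for Wiz nightly scans (added example)."""

MINUTES_PER_MONTH = 30 * 24 * 60  # 43,200, the divisor used in the FAQ's equation


def snapshot_cost_cents(volume_gb, minutes_per_scan, scans_per_month,
                        rate_per_gb_month=0.026, discount=0.25,
                        min_billable_minutes=0):
    """Return the monthly snapshot storage cost in cents for one scanned volume.

    Storage is billed per GB for the time the snapshot exists. If the provider
    enforces a minimum billable duration (GCP's one-hour minimum in the note),
    each short-lived snapshot is charged for at least that long.
    """
    billed_minutes = max(minutes_per_scan, min_billable_minutes)
    rate_per_gb_minute = rate_per_gb_month / MINUTES_PER_MONTH
    dollars = rate_per_gb_minute * volume_gb * billed_minutes * scans_per_month
    dollars *= 1 - discount  # Stanford's enterprise agreement discount
    return round(dollars * 100, 2)  # dollars to cents


def account_cost_cents(boot_volumes_gb, **kwargs):
    """Sum the cost over every boot volume in an account.

    Only OS boot volumes are snapshotted, so attached data volumes are not
    part of the list. The list is a constructed sample, not a real account.
    """
    return round(sum(snapshot_cost_cents(gb, **kwargs) for gb in boot_volumes_gb), 2)


if __name__ == "__main__":
    # FAQ example: 200 GB boot volume, 10-minute snapshot lifetime, nightly for 30 days
    print("per-second billing:", snapshot_cost_cents(200, 10, 30), "cents")
    # Same volume under the one-hour minimum charge described in the note
    print("one-hour minimum:  ", snapshot_cost_cents(200, 10, 30, min_billable_minutes=60), "cents")
    # Constructed account with three boot volumes of different sizes
    print("three volumes:     ", account_cost_cents([200, 50, 100], minutes_per_scan=10, scans_per_month=30), "cents")
```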
Security and privacy
- Q. What information or data is transmitted back to Wiz?
- A. Only the metadata, such as vulnerabilities, misconfigurations, and software versions, is sent back to Wiz. This metadata constitutes the findings in the web console.
- Q. I’m concerned about someone reading my sensitive data. I don’t want Wiz, or the Information Security Office, or anyone in UIT to read my cloud resources.
- A. Humans will not be reading your data or files. Rather, similar to how antivirus or malware detection software works, resources are read by software for the purposes of evaluating risk, reviewing configuration options, and identifying malware.
- Q. Are any files captured, stored or sent out to any third-party for malware analysis?
- A. No, files are never shared for threat analysis. Globally-unique identifiers of the files (hashes) are sent to a third party called ReversingLabs for analysis.
- Q. Does Wiz read files on my virtual server’s secondary data hard drive?
- A. No, only boot devices (the operating system volumes) are scanned. For this reason, it’s important to install CrowdStrike antimalware software on your server.
- Q. Who vouches for the security and safe data handling practices of Wiz?
- A. Wiz has undergone a Data Risk Assessment with the Office of the Chief Risk Officer and with the Information Security Office at Stanford. They have met a number of certifications for handling regulated data and have completed a SIG questionnaire on data handling practices.
- SOC2 Type 2
- SOC3
- ISO 27001
- ISO 27701
- ISO 27017
- ISO 27018
- HIPAA
- CyberGRX
- Q. Is Wiz approved for Stanford’s classification of High Risk Data and Protected Health Information (PHI)?
- A. Yes, Wiz is approved to examine the configuration of cloud accounts and resources that have protected health information (PHI) and other High Risk Data.
Using Wiz
- Q. Do I need to install anything?
- A. No, there is nothing to install.
- Q. How do I prepare my accounts to use Wiz? Or, how do I configure Wiz to scan my cloud accounts?
- A. Wiz is being configured to scan all Cardinal Cloud accounts; no further configuration is required.
- Q. How often does Wiz review accounts?
- A. About once a day.
- Q. Can I do an ad hoc scan?
- A. Yes, in addition to the automatic scans, Wiz users can kick off an ad hoc scan and see the results soon afterwards.
- Q. Will my team and I see only our resources, or will we see everyone else's cloud accounts too?
- A. Accounts will be grouped so that teams and individuals can access and view only their associated resources.
- Q. Does Wiz analyze all cloud services, functions, workloads and technologies made available by my cloud service provider?
- A. No, but a majority are. These include the most commonly deployed technologies that could serve as a pathway to compromise or exploitation.
Compliance and expectations
- Q. Who’s expected to use Wiz?
- A. Anyone who administers a Cardinal Cloud account in AWS, GCP, or Azure. This includes anyone setting up or managing technologies, resources, or components. Even if you’re a researcher or student, avoiding account takeover, data theft, or reputation damage is an important responsibility that goes along with cloud computing.
- Q. Must we use Wiz?
- A. Stanford expects all cloud users of AWS, GCP, and Azure to properly configure their cloud accounts, identify vulnerabilities, and remediate security concerns, irrespective of the quality or classification of data or the purpose of the account, whether it’s simply for learning, student work, development, testing, or solutions put into production.
For this reason, UIT has invested in Wiz to best help users with this task. It will be the supported tool with a community of on-campus users.
Wiz will also serve as the benchmark against which compliance will be gauged, contributing to metrics and our Cybersecurity Scorecard for departments and schools.
If a comparable tool exceeds the detection of misconfigurations and vulnerabilities and similarly allows responsible parties to prioritize and remediate misconfigurations and vulnerabilities, that’s certainly acceptable.
- Q. If we use a different cloud security tool and it shows a misconfiguration or vulnerability, and we fixed it, will it show up in Wiz?
- A. If another cloud security management tool identifies the same finding and someone correctly resolves the issue, it will be marked resolved by Wiz at the next scan (within 24 hours at the most, or when an ad hoc scan is performed).
- Q. Who is held accountable for securing cloud accounts?
- A. Responsible parties include all of these:
- The individual or team who requested the cloud account
- Anyone with access to the cloud account who has the ability to add, remove, or configure technologies
- Support personnel and contracted groups
Miscellaneous
- Q. Should I continue to use Qualys CloudView?
- A. No, this product replaces Qualys CloudView. University IT will not renew our subscription to this component in our Qualys Enterprise Suite.
- Q. Should we still install the Qualys Agent software on our virtual machines?
- A. Installing the Qualys Cloud Agent software on your virtual machines is encouraged and will complement your analysis and security work in Wiz.