Wholesale Restaurant Food Distributor
Uniform governance and compliance across cloud vendors
The wholesale restaurant food distributor’s reputation is built on the highest ethical standards of business conduct, and they’ve made it a priority that their client environments match. Since moving from a single cloud infrastructure in AWS to multi-cloud, the company wanted to both replicate and enhance their AWS governance and compliance policies in GCP. They needed to ensure that teams coming into a GCP project were set up with the right posture on day one to prevent accidental policy violations.
Differences between GCP and AWS created gaps in coverage when the company initially attempted to translate their governance and compliance policies into GCP. Without internal GCP expertise, they were unable to confidently ensure that policies and protective measures were implemented correctly. Additionally, they needed guidance to improve standards, increase restrictions, and utilize Google tools for efficiency.
The company’s new infrastructure enables and ensures that every GCP project will meet their high set of governance and compliance standards, in addition to the GCP CIS benchmark.
About the Business
This wholesale restaurant food distributor is the global leader in selling, marketing, and distributing food products to restaurants, healthcare, and educational facilities, lodging establishments, and other customers who prepare meals away from home. Their robust international network supports customers in 90 different countries and over 30 U.S. based restaurant chains. With more than 57,000 associates, the company operates 326 distribution facilities worldwide and serves more than 625,000 customer locations.
The Business Challenges
The company had already committed to a comprehensive set of governance and compliance policies based on the AWS CIS benchmark. As they moved toward a multi-cloud infrastructure, they wanted to mirror those policies in their GCP environment. Despite limited internal GCP expertise, the company replicated their AWS governance and compliance standards in their GCP foundational build. Unfortunately, differences between the two cloud providers left a number of gaps. With incomplete policies, GCP teams would keep violating standards without knowing it and put the company’s data at risk.
Not only did they want to replicate their security and governance policies in GCP, but they wanted to expand them and better equip teams to meet them. The company wanted to avoid the same issues they’d confronted in their AWS environment, which proved to be an ongoing pain point. Again, without adequate GCP experience, the company needed to partner with experts that could lead them toward a solid baseline of security benchmarks in both clouds.
The 2nd Watch Solution
2nd Watch started with an audit of the company’s existing governance and compliance policies in AWS and compared them to what had already been built in GCP. We identified gaps in coverage and the enforcement measures needed to keep teams in compliance. Using GCP Organization Policy constraints, Security Command Center, and the CIS benchmark policy pack, 2nd Watch built a foundation in which every project is evaluated against these policies by default. For cost and operations policies, 2nd Watch wrote and tested custom Cloud Custodian policies that run periodically and continuously across all projects.
We worked collaboratively with the company to set up GCP-native security tooling, backed by 2nd Watch’s cloud security expertise. Because the goal was to raise governance and compliance across a multi-cloud environment, cloud-native tooling is the most direct way to establish a measurable benchmark baseline. 2nd Watch chose Security Command Center because the company’s cybersecurity team was already using it, so extending its use added no spend on the tool. Security Command Center gives the company a broad set of controls that can be applied at multiple levels of the resource hierarchy, and it evaluates the CIS benchmark policies directly.
The Business Benefits
With the help of 2nd Watch cloud experts, the company has confidence in their governance and compliance policies, and how those standards are being upheld. The new infrastructure enables and ensures that every GCP project will meet their high set of governance and compliance standards, in addition to the GCP CIS benchmark. The company has complete visibility into their GCP projects, along with a number of preventive measures to keep teams from violating policies. Some of those security and cost-cutting measures include the following:
- Teams cannot spin up an instance that has public SSH or RDP access to the internet.
- Teams cannot spin up any instance that has access to the internet without permission.
- Teams can only use approved instance types; public instances are not permitted.
- Teams can only use approved images to ensure all cybersecurity and operational agents are installed.
- Teams can only use approved machine types – no old generation or massive machine types without pre-approval.
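The guardrails above map onto concrete checks against Compute Engine resources. The following is an added example (not 2nd Watch’s or Google’s code) that evaluates firewall rules and instances in the JSON shape returned by the Compute API (compute.firewalls.list and compute.instances.list) against the public-SSH/RDP, external-IP, approved-image and approved-machine-type rules. The allow-lists, the `external-ip-approved` label used as an approval marker, the `bootImage` field (the boot disk’s sourceImage, joined into the instance record here), and all sample resources are constructed for the example.

```python
"""Guardrail checks for GCP Compute resources (added example).

Evaluates firewall rules and instances in the JSON shape returned by the
Compute API against the guardrails listed above. Allow-lists and sample
resources are constructed for this example, not taken from any real project.
"""
import ipaddress

ADMIN_PORTS = {22, 3389}                       # SSH, RDP
INTERNAL = [ipaddress.ip_network(c) for c in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Hypothetical allow-lists; a real deployment would load these from config.
APPROVED_IMAGE_PROJECTS = {"golden-images-prod"}
APPROVED_FAMILIES = {"e2", "n2"}
MAX_VCPUS = 16
EXTERNAL_IP_LABEL = "external-ip-approved"     # assumed approval marker


def _tcp_ports(entry):
    """Expand one 'allowed' entry to the TCP ports it opens (no 'ports' = all)."""
    if entry.get("IPProtocol") not in ("tcp", "all"):
        return set()
    if "ports" not in entry:
        return set(range(1, 65536))
    ports = set()
    for spec in entry["ports"]:              # "22" or "3000-4000"
        lo, _, hi = spec.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def _is_public(cidr):
    """True unless the range lies wholly inside RFC 1918 space (0.0.0.0/0 is public)."""
    net = ipaddress.ip_network(cidr, strict=False)
    return not any(net.version == i.version and net.subnet_of(i) for i in INTERNAL)


def firewall_violations(rule):
    """Reasons an ingress rule exposes SSH/RDP to the internet (empty = compliant)."""
    if rule.get("disabled") or rule.get("direction", "INGRESS") != "INGRESS":
        return []
    public = [s for s in rule.get("sourceRanges", []) if _is_public(s)]
    exposed = set()
    for entry in rule.get("allowed", []):
        exposed |= ADMIN_PORTS & _tcp_ports(entry)
    return [f"{rule['name']}: tcp/{p} open to {src}"
            for p in sorted(exposed) for src in public]


def instance_violations(inst):
    """Reasons an instance breaks the external-IP, machine-type or image rules."""
    reasons = []
    name = inst["name"]
    # Any accessConfig on a NIC gives the VM an external (public) address.
    has_ext_ip = any(nic.get("accessConfigs") for nic in inst.get("networkInterfaces", []))
    if has_ext_ip and inst.get("labels", {}).get(EXTERNAL_IP_LABEL) != "true":
        reasons.append(f"{name}: external IP without approval")
    # machineType URL ends in e.g. .../machineTypes/n2-standard-4
    mtype = inst["machineType"].rsplit("/", 1)[-1]
    parts = mtype.split("-")
    vcpus = int(parts[-1]) if parts[-1].isdigit() else 1   # e2-medium etc. are small
    if parts[0] not in APPROVED_FAMILIES or vcpus > MAX_VCPUS:
        reasons.append(f"{name}: machine type {mtype} not approved")
    # Image URL is projects/<project>/global/images/<name>; only approved projects pass.
    image = inst.get("bootImage", "")
    project = image.split("/")[1] if image.startswith("projects/") else ""
    if project not in APPROVED_IMAGE_PROJECTS:
        reasons.append(f"{name}: boot image {image or '<unknown>'} not approved")
    return reasons


# Constructed sample resources (not real infrastructure).
SAMPLE_FIREWALLS = [
    {"name": "allow-ssh-anywhere", "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "allow-rdp-range", "direction": "INGRESS",          # 3389 hides in a range
     "sourceRanges": ["203.0.113.0/24"], "allowed": [{"IPProtocol": "tcp", "ports": ["3000-4000"]}]},
    {"name": "allow-internal", "direction": "INGRESS",
     "sourceRanges": ["10.0.0.0/8"], "allowed": [{"IPProtocol": "all"}]},
]
SAMPLE_INSTANCES = [
    {"name": "web-1", "machineType": "zones/us-central1-a/machineTypes/e2-standard-4",
     "networkInterfaces": [{"accessConfigs": [{"natIP": "203.0.113.10"}]}],
     "bootImage": "projects/golden-images-prod/global/images/ubuntu-hardened-2204", "labels": {}},
    {"name": "batch-9", "machineType": "zones/us-central1-a/machineTypes/n1-highmem-96",
     "networkInterfaces": [{}],
     "bootImage": "projects/debian-cloud/global/images/debian-11"},
]


def audit(firewalls=SAMPLE_FIREWALLS, instances=SAMPLE_INSTANCES):
    """Run every check and return the flat list of findings."""
    findings = []
    for fw in firewalls:
        findings += firewall_violations(fw)
    for inst in instances:
        findings += instance_violations(inst)
    return findings


if __name__ == "__main__":
    for finding in audit():
        print(finding)
```

The same logic, expressed as Cloud Custodian filters or Security Command Center findings, is what runs against every project in the foundation described above; the point of the example is the edge cases a naive rule misses: an RDP port buried inside a port range, a rule with no `ports` field (which opens every port), and a non-RFC 1918 source range that is not literally `0.0.0.0/0` but is still public.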
Now the company has a solid CIS benchmark baseline across its public clouds and can continue refining its security posture with more precision. 2nd Watch is in the process of translating the company’s AWS and GCP governance and compliance policies to Azure to unify their standards across the multi-cloud environment.