Wholesale Restaurant Food Distributor

About the Business

This wholesale restaurant food distributor is the global leader in selling, marketing, and distributing food products to restaurants, healthcare, and educational facilities, lodging establishments, and other customers who prepare meals away from home. Their robust international network supports customers in 90 different countries and over 30 U.S. based restaurant chains. With more than 57,000 associates, the company operates 326 distribution facilities worldwide and serves more than 625,000 customer locations.

The Business Challenges

The company had already committed to a comprehensive set of governance and compliance policies based on the AWS CIS benchmarks. As they moved toward a multi-cloud infrastructure, they wanted to mirror their existing policies in their GCP environment. Despite limited internal GCP expertise, the company replicated their AWS governance and compliance standards into their GCP foundational build. Unfortunately, there were a number of gaps caused by differences between the two cloud providers. Without complete policies, GCP teams would unknowingly breach policies in perpetuity and put the company’s data at risk.

Not only did they want to replicate their security and governance policies in GCP, but they wanted to expand them and better equip teams to meet them. The company wanted to avoid the same issues they’d confronted in their AWS environment, which proved to be an ongoing pain point. Again, without adequate GCP experience, the company needed to partner with experts that could lead them toward a solid baseline of security benchmarks in both clouds.

The 2nd Watch Solution

2nd Watch started with an audit of the company’s existing governance and compliance policies in AWS, and compared them to what had already been done in GCP. We identified gaps in coverage and measures for enforcement to keep teams in compliance. Using GCP native policies, GCP Security Center, and the CIS benchmark policy pack, 2nd Watch created an infrastructure where projects run through each of these policies by default. For cost and operations policies, 2nd Watch wrote and tested custom cloud custodian policies that run on a periodic and ongoing basis across all projects.

We worked collaboratively with the company to set up a GCP native security tooling maximizing access to a large amount of cloud security expertise. Since their goal was to enhance governance and compliance across their multi-cloud environment, cloud-native security tooling is the best way to move toward meeting a benchmark on a baseline. 2nd Watch utilized Security Center because the company’s cybersecurity team was already using it, and additional use doesn’t increase spending on this tool. Not only does Security Center allow the company an almost unlimited amount of controls in multiple places, but it enables CIS benchmark policies.

The Business Benefits

With the help of 2nd Watch cloud experts, the company has confidence in their governance and compliance policies, and how those standards are being upheld. The new infrastructure enables and ensures that every GCP project will meet their high set of governance and compliance standards, in addition to the GCP CIS benchmark. The company has complete visibility into their GCP projects, along with a number of preventive measures to keep teams from violating policies. Some of those security and cost-cutting measures include the following:

• Teams cannot spin up an instance that has public SSH or RDP access to the internet.
• Teams cannot spin up any instance that has access to the internet without permission.
• Teams can only use the proved instance types – no access to public instances.
• Teams can only use approved images to ensure all cybersecurity and operational agents are installed.
• Teams can only use approved machine types – no old generation or massive machine types without pre-approval.

Now, the company has a solid baseline from their CIS benchmarks across their public clouds, and they can continue enhancing their security posture with more precision. 2nd Watch is in the process of translating the company’s AWS and GCP governance and compliance policies to Azure to unify their standards across the multicloud environment.