How Unity Uses Continuous Security Risk Assessment to Empower Its Google Cloud Estate

Elias Terman, SVP of Marketing at Orca Security, moderated a lively conversation with Justin Somaini, Chief Security Officer at Unity, Chris Johnson, senior compliance product manager at Google Cloud, and Alaap Pandit, Senior Sales Engineer at Orca Security. Curated highlights from the conversation follow.


Meet Justin Somaini, Chief Security Officer at Unity. Somaini is an expert in securing large environments, having done stints as the CISO of Yahoo! and SAP. The scale of operations at Unity is even bigger: its games and experiences reach billions of devices a year, powered in large part by a massive Google Cloud Platform estate alongside other cloud providers.

Upon arriving at Unity, Somaini had a decision to make. Should he focus his initial efforts on preventative controls or on deep asset management with continuous risk assessments?

In this webinar, Somaini was joined by Google’s Christopher Johnson and Orca Security’s Alaap Pandit. Key takeaways include:

  • How Unity reduced time-to-remediation by coupling continuous cloud risk assessments with automation
  • How Orca’s deep cloud asset inventory and configuration management unlocked rich enterprise-wide capabilities
  • How Unity eliminated friction between Security and DevOps teams and empowered DevOps with ownership of and accountability for security issues
  • Selection criteria for choosing a cloud security vendor, including the pros and cons of agent-based tools and scanners

“Orca Security allows us to do highly frequent assessments and identify issues in an integrated and automated way so that we can have a faster turnaround on remediation. It’s incredibly valuable. Historically, we haven’t had that ability, and now with Orca, we do. We plan to exploit that as much as possible.”

– Justin Somaini, CSO at Unity


Elias Terman: Justin, please introduce yourself and tell us about your background.

Justin Somaini: I’m the Chief Security Officer at Unity, owning both the physical and cyber security aspects. Unity makes one of the leading real-time 3D engines for gaming and other industries for representing the real world in a virtual one, whether for fun or productivity. I’ve been at Unity for over a year and a half, helping grow and manage cyber security in an incredibly agile and high-growth company. Before Unity, I was the Chief Security Officer at SAP, Yahoo!, Symantec, VeriSign, Schwab, and other companies. 

Elias Terman:  Great, Chris, can you do the same? 

Chris Johnson: I’m a senior compliance product manager in the Google Cloud Security team. My team looks after the compliance experience on the Google Cloud Platform (GCP). I’ve been at Google for about five years and we love working with the team here at Orca Security and Unity. 

Elias Terman: Justin, tell us about the overall scale of your operation, and the magnitude of your Google Cloud estate?

Justin Somaini: Our implementation for game developers is in the billions of devices around the globe. But what’s little known is the engine’s utility in real estate, construction, and other industries, as they visualize the 3D world such as creating machine learning algorithms for navigation, driving in your car, and more.

Underneath Unity’s hood, we are like any other SaaS provider. We provide many services to support the monetization, operation, delivery, and upkeep of those games and services. To that end, we’re in multi-cloud environments, with GCP being the most predominant. We manage hundreds of thousands of assets and instances within GCP. Moreover, we need to manage many capabilities, flavors, and implementations of applications and infrastructure. 

Elias Terman: Were there specific cloud security and compliance challenges that were top of mind for you when you arrived at Unity? What did you prioritize?

Justin Somaini: The first thing we wanted was a fidelity of visibility for all assets across our multi-cloud estate. Asset management is one of the most challenging and least tended services and functions in any company. This has been a big challenge for all companies I’ve worked for. True knowledge of assets in most organizations is usually 50% at best.

“Orca unleashes the power of multi-cloud scans and reveals, ‘Here are your exact assets and this is how they fluctuate over time.’ Providing that visibility for any sort of analysis – whether it’s compliance or financial – is really important. It helps answer questions like, ‘Are there dead accounts we need to clean up? How do we drive into a zero-trust model from a credential standpoint?’”

– Justin Somaini, CSO at Unity


The second was to get the depth of vulnerability configuration associated with those assets. And for us, because of the importance of security within the company, the question was how to do that on a daily basis. It’s a living process in an agile and ever-changing, massively complex business operation that outstrips third-party compliance standards. So that was probably the biggest bar we had.

Alaap Pandit: Could you share a bit of the difficulty you faced when evaluating cloud security solutions and what compelled you to choose Orca Security as your tool of choice?

Justin Somaini: We’re in multi-cloud with about four cloud providers. We also have OpenStack in other environments. So, we strive to go end-to-end across those multi-cloud providers. We also wanted to get a daily or frequent assessment of our assets and vulnerabilities. We have ephemeral instances being fired up and taken down on a daily, monthly, and quarterly basis. So, Orca’s ability to do very frequent, continuous assessments was a strong selling point for us.

We took a fair amount of time talking through agent and agentless, which was incredibly important as there are a lot of products and services on the market.

“Agents pose a number of problems. Whether you deploy agents with scripts, Chef, or some other means, that would take at least a year. Then we’d have to manage political backlash because of the operational overhead, and we’d only reach 80% of our assets.”

– Justin Somaini, CSO at Unity

Elias Terman: Justin, one common thread across Orca Security’s customer base is that they’re all doing custom app development on top of public cloud platforms like Google Cloud. Software and platform engineering are pushing code at breakneck speeds in order to innovate, better serve customers, and beat the competition. In this environment, how does infrastructure security get functions like DevOps to do what you need them to do in order to protect the business?

Justin Somaini: Building goodwill and credibility with DevOps is key. I spoke earlier about asset management and how it’s complex. That was one of the areas where Orca was able to deliver. For the first time, we were able to identify in-depth assets across the deck, and even asset types within instances and containers.

“For the past 20 years, we’ve been doing vulnerability and configuration management but problems are often assigned to the wrong organization. So now, we do nuanced operational ownership and give problems to the right person. As a result, we are getting faster remediation.”

– Justin Somaini, CSO at Unity

Historically, security teams have identified problems or solutions and then told other people what to do. DevOps or operational teams historically have been the destination of those problems. So, our ability to integrate Orca Security with their ticketing systems and their existing processes was incredibly beneficial. And so, we were seen as partners and collaborators. It brought credibility and goodwill, and ultimately, speed in solving the problems across the company.

We’ve proven to the developers that we are actually partners providing meaningful solutions and we help them get the clarity they haven’t had before. It has helped us earn their trust so they’re more willing to hear us out when we bring other issues to them.

“We were planning a 12-month implementation cycle, but we shortened it to five months. In hindsight, we could have gotten it done in a couple of weeks. The longer deployment was to build partnerships or relationships. I’m very happy that we did that because you can’t put a price tag on goodwill and credibility.”

– Justin Somaini, CSO at Unity


Elias Terman: Chris, for customers migrating to or scaling up on GCP, are there specific design, compliance issues, or best practices that should be top of mind?

Chris Johnson: Yes. Consistency is key. The abilities that Orca talks about, in terms of understanding your inventory and your estate, and driving towards as much of a homogeneous infrastructure as you can so that it can be ephemeral, are important. Often, that has to do with simplifying your supply chain and removing as many components as possible, whether that be agents, operating systems, or just the diversity of those components. You must secure it, but you also have to simplify it.

Alaap Pandit: Chris, if Google is doing such a great job offering compliance, why would I even look at anything besides just what you offer out of the box?

Chris Johnson: Orca has more than what we offer out of the box.

“One of the things that we’ve been doing at Google is shifting from a shared responsibility to a shared fate model. And instead of pushing everything onto the customer, we want to be part of those outcomes.”

– Chris Johnson, Google Cloud Platform

But we can’t do it all. There’s absolutely no way to do 100% of what’s required to achieve security and compliance outcomes. So there are always going to be responsibilities to the customer.

Elias Terman: Justin, earlier you mentioned that you now have a deep, all-knowing cloud asset inventory and configuration management. How is this helping you unlock new enterprise-wide capabilities?

Justin Somaini: When we talk about the concept of asset management, we can give a fidelity of all different asset types. This allows us to go into vendor management in better ways. For example, we’re talking about operating system costs or our ability to reduce redundancies within organizations.

For example, if we have multiple BUs dealing with technology and operationally managing it discretely unto themselves, now we can ask, why? Should we create centralized services for that technology to benefit the multiple BUs and drive higher capabilities?

“Bringing transparency to what we have unlocks a better utility of how we manage our environments for the betterment of all. And while it’s a very simple concept of asset management, it breaks down the walls between organizations and brings data to the conversation of how we do better.”

– Justin Somaini, CSO at Unity

Elias Terman: Were there any other results that you would like to highlight in terms of your investment with Orca?

Justin Somaini: Yes, I hit on this before regarding goodwill. The security people coming into the room are like dentists. Everybody knows that they need them but don’t necessarily want to be in the room with them. So, when we’re saying, “Yeah, yeah, but it’s not going to be as painful as you experienced in the past. We can get Orca into your workflow system automatically. We can get data fidelity to be accurate the first time, so you don’t have to deal with this as much. You can just solve the problem and move on with your day.” Those are the things that have the other individuals across the company go, “Fantastic.” They walk away knowing the security team values their time and brainpower.
