Case Study: How DivvyCloud Enables Continuous Multi-Cloud Security and Compliance Best Practices for CoStar During Mergers and Acquisitions
CoStar is the leading provider of commercial real estate information, analytics, and online marketplaces. They conduct expansive, ongoing research to produce and maintain the largest and most comprehensive database of commercial real estate information. Their suite of online services, which includes Apartments.com, LoopNet, Lands of America, BizBuySell, and many more, enables clients to analyze, interpret, and gain unmatched insight into property values, market conditions, and current availabilities.
To expand their reach, CoStar supplements its core products with complementary services and capabilities through mergers and acquisitions (M&A). As of October 1, 2019, CoStar has spent approximately $2 billion acquiring a total of 27 organizations, each with a unique cloud presence and varying levels of cloud competency. They have an estimated revenue of $1.2 billion. CoStar’s challenge is ensuring the security and compliance of its constantly growing and evolving cloud footprint, which spans across Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP).
When growing through M&A, CoStar needs the ability to:
- Understand the cyber risk of the acquisition target by:
  - gaining visibility into the cloud and container environments;
  - determining if these cloud and container environments meet CoStar’s security and compliance requirements; and
  - establishing the cyber risk associated with these environments and building a plan to minimize this risk.
- Integrate the newly acquired resources, including continuous monitoring and remediation of security and governance, risk, and compliance standards.
- Maintain the ability of these acquired entities to accelerate innovation through the use of cloud services to continue to grow CoStar as an industry leader without the loss of control.
In 2018, CoStar selected the DivvyCloud software platform to establish and maintain comprehensive security for their multi-cloud environment. CoStar’s primary objective in the cloud is to achieve a rigorous standard of security while accelerating innovation and growth. DivvyCloud provides CoStar with control over their cloud resources in a way that supports their business model and culture.
Understand the Cyber Risk
When acquiring a new company through M&A, CoStar uses DivvyCloud as part of its onboarding. This onboarding process integrates key infrastructure and cloud service provider security tools, DivvyCloud, and other third-party tools. This onboarding is done in-house using a custom script. Within about 10 minutes, the script is complete and the new cloud environments are visible in DivvyCloud.
Using DivvyCloud’s Badges and non-invasive Insights as part of their onboarding process, CoStar has immediate visibility of how a new cloud environment scores against their security baseline.
At this point, if any of the new environments do not meet CoStar’s security or compliance requirements, DivvyCloud will automate remediation, for example by sending an alert in response to these violations and notifying specified personnel through email, Slack, and DivvyCloud’s user interface. Detection and automated remediation can begin in as little as 30 seconds, allowing CoStar to understand the risk created by security, compliance, and governance gaps; alert the right people in real time; and harness the power of meaningful automated remediation.
Integrate and Automate
After using DivvyCloud to align the new cloud environments with CoStar’s cloud security requirements and validating proper configuration, CoStar integrates cloud account authentication and authorization into its Active Directory. At this point, DivvyCloud’s Badging function aligns the new accounts to CoStar’s organizational structure.
Badges allow enterprises like CoStar to customize the organization of their cloud accounts within DivvyCloud. Badges are key-value pairs, similar to AWS tags or GCP labels, that are stored in DivvyCloud. Badges are applied at the cloud account/subscription/project level, depending on the cloud service provider.
CoStar uses DivvyCloud Insights and Bots to identify and automate many standard actions that would otherwise require manual remediation. An Insight is essentially a question about the data (e.g., “is the database encrypted?”). A Bot is a workflow that can be automatically triggered if and when a finding is detected by an Insight. This workflow executes a user-defined set of actions. These actions include notifications, ticketing, logging, orchestration of third-party systems, and reconfiguration of cloud services. CoStar uses Badges to scope their Insights and Bots, for example by applying a different set of Insights and Bots to development versus production environments or to different business units. With Insights, Bots, and Badges, CoStar can:
- organize their cloud controls in a logical way that aligns to their current business needs while providing flexibility for the future,
- identify standard levels of acceptable risk based on specific resources and settings, and
- create workflows to remediate situations that fall outside the scope of acceptable risk.
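The relationship between Badges, Insights, and Bots described above can be sketched as a small model. This is an added illustration, not DivvyCloud's API or CoStar's configuration: every class, function, action label, badge key, and account record below is hypothetical and constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable

@dataclass
class Account:
    name: str
    badges: dict      # key-value pairs set at the account/subscription/project level
    resources: list   # constructed resource records (plain dicts)

@dataclass
class Insight:
    name: str
    violates: Callable[[dict], bool]   # the "question": True when a resource fails it

@dataclass
class Bot:
    insight: Insight
    scope: dict       # badges an account must carry for this Bot to apply
    actions: tuple    # ordered action labels (hypothetical names)

def in_scope(account, scope):
    return all(account.badges.get(k) == v for k, v in scope.items())

def plan_actions(accounts, bots):
    """Return (account, resource id, insight, actions) for each badge-scoped finding."""
    plan = []
    for bot in bots:
        for acct in (a for a in accounts if in_scope(a, bot.scope)):
            for res in acct.resources:
                if bot.insight.violates(res):
                    plan.append((acct.name, res["id"], bot.insight.name, bot.actions))
    return plan

def uncovered(accounts, bots):
    """Accounts matched by no Bot scope, e.g. onboarded but not yet badged."""
    return [a.name for a in accounts if not any(in_scope(a, b.scope) for b in bots)]

# Constructed sample data: three accounts, one Insight, two badge-scoped Bots.
DB_UNENCRYPTED = Insight("database-not-encrypted", lambda r: r["type"] == "database" and not r.get("encrypted"))
ACCOUNTS = [
    Account("aws-prod", {"env": "production"}, [{"id": "db-1", "type": "database", "encrypted": False}]),
    Account("gcp-dev", {"env": "development"}, [{"id": "db-2", "type": "database", "encrypted": False},
                                                 {"id": "db-3", "type": "database", "encrypted": True}]),
    Account("azure-new", {}, [{"id": "db-4", "type": "database", "encrypted": False}]),
]
BOTS = [
    Bot(DB_UNENCRYPTED, {"env": "production"}, ("notify", "ticket", "reconfigure")),
    Bot(DB_UNENCRYPTED, {"env": "development"}, ("notify",)),
]
```

In this model the same finding produces a different workflow in production than in development, and an account with no badges is skipped by both Bots, which is why `uncovered` is worth checking right after onboarding. A Bot with an empty scope matches every account and acts as a catch-all.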
Once the new environments are fully integrated, DivvyCloud continues to play a vital role by providing critical data, continuous monitoring, and automated remediation while integrating with many of CoStar’s tools. Through DivvyCloud, CoStar has a holistic, enterprise-level view of their clouds and is able to maintain their secure baseline across AWS, Azure, and GCP. With DivvyCloud’s automated remediation capabilities, CoStar and its subsidiaries can focus confidently on developing and delivering the best possible products to their customers using the full power of cloud technology. By keeping pace through agile development and minimizing friction from security, CoStar allows its acquisitions to thrive. In this relationship, security and development are not opposing forces. In fact, they work together.
DivvyCloud has enabled CoStar to create a standardized security baseline across products, business units, and cloud service providers. Without DivvyCloud, CoStar would have to manually aggregate resources and resolve security issues between AWS, Azure, and GCP. Based on the comprehensive snapshot that DivvyCloud provides, CoStar defines how they are going to address and minimize vulnerabilities, prioritized by risk, using both automated and manual interventions.
DivvyCloud automatically alerts the CoStar security team of misconfigurations, and in some circumstances, corrects issues automatically. Without DivvyCloud’s automation, CoStar’s pace would slow and its vulnerability to risk would rise. Relying on human detection, notification, and intervention for misconfigurations alone would require additional employees, thereby increasing overhead costs and reducing profit. Relying on human intervention would also clash with their developer-centric culture (there is one information security engineer for every twelve developers).
Through continued collaboration, DivvyCloud has delivered several features that extend beyond CoStar’s primary goal of achieving rigorous security while driving innovation and growth. DivvyCloud has become a cornerstone of CoStar’s cloud strategy, which, in turn, supplements their ability to synergize with agile, innovative companies that complement the brand. By investing in DivvyCloud, CoStar has been able to accelerate their M&A process, reduce the cyber risk associated with it, and adapt to future challenges of cloud security in their evolving organization. CoStar’s ability to leverage DivvyCloud ensures their success because they have the right pieces in place to support their security posture, regardless of CSP, before, during, and after a deal is complete.