Kubernetes Security Blog | RAD Security

How RAD Security Saved One Customer $300K a Year in Cloud Spending and Became a Business Enabler

Written by Jimmy Mesta | Dec 5, 2024 6:27:11 PM

Recently, one of our customers in the financial services sector shared with us that RAD Security had helped them save over $300,000 a year in cloud spending. What they shared can be summarized into three common themes that we believe may help other customers, too:

The Cost of In-Security

The first category of cost savings our customer experienced can be characterized by two old adages: "if it ain’t broke, don’t fix it" and "there’s nothing more permanent than a temporary solution."

All changes, whether they are minor patches or major architectural reworks, come with costs and risks. When you need to support legacy software that may not handle change gracefully, and you have an imperative to avoid operational disruption, the incentives in your engineering decision-making may favor more technical debt in exchange for current (perceived) stability. This is the kind of situation our customer found itself in. In their specific case, the technical debt took the form of remaining on an older version of managed Kubernetes at their cloud provider. This version was no longer available for new deployments and could only receive cloud provider support by paying additional fees. However, there are plenty of other ways this same type of conundrum could manifest: complicated networking architectures, redundant data layers, “lift and shift” workloads, etc. These decisions carry multiple costs: financial, technical, and security.

The security considerations are ultimately what turned the tide in this particular case. RAD Security was able to highlight several security risks, including some unpatchable CVEs, which made this technical debt no longer tenable. When the customer followed RAD’s advice to upgrade to a more recent version of Kubernetes, they also reaped some significant cost savings by dropping those extra support fees.

We raise this story to note something that isn’t always considered when evaluating security risks: “accepting” or deferring a security risk can often carry additional financial cost. In cases like these, security not only provides protection to the organization, it also acts as a business enabler by freeing up needed resources.

Tool Consolidation Saves Resources of All Kinds

The second category of savings our customer experienced further illustrates this point.

We’ve all experienced the proliferation of security agents or tools in IT environments. For example: tools to analyze network traffic, monitor endpoints for suspicious behavior, scan those same endpoints for malware and scan them again for file integrity violations and again for misconfigurations, agents to collect logs, agents to prevent sensitive data being shared outside the organization, agents to provide access to company resources, and so on. Each of these tools comes with a cost, whether that be licensing fees, infrastructure requirements, staff power, or a combination of all three. Perhaps most impactful, though, is the cost in attention for your security team. Simply put, the more places you need to look to spot a potential problem, the more likely you are to miss one. The resulting blind spots redound to the benefit of attackers, who may avoid detection not because the tooling didn’t exist to find them but because the attention didn’t exist to watch the tooling.

RAD Security can consolidate many of these tools into one dashboard. Because RAD Security is a Kubernetes-native security solution, it is capable of analyzing data from both your workloads themselves and the platform they are running on. It can scan for suspicious behavior, anomalous network activity, permissions issues, misconfigurations, and newly disclosed vulnerabilities present in your environment. This consolidation effect reduces license fees and infrastructure requirements, resulting in cost savings that again translate to business enablement. But it also puts all of that data in one location, making it easier for your security team to monitor and take action, which translates to better security. In other words: this was for our customer both a financial and a productivity gain.

Dormant Resources Put to Rest

A third category of savings our customer experienced was the discovery of dormant, little-used clusters. Using a public cloud allows teams to quickly spin up new infrastructure to scale or conduct experiments without scheduling purchases of hardware or coordinating the installation and configuration of that hardware in a data center.

That flexibility, though, inevitably leads to forgotten or underutilized infrastructure being scattered across your organization’s cloud footprint. RAD can help identify these no-longer-needed resources through its cluster discovery mechanism. The RAD Security platform reads CSP APIs to generate a list of clusters that were provisioned. RAD's own plugins (agents) are able to determine what is actually running on the clusters, and can provide an inventory of these workloads. Our customer discovered that several clusters were only running non-essential and non-business-facing services, so they could be deleted without impacting business operations.

Our customer was able to validate that these clusters were either no longer in use or were only hosting ancillary services that could be consolidated or retired without affecting operations. This freed up those resources for other use.

Conclusion

We suspect that many other organizations are facing similar challenges, and we are confident we can help.