SimpleRose automates security with Mondoo across entire tech stack

About the customer

SimpleRose helps teams tackle the world’s most complex planning and scheduling problems — faster and in fuller detail. Whether organizations are looking to accelerate their existing optimization models, build a tailored decision support system, or explore SimpleRose’s next-generation solver, SimpleRose helps their customers spend less time simplifying and more time solving.

Location: St. Louis, MO
# Employees:
Cloud: AWS
SaaS: Google Workspace
ITSM: GitHub issues
IaC: Terraform
Compliance: SOC 2, GDPR, CCPA, PCI DSS
Industry: Technology

Cloud-first IT infrastructure

SimpleRose is a cloud-first organization with infrastructure primarily on AWS, structured through multiple sub-accounts managed under an AWS Organization and aligned with best practices for workload separation and security. SimpleRose employs cloud-native development practices and designs its applications for scalability, resilience, and observability, leveraging containerization and infrastructure-as-code within AWS.

SimpleRose’s security function is embedded within the broader IT and operations teams. Rather than a standalone department, security is run as a cross-functional team of security champions from Engineering, Compliance, and IT, coordinated through the Rosarians, SimpleRose’s team for Security, Ops, IT, and Compliance.

Security challenges

One of SimpleRose’s biggest challenges was achieving real-time, centralized visibility into the compliance and configuration of a diverse and rapidly growing tech stack, including cloud infrastructure, endpoints, SaaS platforms, and developer tooling.

Todd Bradfute, Senior Director of Security & Technology at SimpleRose: “Although we had strong perimeter and endpoint protections in place through tools like CrowdStrike and Cloudflare, and we had Vanta to validate basic workstation compliance (e.g., password lock, encryption, antivirus, screen lock [PEAS]), all these solutions worked in silos.”

SimpleRose lacked a unified platform that could provide deep insights into the broader compliance posture of their systems, such as:

  • Patch status and software versions
  • File permissions and system configurations
  • Cloud services configuration and container security
  • Web asset security posture (such as misconfigured domains or cloud services)

“As we scaled up cloud-native services and moved faster in CI/CD pipelines, these blind spots became more pressing,” Todd adds. “We needed a way to not just check boxes for compliance, but to validate the actual state of systems in a developer-friendly, extensible way — and Mondoo gave us that.”


Solution: Mondoo

When Todd heard about Mondoo’s Policy as Code solution at DevOpsDays, his interest was immediately sparked. That, coupled with Mondoo’s ease of use, got SimpleRose quickly hooked.

With Mondoo, SimpleRose can now view their compliance status across different types of tools and assets in one place. Although they already had other tools that provided high-level insight, Mondoo goes much deeper into config-level verification, providing both breadth and depth.

Todd: “We were already using tools like Vanta to validate foundational workstation compliance, but we needed to go beyond high-level controls and into the specifics — like verifying if file permissions were correctly applied, patch versions were up-to-date, and Docker configurations followed best practices.”

With Mondoo, SimpleRose now gets:

  • Central and deep visibility: Consolidated compliance insights from diverse environments (e.g. laptops, AWS, DockerHub, internal web services), with deep config-level verification.
  • Customizable and scalable policies: SimpleRose can write and customize policies as code, making it easy to tailor checks to their specific internal standards.
  • Automated security pipeline: Smooth integration with their CI/CD and infrastructure pipelines enables security-as-code without blocking developer velocity.
  • Clear actionable paths to resolution: Streamlined remediation processes that bridge the gap between detection and action. Todd: “Mondoo gives us a razor sharp answer for how to address identified problems.”
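To make the “policies as code” bullet concrete, here is an added illustrative policy bundle in the cnspec/Mondoo YAML format. It is not SimpleRose’s policy and not taken from Mondoo’s own policy catalog; the policy uid, check uids, titles, impact values, file paths and remediation text are assumptions chosen to mirror the kinds of config-level checks the text mentions (file permissions and SSH daemon settings on a Linux host). Each check carries a remediation block so that a failing result comes with the fix, which is the “clear actionable path to resolution” the page describes.

```yaml
# Added example policy bundle (cnspec/Mondoo policy-as-code format).
# Not SimpleRose's policy: uids, titles, paths and impacts are assumptions.
policies:
  - uid: example-linux-host-baseline
    name: Example Linux host baseline
    version: 1.0.0
    authors:
      - name: Example author
        email: security@example.com
    groups:
      - title: File permissions and SSH configuration
        # Evaluate this group only on Unix-like assets (laptops, EC2 hosts, containers).
        filters: asset.family.contains("unix")
        checks:
          - uid: example-sshd-config-owner-perms
            title: sshd_config is owned by root and not readable by group or others
            impact: 80
            # Block form: every line inside the braces must hold for the check to pass.
            mql: |
              file("/etc/ssh/sshd_config") {
                user.name == "root"
                group.name == "root"
                permissions.group_readable == false
                permissions.other_readable == false
                permissions.group_writeable == false
                permissions.other_writeable == false
              }
            docs:
              remediation: |
                chown root:root /etc/ssh/sshd_config
                chmod 0600 /etc/ssh/sshd_config
          - uid: example-sshd-no-root-login
            title: SSH root login is disabled
            impact: 90
            mql: sshd.config.params["PermitRootLogin"] == "no"
            docs:
              remediation: |
                Set "PermitRootLogin no" in /etc/ssh/sshd_config and restart sshd.
          - uid: example-shadow-not-world-readable
            title: /etc/shadow is not readable or writable by others
            impact: 90
            mql: |
              file("/etc/shadow") {
                user.name == "root"
                permissions.other_readable == false
                permissions.other_writeable == false
              }
            docs:
              remediation: |
                chown root /etc/shadow
                chmod o-rw /etc/shadow
```

Save the bundle as, for example, host-baseline.mql.yaml and evaluate it against the local machine with `cnspec scan local --policy-bundle host-baseline.mql.yaml`; the same bundle can be pointed at other targets cnspec supports (such as a remote host over SSH or a container image) without changing the checks. The `filters` line keeps the group from producing noise on assets where the checks do not apply, which is how a custom policy stays focused on what actually needs remediation.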

Implementation

“Mondoo was very easy to deploy,” Todd said. “I had workstation scanning running literally within an hour of seeing Mondoo’s presentation at DevOpsDays. Connecting to our other environments was also pretty effortless.”

Results

With Mondoo, SimpleRose achieved:

  • Reduction in manual work: What used to be multi-step, manual, and siloed workflows are now clear, actionable paths to resolution with automated patching of affected systems.
  • Significant decrease in the number of vulnerabilities: Instead of a sea of red alerts with no clear path forward, after fully implementing Mondoo with automated policies there are now only a handful of issues open at a time.
  • Optimized attention focus: SimpleRose can now focus on what actually needs remediation and has the granularity to write custom policies that fit its business needs.
  • Repeatable and automated remediation process: SimpleRose now benefits from an automated and repeatable process (As Todd calls it: “rinse, lather, and repeat”) to deal with vulnerabilities and misconfigurations across their entire tech stack:
  1. Mondoo reports on the worst offenders.
  2. SimpleRose picks the ones most worth fixing.
  3. SimpleRose uses RMM (for workstations), IaC (for workloads), and Terraform (for cloud tooling) to deploy fixes, using Mondoo’s remediation code snippets.
  4. Mondoo rescans and shows if the score improved.

Conclusion

The key business drivers for SimpleRose adopting Mondoo centered around the need to unify and deepen compliance and configuration visibility across a rapidly growing tech stack, but Mondoo has delivered far more than that. With an automated, repeatable remediation process, SimpleRose has been able to reduce manual work, accelerate remediation, and ensure the most critical exposures are resolved quickly.

Mondoo Policy as Code and integration into the SDLC has also helped SimpleRose introduce security into their development process, catching security issues early without compromising on speed. Todd: “Mondoo became our bridge between technical configuration and policy requirements, which is critical for scaling secure operations without introducing friction.”

Todd: “No matter where you are in your security journey, Mondoo meets you there. For those with existing tooling, Mondoo has had an answer for every tool we’ve needed to support. For organizations that know they have to support lots of different frameworks, Mondoo has been a great partner to grow with.”

“Mondoo enhances our ability to monitor, validate, and enforce security policies across all our IT surfaces from a single platform, giving us both visibility and control without operational overhead.”
Todd Bradfute, Senior Director of Security & Technology at SimpleRose