Client story: Carvana Shifts to Proactive Cloud Security With Insight

Client

Carvana is the industry pioneer for buying and selling cars online, offering a seamless online experience.

Industry: Retail

Challenge

As Carvana’s purpose-built technology scaled across multiple cloud platforms, maintaining consistent security controls became increasingly complex. Carvana needed to manage risk without slowing down the developers powering the platform’s growth.

Outcomes

Security policy updates dropped from hours to minutes, automated lifecycle policies were created, and collaboration between security and engineering teams improved as a result.

Solutions: Google Cloud

Insight helped Carvana implement automated guardrails, allowing the company to scale its leading automotive eCommerce platform while maintaining speed and security.

  • Security updates went from hours to minutes
  • Quarterly remediation cadence adopted
  • Data retention rule created
  • Org policy enforcement won’t allow default configurations that introduce security risks

“I view Insight as a trusted partner, and I know they have Carvana’s security handled. I know this because I don’t see misconfigurations reported in our tools for Google Cloud accounts with organization policies applied. That lets our team focus on other areas, such as cloud environments where we don’t yet have Insight’s help. Insight operates with a level of context and commitment that makes them feel like internal team members, not a vendor delivering a project.”

Dina Mathers,
Cybersecurity,
Carvana

Changing the way people buy and sell cars

Carvana pioneered online car buying and selling, building proprietary technology and operations designed to deliver a fundamentally better customer experience. Millions of customers have chosen Carvana’s eCommerce platform to shop, sell, finance, and trade in vehicles, and the company’s cloud footprint has expanded rapidly across multiple platforms to support increasing demand. This fast growth brought technical challenges, as the team had to balance a rapid pace of innovation with a need for consistent security. By moving from a reactive approach to a proactive model, Carvana now automatically hardens its cloud infrastructure, ensuring that speed does not come at the cost of security.

The challenge: Scaling security across a growing cloud environment

Carvana’s platform is built to move quickly, launching new features that deliver a fundamentally better customer experience. As the company scaled, its cloud environment grew across multiple providers to meet different business needs. This rapid expansion made it increasingly complex to keep security controls consistent.

Navigating policy consistency with multiple cloud providers

“We operate in multiple cloud environments for continuity and business resiliency,” says Dina Mathers, who’s responsible for cybersecurity at Carvana. “Because of that, we had some complexities due to inconsistent security policies. We were always reacting to security risks as they were identified. We wanted to be more preventative versus reactive.”

The volume and complexity of these security findings continued to grow, making it clear that a project-by-project approach to security was no longer feasible. The team needed a way to manage risk without slowing down the developers powering the platform’s growth and to build preventive controls to stop those security risks from recurring.

The solution: Build a cohesive security architecture

Carvana partnered with Insight to build a more cohesive security architecture, starting with Google Cloud. Insight brought deep technical expertise in Google Cloud and helped the team move from detection to prevention. The transformation focused on three core areas:

  • Building a strong foundation: Insight helped Carvana establish a consistent folder hierarchy and naming convention. This structure lets the security team apply policies across the entire organization at once, rather than managing them project by project.
  • Implementing guardrails: Instead of simply identifying risks, Insight built controls directly into the platform. By using organizational policies, like disallowing default service accounts, Carvana was able to remove entire categories of security risks from the backlog.
  • Adopting a sustainable rhythm: Insight helped Carvana shift to a quarterly remediation cadence, giving the team a predictable schedule to address risks and prevent them from accumulating.

“Insight has a lot of Google Cloud expertise, which helped us build policies to make sure we don’t create new service accounts with overly excessive permissions and only grant the necessary permissions, as an example,” says Mathers. “In parallel, Insight and our team did tech debt remediation to resolve current risks. Insight helped us build a foundation that included security controls and policies.”

The outcome: From reactive to proactive security

Insight helped Carvana by building security directly into the platform and shifting the company from a reactive approach to a proactive cloud security model. Many risks are now caught before they reach production, and teams move faster with confidence knowing the platform automatically safeguards their work. This foundation positions Carvana to scale securely across multiple cloud environments.

Quantifiable benefits

By coding security requirements directly into the platform, Carvana transformed manual processes into automated advantages.

  • Efficiency gains: Security updates that previously required hours of configuration on a project-by-project basis now take only minutes with organizational-level policies.
  • Data retention enforcement: Automated lifecycle policies limiting data storage eliminated a manual review process that required consistent monitoring.
  • Quarterly remediation cadence: With the primary risk-reduction work completed, Carvana and Insight have moved to a quarterly routine for prioritizing and remediating the existing risk backlog.

Qualitative improvements

The collaboration went beyond operational metrics. Security is now understood across the organization as a platform-level concern, not just the responsibility of one team.

“When security controls are built into the platform rather than applied as afterthoughts, the friction between security and engineering decreases naturally,” says Michael Hayslip, manager, information security at Carvana. “Developers have clearer guardrails, and the security team spends less time chasing individual project exceptions.”

Developers now provision resources confidently, knowing they operate within safe boundaries by default. Engineering leadership spends less time on security remediation and more time focused on building features that serve Carvana's customers.

Future outlook

This foundational work positions Carvana to handle the next generation of cloud challenges. The hierarchy and policy framework established by Insight in Google Cloud provide Carvana with a proven model that its team can extend to other cloud platforms like AWS® and Azure®.

“The infrastructure that Insight helped us put in place — the hierarchy, the policies, the remediation rhythm — is the foundation we’ll build on as our cloud environment continues to grow,” says Mathers. By investing in this solid foundation, Carvana ensures its security posture scales in step with business goals, keeping the company moving fast while staying secure.

By Insight Editor / 25 Apr 2026 / Topics: Modern infrastructure, Cybersecurity
