Sign In

How to Get a FinOps Budget by Solving Security's Biggest Nightmare

Engineering Leadership & FinOps

You’ve done the math. You’ve found the waste. You’re ready to ask for the budget for a FinOps tool, and then you remember: you have to talk to Security.

Suddenly, your business case feels a lot more fragile. You aren't just asking for a tool; you’re asking for permission to do exactly what a CISO is paid to prevent. You want to give a third-party SaaS vendor standing, read-only access to your entire cloud.

In a world of supply chain attacks, that's a massive red flag. No matter how good your ROI looks, it’s dead on arrival if it introduces that level of risk.

Lead with Their Pain, Not Yours

To get this approved, you have to stop framing it as a "spending tool" and start framing it as a "security win." You need to walk into that meeting as an ally, not a developer asking for a favor.

The Old Way: "I found this great SaaS tool that helps us track our AWS spend. We just need to give them an IAM role with cross-account access." The Result: Security starts a six-month audit that eventually ends in a "No."

The New Way: "I need better visibility into our cloud, but I’m not comfortable with the risk of most FinOps tools. They all require standing permissions for a third party, which is a major supply chain vulnerability. I’ve found a way to get the data without that risk."

The "Anti-SaaS" Approach

By positioning the solution as "Anti-SaaS," you solve the CISO’s biggest problem before they even bring it up. You aren't connecting to a cloud service; you’re running a local process inside your own perimeter.

The Workflow:

  • It runs on your hardware: The scanner is a container that runs as a short-lived step in your existing CI/CD pipeline.

  • No long-lived keys: It uses temporary, time-boxed credentials that exist only while the pipeline is running. There are no static keys for an attacker to steal.

  • Data stays home: The scan results are committed as a JSON file to your private Git repo. A complete map of your infrastructure—which would be a goldmine for a hacker—never leaves your network.

  • Offline Analysis: When you want to see the charts, you run a local UI on your machine that reads the file from Git. No third-party servers involved.

Zero-Trust Scanning

You can bake this security-first approach right into your deployment pipeline using an ephemeral runner.

  1. The Trigger: A scheduled GitHub Action or GitLab Runner starts.

  2. The Identity: Use OIDC (OpenID Connect) to get a temporary token from your cloud provider. No secrets are stored in your CI/CD settings.

  3. The Artifact: The scanner runs, saves the cloud-stats.json, and the runner is immediately destroyed.

YAML
 
# Conceptual Secure Scan Step
- name: Scan Infrastructure
  permissions:
    id-token: write # Use OIDC for temporary access
    contents: write
  run: |
    # Get temporary cloud credentials
    # Run the local scanner container
    atlas-scanner --output ./data/cloud-stats.json
    # Commit the update to the private repo
    git commit -m "Update cloud state" ./data/cloud-stats.json

From Risk to Asset

When you present it this way, the cost savings are just the bonus. The real selling point is that you’ve found a tool that aligns with a zero-trust model. You get the visibility you need, and the CISO gets a tool they don't have to worry about.

 

Instead of fighting Security, you’ve handed them a win. That’s how you get your budget approved.

The Conversation Every Engineer Dreads (And How to Win It)

Jun 15, 2026

The directive comes from on high: "Cut 20% from your cloud spend." You know it's not that simple, but how do you push back without looking defensive? You do it by changing the conversation from cost to consequence, armed with undeniable data.

Your Cloud Isn't a Spreadsheet. It's a Living System

Jun 5, 2026

Trying to understand your complex cloud estate by reading a CSV file is an exercise in futility. Your infrastructure isn't a table of numbers; it's a living system, and you deserve a tool that lets you see it that way.

Stop Auditing Your Bill. Start Versioning Your Waste

Jun 3, 2026

Your monthly cloud bill is a financial autopsy report. To actually improve efficiency, you need to stop doing archaeology on past spend and start creating a living, version-controlled history of your infrastructure's health.