INDUSTRY
Finance

REGION
Global


CASE STUDY

Top 5 Canadian Bank

Custom cloud controls enable rapid shift left and
reduce time to deployment

One of North America’s leading diversified financial services companies, providing personal and commercial banking, wealth management, and capital markets products globally to 17 million clients. The bank is proactive in its digitization strategy, choosing to focus on the best use of technology to protect its clients, partners, and investors.

Challenge

Digital transformation demands doubling CI/CD growth

This Tier 1 bank was already in the cloud, but speed and security were not keeping pace with a new development mandate: double application growth within one year and move more of the bank’s digital assets into the cloud. The bank had a mature set of on-premises security controls that it had yet to translate fully to the cloud. Instead, it relied on the cloud providers’ out-of-the-box native tools for basic compliance checks and satisfied its access-control requirements with a semi-manual security review. Finally, its multi-cloud deployment across AWS and Azure meant that controls had to be unified across both providers.

Solution

Shift left with automated, custom cloud control objectives

With such an increase in development output, the bank needed to cut the time it took a workload to deploy. That made automating security reviews and catching issues earlier in the development pipeline (i.e., “shifting left”) critical.

Translating the existing on-premises controls to the cloud required establishing which cloud actions were affected by which policies, locating and classifying all data, and knowing which environments (and which data) each policy should apply to. In AWS alone there are over 10,000 unique cloud actions, including 1800 ways to create something and 1300 ways to delete something. The security team could not catalog these alone, but Sonrai’s analytical model could.

Sonrai first helped the bank rebuild all of its custom policies in a cloud-centric way, using prebuilt, overlapping control frameworks and a nightly categorization of every new cloud action for evaluation against the existing policies. This covered the permission and inherited-rights risks that the cloud-native tools did not. For example, the bank could now see a full analysis of chained access via AWS AssumeRole, Azure group membership, and other indirect trust relationships. This eliminated the need for a manual security review of each workload before it reached production.

Next was enabling shift left. Workloads had to be organized so that alerts and remediation workflows went to the right cloud team and escalated to the security team when necessary. Sonrai helped the bank organize into ‘swimlanes’, Sonrai’s groupings for environments, so that the right personnel, escalation schemes, and policy sensitivities matched the right workloads. Collaboration between the cloud and security teams now flowed, and the security team could act as a failsafe for any risks that got past the cloud team.

“Our security team demanded extensive governance around sensitive data for all AWS and Azure deployments. With Sonrai we verify all identity and data controls are in place and working. We can demonstrate that our risk in the cloud is equivalent to or less than our on-premise data centers.”

– Head of Cloud

Impact

Simplified controls within a tailor-made framework make secure deployment easier

Workload deployment speed increased 93% thanks to the elimination of manual security reviews. This change enabled the bank to reach its goal of doubling application growth.

On initial evaluation of the bank’s cloud, lateral movement risks were reduced from thousands to a handful, despite complex machine-to-machine access at scale. Sonrai’s ability to see access paths that rely on multiple trust relationships between non-person identities eliminated this risk, even for the ephemeral parts of the cloud. Overall, this helped the security team shift from a compliance-focused mindset on identities to a risk and threat analysis approach.
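As an added illustration of the chained-access analysis described above and in the Solution section (example code written for this page, not Sonrai’s product or the bank’s tooling): given a constructed set of same-account IAM role trust policies and a reduced view of the actions each identity’s own policies allow, the walk below follows sts:AssumeRole edges transitively from one user and reports every action it can ultimately reach, together with the chain of roles that grants it. The account ID, user and role names, and all policies are constructed; limiting the model to one account, ignoring policy conditions, permission boundaries and SCPs, and treating an account-root principal as “any identity in the account whose own policy grants sts:AssumeRole” are simplifying assumptions.

```python
"""Chained AssumeRole path analysis over a constructed set of IAM roles.

Added example, not Sonrai's code. Each role's trust policy names who may
assume it; walking those edges transitively from an identity yields its
effective reach, which a per-role review does not show.
"""
from collections import deque

ACCOUNT = "111111111111"  # constructed account id


def role_arn(name):
    return f"arn:aws:iam::{ACCOUNT}:role/{name}"


def user_arn(name):
    return f"arn:aws:iam::{ACCOUNT}:user/{name}"


def allow(principal, action="sts:AssumeRole"):
    """One trust-policy statement (constructed helper)."""
    return {"Effect": "Allow", "Principal": {"AWS": principal}, "Action": action}


# Constructed trust policies, in the statement shape the IAM API returns.
TRUST_POLICIES = {
    "ci-build": [allow(user_arn("alice"))],
    "ops-admin": [allow(user_arn("bob"))],
    "deploy-helper": [allow([role_arn("ci-build"), role_arn("ops-admin")])],
    "data-reader": [allow(role_arn("deploy-helper"))],
    # Account-root principal: any identity in the account may assume this
    # role, but only if its own identity policy also grants sts:AssumeRole.
    "audit-reader": [allow(f"arn:aws:iam::{ACCOUNT}:root")],
    # Service principal: an edge for Lambda, not for any IAM identity.
    "lambda-exec": [{"Effect": "Allow",
                     "Principal": {"Service": "lambda.amazonaws.com"},
                     "Action": "sts:AssumeRole"}],
}

# Constructed identity policies, reduced to the actions each identity allows.
IDENTITY_ACTIONS = {
    user_arn("alice"): {"codebuild:StartBuild"},
    user_arn("bob"): {"iam:ListRoles"},
    role_arn("ci-build"): {"s3:PutObject"},
    role_arn("ops-admin"): {"iam:PassRole"},
    role_arn("deploy-helper"): {"ec2:DescribeInstances", "sts:AssumeRole"},
    role_arn("data-reader"): {"s3:GetObject"},
    role_arn("audit-reader"): {"cloudtrail:LookupEvents"},
    role_arn("lambda-exec"): {"logs:PutLogEvents"},
}

ASSUME = {"sts:AssumeRole", "sts:*", "*"}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def trust_edges(trust_policies, identity_actions):
    """Map principal ARN -> set of role names it can assume in one hop."""
    edges = {}
    for role, statements in trust_policies.items():
        for stmt in statements:
            if stmt.get("Effect") != "Allow":
                continue
            if not ASSUME & set(_as_list(stmt.get("Action"))):
                continue
            # Only the "AWS" principal key yields hops an IAM identity can take.
            for principal in _as_list(stmt.get("Principal", {}).get("AWS")):
                if principal.endswith(":root"):
                    # Root delegates the decision to identity policies (assumption:
                    # same account); this is the edge reviewers most often miss.
                    for arn, actions in identity_actions.items():
                        if actions & ASSUME:
                            edges.setdefault(arn, set()).add(role)
                else:
                    edges.setdefault(principal, set()).add(role)
    return edges


def assume_paths(start_arn, trust_policies, identity_actions):
    """BFS over trust edges; returns {role: shortest chain of ARNs to it}."""
    edges = trust_edges(trust_policies, identity_actions)
    paths, seen = {}, {start_arn}
    queue = deque([(start_arn, [start_arn])])
    while queue:
        current, path = queue.popleft()
        for role in sorted(edges.get(current, ())):
            arn = role_arn(role)
            if arn in seen:
                continue
            seen.add(arn)
            paths[role] = path + [arn]
            queue.append((arn, paths[role]))
    return paths


def effective_actions(start_arn, trust_policies, identity_actions):
    """Every action start_arn can reach, direct or via AssumeRole hops,
    mapped to the chain that first grants it."""
    reach = {a: [start_arn] for a in identity_actions.get(start_arn, ())}
    for role, path in assume_paths(start_arn, trust_policies, identity_actions).items():
        for action in identity_actions.get(role_arn(role), ()):
            reach.setdefault(action, path)
    return reach


if __name__ == "__main__":
    reach = effective_actions(user_arn("alice"), TRUST_POLICIES, IDENTITY_ACTIONS)
    for action, chain in sorted(reach.items()):
        print(f"{action:24} via {' -> '.join(a.rsplit('/', 1)[-1] for a in chain)}")
```

Run on the constructed data, alice’s own policy grants only codebuild:StartBuild, yet she reaches s3:GetObject three hops away (ci-build, then deploy-helper, then data-reader) and cloudtrail:LookupEvents through the account-root trust on audit-reader, which only becomes an edge because deploy-helper itself holds sts:AssumeRole. Neither path is visible from any single role’s policy, which is the gap the case study attributes to the cloud-native tooling.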

The team was also able to extract entitlements intelligence from Sonrai and build it into broader entitlement certification workflows. Sonrai’s flexible and accessible GraphQL interface made for a seamless integration into the bank’s larger security analysis apparatus.

Replacing and consolidating first-generation cloud tools also gave the bank an annual savings of $1 million on tooling. The team also estimates $845k in savings from productive hours freed up from security reviews. More importantly, secure development acceleration was delivered ahead of schedule. With unprecedented visibility into privileges, collaboration across teams on a distributed security model, and custom controls rebuilt for the cloud and updated every night, the security and cloud teams unlocked a new era for the company as it reaps the benefits of cloud development.