On June 16, Sandy Bird, Co-Founder and CTO of Sonrai Security, participated in theCube AWS Startup Showcase for leaders in enterprise cloud security. The panel, titled “22 to 2 Data Centers: How World Fuel Services and Sonrai Security Made It Happen Securely,” included Avi Boru, Director of Cloud Engineering for World Fuel Services and Dave Vellante, Co-founder & Co-CEO for SiliconANGLE Media. In this post, we’ve included key cloud security takeaways from the AWS virtual event.
World Fuel Services (WFS) ranked 91 on the Fortune 500 list in 2018 and delivers energy procurement advisory services, supply fulfillment, and transaction and payment management solutions globally. It serves the aviation, marine, and land transportation industries. World Fuel Services generated $36.8 billion in revenue in 2019 and sold 19.4 billion gallons of fuel.
Through business acquisitions, WFS accumulated 22 data centers, many of which were running legacy workloads. Looking to lower total costs and provide technology that would keep pace with the demands of a startup, WFS set out on a large-scale, worldwide migration to the AWS and Microsoft Azure public clouds. WFS set an ambitious, 2-year timeline to cease its data center operations. WFS fully understood that this initiative required a robust enterprise cloud security platform to support the new operating model, one that would also accelerate the migration.
“There was … a strong need for us to build a strong security foundation because going into the cloud [with] as many capabilities as it gives us to innovate, it also gives us a lot of challenges to deal with from a security standpoint,” said Avi Boru. “And as part of building the security foundation, we had to tackle some key challenges.”
Challenges included building a cloud security operating model and upskilling their talent. “More than choosing a solution, we needed a really strong security partner who [could] guide us in this journey, help us to build the foundations, take us further and mature,” Avi stated.
WFS looked at various enterprise cloud security platforms, including Cloud Security Posture Management (CSPM) tools, which focus on ensuring that the cloud is configured securely and that it stays that way. Should deviations occur, they need to be identified and alerted upon immediately. The WFS team required an agentless approach to CSPM in which they could build their own framework-specific controls.
With their move to the cloud, WFS also wanted to take a fresh approach to how they do security, one that aligns with their DevOps methodology. They needed the ability to decentralize security so that risks and issues are triaged to those responsible for remediating them rather than to a centralized security or operations queue. This ensures that they are addressed at the speed of the cloud, resulting in more secure applications being delivered in a shorter period of time. It also helps those teams understand the impact of decisions made in the environment at the time they make them.
WFS needed to provide “defense in depth” enterprise cloud security in an ever-evolving, growing cloud ecosystem with identity as the primary security control. They required an approach to manage the complex relationships between identities (person and non-person) and the resources in their cloud, especially their crown jewel data. Legacy identity inventory and entitlement solutions were not equipped for the cloud.
WFS realized that with the scale and speed of their cloud environment, it would be near impossible for teams to mitigate all identified risks manually. WFS needed a solution that would provide intelligent workflows and automated remediation capabilities to align with their shift-left approach to security. Key to this approach was the ability for them to customize, or build in, their own workflows and automation as it makes sense to how they organize and manage their business.
WFS considered the native AWS and Azure security tools but decided to go with a single tool that was able to address their pain points across both of their clouds. World Fuel Services decided on Sonrai Dig’s leading enterprise cloud security platform because it provided a single point to address their cloud security management requirements and required less customization when compared to others they evaluated.
WFS realized traditional CSPM’s shortcomings early on. Avi cites Sonrai’s unique CSPM capabilities as a selling point, among others. “… [Sonrai’s CSPM feature set] is different from other platforms … because they give you … a lot of out-of-the-box frameworks and controls,” said Avi. Sonrai also delivered the ability to build their own framework-specific controls. This level of flexibility to support the unique business needs of their organization was a huge selling point.
Sonrai Dig closed the gap between what World Fuel Services could accomplish with traditional IAM solutions and what was required. Avi said Sonrai’s capabilities to manage risk, and to identify the interactions between person and non-person identities, offer a unique perspective on using IAM. Sonrai Dig not only discovered all identities across WFS’s AWS accounts and Azure subscriptions but also mapped their effective (end-to-end) permissions. It generated a normalized graph data model that surfaced complex layers of IAM and data relationships across their multi-cloud environment.
“It was a really good starting foundational point,” stated Avi. Sonrai Dig’s graph analytics, a departure from traditional relational databases that rely on fixed, predetermined data relationships, uncovers relationships that don’t jump out at you and that teams might otherwise miss.
“… The cloud identity models inside of the graph allow us to understand exactly how any given identity can gain access to a resource,” said Sandy Bird. “By using the graph, we can tie that whole model together to really understand the entire list of what gets access.”
Sonrai Dig introduced WFS to Governance Automation. The Sonrai platform provides intelligent workflows and automation to enable WFS to manage risks and remediate issues at the scale and speed of the cloud. Sonrai Dig organized the analysis, alerts, and remediation actions into approximately 40 “swimlanes.” With the swimlanes in place, WFS continuously monitors their environment and when risks and issues arise, it directs them to those responsible for handling them or kicks off automation.
As described by Sandy Bird, CTO and Co-founder of Sonrai, “There’s a set of security findings that are a fairly low risk and should be dealt with by the individual teams themselves … but that same team may not have the person that can sign off on the risk if it’s high enough … that needs escalation to the next level up [for signoff].” Having the ability to customize their workflow, and automation, to meet even the most specific requirements was a must-have for WFS.
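To make the two ideas above concrete, the graph model Sandy describes (tracing how any identity reaches a resource through chains of assumed roles) and the swimlane routing with escalation for higher-risk findings, here is an added example written for this post. It is not Sonrai Dig’s code and does not use its data model; every principal, resource, team and risk rule in it is constructed for illustration.

```python
from collections import deque

# --- Constructed sample inventory (illustrative names, not WFS data) -----------
# Each principal is "person" or "non-person" and may be able to assume roles.
PRINCIPALS = {
    "user:alice":            {"kind": "person",     "assumes": ["role:app-deploy"]},
    "user:bob":              {"kind": "person",     "assumes": []},
    "sp:ci-runner":          {"kind": "non-person", "assumes": ["role:app-deploy"]},
    "role:app-deploy":       {"kind": "non-person", "assumes": ["role:data-admin"]},
    "role:data-admin":       {"kind": "non-person", "assumes": []},
    "role:readonly-auditor": {"kind": "non-person", "assumes": []},
}
# Direct grants held by a principal: principal -> [(action, resource), ...]
GRANTS = {
    "role:data-admin":       [("s3:GetObject", "bucket:customer-pii"),
                              ("s3:PutObject", "bucket:customer-pii")],
    "role:readonly-auditor": [("s3:GetObject", "bucket:customer-pii")],
    "user:bob":              [("s3:GetObject", "bucket:public-assets")],
}
CROWN_JEWELS = {"bucket:customer-pii"}          # data stores that matter most
WRITE_ACTIONS = {"s3:PutObject"}                # actions treated as writes
# Assumed swimlane ownership: which team triages findings on each resource.
SWIMLANE_OWNER = {"bucket:customer-pii": "data-platform", "bucket:public-assets": "web"}
ESCALATION_LANE = "security-review"             # the "next level up" for sign-off


def effective_permissions(principal):
    """Return {(action, resource): chain} for every grant reachable from `principal`
    by following role-assumption edges transitively (breadth-first, so the chain
    kept for each permission is the shortest one found)."""
    perms = {}
    seen = {principal}
    queue = deque([[principal]])
    while queue:
        chain = queue.popleft()
        current = chain[-1]
        for action, resource in GRANTS.get(current, []):
            perms.setdefault((action, resource), chain)
        for nxt in PRINCIPALS[current]["assumes"]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(chain + [nxt])
    return perms


def who_can_access(resource):
    """The full list of principals that can reach `resource`, directly or through a
    chain of assumed roles, with the actions each ends up holding and one path."""
    result = {}
    for principal in PRINCIPALS:
        for (action, res), chain in effective_permissions(principal).items():
            if res == resource:
                entry = result.setdefault(principal, {"actions": set(), "chain": chain})
                entry["actions"].add(action)
    return result


def score(principal, action):
    """Constructed risk rule: writes to crown-jewel data are high, reads by
    non-person identities are medium, reads by people are low."""
    if action in WRITE_ACTIONS:
        return "high"
    if PRINCIPALS[principal]["kind"] == "non-person":
        return "medium"
    return "low"


def generate_findings():
    """One finding per (principal, action) that reaches a crown-jewel data store."""
    findings = []
    for principal in PRINCIPALS:
        for (action, resource), chain in effective_permissions(principal).items():
            if resource in CROWN_JEWELS:
                findings.append({"principal": principal, "action": action,
                                 "resource": resource, "chain": chain,
                                 "risk": score(principal, action)})
    return findings


def route(finding):
    """Swimlane routing: every finding goes to the owning team; high-risk findings
    additionally escalate for sign-off, mirroring the two-tier workflow above."""
    routed = dict(finding)
    routed["swimlane"] = SWIMLANE_OWNER[finding["resource"]]
    routed["escalate_to"] = ESCALATION_LANE if finding["risk"] == "high" else None
    return routed


def triage():
    """Run discovery, scoring and routing end to end."""
    return [route(f) for f in generate_findings()]


if __name__ == "__main__":
    for f in triage():
        path = " -> ".join(f["chain"])
        print(f"[{f['risk']:6}] {f['principal']} {f['action']} {f['resource']} via {path} "
              f"=> {f['swimlane']}" + (f", escalate to {f['escalate_to']}" if f["escalate_to"] else ""))
```

The point the traversal makes is the one in Sandy’s quote: `sp:ci-runner` holds no grant of its own, yet by assuming `role:app-deploy` and then `role:data-admin` it can write to the crown-jewel bucket, and a relational lookup on direct policy attachments would never show that. The routing step then sends each finding to the team that owns the resource and only escalates the high-risk ones, which is the shape of the swimlane and sign-off workflow described in the text.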
Through their partnership, Sonrai Security and WFS implemented security controls for more than 200 AWS accounts. They tackled the challenge of managing relationships among over 6,500 AWS roles, 1,000 Azure service principals, 10,000+ compute instances and hundreds of data stores.
Sonrai Dig empowered WFS to understand all the data and identity relationships across its cloud footprint, uncovering hidden risk. “We used to have to map it all out on a massive table with index cards, to trace through identities, what they could do and what data they could access,” said Richard Delisser, SVP of land technology, cloud, and infrastructure at World Fuel Services.
WFS shut down 20 of its 22 data centers in under two years and fully moved to the cloud in a secure and maintainable way. Furthermore, leveraging Sonrai’s automation and workflow capabilities, WFS eliminated 10,000 findings in one month and was able to retire its legacy security tooling and solutions. In the end, and with the help of the Sonrai enterprise cloud security platform, WFS exceeded their goals and are now firmly, and securely, in the cloud.