Sonrai Security website logo for identity and data governance and cloud security

Case Study: Fortune 100 Energy Company

World Fuel Services chooses Sonrai Dig to maximize efficiency, increase security, and reduce risk


World Fuel Services is 91 on the Fortune 500 list and provides energy procurement advisory services, supply fulfillment, and transaction and payment management solutions to the aviation, marine, and land transportation industries. It made $36.8 billion in revenue in 2019 and has sold 19.4 billion gallons of fuel.

The Problem

By 2018 World Fuel Services, a global fuel provider, had accumulated 22 data centers through business acquisitions, many of which were running legacy workloads. The company needed to consolidate its data centers to optimize costs and to deliver technology at the pace of a startup, so it set an audacious goal to migrate to the AWS public cloud and get out of the business of running data centers within 2 years.

Testimonial Bio Image
"Security is absolutely foundational for any large scale migration to the public cloud. Sonrai Security and the Sonrai Dig platform is central to the World Fuel Services cloud security operating model. The elimination of identity and data risks, automation, and continuous monitoring has transformed our cloud security operations, and helped accelerate our cloud migration.”

Richard Delisser
Senior Vice President, Land Technology, Cloud & Infrastructure
World Fuel Services

page background graphic

The Goal

Reduce Risk

Any large scale cloud migration has to be built off a foundation of strong operational security, and World Fuel quickly realized traditional first-generation CSPM platforms would overwhelm cloud and security teams with alerts as the cloud footprint increased. An exploding number of roles and identities would add identity and access complexity which, combined with increasing alerts, would have raised the risk to an unacceptable level.

Maximize Efficiency

World Fuel Services knew the current method of triaging and resolving security problems was not suited to an agile cloud-first company, and a new ‘Cloud Security Operating Model’ was needed to bridge operations between cloud, security, audit, and DevOps teams. For this reason, WFS partnered with Sonrai to implement best of breed cloud security.

Increase Security

To date, World Fuel has closed 20 of 22 data centers and Sonrai now provides security controls for World Fuel’s 200+ AWS accounts and Azure subscriptions, with over 6500 AWS roles, 1000 Azure service principals,10,000+ compute instances and hundreds of data stores.

Unlike many solutions that only show singular IAM relationships (e.g. a role with EC2FullAccess or an owner of a subscription), Sonrai Dig connected the dots to show all relationships in a single picture and uncovered hidden risks.

The Results

To eliminate identity risks, this customer leveraged automatic analytics based on Sonrai Dig’s resource graph. The IAM data collected across all World Fuel Services AWS accounts and Azure subscriptions by Dig was compiled into a normalized graph data model that quickly surfaced complex IAM and data relationships across all cloud identities. Unlike many solutions that only show singular IAM relationships (e.g. a role with EC2FullAccess or an owner of a subscription), Sonrai Dig connected the dots to show all relationships in a single picture and uncovered hidden risks. Excessive privilege risks can be eliminated, and ‘least privilege’ enforced.

The impact of automation has been stunning. Sonrai Dig organized analysis, alerts, and actions for environments into approximately 40 “swimlanes” – automatically directing issues to the right World Fuel team owners or bot responsible for remediating. Dig gives each environment overall importance and a single pane of glass with the visual representation of security posture and risk. The right issues go to the right team, eliminating alert fatigue. Sonrai Dig helped the team improve inventory management of people and non-people identities, providing an end-to-end view to manage coverage for all of their dynamic cloud assets. The ability to filter and get immediate information for any instance or object in their environment was key. Dig now monitors the organization’s entire cloud (QA, development, and production) for any configuration or access drift.

Page Background Graphic

Ready to De-Risk Your Public Cloud? See It For Yourself.

Identity and data access complexity are exploding in your public cloud. Tens of thousands of pieces of compute, thousands of roles, and a dizzying array of interdependencies and inheritances. First-generation security tools miss this as evidenced by so many breaches. Sonrai Dig de-risks your cloud by finding these holes, helping you fix them, and preventing those problems from occurring in the first place. Schedule a conversation to talk with us about how we can help your enterprise.