World Fuel Services chooses Sonrai Dig to maximize efficiency, increase security, and reduce risk
By 2018 World Fuel Services, a global fuel provider, had accumulated 22 data centers through business acquisitions, many of which were running legacy workloads. The company needed to consolidate its data centers to optimize costs and to deliver technology at the pace of a startup, so it set an audacious goal to migrate to the AWS public cloud and get out of the business of running data centers within 2 years.
Any large scale cloud migration has to be built off a foundation of strong operational security, and World Fuel quickly realized traditional first-generation CSPM platforms would overwhelm cloud and security teams with alerts as the cloud footprint increased. An exploding number of roles and identities would add identity and access complexity which, combined with increasing alerts, would have raised the risk to an unacceptable level.
World Fuel Services knew the current method of triaging and resolving security problems was not suited to an agile cloud-first company, and a new ‘Cloud Security Operating Model’ was needed to bridge operations between cloud, security, audit, and DevOps teams. For this reason, WFS partnered with Sonrai to implement best of breed cloud security.
To date, World Fuel has closed 20 of 22 data centers and Sonrai now provides security controls for World Fuel’s 200+ AWS accounts and Azure subscriptions, with over 6500 AWS roles, 1000 Azure service principals,10,000+ compute instances and 100’s of data stores.
To eliminate identity risks, this customer leveraged automatic analytics based on Sonrai Dig’s resource graph. The IAM data collected across all World Fuel Services AWS accounts and Azure subscriptions by Dig was compiled into a normalized graph data model that quickly surfaced complex IAM and data relationships across all cloud identities. Unlike many solutions that only show singular IAM relationships (e.g. a role with EC2FullAccess or an owner of a subscription), Sonrai Dig connected the dots to show all relationships in a single picture and uncovered hidden risks. Excessive privilege risks can be eliminated, and ‘least privilege’ enforced.
The impact of automation has been stunning. Sonrai Dig organized analysis, alerts, and actions for environments into approximately 40 “swim lanes” – automatically directing issues to the right World Fuel team owners or bot responsible for remediating. Dig gives each environment overall importance and a single pane of glass with the visual representation of security posture and risk. The right issues go to the right team, eliminating alert fatigue. Sonrai Dig helped the team improve inventory management of people and non-people identities, providing an end-to-end view to manage coverage for all of their dynamic cloud assets. The ability to filter and get immediate information for any instance or object in their environment was key. Dig now monitors the organization’s entire cloud (QA, development, and production) for any configuration or access drift.
Identity and data access complexity are exploding in your public cloud. Tens of thousands of pieces of compute, thousands of roles, and a dizzying array of interdependencies and inheritances. First-generation security tools miss this as evidenced by so many breaches. Sonrai Dig de-risks your cloud by finding these holes, helping you fix them, and preventing those problems from occurring in the first place. Schedule a conversation to talk with us about how we can help your enterprise.