Strengthen Your Azure Cloud Security

Integrate Your IT Operations with Sonrai Dig and Microsoft Azure


Secure identities, data and workloads in complex Azure environments

The modern cloud’s dynamic infrastructure presents extreme flexibility and innovation that can lead to runaway permissions issues, even in Azure.

Identity is the new perimeter of the cloud, and features like inheritable rights, privilege escalation capabilities, and the complexity of group and policy membership can bury an identity’s true access capabilities in a byzantine path hidden from traditional identity management tools.

It’s not about “excessive permissions” anymore. By simulating every attack path an identity could take, Sonrai Security’s effective permissions analytics identify those access paths in Azure regardless of how short-lived an identity’s access may be or how many degrees of separation it has from data.


Sonrai Dig is built on a sophisticated graph that continuously identifies and monitors every possible relationship between identities and data that exists inside your Azure cloud.

Dig works in concert with your underlying Azure security controls to enable audit, visibility, protection, detection, and automation of security controls running on Azure. Dig additionally monitors and remediates cloud misconfigurations and policy violations allowing customers to achieve continuous security and compliance.

Your Azure workloads require an integrated security approach with 24/7 Azure Cloud monitoring to protect and govern your identities and data.

Microsoft Azure Shared Responsibility Model For Cloud Security


How Sonrai and Microsoft Azure Work Together

Sonrai Dig uses Azure APIs to discover how your resources are configured and how identities can interact with those resources based on any permissions your enterprise has and any permissions which may have been granted.

This discovery helps your organization understand the state of your Azure cloud. From this baseline, Dig builds out the IAM model to understand the uniqueness of Azure’s identities around classic admins, defining management and RBAC groups, and determining how those are inherited through subscriptions and resources.


See every identity revealed, every right to data mapped in your Azure environment

Sonrai Dig will map every single RBAC assignment at a subscription or unique individual layer back to the identities that are associated with them. This mapping will give your enterprise a true understanding of not only the assigned permissions of a given identity but also the effective permissions it inherits through all of these assignments. Dig allows for scenarios in Azure to look for access keys granted on storage accounts so you can understand if people have access outside of the traditional IAM protocol. This process gives organizations full visibility and control of their cloud security posture by graphing and monitoring identity and data access to detect cloud drift and misconfigurations and to comply with regulatory requirements and best practices.

Manage your organization identity risks, and auto remediate them

Sonrai Dig will map every single RBAC assignment at a subscription or unique individual layer back to the identities that are associated with them

Detect privilege escalation, separation of duty risks across roles, accounts, tables, services, and toxic combinations across any Azure service

Dig allows for scenarios in Azure to look for access keys granted on storage accounts so you can understand if people have access outside of the traditional IAM protocol

See & Protect all Sensitive Data

In Azure, data exists in many places across your cloud. Sonrai Dig locates and identifies all data within your Azure cloud to provide an up-to-date model of who and/or what can access it and from where. Furthermore, the platform can audit every single action to determine a continuous baseline of what’s happening with your data. Should a deviation be found, the right teams are alerted to the right problem. Not only can Sonrai Dig find where your data is in the cloud and who and what can access it, we can also classify your data. This feature comes with out-of-the-box models to help your enterprise find PII and other sensitive data. Sonrai Dig also has custom configurations to help you with your own unique data models.


Locate and identify all data within your Azure cloud to provide an up-to-date model of who and/or what can access them and from where data is accessed

Discover and classify data across all your data stores – Azure Data Lake, Azure SQL, Azure blob, and more

Provide Least Access, track data movement and lock down crown jewel data (PII, PCI, etc.)

Behavioral modeling: Instantly detects changes in data access behavior, including access from new identities, access from undesirable locations including geography, and unusual changes in how identities access data. Sonrai Dig will also detect if suspicious access is granted before it is used

Automated blocking: Depending on the severity of the alert, Sonrai Dig can either block all access to a store, block a specific identity from access, or temporarily downgrade access privileges for a specific identity


Gain Continuous Cloud Security Posture Management (CSPM) in Azure

Sonrai Dig works on the Azure foundation in your cloud to provide a cloud security and risk operating model that spans all identities, data, and resources. Initially, Sonrai Dig will discover everything that is deployed in Azure – all of the different data stores, all of the networks you have in your subscriptions, and all of the ways identities are configured in your Azure environment to provide contextual value to your sensitive information. Once we have a baseline and contextual view, Dig will then run security use cases, like NIST CyberSecurity Framework, ISO 27001, GDPR, HIPAA, and other compliance mandates, against your environment to ensure your key values are met.

Is your data protected properly?

Do you have issues with privilege escalation?

Do you have CSPM issues?

We know that security is not a static thing, so Sonrai Dig continuously audits all of the changes that are happening in Azure to be sure that your security posture is kept up-to-date and you have a single end-to-end view of your Azure environment’s risk profile.

Sonrai Dig works on the Azure foundation in your cloud to provide a cloud security and risk operating model that spans all identities, services, data stores, secret stores, and networks.

Build a baseline and contextual view of your cloud security posture

Run security use cases, like NIST Cybersecurity Framework, ISO 27001, GDPR, HIPAA, against your environment to ensure compliance

Sonrai Dig continuously audits all of the changes to be sure your security model is kept up-to-date

Contextually prioritize and auto remediate your findings using our proprietary swim lanes

Organize, Prioritize & Fix at Scale

Dig brings all the best practices from Azure and policies together into one platform

Operationalize your Cloud Security Model with automation

Build swimlanes based not just on your accounts and workloads, but rather in line with your governance model

Owners of those environments and applications are best positioned to review the risks and decide on the best path forward

Built-in Automation bots that can be used to prevent and/or remediate issues at the speed of cloud

Dig’s Governance Automation Engine automates workflow, remediation, and prevention capabilities across cloud, DevOps, DevSecOps, and security teams to ensure end-to-end security and visibility


Sonrai Dig Keeps You On Top of Your Azure Environment

In Azure, it is likely your org divides workloads and environments into things like subscriptions, management groups, and resource groups.

Because your Azure environment is extremely complex, it becomes very difficult to keep track of what each and every identity has permission to do, if that permission has been used, and what data it can access. Sonrai Dig maps every trust relationship, inherited permission, and policy for all of the resources, data stores and identities in Azure. Through this model, Dig is able to detect identity risks such as privilege escalation, separation of duty violations, and toxic combinations across your Azure environment.

Dig’s Governance Automation Engine enables enterprises to “shift left” and integrate teams via organized analysis, alerts, and actions that align with how your organization uses your cloud(s). Dig allows customized monitoring and views for development, staging, or production workloads and an API architecture that can be integrated into your CI/CD pipelines. To effectively manage and secure your enterprise, Dig maps your workloads into swimlanes, where each swimlane represents a specific slice of your environment, determined by you and how your business works. For example, traditional swimlanes would include your Dev, Stage, and Prod environments where your governance models are applied in a way that makes sense to you. Alerting and remediation would be in the context of the swimlanes, which helps to eliminate alert fatigue and enables effective management of risks that arise. Dig’s Governance Automation Engine automates workflow, remediation, and prevention capabilities across cloud and security teams to ensure end-to-end security and visibility.

Powered by a Patented Cloud Identity Graph & Analytics Engine

If identity is the new perimeter, Sonrai is your perimeter schematic. It’s the only source for comprehensive intelligence on identity-to-data pathways. A big data analytics engine continuously updates every complex path an identity has used or could use to access data – sometimes 12 relationships and inheritances deep or more. All activity, all relationships, all identities. See everything, connect everything, and build a foundation for cloud security.

Understand how our analytics engines can help you

Deep Understanding and Integration with Azure

Sonrai Dig’s unique integration with Azure provides deeper insights into identity and data in your cloud.

For example, Azure Security Center uses a wide variety of physical, infrastructure, and operational controls to help secure Azure — but there are additional actions you need to take to help safeguard your workloads. With Sonrai Dig, you can uncover all identity and data relationships between people and non-people identities (admins, roles, compute instances, serverless functions, and containers) across multi-cloud accounts and third-party data stores to further strengthen your security posture and protect against threats.


Dig also has an integration with Advanced Data Security (ADS), which is a unified package for advanced SQL security capabilities. Dig with ADS includes functionality for discovering and classifying sensitive data, surfacing and mitigating potential database vulnerabilities through overprivileged identities, and detecting anomalous activities that could indicate a threat to your database. The combined integration provides a single go-to location for managing and governing these activities, including data classification, drift detection, and more.


Organizations that already use on-premise Active Directory can synchronize their identities with Azure AD to provide seamless integration between on-premise and cloud resources. While this may seem seamless, migrating workloads from on-premise to the cloud can be an identity and data security challenge for enterprises.


Utilize Sonrai with Azure Sentinel

Dig also sends alerts to Azure Sentinel, bringing insights around configuration, identity, and data risks of a particular application or the entire cloud environment within the Sentinel Console. Ticket activities in Dig, like remediations and snoozes, can be configured to appear in Sentinel to give a comprehensive picture of security event management. Sentinel users can also run automation & orchestration playbooks off of Sonrai alerts.


Annual Subscription Offered Through Azure Marketplace

Sonrai Dig’s integration provides visibility and context across hundreds of Microsoft Azure services. The result is no blind spots, and Dig also integrates seamlessly with Azure Sentinel.


Microsoft Azure & Sonrai FAQs

Q. Is Sonrai Security available through the Microsoft Azure Marketplace?

A. Sonrai Dig is available for direct purchase on the Azure Marketplace.

Q. Can Sonrai’s platform protect workloads running on Azure?

A. Our platform can prevent unauthorized access, enforce container immutability, network segmentation and segregation of duties.

Q. What Azure service integrations are available?

A. Sonrai Dig’s cloud security platform provides security, visibility and context for more than 150 Azure services.

Q. What is the Microsoft Azure Shared Responsibility Model?

A. Like most cloud providers, Azure operates under a shared responsibility model. Azure takes care of the security ‘of’ the cloud while Azure customers are responsible for security ‘in’ the cloud. Learn more about the shared responsibility model.


See Sonrai’s integration with Microsoft Azure firsthand