Get to and maintain least privilege. Eliminate all identity risks in your cloud

We show you what has access, how access is possible and where best to eliminate risk.

  • Decode permissions and activity of roles and identities
    Companies in today’s world have 1000s of roles across 100s of cloud accounts. Often 10,000+ non-people identities of computer instances, serverless functions, and containers dominate activity and risk. Track permissions and monitor activity of all of these identities as they create roles, assume roles, and gain access to your data.
  • Uncover all possible access points across many different paths
    Group membership, SCP policies, object permissions, resource statements, and many other controls determine access rights in your public cloud. You need one place to understand possible combinations. Keep track of all possible access paths to your data. You will see access paths you didn't know existed and risky unused rights to data you should remove.
  • Reveal toxic permission combinations
    We discover risky combinations of permissions, such as the ability to pass a role to a serverless function coupled with permission to modify that function’s behavior. Looking at a role in isolation is insufficient; the risk only appears when the permissions are viewed together. We find the toxic combinations.
  • Normalize different IAM models of each cloud provider
    AWS, Azure, and Google Cloud have very powerful, very complex, and very different IAM tooling. The Sonrai platform normalizes IAM models so your security, audit, and cloud teams don’t need to understand all the intricacies of vastly different IAM systems.
  • Extend visibility into container platforms and key stores
    Model access allowed by container platforms like Kubernetes and services like EKS and AKS that have distinct identity and access models. Integrations with keystores like KMS and HashiCorp Vault enable tracking of activity when key stores are central to your cloud.
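The toxic combination named above (iam:PassRole together with the ability to change a function's code or configuration) can be checked directly against the policy documents attached to an identity. The following is an added example, not Sonrai code; the three policy sets are constructed samples, the `TOXIC_COMBOS` table is an assumed starting list, and Resource and Condition elements are deliberately ignored so the check errs toward reporting rather than missing a pairing.

```python
"""Flag identities whose attached IAM policies allow both sides of a
toxic permission pairing (example code, not Sonrai's; sample policies
below are constructed)."""
import fnmatch

# Each entry: (name, actions on one side, actions on the other side).
# Assumed starting list; the pairing is the one the text describes.
TOXIC_COMBOS = [
    (
        "pass-role + modify-lambda",
        {"iam:PassRole"},
        {"lambda:UpdateFunctionCode",
         "lambda:UpdateFunctionConfiguration",
         "lambda:CreateFunction"},
    ),
]


def _as_list(value):
    """IAM allows a string or a list in Action/Statement; normalise."""
    return value if isinstance(value, list) else [value]


def allowed_actions(policies, candidates):
    """Return the subset of `candidates` the policy documents allow.

    Action wildcards ("lambda:*", "*") are expanded with fnmatch; IAM
    action names are case-insensitive, so both sides are lowercased.
    An unconditional Deny removes an action (Deny wins in IAM); a Deny
    carrying a Condition is skipped because it may not apply to every
    request, so the Allow stays visible to the reviewer.
    Resource and Condition on Allow statements are ignored (assumption:
    a coarse first pass over the identity)."""
    allowed, denied = set(), set()
    for doc in policies:
        for stmt in _as_list(doc.get("Statement", [])):
            effect = stmt.get("Effect")
            if effect == "Deny" and "Condition" in stmt:
                continue
            patterns = [p.lower() for p in _as_list(stmt.get("Action", []))]
            target = allowed if effect == "Allow" else denied
            for action in candidates:
                if any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
                    target.add(action)
    return allowed - denied


def find_toxic_combinations(identity_policies):
    """identity_policies: {identity: [policy_doc, ...]}.
    Returns {identity: [(combo_name, sorted matched actions), ...]} for
    identities that hold at least one action on each side of a pairing."""
    findings = {}
    for name, docs in identity_policies.items():
        for combo, left, right in TOXIC_COMBOS:
            have_left = allowed_actions(docs, left)
            have_right = allowed_actions(docs, right)
            if have_left and have_right:
                findings.setdefault(name, []).append(
                    (combo, sorted(have_left | have_right)))
    return findings


# Constructed sample identities (not real account data).
SAMPLE_IDENTITIES = {
    # Can pass roles AND rewrite any function: toxic.
    "deploy-role": [{
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["iam:PassRole"], "Resource": "*"},
            {"Effect": "Allow", "Action": "lambda:*", "Resource": "*"},
        ],
    }],
    # Lambda rights but no PassRole: not toxic on its own.
    "ops-user": [{
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow",
                       "Action": ["lambda:UpdateFunctionCode"],
                       "Resource": "*"}],
    }],
    # Broad Allow, but an unconditional Deny removes PassRole: not toxic.
    "restricted-admin": [
        {"Version": "2012-10-17",
         "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]},
        {"Version": "2012-10-17",
         "Statement": [{"Effect": "Deny", "Action": "iam:PassRole",
                        "Resource": "*"}]},
    ],
}

if __name__ == "__main__":
    for identity, items in find_toxic_combinations(SAMPLE_IDENTITIES).items():
        for combo, actions in items:
            print(f"{identity}: {combo} via {', '.join(actions)}")
```

The wildcard handling is what makes the check useful in practice: an identity with `lambda:*` or `*` never names `lambda:UpdateFunctionCode` literally, and a literal string comparison would miss it. Treating conditional Denies as non-blocking is a deliberate bias toward false positives, which a reviewer can clear by reading the condition.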

Lock down your “crown-jewel” data

We have found unintended and mistaken data exposure in 90% of customers deployed. Monitoring for public ‘buckets’ is important but not enough. Extend monitoring to all data, resources, and microservices.

  • Continuously monitor database and database service access
    Databases like DynamoDB, CosmosDB, RDS, Data Lake, Big Table and many more cloud based data stores contain your sensitive data. In addition to looking for public buckets and objects stores, Sonrai discovers and monitors access to these critical stores and resources.
  • Highlight resources with a large blast radius
    All potential access paths to your data by any serverless function, container, VM, or person are uncovered and categorized by privilege. Access possible through role switching and assumption is revealed. Sonrai will highlight data stores reachable from 100s of identities so you can drastically reduce exposure.
  • Baseline trust relationships to sensitive data
    Baselining discovers and ‘locks’ trust relationships to your resources and data. Any downstream policy, role or privilege change that enables undesired access will automatically generate alerts.
  • Perform ‘second level’ audit of data stores
    Did you know that a bucket may be non-public while an object in the bucket may be publicly exposed? Sonrai allows deep monitoring of data resources to the object or field level. Additionally, get full visibility of activity when using 3rd party secret stores.
  • Prioritized monitoring based on data classification
    Organize your cloud resources into development, staging, production, regulated, and sensitive ‘swimlanes’. Behavioral monitoring and risk sensitivity are customized for each swimlane.

Shift left by integrating your security, cloud, audit, IAM, and DevOps teams

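The blast-radius idea above (every path an identity can take to a data store, including through role assumption) is a graph reachability problem. The following added example, which is not Sonrai code, walks a constructed identity graph: each edge is a role that a principal may assume (taken from that role's trust policy; the caller-side sts:AssumeRole permission is assumed present and not modelled separately), and each data store lists the principals its resource policy or IAM grants allow. Names such as `role:etl` and `bucket:pii-archive` are sample values.

```python
"""Enumerate access paths to data stores through role assumption and rank
stores by blast radius (example code, not Sonrai's; graph is constructed)."""
from collections import deque

# principal -> roles it may assume, derived from those roles' trust policies.
# Assumption: trust-policy principal == usable edge. Constructed sample.
TRUSTS = {
    "user:alice": ["role:ci-deploy"],
    "user:bob": ["role:reporting"],
    "function:ingest": ["role:etl"],
    "instance:web-01": ["role:app"],
    "instance:web-02": ["role:app"],
    "role:ci-deploy": ["role:etl"],   # role chaining
    "role:app": ["role:reporting"],   # role chaining
}

# data store -> principals granted access directly. Constructed sample.
DATA_ACCESS = {
    "bucket:pii-archive": ["role:etl", "role:reporting"],
    "table:orders": ["role:app"],
    "secret:payment-key": ["role:etl"],
}


def shortest_paths(start, trusts=TRUSTS):
    """BFS over assume-role edges; returns {principal: [start, ..., principal]}.
    Cycle-safe: a principal is recorded the first time it is reached."""
    paths = {start: [start]}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in trusts.get(cur, []):
            if nxt not in paths:
                paths[nxt] = paths[cur] + [nxt]
                queue.append(nxt)
    return paths


def origin_identities(trusts=TRUSTS, data_access=DATA_ACCESS):
    """Non-role principals (people and workloads) that can start a path."""
    names = set(trusts)
    for grantees in data_access.values():
        names.update(grantees)
    return sorted(n for n in names if not n.startswith("role:"))


def access_paths(trusts=TRUSTS, data_access=DATA_ACCESS):
    """store -> {origin identity: path ending at the store}.
    Includes direct grants and grants reached by switching roles."""
    result = {store: {} for store in data_access}
    for origin in origin_identities(trusts, data_access):
        reach = shortest_paths(origin, trusts)
        for store, grantees in data_access.items():
            for grantee in grantees:
                if grantee in reach and origin not in result[store]:
                    result[store][origin] = reach[grantee] + [store]
    return result


def blast_radius(threshold=1, trusts=TRUSTS, data_access=DATA_ACCESS):
    """[(store, number of distinct origin identities)] for stores reachable by
    at least `threshold` identities, largest first."""
    counts = [(store, len(ids)) for store, ids in
              access_paths(trusts, data_access).items()]
    ranked = sorted(counts, key=lambda item: -item[1])
    return [(store, n) for store, n in ranked if n >= threshold]


if __name__ == "__main__":
    paths = access_paths()
    for store, n in blast_radius():
        print(f"{store}: reachable by {n} identities")
        for origin, path in sorted(paths[store].items()):
            print("   " + " -> ".join(path))
```

In the sample, `bucket:pii-archive` is reachable by all five workload and user identities even though only two roles are named on it, and both web instances reach it through two hops (`role:app` then `role:reporting`); a per-role view of either role would not show that. Removing the `role:app -> role:reporting` trust edge is the single change that shrinks that store's blast radius the most, which is the kind of remediation the prioritisation is meant to surface.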
Sonrai Dig organizes analysis, alerts, and actions the way you organize your cloud.

  • “Swimlanes” that reflect your cloud organization
    Dev teams across your business populate your cloud with workloads and data in development, staging, and production. Some workloads access sensitive data while others do not. Some workloads are blocked from external access while others are not. Structure your cloud into swimlanes that reflect your different needs for monitoring and control.
  • Context-based alerting
    Too many alerts going to the wrong teams? Sonrai Dig does not let this happen. Did something happen in dev, staging, production or regulated workflow? Sonrai Dig sends alerts to the correct teams who own the problem.
  • API driven automation
    A platform entirely driven by open APIs allows integration into CI/CD development pipelines. Automated checks in development or staging swimlanes ensure costly configuration mistakes don’t make it into production.
  • Workflow for integrating your security, cloud, audit, IAM, and DevOps teams
    Role-based access gives each team its own view depending on its role and ownership: DevOps, Security, Audit, IAM, and Cloud teams all get their own role-based access. Problems and remediations are tied to swimlanes and to the dev teams who must eliminate the risk.
Fix problems fast. Prevent them from happening in the first place

Remediation bots fix problems that are found. But, how about preventing those problems from happening in the first place? Sonrai Dig does both! Our identity and data governance platform puts prevention rules in place across your cloud and makes sure they stay there. As people try to move workloads to production, checks are in place, and promotion only happens if your risk policies are followed.

  • Prevention Bots
    Policies applied to swimlanes prevent the creation or change of risky cloud services and thus eliminate the possibility of risks being created in the first place.
  • Remediation Bots
    Out-of-the-box smart bots eliminate risks automatically, and a flexible framework allows you to add your own bots. Workflow gives you control over escalation, and all bot activity is audited.
  • Code Promotion Blocks
    APIs allow full integration into your CI/CD pipeline so that code promotion from staging to production only happens if all risks are eliminated and identity and data governance standards are enforced.
Unify Compliance and Platform Configuration Monitoring

In addition to identity and data monitoring, the Sonrai platform delivers 100% of the security and compliance controls needed for monitoring base platform configuration of AWS, Azure, Google Cloud, and Kubernetes.

  • Cloud platform posture and out-of-the box compliance frameworks
    Security groups with Internet access or exposed ports, public buckets, encryption and audit state, access key rotation, and weak ciphers are examples of the 100s of controls that are continuously monitored. Controls are organized into frameworks to support CIS, NIST, PCI, HIPAA and many other compliance mandates.
  • Separation of duties, escalation, and other identity controls
    Risk lies in the interaction between settings, policies, access rights and identities. First-generation security tools miss these interactions. Sonrai has extensive coverage of controls that address separation of duties, escalation, and over-privilege risk.
  • Tailored frameworks that address privacy mandates like GDPR
    Track access to your data at a granular level and tie that access to identities and geography. We see where your data is and where the computer that accesses your data is.

Webinar: Pillars of Cloud Security: How “Shift-Left” Enhances a Secure SDLC

The idea of “shift-left,” moving the responsibility for designing and implementing security as early as possible in the software development and system design process, has proven to be an integral part of improving security. In addition, resolving problems this way makes sure they are fixed permanently rather than patched after the fact.