Eliminate all identity risks. Get to Least Privilege and stay there

We show you what has access, how that access is possible, and where best to eliminate risk.

  • Decode permissions and activity of roles and identities
    Companies today have thousands of roles across hundreds of cloud accounts. Often more than 10,000 non-human identities (compute instances, serverless functions, and containers) dominate both activity and risk. Track the permissions and monitor the activity of all of these identities as they create roles, assume roles, and gain access to your data.
  • Uncover all possible access points across many different paths
    Group membership, service control policies (SCPs), object permissions, resource policy statements, and many other controls determine access rights in your public cloud. You need one place to understand the possible combinations. Keep track of every access path to your data. You will see access paths you did not know existed, and risky, unused rights to data that you should remove.
  • Reveal toxic permission combinations
    Combinations of permissions are discovered, for example the ability to pass a role to a serverless function coupled with permission to modify that function's code: separately each looks harmless, together they let the holder run arbitrary code with the passed role's privileges. An isolated view of a role cannot show this. We find the toxic combinations.
  • Normalize different IAM models of each cloud provider
    AWS, Azure, and Google Cloud have very powerful, very complex, and very different IAM tooling. The Sonrai platform normalizes these IAM models so your security, audit, and cloud teams do not need to understand the intricacies of each vastly different IAM system.
  • Extend visibility into container platforms and key stores
    Model the access allowed by container platforms such as Kubernetes and managed services such as EKS and AKS, which have their own identity and access models. Integrations with key stores such as AWS KMS and HashiCorp Vault track activity when key stores are central to your cloud.
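To make the toxic-combination point concrete, here is an added example (not Sonrai's code) that evaluates a set of attached IAM policy documents for action pairs that escalate privilege, the page's pass-a-role-then-change-the-function case among them, plus the equivalent EC2 instance-profile pair. The combination table, the policy documents and the identity they belong to are constructed for the example. The evaluator honours Allow, Deny and NotAction on the Action element only; Resource and Condition scoping, which in a real check can narrow a PassRole grant to specific roles or services, are deliberately left out, so a hit is a candidate for review rather than a confirmed escalation.

```python
"""Find toxic permission combinations in a set of IAM policy documents.

Added example, not Sonrai's code. Matching is on the Action element only;
Resource and Condition (e.g. iam:PassedToService) are out of scope here.
"""
from fnmatch import fnmatchcase

# Action pairs that are harmless alone but together let the holder run code
# under another role's privileges. The Lambda pairs are the page's example
# (pass a role to a function, then change what the function does); the EC2
# pair is the instance-profile variant. Assumed, illustrative list.
TOXIC_COMBINATIONS = [
    (("iam:PassRole", "lambda:CreateFunction"),
     "create a Lambda function that runs as any role the caller can pass"),
    (("iam:PassRole", "lambda:UpdateFunctionCode"),
     "replace an existing function's code and run it as the function's role"),
    (("iam:PassRole", "ec2:RunInstances"),
     "launch an instance with a chosen instance profile and harvest its credentials"),
]


def _as_list(value):
    """IAM lets most elements be a string or a list; normalize to a list."""
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    """IAM action names match case-insensitively, with * and ? wildcards."""
    return fnmatchcase(action.lower(), pattern.lower())


def is_allowed(policy_docs, action):
    """Evaluate one action across every attached policy document.

    An explicit Deny anywhere wins; otherwise at least one Allow must match.
    """
    allowed = False
    for doc in policy_docs:
        for stmt in _as_list(doc.get("Statement", [])):
            if "NotAction" in stmt:
                hit = not any(_matches(p, action) for p in _as_list(stmt["NotAction"]))
            else:
                hit = any(_matches(p, action) for p in _as_list(stmt.get("Action", [])))
            if not hit:
                continue
            if stmt.get("Effect") == "Deny":
                return False
            if stmt.get("Effect") == "Allow":
                allowed = True
    return allowed


def find_toxic_combinations(policy_docs):
    """Describe every toxic pair that the policies allow in full."""
    return [why for actions, why in TOXIC_COMBINATIONS
            if all(is_allowed(policy_docs, a) for a in actions)]


# Constructed sample policies for a hypothetical identity. Each attached policy
# looks reasonable on its own; together they form a role-hijack path.
DEVELOPER_POLICIES = [
    {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["lambda:*", "logs:*"], "Resource": "*"}]},
    {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"}]},
]

# Same grants plus an explicit Deny on PassRole: the combination disappears.
HARDENED_POLICIES = DEVELOPER_POLICIES + [
    {"Version": "2012-10-17", "Statement": [
        {"Effect": "Deny", "Action": "iam:PassRole", "Resource": "*"}]},
]

if __name__ == "__main__":
    for name, docs in (("developer", DEVELOPER_POLICIES), ("hardened", HARDENED_POLICIES)):
        print(name, find_toxic_combinations(docs) or "no toxic combinations")
```

Feeding it real data means pulling every managed and inline policy attached to the identity and to each group it belongs to; the evaluation order (Deny first, then any Allow) is the same as IAM's, but permission boundaries and SCPs would have to be applied as an extra filter on the result.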
Discover, classify, lock down, and monitor “crown-jewel” data

We have found unintended and mistaken data exposure in 90% of customer deployments. Monitoring for public ‘buckets’ is important but not enough. Extend monitoring to all data, resources, and microservices.

  • Continuously monitor database and database service access
    Databases such as DynamoDB, Cosmos DB, RDS, Data Lake, Bigtable, and many other cloud-based data stores hold your sensitive data. In addition to looking for public buckets and object stores, Sonrai discovers and monitors access to these critical stores and resources.
  • Highlight resources with a large blast radius
    All potential access paths to your data from any serverless function, container, VM, or person are uncovered and categorized by privilege, including access that is only possible through role switching and role assumption. Sonrai highlights data stores reachable from hundreds of identities so you can drastically reduce exposure.
  • Baseline trust relationships to sensitive data
    Baselining discovers and ‘locks’ the trust relationships to your resources and data. Any downstream policy, role, or privilege change that enables access outside that baseline automatically generates an alert.
  • Perform ‘second level’ audit of data stores
    Did you know that a bucket may be non-public while an object in it is publicly exposed, for example when the bucket itself grants nothing to the public but an object ACL grants read to everyone? Sonrai allows deep monitoring of data resources down to the object or field level. Additionally, get full visibility of activity when using third-party secret stores.
  • Prioritized monitoring based on data classification
    Organize your cloud resources into development, staging, production, regulated, and sensitive ‘swimlanes’. Behavioral monitoring and risk sensitivity are customized for each swimlane.
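The second-level audit and the trust baselining described above, as one added example (not Sonrai's code): `public_grants` and `exposed_objects` find objects whose own ACL is public inside a bucket whose ACL is not, and `assume_role_principals` and `trust_drift` record who may assume a role at baseline time and report any principal added since. The ACL and trust-policy dicts use the shapes boto3's `get_bucket_acl()`, `get_object_acl()` and `get_role()` return, so live data can be fed in unchanged; the account IDs, object keys and policies here are constructed. Bucket policies and S3 Block Public Access also decide exposure and are not modelled: this looks at ACLs only.

```python
"""Second-level audit of an object store plus trust-relationship baselining.

Added example, not Sonrai's code. ACLs only; bucket policies and S3 Block
Public Access are not modelled. All sample data below is constructed.
"""

# S3 predefined groups whose grants reach outside the owning account.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "everyone",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def public_grants(acl):
    """(who, permission) pairs in an ACL that grant access beyond the account."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue
        who = PUBLIC_GROUP_URIS.get(grantee.get("URI"))
        if who:
            found.append((who, grant["Permission"]))
    return found


def exposed_objects(bucket_acl, object_acls):
    """Objects whose own ACL is public although the bucket ACL is not.

    object_acls maps object key -> ACL dict. A public bucket ACL is a
    first-level finding and is left to the bucket-level check.
    """
    if public_grants(bucket_acl):
        return {}
    exposed = {}
    for key, acl in object_acls.items():
        grants = public_grants(acl)
        if grants:
            exposed[key] = grants
    return exposed


def assume_role_principals(trust_policy):
    """Principals the trust policy lets assume the role (any sts:AssumeRole* action)."""
    principals = set()
    for stmt in _as_list(trust_policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if not any(a.startswith("sts:assumerole") or a in ("sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            principals.add("*")  # anyone at all; always worth an alert
            continue
        for kind, values in principal.items():  # kind is AWS, Service or Federated
            for value in _as_list(values):
                principals.add(f"{kind}:{value}")
    return principals


def trust_drift(baseline_policy, current_policy):
    """Principals that can assume the role now but could not when it was baselined."""
    return sorted(assume_role_principals(current_policy) - assume_role_principals(baseline_policy))


# Constructed sample data (hypothetical account IDs, keys and canonical ID).
OWNER = {"Type": "CanonicalUser", "ID": "owner-canonical-id"}
BUCKET_ACL = {"Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}
OBJECT_ACLS = {
    "reports/internal.csv": {"Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]},
    "reports/q3.csv": {"Grants": [
        {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"}]},
}
BASELINE_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/Deploy"}}]}
CURRENT_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Principal": {"AWS": ["arn:aws:iam::111122223333:role/Deploy",
                           "arn:aws:iam::999988887777:root"]}}]}

if __name__ == "__main__":
    print("exposed objects:", exposed_objects(BUCKET_ACL, OBJECT_ACLS))
    print("new trust principals:", trust_drift(BASELINE_TRUST, CURRENT_TRUST))
```

Run against a live account, the object walk is the expensive part (one `get_object_acl` per key), which is why the bucket-level check comes first and why enabling Block Public Access, which overrides object ACLs, is the cheaper fix where it can be applied. The drift check is only as good as the baseline: store it at the moment the trust relationship was reviewed, and re-baseline deliberately rather than by overwriting on every scan.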
Unify Compliance and Platform Configuration Monitoring

In addition to identity and data monitoring, the Sonrai platform delivers 100% of the security and compliance controls needed for monitoring base platform configuration of AWS, Azure, Google Cloud, and Kubernetes.

  • Cloud platform posture and out-of-the box compliance frameworks
    Security groups open to the Internet or with exposed ports, public buckets, encryption and audit logging state, access key rotation, and weak ciphers are examples of the hundreds of controls that are continuously monitored. Controls are organized into frameworks that support CIS, NIST, PCI, HIPAA, and many other compliance mandates.
  • Separation of duties, escalation, and other identity controls
    Risk lies in the interaction between settings, policies, access rights, and identities. First-generation security tools miss these interactions. Sonrai has extensive coverage of controls that address separation of duties, privilege escalation, and over-privilege risk.
  • Tailored frameworks that address privacy mandates like GDPR
    Track access to your data at a granular level and tie that access to identities and geography. We see where your data is and where the compute that accesses it runs.
Governance Automation allows companies to shift left and integrate teams

Sonrai Dig organizes analysis, alerts, and actions the way you organize your cloud. Dig also automatically dispatches prevention and remediation bots and provides safeguards in the form of code promotion blocks.

  • “Swimlanes” that reflect your cloud organization
    Dev teams across your business populate your cloud with workloads and data in development, staging, and production. Some workloads access sensitive data while others do not. Some workloads are blocked from external access while others are not. Structure your cloud into swimlanes that reflect your different needs for monitoring and control.
  • Context-based alerting
    Too many alerts going to the wrong teams? Sonrai Dig does not let this happen. Whether something happened in a development, staging, production, or regulated swimlane, Sonrai Dig sends the alert to the team that owns the problem.
  • API driven automation
    A platform entirely driven by open APIs allows integration into CI/CD development pipelines. Automated checks in development or staging swimlanes ensure that costly configuration mistakes do not make it into production.
  • Remediation Bots
    Out-of-the-box smart bots eliminate risks automatically, and a flexible framework lets you add your own bots. Workflow gives you control over escalation, and all bot activity is audited.
  • Prevention Bots
    Policies applied to swimlanes prevent the creation or change of risky cloud services, eliminating the possibility of the risk being created in the first place.
  • Code Promotion Blocks
    APIs allow full integration into your CI/CD pipeline so that code promotion from staging to production only happens if all risks are eliminated and identity and data governance standards are enforced.

Pillars of Cloud Security: Prevent Problems or Fix Them Fast

The best cloud security teams have a clear categorization of their environments, craft policies and controls appropriate to each, and then handle the alerts that come when controls detect problems. The idea of “Prevent Problems or Fix Them Fast” is to add as much automation as possible, both to remediate problems that are detected and to prevent them from occurring in the first place. Just as the controls are adapted to each swimlane of activity, so must the remediation or prevention be.