Migrating to the cloud has become a popular business move for organisations and one of strategic importance for surviving the move to hybrid working. Top of the priority list for CISOs, however, is ensuring the migration happens securely. Shawn M Bowen, CISO of World Fuel Services, tells us how the company – as one of the world’s leading energy organisations – managed to embed security as a foundation for its large-scale migration to the public cloud, and how Sonrai Security and the Sonrai Dig platform is central to the World Fuel Services cloud security operating model.
World Fuel Services is 91 on the Fortune 500 list and provides energy procurement advisory services, supply fulfilment and transaction and payment management solutions to the aviation, marine and land transportation industries.
The problem
World Fuel Services needed to consolidate its data centres to optimise costs and to deliver technology at the pace of a startup, so it set an audacious goal to migrate to the AWS public cloud and get out of the business of running data centres, within two years.
“Security is absolutely foundational for any large-scale migration to the public cloud,” said Richard Delisser, Senior Vice President of Land Technology, Cloud & Infrastructure, World Fuel Services. “Sonrai Security and the Sonrai Dig platform is central to the World Fuel Services cloud security operating model. The elimination of identity and data risks, automation and continuous monitoring has transformed our cloud security operations and helped accelerate our cloud migration.”
The goal
Reduce risk
Any large-scale cloud migration has to be built off a foundation of strong operational security, and World Fuel quickly realised traditional first-generation CSPM platforms would overwhelm cloud and security teams with alerts as the cloud footprint increased. An exploding number of roles and identities would add identity and access complexity which, combined with increasing alerts, would have raised the risk to an unacceptable level.
Maximise efficiency
World Fuel Services knew the current method of triaging and resolving security problems was not suited to an agile cloud-first company, and a new ‘Cloud Security Operating Model’ was needed to bridge operations between cloud, security, audit and DevOps teams. For this reason, WFS partnered with Sonrai to implement best-of-breed cloud security.
Increase security
To date, World Fuel has closed 20 of 22 data centres and Sonrai now provides security controls for World Fuel’s 200+ AWS accounts and Azure subscriptions, with over 6,500 AWS roles, 1,000 Azure service principals, 10,000+ compute instances and hundreds of data stores.
The result
To eliminate identity risks, this customer leveraged automatic analytics based on Sonrai Dig’s resource graph. The IAM data collected across all World Fuel Services AWS accounts and Azure subscriptions by Dig were compiled into a normalised graph data model that quickly surfaced complex IAM and data relationships across all cloud identities. Unlike many solutions that only show singular IAM relationships (e.g. a role with EC2FullAccess or an owner of a subscription), Sonrai Dig connected the dots to show all relationships in a single picture and uncovered hidden risks. Excessive privilege risks can be eliminated and ‘least privilege’ enforced.
The impact of automation has been stunning. Sonrai Dig organised analysis, alerts and actions for environments into approximately 40 ‘swim lane’ – automatically directing issues to the right World Fuel team owners or bot responsible for remediating. Dig gives each environment an overall importance and a single pane of glass with a visual representation of security posture and risk. The right issues go to the right team, eliminating alert fatigue. Sonrai Dig helped the team improve inventory management of people and non-people identities, providing an end-to-end view to manage coverage for all of its dynamic cloud assets. The ability to filter and get immediate information for any instance or object in its environment was key. Dig now monitors the organisation’s entire cloud (QA, development and production) for any configuration or access drift.
Shawn M Bowen, CISO, discusses how Sonrai Security’s technology offering enables the organisation to solve energy challenges for its customers around the world.
Can you tell us what your role entails as the CISO of a major energy company?
It’s the same rules for any CISO, except the implications are significantly higher as you move up the food chain of size of companies. The interesting aspect about this company is that it’s a global energy company. We also dabble in a lot of different areas, not just energy, but also the technology supporting and delivering it. Take aviation for example; not only do we deliver the fuel, we also offer technology to support fixed-base operations for airports, scheduling and coordination of private planes, and the fleets associated with them.
Why did you select Sonrai Security?
One of our values that we try to align with during vendor selection is partnering with vendors that we aspire to be like. The people behind that technology are one of the reasons why we partner with specific companies. That was what really started the relationship with Sonrai and it helps that it has a tool which covers a lot of components that we needed, such as cloud security and posture management. Sonrai also deals with cloud identity and combining the two allows the linking of identity so that we can see the whole life cycle.
Why did you decide to migrate your processes to the cloud and what were some of the potential risks involved?
If you’re not migrating to the cloud in 2021, what are you doing? I think there are a few companies that can justify using data centres or on-premise servers, but most are rationalising their data centres; I think more companies should be moving to the cloud. The journey we embarked on a few years ago was to close all 22 data centres and migrate entirely to the cloud. We still have a couple of months left to put over our last two data centres that are working in tandem with one another – that should be done by mid next year. The move has allowed us to be more effective in our current operations, and once that’s fully fleshed out, we are already looking at advancing to the next couple of levels and expanding our capabilities.
How does Sonrai Security’s technology enable you to solve energy challenges for your customers around the world?
One of the problems we had before I started was a lack of dedicated cloud security engineers. People that were responsible for their segments were responsible for their security as well. So, in the cloud engineering function, they had cloud security pieces, and Sonrai was able to aggregate the data and display it in a way that made it easier for people who were not security native, to solve security problems. We were able to solve a lot of the problems that we hadn’t seen prior to having Sonrai.
Now, as we’re developing Security Engineering function and maturing the engineers, we’re able to task things out, for example, we’re doing some integrations into Jira right now. Sonrai is driving tickets and getting tickets to the specific teams. We have 200+ applications that we develop in-house and we have a tonne of infrastructure that’s in the cloud for supporting applications and standard business. So, now we’re able to generate tickets and show what’s relevant to the person, not the whole cloud. Teams need to be able to segment off what’s applicable to them and that’s something that Sonrai has been able to do for us.
What are some of the business benefits you’ve seen since moving from using data centres, to the cloud?
The benefits we’ll see is continuing to make our current processes and our old processes far more efficient by doing things faster in the cloud through automation and aggregating data into a single environment. This means we can do searches and answer our questions with data all in the same location. We’ll also be able to build new products, pivot and expand our current footprint in a much quicker way than we were able to in a data centre. That will allow us to move faster, as we know a lot of the other markets are very tech-savvy and tech friendly. So, if you’re not there, you’re going to be left behind.
How do you predict World Fuel Services will evolve over the next 12 months, from a technology perspective?
I see a significant increase in security maturation. We have been building our security programme using the NIST Cybersecurity Framework along a more traditional maturity-based development and we are ready to provide security through a more risk-based offering where we’ll apply threat modelling at the product and business levels, then map that down to threat modelling we do at the technology level. That should allow us to tailor our security capabilities specific to the threats that are related to the different products. We don’t want to have a standard blanket offering of security, we want to have security wrappers tailored around each of our components.
Then, as we continue to go API-first, data centric and reinvent our cloud into the cloud native environments, those efforts are going to require even more security tailoring. Being API-first is a huge one for us because that means the portability of our applications, our data and our operations are endless once we get to that fully API-driven environment, so that will allow ultimate flexibility.
What advice would you offer to other CISOs when faced with securely migrating their systems to the cloud and implementing strong operational security into their business model?
We know that most cloud breaches are related to misconfigurations, so something like a CSPM is a must – like Sonrai with its cloud security posture management which allows us to find those misconfigurations as quickly as possible and limit our exposure. Then there’s the design factor; patching, updates and standard security will be there, but in the cloud, misconfigurations are far more damaging than a misconfiguration in an on-prem environment. So, you need defined principles for the teams to follow and establish secure configurations before you start moving into the cloud. That would be the one piece of advice I would have for that initial transition to the cloud.