UPDATED 18:00 EDT / JUNE 16 2021


Sonrai Security helps World Fuel Services go from 22 to 2 datacenters

When energy, commodities and services company World Fuel Services Corp. — ranked 91st on the Fortune 500 — decided to migrate to the cloud, it encountered challenges common to many organizations on this journey: the need to build a strong security foundation, create a cloud security operating model and find the skilled people for it.

Two years later, most challenges have been overcome. With support from Sonrai Security Inc., World Fuel Services closed 20 of the 22 data centers it amassed through business acquisitions around the world – many of which were running legacy workloads — implemented Sonrai’s security controls and built an operating model to bridge operations across cloud, security, audit and DevOps teams.

“The key takeaway of this would be to choose the right partner; it’s not just the solution,” said Avi Boru (pictured, left), director of cloud engineering at World Fuel Services. “Another key takeaway is automate your way, because security in the cloud is different than traditionally how do you do it … and rely on talent, rely on a lot of young talent that’s coming in and on all the tools like Sonrai, AWS, [that] are making it easier to operate in the cloud.”

Boru and Sandy Bird (pictured, right), co-founder and chief technology officer of Sonrai Security, spoke with Dave Vellante, host of theCUBE, SiliconANGLE Media’s livestreaming studio, during the AWS Startup Showcase: The Next Big Things in AI, Security & Life Sciences. They discussed the obstacles companies face in building world-class cloud security, Sonrai Security’s solutions to make this task easier and World Fuel Services’ enterprise computing experiences. (* Disclosure below.)

Identity and data controls are key

To quickly set up a secure cloud environment, World Fuel Services adopted a series of tools and capabilities from the Sonrai Security platform.

Sonrai’s approach sees identity and data controls as central to securing enterprise cloud. Because cloud is flooded with non-people identities, sprawling data and imminent danger, the company created Sonrai Dig, built on patented graphing technology to map every possible access and activity.

“When we talk about identity, we always think of people. But it’s not, of course. Sometimes it’s a machine; sometimes it’s a cloud service. It could be many different things,” Bird explained. “How does every single one of those identities get access to that given resource? And it’s not always as clear as ‘OK, well, here are the direct identities that can access this resource.’”

The data collected by Dig is compiled into a normalized graph data model that quickly surfaces data relationships across all cloud identities. Unlike many solutions that only show singular Identity Access Management relationships (for example, a role with EC2 full access or an owner of a subscription), Dig ties the data together to show all relationships in a single picture and uncover hidden risks.

In addition, it allows businesses to see what the effective permission of each identity is. Excessive privilege risks can be eliminated and “least privilege” enforced.

“It really helps by putting it in a graph, because we can actually see all of these interconnections; we can see how they’re interrelated and determine the exact effective permissions of any identity and what risks that may have,” Bird stated.
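The idea of deriving effective permissions from a graph can be sketched in a few lines. This is an added illustration, not Sonrai Dig's code or data model: the identities, roles, policies and edge names are constructed, and the model is simplified (no deny statements, conditions or permission boundaries).

```python
from collections import deque

# Constructed sample graph (not real data): each edge points from a principal
# to something it can act as or is granted. All names are hypothetical.
EDGES = {
    "user:alice":      [("member_of", "group:devs")],
    "user:bob":        [("attached", "policy:read-logs")],
    "svc:ci-runner":   [("can_assume", "role:deploy")],
    "group:devs":      [("can_assume", "role:deploy"), ("attached", "policy:read-logs")],
    "role:deploy":     [("can_assume", "role:data-admin"), ("attached", "policy:ec2-full")],
    "role:data-admin": [("attached", "policy:s3-customer-rw")],
}
# Policy node -> set of (action, resource) grants it carries.
GRANTS = {
    "policy:read-logs": {("logs:Read", "logs:app")},
    "policy:ec2-full": {("ec2:*", "ec2:*")},
    "policy:s3-customer-rw": {("s3:GetObject", "bucket:customer-data"),
                              ("s3:PutObject", "bucket:customer-data")},
}

def effective_permissions(identity):
    """Map every grant reachable from identity to the shortest path that yields it."""
    found, seen = {}, {identity}
    queue = deque([(identity, [identity])])
    while queue:
        node, path = queue.popleft()
        for grant in GRANTS.get(node, ()):
            found.setdefault(grant, path)  # BFS order: first hit is the shortest path
        for _relation, target in EDGES.get(node, ()):
            if target not in seen:  # guards against cycles in role chains
                seen.add(target)
                queue.append((target, path + [target]))
    return found

def who_can(action, resource):
    """People and machine identities that can reach the grant, with the access path."""
    result = {}
    for ident in EDGES:
        if ident.startswith(("user:", "svc:")):
            path = effective_permissions(ident).get((action, resource))
            if path:
                result[ident] = path
    return result

if __name__ == "__main__":
    for ident, path in sorted(who_can("s3:GetObject", "bucket:customer-data").items()):
        print(ident, "via", " -> ".join(path))
```

Neither identity that reaches the bucket has a policy attached directly, which is the kind of indirect access a per-relationship IAM view does not show.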

Automating and decentralizing security

This way of operationalizing security in the cloud was of great benefit to World Fuel Services. Sonrai Dig has organized analysis, alerts and actions for environments into approximately 40 “swim lanes” – automatically directing problems to the right World Fuel team or bot responsible for remediation, eliminating alert fatigue.

It gave each environment a single pane of glass with the visual representation of security posture and risk. Moreover, it helped the teams improve inventory management of people and non-people identities, providing an end-to-end view to manage coverage for all their dynamic cloud assets.

The ability to filter and get immediate information for any instance or object in their environment was fundamental, according to Boru.

“[An]other key thing that we did as part of operationalizing is [that] teams need to use Sonrai as their way of working; teams need to know what and why they should be using Sonrai,” he said. “So, we conducted a lot of training and onboarding and working sessions for teams … so they can proactively start acting on how to stay compliant.”

An important part of the cloud security operating model built by Sonrai is the decentralization of some of the security functions, according to Bird. Security findings are first distributed to teams to resolve issues themselves, and only if they aren’t resolved are those issues forwarded to a centralized security team to address them.

“Cloud is going to get us to a point where we are more secure than we were on enterprise,” he said. “We have all of the right tools and controls to do it; we can decentralize the security and make it better.”

But the best way to create this safe environment is to act in advance.

“I think if anything just to encourage people to really look at a cloud security governance model, you can’t do this ad hoc trying to whack-a-mole small issues as they come up. You build it in as an operating model, you automate it, and you deal with the exceptions,” Bird concluded.

(* Disclosure: Sonrai Security Inc. sponsored this segment of theCUBE. Neither Sonrai Security nor other sponsors have editorial control over content on theCUBE or SiliconANGLE.)
