Do you know who has access to your data, what has access, how that access is possible, and where best to eliminate risk in your public cloud? This may sound like a no-brainer question, but enterprise organizations today often store their data, sensitive data included, across AWS, Azure, GCP, and Kubernetes. With hundreds of roles, thousands of pieces of compute, and a dizzying array of interdependencies and inheritances, the answer as to where data is stored and how it can be reached is not always readily available.

Do you find yourself struggling to identify risks in your cloud? You aren't alone.
To get a better understanding of all of this, VMblog sat down with industry expert Eric Kedrosky, Director of Cloud Research and CISO of Sonrai Security.
VMblog: What is the current state of data and identity access in the public cloud?
Eric Kedrosky: Identity and data access complexity is a ticking time bomb in your public cloud. Tens of thousands of short compute pieces, thousands of roles, and a dizzying array of interdependencies and inheritances. If you think about it, you have admins that get access to data stores in your environment. That's as in the old world, but this is just the beginning in the cloud world.

Then there are service principals, roles, keys. It's what you use every day to build dynamic workloads. If you're using a secret store (like HashiCorp Vault) and want to bring your keys, that's another level of indirection.

It's not about just people anymore. In your cloud, the vast majority of identities are not people's identities. A serverless function, a container, a VM. They have rights too. In addition to specific rights associated with computing or users, a group of policies also conveys rights. And of course, cloud security services have access rights too. All of this can be controlled, adjusted, or overwritten through global restrictions and resource policies like Amazon's SCPs.

Now multiply this by 100 or 1000 and add cloud accounts and subscriptions with trust relationships and permission inheritance, and you have a ticking time bomb in your cloud. This is why we see data breaches every day.
VMblog: Your company has stated that Sonrai can help de-risk the public cloud. What do you mean by "de-risk"?
Kedrosky: Sonrai offers customers the most comprehensive and innovative approach to protect their cloud security and container environments from risk, whether it is misconfigurations, policy violations, over-privileged identities, inappropriate data access, or other data and identity governance challenges.

We consider our solution unique because we can de-risk your cloud in four steps. Or in other words, help your organization eliminate risks. Our identity and data governance platform, Sonrai Dig, allows customers to do exactly that in four steps:

- Get to least privilege and stay there. Eliminate all identified risks in your cloud. Sonrai Dig maps every single trust relationship, inherited permission, and policy for every entity in your cloud. Identify all excessive privilege, escalation, and separation of duty risks across thousands of roles and compute instances across hundreds of cloud accounts, all mapped continuously.
- Protect your crown jewel data. We can discover, classify, lock down, and monitor all data in and across your cloud environments. Dig relentlessly monitors your critical data sitting inside object stores and database services. Suspicious access activity or undesirable changes in access rights are flagged.
- Shift left by integrating teams. Via organized analysis, alerts, and actions that align with how your organization uses public cloud. Dig allows customized monitoring and views for development, staging, or production workloads, and an API architecture that can be integrated into a CI/CD process.
- Prevent. Escalate. Remediate. Remediation bots fix the problems found. But how about preventing those problems from happening in the first place? Sonrai Dig does both. It also puts prevention rules in place across your cloud and makes sure they stay there. As people try to move workloads to production, checks are in place, and promotion only happens if your risk policies are followed.
VMblog: How does your company and product fit within the container or cloud ecosystem?
Kedrosky: Sonrai helps reduce complexities across AWS, Azure, Google Cloud, and Kubernetes. We show you what has access, how access is possible, and where best to eliminate risk. Sonrai Dig, the identity and data governance platform, protects cloud and container environments from misconfigurations, policy violations, threats, and data and identity governance challenges. Sonrai customers get to and maintain least privilege and can fully realize the benefits of cloud and container technology without unnecessary complexity and risk.

With Sonrai Dig, organizations gain unified security and compliance for Amazon Web Services, Microsoft Azure, Google Cloud Platform, and Kubernetes.

Using out-of-the-box policies mapped to industry and regulatory standards, we empower security, governance, risk, and compliance, and cloud security professionals to quickly identify and assess risks before they are exploited. From custom policies to a robust API, Sonrai Dig can adapt to any organization's unique cloud security operations.
VMblog: If you're looking to eliminate risk across AWS, Azure, GCP, Kubernetes, etc., where do you recommend cloud and security professionals start?
Kedrosky: The first place to start is a double-edged sword; you want to identify all excessive privilege, escalation, and separation of duty risks across all of the roles and compute instances across all of your cloud accounts. In parallel you want to find where all of your data is, not just where you think it is, as well as classify that data. Next you'll need to determine what is accessing that data, what has access, what could get access, and what has changed. With this, you'll need to determine your identities' effective permissions. What do we mean by that? It means knowing what actions your identities (human and nonhuman) can do as well as determining what they have done. At the same time you need to tie it back to the originating identity and not just the last one in the chain of possible events. Our team will use the powerful Sonrai Dig platform to deliver a free assessment of your current identity and data access risks. It's an easy place to start.
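A worked example added after the interview (it is not part of the interview and not Sonrai's code) showing in Python what "effective permissions tied back to the originating identity" looks like in practice. It builds a constructed identity graph with hypothetical users, a workload, roles, trust policies and an account-level SCP cap, walks every role-assumption chain, reports who can reach a data store and through which chain, and flags where access exists only via role assumption. Every identity, role, bucket and action set below is made up for illustration, and the assume-role rule is a deliberate simplification of real IAM evaluation.

```python
"""Toy access-path analysis over a constructed cloud identity graph.

Added example, not Sonrai's code. Models the ingredients named in the
interview (identity policies, role trust relationships, an SCP ceiling),
computes each originating identity's effective permissions across
role-assumption chains, and attributes every reachable action back to the
origin rather than to the last role in the chain. All names are constructed.
"""
from collections import deque
from fnmatch import fnmatchcase

# Constructed identity policies: identity -> set of (action pattern, resource).
IDENTITY_POLICIES = {
    "user:alice": {("s3:GetObject", "bucket:customer-pii")},
    "user:bob": {("sts:AssumeRole", "role:deploy")},
    "lambda:nightly-etl": {("sts:AssumeRole", "role:data-reader")},
    "role:deploy": {("sts:AssumeRole", "role:data-admin"),
                    ("iam:PassRole", "role:data-admin")},
    "role:data-reader": {("s3:GetObject", "bucket:customer-pii")},
    "role:data-admin": {("s3:*", "bucket:customer-pii")},
}

# Constructed trust relationships: role -> principals its trust policy names.
TRUST = {
    "role:deploy": {"user:bob"},
    "role:data-reader": {"lambda:nightly-etl"},
    "role:data-admin": {"role:deploy"},
}

# Constructed account-level SCP: the ceiling on what anything in the account
# may do. s3:DeleteObject is absent, so even "s3:*" cannot grant it.
SCP_ALLOWED_ACTIONS = {"s3:GetObject", "s3:PutObject",
                       "sts:AssumeRole", "iam:PassRole"}


def concrete_actions(pattern):
    """Expand an action pattern such as 's3:*' to the concrete actions the SCP
    still permits; sorted so results are deterministic."""
    return sorted(a for a in SCP_ALLOWED_ACTIONS if fnmatchcase(a, pattern))


def can_assume(principal, role):
    """Toy rule (a conservative simplification of real IAM evaluation): the
    role's trust policy must name the principal AND the principal's own policy
    must allow sts:AssumeRole on that role."""
    trusted = principal in TRUST.get(role, set())
    allowed = any(fnmatchcase("sts:AssumeRole", act) and res == role
                  for act, res in IDENTITY_POLICIES.get(principal, set()))
    return trusted and allowed


def effective_permissions(origin):
    """Walk every role-assumption chain starting at `origin` and return
    {(action, resource): [chain, ...]}, each chain being the tuple of
    identities traversed, beginning with the originating identity."""
    reach = {}
    queue = deque([(origin,)])
    while queue:
        chain = queue.popleft()
        current = chain[-1]
        for pattern, resource in IDENTITY_POLICIES.get(current, set()):
            for action in concrete_actions(pattern):
                reach.setdefault((action, resource), []).append(chain)
        for role in TRUST:  # cycle-safe: never re-enter a role already in the chain
            if role not in chain and can_assume(current, role):
                queue.append(chain + (role,))
    return reach


def originating_identities():
    """Everything that is not a role: humans and workloads are the origins."""
    return sorted(i for i in IDENTITY_POLICIES if not i.startswith("role:"))


def who_can(action, resource):
    """Map each originating identity able to perform `action` on `resource`
    to the chains through which it gets there ("what has access, and how")."""
    result = {}
    for origin in originating_identities():
        chains = effective_permissions(origin).get((action, resource))
        if chains:
            result[origin] = chains
    return result


def escalation_findings():
    """Return (origin, action, resource, chain) tuples where an origin reaches
    a non-STS action only by assuming roles: the risk belongs to the origin,
    not to the role at the end of the chain."""
    findings = []
    for origin in originating_identities():
        for (action, resource), chains in effective_permissions(origin).items():
            if action.startswith("sts:"):
                continue
            if not any(len(c) == 1 for c in chains):
                findings.append((origin, action, resource, min(chains, key=len)))
    return sorted(findings)


if __name__ == "__main__":
    for origin, chains in who_can("s3:GetObject", "bucket:customer-pii").items():
        print(origin, "->", " => ".join(chains[0]))
    print("DeleteObject reachable by:", who_can("s3:DeleteObject", "bucket:customer-pii"))
    for finding in escalation_findings():
        print("escalation:", finding)
```

Two things the output makes visible that a policy listing alone does not: `user:bob` never appears on the bucket's policies yet reaches it with write access through `role:deploy` and `role:data-admin`, and the SCP silently trims `s3:*` so that nobody can delete from the bucket even though a role nominally has it. Real tooling has to add resource policies, conditions, permission boundaries, deny statements and cross-account trust on top of this skeleton.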