VMblog Expert Interview: Sonrai Security Talks Data Governance, Least Privilege and the Public Cloud


Do you know who has access to data, what has access, how access is possible and where best to eliminate risk in your public cloud? This may sound like a no-brainer question, but these days enterprise organizations often store their data across AWS, Azure, GCP, and Kubernetes. With hundreds of roles, thousands of pieces of compute, and a dizzying array of interdependencies and inheritances, some of which touch sensitive data, the answer as to where and how data is stored is not always readily available.

Do you find yourself struggling to identify risks in your cloud?  You aren't alone.

To get a better understanding of all of this, VMblog sat down with industry expert, Eric Kedrosky, Director of Cloud Research and CISO of Sonrai Security.

VMblog:  What is the current state of data and identity access in the public cloud?

Eric Kedrosky:  Identity and data access complexity is a ticking time bomb in your public cloud. Tens of thousands of short-lived compute pieces, thousands of roles, and a dizzying array of interdependencies and inheritances. If you think about it, you have admins that get access to data stores in your environment. As in the old world, but this is just the beginning in the cloud world.

Then, there are service principals, roles, keys. It's what you use every day to build dynamic workloads. If you're using a secret store (like HashiCorp Vault) and want to bring your keys, that's another level of indirection.

It's not about just people anymore. For your cloud, the vast majority of identities are not people's identities. A serverless function, a container, a VM. They have rights too. In addition to specific rights associated with compute or users, a group of policies also conveys rights. And of course, cloud security services have access rights too. All of this can be controlled, adjusted, or overwritten through global restrictions and resource policies like Amazon's SCP.

Now multiply this by 100 or 1000 and add cloud accounts and subscriptions with Trust Relationships and Permission Inheritance, and you have a ticking time bomb in your cloud. This is why we see data breaches every day.

VMblog:  Your company has stated that Sonrai can help de-risk the public cloud.  What do you mean by "de-risk"?

Kedrosky:  Sonrai offers customers the most comprehensive and innovative approach to protect their cloud and container environments from risk - whether it is misconfigurations, policy violations, over-privileged identities, inappropriate data access, or other data and identity governance challenges.

We consider our solution unique because we can de-risk your cloud in four steps. Or in other words, help your organization eliminate risks. Our identity and data governance platform, Sonrai Dig, allows customers to do exactly that in 4 steps: 
  1. Get to Least Privilege and stay there. Eliminate all identified risks in your cloud - Sonrai Dig maps every single trust relationship, inherited permission, and policy, for every entity in your cloud. Identify all excessive privilege, escalation, and separation of duty risks across thousands of roles and compute instances across hundreds of cloud accounts; all mapped continuously.

  2. Protect your crown jewel data. We can discover, classify, lock down, and monitor all data in and across your cloud environments. Dig relentlessly monitors your critical data sitting inside object stores and database services. Suspicious access activity or undesirable changes in access rights are flagged.

  3. Shift left by integrating teams. Via organized analysis, alerts, and actions that align with how your organization uses public cloud. Dig allows customized monitoring and views for development, staging, or production workloads and an API architecture that can be integrated into a CI/CD process.

  4. Prevent. Escalate. Remediate. Remediation bots fix the problems found. But, how about preventing those problems from happening in the first place? Sonrai Dig does both. It also puts prevention rules in place across your cloud and makes sure they stay there. As people try to move workloads to production, checks are in place, and promotion only happens if your risk policies are followed.

VMblog:  How does your company and product fit within the container or cloud ecosystem?

Kedrosky:  Sonrai helps reduce complexities across AWS, Azure, Google Cloud, and Kubernetes. We show you what has access, how access is possible, and where best to eliminate risk. Sonrai Dig, the identity and data governance platform, protects cloud and container environments from misconfigurations, policy violations, threats, and data and identity governance challenges. Sonrai customers get to and maintain least privilege and can fully realize the benefits of cloud and container technology without unnecessary complexity and risk.

With Sonrai Dig, organizations gain unified security and compliance for Amazon Web Services, Microsoft Azure, Google Cloud Platform, and Kubernetes.

Using out-of-the-box policies mapped to industry and regulatory standards, we empower security, governance, risk, and compliance, and cloud security professionals to quickly identify and assess risks before they are exploited. From custom policies to a robust API, Sonrai Dig can adapt to any organization's unique cloud security operations.

VMblog:  If you're looking to eliminate risk across AWS, Azure, GCP, Kubernetes, etc., where do you recommend cloud and security professionals start?

Kedrosky:  The first place to start is a double-edged sword; you want to identify all excessive privilege, escalation, and separation of duty risks across all of the roles and compute instances across all of your cloud accounts. In parallel you want to find where all of your data is, not just where you think it is, as well as classify that data. Next you'll need to determine what is accessing that data, what has access, what could get access, what has changed. With this, you'll need to determine your identities' effective permissions. What do we mean by that? It means knowing what actions your identities (human and nonhuman) can do as well as determining what they have done. At the same time you need to tie it back to the originating identity and not just the last one in the chain of possible events. Our team will use the powerful Sonrai Dig platform to deliver a free assessment of your current identity and data access risks. It's an easy place to start.
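As an added illustration of the two points made above (effective permissions traced back to the originating identity rather than the last role in the chain, and an organization-level guardrail such as an SCP overriding grants beneath it), here is a constructed toy account in Python. It is not Sonrai's code or data model; every principal, role, bucket and policy in it is made up for the example.

```python
from collections import deque

# Constructed sample account (illustrative only). Trust policies: role -> principals
# allowed to assume it. Chains like alice -> Deploy -> DataReader arise from these.
TRUSTS = {
    "role:Deploy": {"human:alice"},
    "role:DataReader": {"role:Deploy", "lambda:etl"},
}
# Attached policies: principal -> allowed (action, resource) pairs.
GRANTS = {
    "human:alice": {("s3:ListBucket", "s3://public-assets")},
    "role:Deploy": {("ec2:RunInstances", "*"), ("s3:DeleteBucket", "*")},
    "role:DataReader": {("s3:GetObject", "s3://crown-jewels"), ("s3:GetObject", "s3://logs")},
    "lambda:etl": set(),
}
# Organization-level guardrail (SCP-style): an explicit deny wins over any grant below it.
SCP_DENIES = {("s3:DeleteBucket", "*")}

def scp_denied(action, resource):
    """True if the org guardrail denies this action on this resource (exact or wildcard)."""
    return any(a == action and r in ("*", resource) for a, r in SCP_DENIES)

def assumption_chains(origin):
    """Breadth-first walk of the trust graph: every principal reachable from `origin`
    by assuming roles, mapped to the chain of identities used to get there."""
    chains = {origin: (origin,)}
    queue = deque([origin])
    while queue:
        cur = queue.popleft()
        for role, trusted in TRUSTS.items():
            if cur in trusted and role not in chains:
                chains[role] = chains[cur] + (role,)
                queue.append(role)
    return chains

def effective_permissions(origin):
    """(action, resource) -> chain for an originating identity, after SCP denies.
    The chain shows which roles had to be assumed, so findings attribute to `origin`."""
    perms = {}
    for principal, chain in assumption_chains(origin).items():
        for action, resource in GRANTS.get(principal, ()):
            if not scp_denied(action, resource):
                perms.setdefault((action, resource), chain)
    return perms

def who_can_read(resource):
    """Originating (non-role) identities able to s3:GetObject on `resource`, with chains."""
    origins = [p for p in GRANTS if not p.startswith("role:")]
    return {o: effective_permissions(o)[("s3:GetObject", resource)]
            for o in origins if ("s3:GetObject", resource) in effective_permissions(o)}
```

Running `who_can_read("s3://crown-jewels")` attributes the read to `human:alice` and `lambda:etl`, not to `role:DataReader`, which is the last hop in both chains.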


Published Tuesday, June 16, 2020 7:35 AM by David Marshall