World Fuel Services (WFS) delivers trusted energy solutions providing a powerful integrated platform to optimize energy, logistics, and related services for aviation, marine, commercial, industrial, and land transportation to customers globally. Ranked 83 on the Fortune 500 list, WFS delivers energy solutions at more than 8,000 locations in more than 200 countries and territories around the world. WFS is using technology to transform how it does business, making interactions faster, easier, and more intuitive for customers. After deciding to migrate its legacy systems to Amazon Web Services (AWS), the company turned to Sonrai Security to fuel a secure path for its identities and data in the cloud.
Over the past decade, WFS has achieved exceptional growth accumulating 22 data centers - many of which were running legacy workloads. The company needed to consolidate its data centers to optimize costs and to deliver technology at the pace of a startup, so it set an audacious goal to migrate to the public cloud and get out of the business of running data centers within two years. While moving its massive IT infrastructure from 22 self-managed data centers to AWS, WFS’s IT staff realized it would require more than just moving servers and data. In early 2020, the team realized they needed a new way to secure and manage data during their cloud migration understanding the new perimeter was no longer managing IP addresses and network and manual management of cloud resources wouldn't work. The security teams at the company struggled to secure and track the connections between more than 200 AWS accounts, 2,000 roles and more than 10,000 cloud server instances. WFS team asked other IT pros at Silicon Valley companies how they secured cloud deployments, and during these discussions, met Sonrai Security, CEO and co-founder, Brendan Hannigan. After meeting with Hannigan and reviewing several cloud security platform solutions, WFS decided on Sonrai Dig to meet its identity and data security needs.
“Security is absolutely foundational for any large scale migration to the public cloud. Sonrai Dig on AWS is central to the World Fuel Services cloud security operating model. The elimination of identity and data risks, automation, and continuous monitoring has transformed our cloud security operations, and helped accelerate our cloud migration.”
- Richard Delisser, Senior Vice President, World Fuel Services
WFS knew the current method of triaging and resolving security problems was not suited to an agile cloud-first company, and a new ‘Cloud Security Operating Model’ was needed to bridge operations between cloud, security, audit, and DevOps teams. For this reason, WFS partnered with Sonrai Security to implement best of breed cloud security.
To date, WFS has closed 20 of 22 data centers and Sonrai now provides security controls for the company’s 200+ AWS accounts, with over 6,500 AWS roles, 10,000+ compute instances, and hundreds of data stores.
Any large-scale cloud migration has to build off a foundation of strong operational security, and WFS quickly realized traditional first-generation CSPM platforms would overwhelm cloud and security teams with alerts as the cloud footprint increased. An exploding number of roles and identities would add identity and access complexity, which, combined with increasing alerts, would have raised the risk to an unacceptable level.
"We don't want to have too much centralization, which could slow down developers, but we didn't want to let application deployments go until we had assurance nobody had accidentally opened an S3 bucket to the internet. Sonrai let us define policies that were cloud-agnostic, and if someone mistakenly introduced risk, automatically switched it off."
- Richard Delisser, Senior Vice President, World Fuel Services
Why WFS Chose AWS
Frequent acquisitions meant that the WFS technology group was faced with an ever-increasing array of tools, applications, and technology to manage. Because of their growth, the technology stack was a mix of many different solutions and tools, running in over 20 data centers around the world. Seeing an opportunity to both rationalize and reduce the number of different environments and tools, as well as accelerate the delivery of innovative new products and features, WFS made the decision to adopt cloud computing and DevOps. The company chose AWS as its cloud partner because Amazon has extensive experience working with companies, like WFS, to successfully move from on-premise to the cloud.
Why WFS Chose Sonrai Dig
Sonrai Dig’s cloud security platform was the perfect fit for solving the identity and data challenges. WFS uses Sonrai Dig to monitor the company’s entire cloud (QA, development, and production) for any configuration or access drift and is foundational for its large scale migration to public cloud. Identity and access risks are easily identified and systematically removed leveraging Sonrai Dig.
Results and Benefits
WFS uses Sonrai Dig to monitor hundreds of accounts and data stores to eliminate excessive privilege risks and to enforce least privilege. With Sonrai Dig, WFS has closed 20 of 22 data centers while providing security controls for 200+ AWS accounts and over 6,500 AWS roles. Data collected across all WFS accounts and subscriptions by Sonrai Dig were compiled into a normalized graph data model that quickly surfaced complex IAM and data relationships across all cloud identities. Unlike many solutions that only show singular IAM relationships (e.g. a role with EC2FullAccess), Sonrai Dig connected the dots to show all relationships in a single picture and uncovered hidden risks. Utilizing this end-to-end view, excessive privilege risks can be eliminated, and ‘least privilege’ enforced.
Sonrai Dig’s workflow automation platform helps WFS organize alerts and actions for its environments to automatically direct any issues to the correct team owners or remediation bots for resolution. Sonrai Dig organized analysis, alerts, and actions for environments into approximately 40 “swim lanes” – automatically directing issues to the right WFS team owner. Sonrai Dig gives each environment an overall importance and a single pane of glass with a visual representation of security posture and risk. The right issues go to the right team, eliminating alert fatigue. Sonrai Dig helped the team improve inventory management of people and non-people identities, providing an end-to-end view to manage coverage for all of their dynamic cloud assets. The ability to filter and get immediate information for any instance or object in their environment was key. Sonrai Dig now monitors the organization’s entire cloud (QA, development, and production) for any configuration or access drift.
World Fuel Services provides energy procurement advisory services, supply fulfillment, and transaction and payment management solutions to the aviation, marine, and land transportation industries. WFS made $36.8 billion in revenue in 2019 and has sold 19.4 billion gallons of fuel.
About Sonrai Security
Sonrai Security offers an enterprise security platform. The Sonrai Dig platform is built on a sophisticated graph that identifies and monitors every possible relationship between identities and data that exists inside an organization’s public cloud. Dig’s Governance Automation Engine automates workflow, remediation, and prevention capabilities across cloud and security teams to ensure end-to-end security.
Published August 2021