
Energy company swaps index cards, Excel for DevSecOps

Manually tracking thousands of cloud connections was unsustainable for a $36 billion energy company, forcing a cultural and technical shift to DevSecOps.

DevSecOps has become a necessity for a major energy company as it completes its migration to public cloud.

World Fuel Services, a public company with $36 billion in annual revenues based in Miami, ranked 91st on the 2020 Fortune 500 list of the largest US companies. The corporation spent the last two years moving its massive IT infrastructure from 22 self-managed data centers to AWS and Azure public clouds as part of a plan to modernize the business. But halfway through the cloud migration in early 2020, the company's IT staff realized it would require more than just moving servers and data.

"Traditional IT security folks were obsessed with IP addresses and data centers, but we are in a completely different world now," said Richard Delisser, SVP of land technology, cloud and infrastructure at World Fuel Services.


The company also added more IT automation such as infrastructure-as-code tools as it expanded cloud deployments, and needed to account for faster, subtler changes to the infrastructure as a result.

The reality that manual management of cloud resources wouldn't work hit home as security teams at the company struggled to track the connections between more than 200 AWS accounts, 2,000 roles and more than 10,000 cloud server instances.

"We used to have to map it all out on a massive table with index cards, to trace through identities, what they could do and what data they could access," Delisser said.

Delisser and his team asked other IT pros at Silicon Valley companies how they secured cloud deployments, and during these discussions met Brendan Hannigan, who had co-founded Sonrai Security in early 2019 and is its CEO. Hannigan advised World Fuel Services on how to establish a cloud security operating model, and the company decided to deploy Sonrai's products six months ago.

Sonrai boosts World Fuel's security octane

Sonrai's Dig software uses graph analytics to automatically track the interactions between human, service and machine identities in cloud environments. Graph analytics is built on graph databases, an emerging alternative to traditional relational databases, which model relationships through fixed, predefined schemas and joins rather than as first-class links that can be traversed.

Graph databases and analytics, by contrast, can uncover relationships between data that aren't immediately obvious. For example, a cloud user account might have no direct permission on a particular data store, yet a role it can assume or another system it can reach might give it that access indirectly.


Sonrai uses this mechanism to determine which cloud identities have access to which IT resources and data, including indirect access that developers and SecOps teams might miss. The tool can detect violations of IT security policies and enforce those policies by blocking vulnerable connections in the production network.
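The indirect-access walk just described, as an added Python example that is not Sonrai's code or data: a constructed inventory of a few users, roles and S3 buckets, where each edge is either an sts:AssumeRole relationship or a direct data grant, and a bounded graph walk that returns every path, direct or chained, from a principal to a data store and singles out the ones that exist only through role assumption. The principal, role and bucket names are invented, and the inventory deliberately contains an assume-role cycle to show that the walk terminates.

```python
"""Transitive-access discovery over a small identity graph.

Added example, not Sonrai's code or data: a few IAM-style principals, the
roles they can assume and the data stores those roles can read. A bounded
graph walk finds every path, direct or chained, by which a principal can
reach a data store.
"""
from collections import defaultdict

# Constructed inventory. Edge kinds:
#   ("assume", src, dst): src may call sts:AssumeRole on role dst
#   ("access", src, dst): src's own policy allows reading data store dst
EDGES = [
    ("assume", "user:alice", "role:analytics"),
    ("assume", "role:analytics", "role:etl-runner"),
    ("assume", "role:etl-runner", "role:analytics"),   # deliberate cycle
    ("access", "role:etl-runner", "s3://customer-pii"),
    ("access", "user:alice", "s3://public-reports"),
    ("assume", "user:bob", "role:readonly"),
    ("access", "role:readonly", "s3://public-reports"),
    ("access", "machine:ci-build", "s3://artifacts"),
]
DATA_STORES = {"s3://customer-pii", "s3://public-reports", "s3://artifacts"}


def build_graph(edges):
    """Adjacency list: node -> [(edge kind, neighbour), ...]."""
    graph = defaultdict(list)
    for kind, src, dst in edges:
        graph[src].append((kind, dst))
    return graph


def reachable_stores(graph, principal, max_hops=8):
    """Return {store: [path, ...]} for every data store the principal reaches.

    A path lists the nodes traversed, e.g.
    ['user:alice', 'role:analytics', 'role:etl-runner', 's3://customer-pii'].
    Nodes already on the path are skipped, so an assume-role cycle cannot
    loop, and max_hops bounds the length of any role chain.
    """
    found = defaultdict(list)
    stack = [(principal, [principal])]
    while stack:
        node, path = stack.pop()
        if len(path) > max_hops:
            continue
        for kind, nxt in graph.get(node, []):
            if nxt in path:
                continue
            new_path = path + [nxt]
            if nxt in DATA_STORES:
                found[nxt].append(new_path)
            elif kind == "assume":
                stack.append((nxt, new_path))
    return dict(found)


def indirect_only(graph, principal):
    """Stores the principal reaches only through one or more assumed roles.

    These are the grants that a review of the principal's own policy misses.
    """
    direct = {dst for kind, dst in graph.get(principal, []) if kind == "access"}
    return {store for store in reachable_stores(graph, principal) if store not in direct}


def principals(edges):
    """Human and machine identities, i.e. every source that is not a role."""
    return sorted({src for _, src, _ in edges if not src.startswith("role:")})


def find_violations(edges, sensitive):
    """(principal, store, path) for every path from a principal to a sensitive store."""
    graph = build_graph(edges)
    return [(p, store, path)
            for p in principals(edges)
            for store, paths in reachable_stores(graph, p).items()
            if store in sensitive
            for path in paths]


if __name__ == "__main__":
    for p, store, path in find_violations(EDGES, {"s3://customer-pii"}):
        print(f"{p} reaches {store} via {' -> '.join(path)}")
```

Run as a script it reports that user:alice reaches s3://customer-pii only by chaining two roles, a grant that never appears in alice's own policy. In a real inventory the edges would be pulled from IAM trust and permission policies across all accounts, which is exactly the part that was being traced by hand on index cards.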

Sonrai's tools alert developers to misconfigurations, provide recommendations to remediate issues, and can launch bots to fix them automatically. The vendor's Governance Automation Engine ties into CI/CD pipelines, where it can block vulnerable application code from being pushed to production.

World Fuel Services also considered built-in AWS and Azure security automation tools but decided to use Sonrai Dig because it offered one point of DevSecOps management for both clouds and required less custom scripting work to set up.

"We don't want to have too much centralization, which could slow down developers, but we didn't want to let [application deployments] go until we had assurance nobody had accidentally opened an S3 bucket to the internet," Delisser said. "Sonrai let us define policies that were cloud-agnostic, and if someone mistakenly [introduced risk], automatically switched it off."

DevSecOps from platform to pipeline

World Fuel Services plans to add the Governance Automation Engine to its code pipelines so that DevSecOps checks "shift left," but must complete the cloud migration first -- its last two data centers will be shut down in 2021. In the meantime, developers can use feedback from Sonrai Dig to help them correct vulnerabilities in their apps.
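A pipeline gate of the kind the Governance Automation Engine is described as providing, written here as an added Python example rather than Sonrai's own check: a script a CI job could run against a CloudFormation template before deployment, failing the build when the template would create an internet-readable bucket, the case Delisser names above. The template is constructed for the example; the rule names and check functions are the editor's own, not a Sonrai policy.

```python
"""Pipeline gate for public S3 buckets in a CloudFormation template.

Added example, not Sonrai's Governance Automation Engine: a policy check a
CI job runs before deployment, failing the build when a template would
create an internet-readable bucket. The template is constructed.
"""
import json
import sys

# Canned ACLs that expose objects to everyone or to any AWS account.
PUBLIC_ACLS = {"PublicRead", "PublicReadWrite", "AuthenticatedRead"}
BLOCK_KEYS = ("BlockPublicAcls", "BlockPublicPolicy",
              "IgnorePublicAcls", "RestrictPublicBuckets")

TEMPLATE = json.loads("""{
  "Resources": {
    "ReportsBucket": {"Type": "AWS::S3::Bucket",
      "Properties": {"AccessControl": "PublicRead"}},
    "ReportsPolicy": {"Type": "AWS::S3::BucketPolicy",
      "Properties": {"Bucket": {"Ref": "ReportsBucket"},
        "PolicyDocument": {"Statement": [{"Effect": "Allow",
          "Principal": "*", "Action": "s3:GetObject",
          "Resource": "arn:aws:s3:::reports/*"}]}}},
    "LogsBucket": {"Type": "AWS::S3::Bucket",
      "Properties": {"PublicAccessBlockConfiguration": {
        "BlockPublicAcls": true, "BlockPublicPolicy": true,
        "IgnorePublicAcls": true, "RestrictPublicBuckets": true}}}
  }
}""")


def is_wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (anyone, including anonymous)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def check_bucket(logical_id, props):
    findings = []
    if props.get("AccessControl") in PUBLIC_ACLS:
        findings.append((logical_id, "public-acl",
                         f"canned ACL {props['AccessControl']} exposes objects"))
    pab = props.get("PublicAccessBlockConfiguration", {})
    if not all(pab.get(k) is True for k in BLOCK_KEYS):
        findings.append((logical_id, "public-access-block",
                         "all four PublicAccessBlockConfiguration flags must be true"))
    return findings


def check_bucket_policy(logical_id, props):
    findings = []
    statements = props.get("PolicyDocument", {}).get("Statement", [])
    if isinstance(statements, dict):       # a single statement may be unlisted
        statements = [statements]
    for st in statements:
        if (st.get("Effect") == "Allow" and is_wildcard_principal(st.get("Principal"))
                and not st.get("Condition")):
            findings.append((logical_id, "anonymous-policy",
                             "Allow with Principal * and no Condition"))
    return findings


CHECKS = {"AWS::S3::Bucket": check_bucket,
          "AWS::S3::BucketPolicy": check_bucket_policy}


def evaluate(template):
    """Every finding as (logical_id, rule, message), in template order."""
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        check = CHECKS.get(res.get("Type"))
        if check:
            findings.extend(check(logical_id, res.get("Properties", {})))
    return findings


def gate(template):
    """True when the template may be deployed, False when the build must fail."""
    return not evaluate(template)


if __name__ == "__main__":
    for logical_id, rule, message in evaluate(TEMPLATE):
        print(f"FAIL {logical_id} [{rule}]: {message}")
    sys.exit(0 if gate(TEMPLATE) else 1)
```

Run as a pipeline step, the non-zero exit code stops the job before the stack is created, and each finding carries the template's logical resource ID so the developer can relate it to a specific line of their infrastructure code rather than to an entry in a spreadsheet. A bucket policy whose wildcard principal is restricted by a Condition (for example a source-IP or VPC endpoint check) is deliberately not flagged, because that is the usual shape of an intentionally scoped grant.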


As with most of the cultural shifts that have accompanied DevOps and DevSecOps, embedding security in the application development pipeline will take time, said Avi Boru, senior manager of cloud engineering at World Fuel Services. 

"We first showed developers what the infrastructure looks like and added it to their way of working rather than imposing it on them," Boru said.

Sonrai has already encouraged some collaboration between security and DevOps teams, and replaced Excel and SharePoint-based vulnerability lists that developers found difficult to relate to specific code, Boru said. If a problem is common to multiple apps, cloud engineers can use a bot to correct it.

"The bot lets us just fix it rather than having 10 people fix the same problem in 10 places," Boru said.

Amid the upheaval of both the cloud migration and a pandemic, which came with layoffs, the number of security incidents has held steady over the last year since World Fuel Services deployed Sonrai's tools, while the number of releases has risen 40%, Delisser said.

As the teams expand DevSecOps workflows, Boru said he hopes Sonrai will donate more code to open source beyond its remediation bots or allow for users to exchange modifications and integrations for Dig among themselves. A Sonrai rep said the company is considering opening policies and other aspects of the platform to community development.

"We'd like to engage more customer-to-customer and learn from each other rather than having Sonrai lead those talks," Boru said. "Engineers just want to directly build and use code and fix bugs."
