[Tenable Cloud Security] gets more out of the raw data than the others can – the platform is very, very good at analyzing, at giving insights… providing information we can act on. For me, that was key.
Key Business Needs:
Bilfinger sought a unified security approach for its complex and fast-growing multi-cloud (AWS, Azure) infrastructure, to curb identity and entitlement risk and to reduce the manual hours spent managing compliance.
After seeking a solution with multi-cloud visibility across stakeholders (IAM, Center of Excellence, IT Security), least privilege and automated compliance, Bilfinger deployed Tenable Cloud Security, a comprehensive CNAPP with market-leading CIEM.
Bilfinger gains visibility into resource risk and what to do about it using Tenable Cloud Security
Bilfinger understood that securing its rapidly growing Azure and AWS environments required an approach different from the on-prem security it was familiar with. According to Bilfinger Tribe Lead Business Solutions Andreas Pfau, they wanted to “...avoid the same mistakes as 10 years ago. We wanted to build unified cloud security from day one – to do it right from the start.”
About one and a half years into its major migration, Bilfinger realized it needed to improve security around identities and entitlements. Said Pfau, “Our cloud infrastructure was getting more and more complex – we wanted to understand our identities better. Due to tight schedules, we were overprovisioning permissions and not always later revoking them; we knew we had overprivileged accounts, some hidden.” The organization also sought to better secure its growing number of Azure subscriptions, avoid manual hours spent on certain cloud risk detection processes and achieve transparency into its global multicloud operation.
A key goal was to automate least privilege access; compliance requirements – GDPR in particular – were another concern. At a strategic level, Bilfinger wanted an independent view into risk to complement its internal risk assessment efforts.
Thomas Lützel, Service Owner of Identity & Authentication Services at Bilfinger [whose LinkedIn motto states: “Identity securely holds the cloud together”], recalls: “I learned of [the solution] and told Andreas we should do a PoC.” Added Pfau: “Security was top of mind for our IAM team – they felt they could secure IAM more successfully with a tool like Ermetic [now Tenable Cloud Security].”
Pfau continued: “Our team evaluated several vendors. We found an array of marketing material, and it was obvious some vendors don't know what CIEM means, and how it should be done. Also, assessing and comparing a CIEM solution is difficult because it’s a new technology, a new way of thinking. All competing products, including cloud provider native tools, are using the same raw data from the API. On the other hand, this levels the playing field. [Tenable] showed it gets more out of the raw data than the others can – the platform is very, very good at analyzing, at giving insights. For me, that was key.”
Today, three different teams at Bilfinger are using Tenable Cloud Security on a day-to-day basis:
- IAM team (manages identities and access, including cloud)
- Cloud Center of Excellence (handles cloud services operationally and architecturally, and lends cloud expertise to the business units)
- IT Security (responsible for cloud security posture and compliance overall)
Explained Pfau, “From my perspective, these three Bilfinger teams reflect the three pillars of cloud security that the platform is providing: IAM security, cloud expertise as a main asset, and overall cloud posture security and compliance. [Tenable Cloud Security] is an independent tool giving us overall transparency and deep, unified insight into our cloud architecture across both Azure and AWS, into the accounts of multiple tenants, subscriptions and whatever is in their identities.
“[Tenable Cloud Security] sees across our entire cloud infrastructure and generates an inventory of all our cloud assets,” said Pfau. “We also found the platform to be much farther along in development and usefulness than comparable products. The [Tenable Cloud Security] risk analysis engine doesn’t just collect data; it analyzes the data and gives us information we can act on.
“[Tenable Cloud Security] is providing a very clean, straightforward view into access usage – not just at the permissions level but actual use. With [the solution] we can easily see when a permission is ‘over the top’ – maybe we were correct at the time in thinking a certain account or group needed it but [Tenable Cloud Security] shows it’s not needed because, for example, a permission hasn’t been used in six months.”
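The usage-based right-sizing Pfau describes (compare what a principal is granted with what it has actually exercised, and flag anything idle for six months) is simple to reason about once entitlements and last-used timestamps are in one table. The following is an added example, not code from Tenable Cloud Security or Bilfinger; it assumes a constructed, flattened view of granted actions per principal (AWS-style and Azure-style action strings mixed deliberately, since the approach is cloud-agnostic) and a constructed map of when each (principal, permission) pair was last seen in use, as one might reconstruct from CloudTrail or the Azure Activity Log. Permissions with no usage record at all are reported separately from permissions that went stale, because "never used" is usually the stronger finding.

```python
from datetime import datetime, timedelta

# The "six months" heuristic quoted in the case study.
UNUSED_THRESHOLD = timedelta(days=180)
# Fixed reference date so the output is reproducible (constructed).
REFERENCE_DATE = datetime(2024, 5, 22)

# Constructed sample: entitlements granted to each principal. Assumption: role
# assignments / policy statements have already been flattened to action names.
GRANTED = {
    "svc-cad-pipeline": {"s3:GetObject", "s3:PutObject",
                         "s3:DeleteBucket", "iam:PassRole"},
    "grp-cloud-coe": {"Microsoft.Compute/virtualMachines/read",
                      "Microsoft.Compute/virtualMachines/write",
                      "Microsoft.Authorization/roleAssignments/write"},
}

# Constructed sample: last observed use of each (principal, permission) pair.
# A missing entry means the permission was never seen in use in the log window.
LAST_USED = {
    ("svc-cad-pipeline", "s3:GetObject"): datetime(2024, 5, 20),
    ("svc-cad-pipeline", "s3:PutObject"): datetime(2024, 5, 19),
    ("svc-cad-pipeline", "s3:DeleteBucket"): datetime(2023, 9, 1),
    ("grp-cloud-coe", "Microsoft.Compute/virtualMachines/read"): datetime(2024, 5, 21),
    ("grp-cloud-coe", "Microsoft.Compute/virtualMachines/write"): datetime(2024, 5, 15),
}


def classify_permissions(granted, last_used, now, threshold=UNUSED_THRESHOLD):
    """Split each principal's grants into 'keep' (recently used) and 'unused'.

    'unused' maps permission -> days idle, or None when never observed in use.
    """
    report = {}
    for principal, perms in granted.items():
        keep, unused = set(), {}
        for perm in sorted(perms):
            ts = last_used.get((principal, perm))
            if ts is None:
                unused[perm] = None            # never used: strongest finding
            elif now - ts > threshold:
                unused[perm] = (now - ts).days  # granted but stale
            else:
                keep.add(perm)                 # exercised within the window
        report[principal] = {"keep": keep, "unused": unused}
    return report


def right_sized_policy(report, principal):
    """The remediation step: the permissions that survive after pruning."""
    return sorted(report[principal]["keep"])


def findings(report):
    """One human-readable line per removal candidate, e.g. for a ticket."""
    lines = []
    for principal, r in sorted(report.items()):
        for perm, idle in sorted(r["unused"].items()):
            age = "never used" if idle is None else f"unused for {idle} days"
            lines.append(f"{principal}: {perm} ({age}) -> candidate for removal")
    return lines


def build_report(now=REFERENCE_DATE):
    """Run the classification over the constructed sample data."""
    return classify_permissions(GRANTED, LAST_USED, now)


if __name__ == "__main__":
    rep = build_report()
    print("\n".join(findings(rep)))
    for principal in GRANTED:
        print(principal, "->", right_sized_policy(rep, principal))
```

Two design choices matter in practice: the threshold is a parameter rather than a constant buried in the loop, because a break-glass or disaster-recovery role legitimately goes unused for longer than six months and needs a different window; and the output separates "stale" from "never used", since a permission that was granted under schedule pressure and never exercised is exactly the hidden overprovisioning the case study describes, and is the lowest-risk one to revoke first.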
How Bilfinger is using Tenable - Use cases
- Multicloud asset management and visibility
- Risk insight into identities and permissions including third party
- Remediation of excessive privileges
- Cloud governance process for cloud identities
- Continuous monitoring of network security, Internet exposure, misconfigurations
- Reporting and compliance audit
- Least privilege enforcement for zero trust (soon)
- Threat detection (soon)
Bilfinger's cloud infrastructure
- Microsoft Azure (hundreds of subscriptions), for main business applications and services, with Azure Active Directory as IdP
- AWS for virtual CAD workloads and others
- Security audit by internal team and 3rd party vendor
- Internal team performing compliance audit and addressing findings/security gaps
ROI and next steps
“[Tenable Cloud Security] is important in giving us a different angle, an outside-in view, acting as an independent advisor that gives insights into what we’re doing,” said Pfau. “The platform is adapting all the time, so it teaches us about current situations in the cloud, use cases and threats. While we were initially focused on solving our cloud identities and identity governance needs, [the solution]’s cloud security posture management is a bonus and fits well with our strategy of how to go forward.
“Our immediate goal is to standardize on [Tenable Cloud Security] for security scanning and acting more on its findings. We will be integrating [Tenable Cloud Security] much more into our operational day-to-day processes. Specifically, we will be integrating its policy remediation recommendations through more ticketing – to drive [the solution] as a platform for change. We want to ticket to different teams, SOC and others, so each manages security in their own area.
“We also seek to implement [the solution] insights into a PDCA circuit (Plan-Do-Check-Act continuous improvement, now a requirement of ISO 27001:2013). That is, we will use [Tenable Cloud Security] to reduce privileges and rein in overprivileged provisioning and then check that it’s been done. When you close a privileged account or even split roles because one role is overprivileged, you’ve effected change – we will put this complete PDCA chain in place and use [Tenable Cloud Security] to execute on it.”
“My advice,” summed up Pfau, “is to not be afraid when [Tenable Cloud Security] finds mistakes or tells you something is not done well or is a high risk. A tool like [this] can help speed up iterations so you learn faster and get a different perspective. In the fast-changing cloud platform world you need feedback loops that are internal and external – mirrors reflecting what you’re doing. [Tenable Cloud Security] provides an external feedback loop with fast insight that you can use to accelerate remediation and make incremental security improvements.
“At the end of the day, [Tenable Cloud Security] is giving us transparency that informs us about our cloud infrastructure and risks to our resources, and what to do about it. We’re just two clicks away from seeing and acting on what is really going on – and that’s creating a lot of value for us.”