CASE STUDY

Open Raven + Sauce Labs

Using Open Raven, Sauce Labs is able to execute a data-centric approach to cloud security, restoring visibility and control amid an explosion of sensitive data from their customers, their own business growth, and acquisitions.

Sauce Labs is the provider of the world’s largest cloud-based platform for live, automated, and continuous testing of web & mobile applications, including the renowned testing automation tool, Selenium. Serving customers from all industries (financial services, banking, healthcare, etc.), Sauce Labs must maintain a secure environment in which organizations can confidently use the testing platform without fear of a breach. Chief Security Officer (CSO) Justin Dolly discusses how Open Raven helped overcome challenges faced in cloud data security amidst business growth, acquisitions, and an explosion of customer data.

“When it comes to establishing a data-centric approach to cloud security, I need visibility into everything. Our data is our biggest target.”
— JUSTIN DOLLY, CSO, SAUCE LABS

Challenges in cloud data security

We asked Justin what his biggest priority for 2021 is, and security was the answer. To elaborate, he went into detail on 3 major areas of cloud data security. Here’s what he had to say:

CHALLENGE

Keeping pace with the business

“There’s no choice but to move to the cloud. Devs just started using the cloud to be more nimble and to be ‘technology first’ and no one asked security/IT about it in advance, leaving those teams to catch up. It’s inevitable that almost everything ends up in the cloud.”
“Customers will continue to demand more integrations and more flexibility in services, and we must be able to satisfy those demands...”
“Traditional methods don’t address the biggest issue, the data. Identity and endpoints (etc.) are good, but making sure that the security program is data-centric and data-focused is critical.”

SOLUTION

Like Google Maps for your data

Cloud data security, compliance, and control start with visibility across your cloud estate. “Open Raven gives us that confidence that we know what we know, across AWS.” See where your data lives. Easily answer questions about your data: regulated, customer, IP, and developers’ secrets. Use default or custom classes to see and understand the relationships between your infrastructure and data.

CHALLENGE

Loss of visibility

“From protecting customer data to the ingestion of technology and data via integrations, there is a lot of risk to manage, and it’s not easy.”
“Data has never been more mobile than it is right now...lots of folks feel like they’ve got less control and visibility into their environments. It’s challenging to build their confidence in the security of the data that they have. You have to constantly ask yourself, ‘Where is it? Where is it going? Who has access to it?’ Important questions. And, the breaches continue. Data is the biggest target.”

SOLUTION

Finding exposed data

There are many tools and services for on-prem environments, or for privacy teams and data scientists, but virtually none built exclusively for security and cloud teams. For Sauce Labs, the difference was night and day: “With Open Raven I can literally just select all AWS accounts and look for those parameters and it’s right there in the view. It shows you right there on a map.”

CHALLENGE

Scoping data risk

Justin described the struggles faced in managing the risk of data management in general. “The challenge is large enough on its own, and can only be exacerbated by acquisitions and the challenges inherent in a growing business. The challenge is vast whether the data is unencrypted or not, and whether it is backed up or not. It’s difficult to gauge the scope of this challenge. As you can imagine, it would be hard to go ‘door to door’ to find out what we need to know. To get this visibility, it took us a very long time to scan and gather the data we needed.” He went on to describe the massive gap in tools for cloud security teams to do what they need, easily, “you literally get on the phone and go person to person to attempt to find out what you need to know, and they won’t have all the answers... being able to look for all sensitive data types is incredibly useful to discover, as you may not have any other way to know that it’s actually there.”

SOLUTION

Automating business rules

From visual mapping to data classification and monitoring at petabyte scale, we restore visibility and control to cloud and security teams while automating otherwise time-consuming compliance efforts. As Justin put it, “Once I know what my environment looks like, I can ensure that my team and I are systematically notified if it changes.”

“The term ‘single pane of glass’ gets thrown around an awful lot, but my team was saying Open Raven is great because of the ‘ubiquitous view across the AWS org...they can get everything in a click.’”
— JUSTIN DOLLY, CSO, SAUCE LABS

Looking forward

Having restored confidence in the security of the data, Sauce Labs’ security teams are able to maintain pace with the business, with less time and fewer resources than before. In addition, Justin noted that many of their clients, Sauce Labs included, know that more regulatory changes are coming and that the threat landscape is always moving. However, the flexibility and power of the Open Raven platform engender confidence for the long term. “Open Raven easily provides me with a level of granularity to be able to adjust to future, undefined changes.”

Key use cases

Inventory cloud data and assets:

Visualize and track your data and infrastructure, bringing CMDBs and SIEMs up to date with your cloud

Monitor sensitive data, access and flows:

Track where sensitive data sits, who has access, and how it can flow across VPCs and regions

Prevent data exposure:

Automate finding leaks of developer secrets, customer data, and other data types at scale – without breaking your budget

Automate privacy operations:

Dynamic, accurate data inventory with default reports for regulations and monitoring rules flexible enough to match custom needs

Enforce cloud and data security policies:

Off-the-shelf policies for standards such as CIS Benchmarks, or write your own rules using policy as code (OPA-based)
