Anima Educação is a National Leader in Education in Brazil
With approximately 390,000 students and 18,000 educators, Anima Educação is one of the largest private higher education organizations in Brazil. The company’s mission is to build a national network of educational institutions committed to quality, innovation, and assessment of the learning process that is integrated with the regional culture. Anima’s activities are divided into two segments: higher education and vertical management. Founded in May of 2003, Anima Educação is based in Sao Paulo, Brazil.
Carlos Silva is one of three cloud security engineers among a team of 15 security professionals at Anima Educação. Silva joined Anima through the 2020 acquisition of the Brazilian assets of Laureate Group. Anima Educação has grown significantly through acquisition in recent years and is now undergoing a digital transformation which includes moving all its servers and applications into the cloud. Most of the servers are on AWS but there are some on GCP and Azure as well.
Anima Needed a New Cloud Security Platform
“Our main challenge is with AWS because we have about 30 accounts on this platform,” says Silva. “Many people have access to these accounts and the security team needs to see what is happening. We have a mix of technologies – VMs, containers, serverless – and we need a single security solution to see all the cloud accounts, workloads, and security issues.”
The company previously used a well-known vendor in the cloud security space, but the security team began investigating other security tools that could better meet their needs. Several requirements were top of mind as they looked at alternative tools. Most important was the ability to see their entire cloud environment and all their accounts in one platform. Another important need was to consider the company’s DevSecOps process and the opportunity to run scans on their Azure pipeline to make sure that any issues they uncover feed back into the process for remediation before they make it into a production build.
Orca Security Was a Standout Among Other Cloud Security Tools Anima Tested
The team tested over 5 different solutions. After discussions with the Orca Security sales team, Silva arranged for a Proof-of-Concept project in their environment. “The Orca representatives showed us all the features we needed so that we could choose the right solution. The PoC convinced me that the Orca Platform is the best for us,” he says.
With no agents to install, the deployment process was quick and easy, and Orca works across all three cloud platforms in use at Anima Educação. “I think what I like best about Orca is the ability to check for vulnerabilities,” says Silva. “That’s very important to us. We’ve also found the malware scanning and identification to be very valuable. Orca alerted us to malware in a WordPress instance, which allowed the team to quickly isolate and remediate it.”
Orca’s Range of Capabilities Prove It’s the Right Solution for Anima
With the private information of nearly 400,000 students and educators at stake, Anima Educação is especially attuned to cloud compliance with regulatory requirements around data privacy. The company makes every effort to comply with the Brazilian General Data Protection Law, known as the Lei Geral de Proteção de Dados Pessoais (LGPD). This law is similar to, though slightly different from, the General Data Protection Regulation of the European Union. Anima Educação was recently recognized as a leader in compliance through the Finance & Law Summit Awards 2022. “It’s important that Orca support our efforts toward privacy compliance,” says Silva. “The built-in cloud compliance frameworks help us with that.”
Silva also finds the Orca Security Score very helpful when discussing security with his Board of Directors. The score is found on Orca’s Risk Dashboard and is updated daily. Essentially, it is a composite measure of a set of data-driven performance metrics in the areas of suspicious activity, IAM misconfigurations, data at risk, vulnerable assets, and responsiveness to risks. The Orca Security Score enables Anima Educação to track its own progress as well as benchmark its cloud security performance against other companies and across business units within the organization.
“The Orca Security Score helps me demonstrate the value of the platform and how effective it is in helping us avoid issues on our cloud.”
Carlos E. Silva
Cloud Security Engineer
In addition to the Security Score, the Risk Dashboard is a great place for the team to get other important security information and details on the company’s security posture from a single view. “The dashboard is very useful to us because in Prisma, we didn’t have this kind of visibility. With that product we had to export the data into a business intelligence tool to get meaningful information,” says Silva. “With Orca, all the information is simply there on the dashboard.”
He also appreciates the API inventory feature of Orca. “We had some issues inventorying all of our URLs and APIs and on the Orca platform, we can see if a resource and corresponding APIs are exposed to the Internet. It’s so convenient because it’s all in one place,” according to Silva.
The security team uses Orca’s Attack Path Analysis when they feel they need it. This is a visual representation of an attack path, along with detailed information on each step within the chain. Orca assigns an overall score to each attack path which is based on multiple factors found within the path such as the underlying severity of a specific vulnerability and its accessibility, lateral movement risk, and business impacts.
Orca has several crucial integrations that help the security team advance threat detection and remediation activities. They are currently evaluating SIEM solutions, and once a tool is chosen and deployed, data from the Orca scans will feed into the SIEM for broader analysis of threats. The company uses ServiceNow as its ticketing system and workflow for resolution of issues that Orca uncovers. Orca’s out-of-the-box integration with ServiceNow makes getting data into the system a simple process.
“Orca is ahead of other security platforms in terms of technical capabilities, ease-of-use, and the documentation. We made the right decision to make Orca our security platform of choice.”
Carlos E. Silva
Cloud Security Engineer
Orca supports Anima Educação’s DevSecOps processes by providing context-aware Shift Left Security for cloud infrastructure and applications. This enables DevOps teams to understand the potential impact of security issues on cloud application production environments and fix those issues earlier in the software development lifecycle (SDLC). It also provides the security team with automated remediation to prevent security issues from progressing across the SDLC.
“Orca gives us more capabilities and coverage into risks than our previous solution gave us,” says Silva. “We really like the roadmap of where this product is headed.”