The global pandemic has forced many businesses to turn to the public cloud and its ability to support a remote and distributed workforce. However, moving to the cloud has exposed companies to compromises and cyberattacks against which most of them were unprepared to defend. Many of those problems can be attributed to one of the most basic tenets of cybersecurity: protecting identities and managing entitlements.
Research giant Gartner acknowledges that properly protecting identities and managing entitlements is one of the last remaining barriers to cloud adoption and is recommending that organizations tackle the risks of the cloud consciously.
Ermetic, a cloud security services vendor, aims to bring that consciousness to cloud infrastructure by solving the securing identities and managing entitlements conundrum and ultimately changing the way organizations secure interactions with the cloud. What’s more, Ermetic goes above and beyond to bring forth granular, least-privilege policies to organizations that seek to properly secure cloud interactions.
A closer look at Ermetic
Ermetic uses a SaaS (software as a service) platform to inject security into cloud infrastructure by resolving the most critical issues with identity and entitlements. Simply put, compromised identities and improperly assigned entitlements are the root cause of most breaches and attacks. If an organization lacks certainty in who is accessing what and why, that organization lacks effective protection of cloud services.
Ermetic is all about establishing the concept of least privilege access across the cloud infrastructure environment, a concept that culminates in only allowing vetted and authorized users to access the absolute minimum of resources they need to perform legitimate tasks. As a concept, it establishes granular control over access, brings full visibility to secure interactions and prevents dreaded unauthorized account elevations.
Ermetic accomplishes the lofty goal of least privilege access using numerous advanced analytical tools that identify accounts, entitlements, applications and interactions. That level of analytics creates the metadata needed to create policies that leverage granular, least privilege access controls, and applies those policies across multiple applications, clouds and services.
Ermetic addresses the biggest risks to cloud infrastructure, such as excessive privileges and improper IAM entitlements. Solving those problems requires a teardown of the traditional security silos, which have failed to prevent the majority of cyber-attacks against cloud-based applications. Security silos are replaced with Ermetic’s unified security management system, which uses a platform approach to bring least privilege access policies to AWS, Azure and GCP. Ermetic fully interfaces with cloud services providers and brings both visibility and analytics to a centralized management paradigm that enables cybersecurity staffers to fully comprehend the security picture of entitlements, permission and access to cloud infrastructure.
Ermetic fully analyzes the policies and entitlements granted to human users and machine identities (compute resources), identifies the risks and creates new improved policies which can then be deployed into an environment automatically or through defined pipelines. Those new policies deliver on the concept of least privilege access in the cloud by ensuring that users and associated systems are only granted the lowest level of access to an application, which in turn can prevent insider attacks, privilege escalation, and lateral movement across cloud applications.
Hands on with Ermetic
Getting started with Ermetic proves straightforward, thanks to SaaS nature of the product. Ermetic offers integration with leading cloud providers, which eases the configuration process while also importing critical information to further speed adoption of the product. However, administrators should be keenly aware of how policies work and should have familiarity with enterprise applications, services and cloud providers.
At the start of the integration process, default IAM (identity and access management) policies are ingested by Ermetic and analyzed to calculate the effective access available to any human user or role (machine identity), as well as other contextual factors that impact risk, including network configuration and resource configuration. That analysis provides a basis to create new policies that enforce the concept of least (or lowest) privileged access.
IAM analysis incorporates a discovery process, which enables the product to build an understanding of what best practices should be employed to manage permissions for least privileged access. Discovery is extensive and takes into account metadata, such as account information, location, devices, time of access–and even machine-to-machine interactions.
Discovery, along with the associated analysis is what gives Ermetic a foothold in the definition of policies, which supports the goal of easing entitlements management. What’s more, Ermetic excels in identifying unused, unnecessary and high-risk entitlements, allowing those risks to be remediated immediately. It should be noted that entitlement management is one of the core principles of effectively protecting cloud resources. With that in mind, Ermetic incorporates anomaly detection along with privilege escalation and scenarios where a resource, such as a sensitive data store, is accessed either for the first time, or uncharacteristically based upon gathered information.
As mentioned above, Ermetic is all about entitlement management, something that is basically impossible without the context of the full stack. By discovering context, Ermetic is able to identify the level of risk associated with accessing resources. For example, gathering contextual information is a must to understand how data is stored, where the data is stored, the network segments connected to that data store and what resources or users have permissions to access a given data store. While that may be a simplified example of what occurs under the hood, it is illustrative of the complexity that Ermetic is able to overcome to generate relevant information to establish least-privileged access.
Visualizes information so admins can better understand it
What’s more, Ermetic is able to visualize that information so that administrators can better understand the intricacies of access. Administrators are able to view the effective access to resources from multiple perspectives, such as via a specific identity or an associated role. That proves to be quite useful for compliance, audits and other cyber functions that many administrators must now take on. Administrators are provided with a comprehensive view of who can access what, and what type of access the user or role has, as well as seeing the associated risk.
The context of access and resources helps to tear down security silos and gives administrators a holistic understanding of the identities, roles, resources in the environment. Problems such as excessive permissions, misconfigurations, publicly exposed resources, inactive identities, overprivileged third-party access and numerous other factors that contribute to increased risk can be quickly identified and remediated.
What’s more, Ermetic has the ability to monitor access events and associated data in real time, which brings forth several additional advantages. For example, Ermetic is able to correlate identities, data and resources into a unified management model, which solves the problem of sensitive data, applications and user access all being in their own management silos. In other words, the platform garners a comprehensive view of all of the elements that must be managed to understand effective access entitlements and mitigate risks.
Ermetic presents information using browser-based dashboards, which support full drill-down into access events, roles and identities while also giving administrators a real time view of the security posture of cloud applications. The product’s dynamic views help to lessen the load on DevOps by surfacing critical security elements, which has become a critical consideration for organizations leveraging agile development methodologies. The product also provides Terraform and Cloudformation templates, allowing policies to be updated as part of an organization’s CI/CD pipeline.
Beyond visibility, analytics, and dynamic policy enforcement, Ermetic also detects anomalies, such as those that indicate suspicious activity. Anomaly detection exposes behaviors, such as sensitive data access, privilege escalation, account tampering and so on. Ermetic supports compliance initiatives and monitors for violations, benefiting compliance initiatives. Additional support comes in the form of compliance reports, which offer detailed information on anomalies and other violations for auditing purposes.
All of those capabilities add up to a platform that can give full visibility into all human and machine identities, as well as data and compute resources, and it correlates that information with environmental context and activity logs to identify risks and generate new, secure policies.
Ultimately, Ermetic leverages automation to generate access policies that optimize security and then enforces those policies to eliminate excessive access and privileges. What’s more, those policies are built using the process of discovery and monitoring to identify appropriate access patterns and the sensitivity of the data.
Conclusions
Ermetic successfully brings forth a new security paradigm that goes well beyond legacy cloud security solutions. That security paradigm, which is built upon the concept of least privilege access, takes into account one of the most critical factors of cybersecurity, risky entitlements. Ermetic addresses poorly defined policies that govern permissions and access by helping organizations understand and reduce the level of risk involved with their users, devices, services and applications.
Frank Ohlhorst is a veteran IT product reviewer and analyst who has been an eWEEK regular for many years.