Israeli cloud access-risk security company Ermetic announced on May 6 an analytics-based solution that prevents cloud data breaches by automating the detection and remediation of identity and access risks in Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) offerings from Amazon, Google and Microsoft. The company recently raised $10M in financing from Glilot Capital Partners, Norwest Venture Partners and Target Global.
According to research firm Gartner, 99% of cloud breaches occur due to human errors such as configuration mistakes. For example, at last count there were more than 2500 IAM (identity and access management) permissions in AWS. They apply to users, devices, applications, services and more. This complexity makes manual management of access policies in IaaS and PaaS infrastructures virtually impossible.
“Monitoring and managing cloud security risks associated with human identities is a big challenge on its own, but reducing the attack surface created by machine accounts is manually unfeasible,” said Gerhard Eschelbeck, former CISO for Google. “Ermetic has developed a very precise and scalable approach that uses data science-based automation to solve this problem and give control back to the organization.”
Untangling Cloud Access Risks
The analytics-based Ermetic platform automatically discovers all human and machine identities in the cloud, and analyzes their entitlements, roles and policies using a continuous lifecycle approach. This full stack visibility enables Ermetic to provide the following advantages:
- Detect permission gaps between privileges that should be maintained and those that should be revoked
- Map and decouple complex, overprivileged relationships between identities and roles, and generate turn-key policy changes that remediate cloud access risks
- Analyze all access activity to detect and alert on privilege escalation, suspicious access and data deletion indicative of credential theft or abuse
“Monitoring and managing cloud access risk is challenging and becomes even more complex over time as users and applications accumulate permissions that far exceed their technical and business requirements, resulting in vulnerabilities that hackers can actively exploit,” said Shai Morag, CEO of Ermetic. “Using analytics and automation, Ermetic eliminates the manual effort and costs associated with determining the precise permissions necessary for each user, service or application in complex environments like AWS, Microsoft Azure and Google Cloud.”
End-to-End Automation for Reducing Access Risk
Ermetic eliminates manual-effort roadblocks to enforcing least privilege, reduces the cloud attack surface and improves security posture across IaaS and PaaS infrastructures by providing the following capabilities:
- Discovers all human and machine identities, data and compute resources, policies and permissions.
- Analyzes all access policies to identify all entities that can access a resource, access logs to determine which permissions are used, and activity to model and identify risks while ensuring business continuity.
- Eliminates excessive access and privileges based on actual access patterns and data sensitivity to automate centralized least privilege policy enforcement.
- Monitors all access activities to detect and alert on suspicious behavior such as sensitive data access, privilege escalation and deletion, and unusual resource access.
- Generates access policy recommendations for DevOps that optimize security while supporting end user productivity through integration with leading CI/CD tools such as Slack, Jira, ServiceNow, Jenkins, Terraform, Ansible, Chef and Puppet.
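The permission-gap analysis the capabilities above describe (actions granted by a policy compared against actions actually seen in access logs, then a tightened policy generated), as an added Python example that is not Ermetic's code; the IAM policy, the CloudTrail-style events and the eventSource-to-service-prefix mapping are constructed assumptions:

```python
import fnmatch
# Constructed sample IAM policy attached to one role (assumed input, not real data).
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*", "iam:PassRole"], "Resource": "*"},
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
    ],
}

# Constructed CloudTrail-style events for that role. S3 object-level calls such as
# GetObject only reach CloudTrail when data-event logging is on; without it this
# analysis would wrongly report s3:* as unused and recommend revoking it.
EVENTS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject"},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject"},
    {"eventSource": "s3.amazonaws.com", "eventName": "ListBucket"},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances"},
]

def allowed_actions(policy):
    """Collect every Action string granted by the policy's Allow statements."""
    acts = set()
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        action = st["Action"]
        acts.update([action] if isinstance(action, str) else action)
    return acts

def used_actions(events):
    """Map eventSource/eventName to IAM 'service:Action'. Assumes the eventSource prefix
    equals the IAM prefix (true for s3/ec2, not all services; CloudWatch is 'monitoring')."""
    return {f"{e['eventSource'].split('.')[0]}:{e['eventName']}" for e in events}

def permission_gap(policy, events):
    """Split granted actions into exercised and never-used (IAM matches names case-
    insensitively). Exercised wildcards such as s3:* are flagged: still over-privileged."""
    allowed, used = allowed_actions(policy), used_actions(events)
    used_lc = {u.lower() for u in used}
    exercised = {a for a in allowed
                 if any(fnmatch.fnmatchcase(u, a.lower()) for u in used_lc)}
    return {"used": sorted(used), "unused": sorted(allowed - exercised),
            "wildcards_to_narrow": sorted(a for a in exercised if "*" in a)}

def least_privilege_policy(policy, events):
    """Replacement policy granting only the actions actually observed in the logs."""
    return {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
            "Action": permission_gap(policy, events)["used"], "Resource": "*"}]}
```

On the constructed input this flags iam:PassRole as never used and both wildcard grants as candidates for narrowing, and emits a policy restricted to the three observed actions.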
Best Practice & Benchmark Auditing
- Performs routine assessment of configurations across cloud environments, automatically compares findings to leading compliance benchmarks and alerts on deviation from best practices.
Ermetic was founded by Shai Morag (CEO), Sivan Krigsman (Chief Product Officer), Arick Goomanovsky (Chief Business Officer) and Michael Dolinsky (CTO). They have previously built successful enterprise security companies including Aorato (acquired by Microsoft), Secdo (acquired by Palo Alto Networks) and Sygnia (acquired by Temasek). All four began their careers in cyber intelligence roles with the Israeli military.