What is Cloud Infrastructure Entitlements Management (CIEM)
CIEM is the essential next step in your cloud security strategy. CIEM solutions constantly monitor  human and service identities, permissions, and activity. Applying analytics and machine learning, CIEM continuously analyzes risk and generates least privilege access policies.

Security and Compliance Management in One Platform

See how CloudDefense can help secure your data.
Start Free Trial
Start Free Trial

Excessive Permissions Can Bring Down an Application

One of the most underestimated risks to cloud infrastructure - and the hardest to find and fix  is misconfigured identities. By 2023, inadequate identities and privileges management will be the cause of 75% of cloud security failures [Gartner]. Traditional methods for determining least-privilege access are no longer keeping pace as organizations scale their cloud environments. Excessive permissions, along with the complexity and constant change of cloud infrastructure are an accident waiting to happen.

To successfully manage your cloud security posture, you need to go deep on identities. Ermetic helps organizations manage all their cloud entitlements, remove excessive permissions and reduce the attack surface.

Monitor multi-cloud and continuously enforce least-privileged access

The Cloud Infrastructure Entitlement Management (CIEM) module provides users with broad visibility into effective permissions, continuously monitors multi-cloud environments for risky and unused entitlements, and automatically makes least privilege recommendations. Users gain simple yet powerful insight into the net-effective permissions for every role – including those associated with an IdP provider – all seamlessly integrated into Prisma® Cloud.
Query permissions across users, compute instances, cloud resources and more
Monitor excessive and unused privileges
Automate remediation of overly permissive roles

Net-effective permissions

Rightsizing permissions

IdP integration

IAM entitlement investigation

Automated remediation

Our approach to Cloud Infrastructure Entitlement Management

Net-effective permissions

Gain comprehensive visibility into who can take what actions on which resources. CIEM is purpose-built to directly solve the challenges of managing permissions across AWS, Azure, and GCP. Prisma Cloud automatically calculates users' effective permissions across cloud service providers, detects overly permissive access, and suggests corrections to reach least privilege.

Manage multi-cloud entitlements from a single solution

Gain integrated multi-cloud capabilities delivered from Prisma Cloud that extend everything we do for Cloud Security Posture Management (CSPM) to cloud identities.

Implement pre-built policies

Leverage specialized out-of-the-box policies to detect risky permissions and remove unwanted access to cloud resources.

Audit permissions for internal compliance

Quickly audit cloud permissions with related user data, service data and cloud accounts.

Rightsizing permissions

Specialized out-of-the-box policies detect risky permissions and help remove unwanted access to cloud resources. Automatically detect overly permissive user access, and then leverage automated recommendations to rightsize them to achieve least-privileged access.

Detect overly permissive policies

Remove unwanted access to cloud resources by automatically detecting overly permissive access policies.

Implement pre-built policies

Use out-of-the-box policies to detect public access, use of wildcards, risky permissions and more.

Automated recommendations

Use automated recommendations to achieve least privilege permissions.

IAM entitlement investigation

Query all relevant IAM entities, including all the relationships among different entities and their effective permissions across cloud environments. Understand which user can take what actions on which resources on which cloud. Turn queries into custom cloud-agnostic policies and define remediation steps as well as compliance implications.

Investigate IAM entitlements

See real-time and historical data to understand IAM activity and entitlements.

Query data to get the full picture of user activity

Gain a detailed view of suspicious activity as well as connected accounts and resources.

Query data specific to identity providers

Discover overly permissive roles of IdP users and correlate results with cloud identities, such as IAM users and machine identities.

IdP integration

Integrate with identity provider (IdP) services like Okta and Azure AD to ingest single sign-on (SSO) data. View effective permissions and overly permissive roles of IdP users, and correlate results with cloud identities, such as IAM users and machine identities.

Leverage integrated support for IdP Services

Ingest single sign-on (SSO) data for an effective permissions calculation and list the effective permissions of IdP users across multi-cloud accounts.

Query data specific to identity providers

Discover overly permissive roles of IdP users and correlate results with cloud identities, such as IAM users and machine identities.

Turn queries into cloud-agnostic policies

Easily build custom guardrails for IdP users by turning RQL queries into IAM security policies with specific compliance and remediation implications.

Automated remediation

Automatically adjust permissions and continuously enforce least-privileged access. Send alert notifications to 14 third-party tools, including email, AWS Lambda and Security Hub, PagerDuty®, ServiceNow® and Slack®.

Activate automated remediation for over-privileged users

Get suggestions for ideal permissions levels for any cloud user from Prisma Cloud.

Support for 14 common integrations

Seamlessly integrate Prisma Cloud alerting with your existing alert management tools with built-in support for 14 third-party tools.

Remediation playbooks

Leverage custom Cortex® XSOAR playbooks for Prisma Cloud and easily operationalize advanced security orchestration capabilities.

CloudDefense Cloud Infrastructure Entitlements Management

Get Deep, Multicloud Visibility

Leverage CloudDefenseAi's technology integrations to forward alerts to email, PagerDuty, OpsGenie, or Slack, automate ticketing with Jira or ServiceNow, and much more.

Understand the Attack Surface

Assess & prioritize risk across human and service identities, network configuration, data and compute resources

Automate Remediation

Mitigate risky privileges and faulty configurations through integration with ticketing, CI/CD pipelines, and IaC

Enforce Policies and Shift Left

Define and enforce automated guardrails for access permissions and resource configuration, from dev to production.

Detect Anomalies

Detect suspicious behavior and configuration changes with continuous behavioral analysis and alerts

Comply with Standards

Audit inventory and ensure compliance with CIS, GDPR, SOC2, NIST, PCI DSS, HIPAA, ISO and more