Identity-first Cloud Security
- Find and fix operational risks
- Automate governance and compliance
- Secure cloud data

Stack Identity Research Report
Transform IAM across your Clouds

Shadow Access is unauthorized, invisible or unmonitored access to cloud data, applications, and software.
Shadow Access is caused by toxic combinations of identities and permissions used to breach cloud environments and exfiltrate data.
AWS alone has 12,800 API connections with 13,800 permissions to access cloud data and services.

Our approach quickly revealed that cloud security demands a new approach to cloud IAM operations.
Continuously monitor all identities, cloud services and data
[Diagram labels: Identities, Machine, Cloud services, Data]
Prioritise, remediate and govern risks across all access and breach pathways

Create the foundation for Cloud IAM Operations
Consolidate all things access onto a single IAM data platform
Take control of your access and fix all your gaps across the security lifecycle:
Audit & Compliance – Data Security – IAM Governance
Key Use Cases
Continuous access monitoring of third party access
Detect and remove “Shadow Access Risks” in the Cloud
Rightsizing permissions and entitlements to cloud data (CIEM)
Automatic cloud permission and access drift detection (CAPM)
Automating quarterly cloud access audits
Identify and remove vulnerabilities in cloud datastores (DSPM)
Cloud Identity and Access Governance
Excessive Access:
An identity is granted a set of permissions initially, but in practice it uses only a subset of them.
• Full admin permissions are given to an identity, but it only performs management operations on specific resources
• Read/write access is given to an identity, but it only uses read access
Unsafe Access:
• MFA not enabled for a user with admin permission
• Login/access attempts from an IP blacklist
• A role assumed from a compute instance that is directly exposed to the internet or is running vulnerable software
• An administrator with a large amount of powerful access (a wide scope of resources)
• A password not rotated in last
Unused Access:
An identity is granted a set of permissions initially, but it never exercises some or all of them.
• Full admin permissions are given to an identity, but it never carries out any management operations
Invisible Access:
An identity can assume a role and thereby obtain a different set of permissions to resources in the environment, so its effective access is not visible on the identity itself.
• An identity can log in to a compute instance and run an application that assumes a role with different permissions attached to it
Privileged Access:
Privileged Access is a term used to designate special access or abilities above and beyond that of a standard user. Privileged Access can be associated with human users as well as non-human users such as applications and machine identities.
• An identity that has admin permissions or management permissions
• An identity is authorized to assume a role that has higher privileges/permissions associated with it
• An identity with read access to a resource can assume a role that gives it read/write access to that resource
• An identity with no access to a resource can assume a role that gives it read/write access to that resource
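The five categories above can be evaluated mechanically from an identity inventory plus an access log: compare what each identity holds against what it actually used, check MFA on admins, and follow assumable roles to find privilege that is not visible on the identity itself. The script below is an added example and not Stack Identity code; the inventory, role catalogue and access events are constructed sample data, and the field names (`granted`, `admin`, `mfa`, `assumable_roles`) are assumptions rather than any cloud provider's API.

```python
"""Classify identities against the Shadow Access categories on this page.

Added example (not Stack Identity code). All data below is constructed;
the record layout is an assumption, not a real cloud provider schema.
"""
from collections import defaultdict

# Constructed inventory: one record per identity.
IDENTITIES = {
    "deploy-bot": {
        "type": "machine",
        "granted": {"s3:GetObject", "s3:PutObject", "s3:DeleteObject"},
        "admin": False,
        "mfa": None,                       # not applicable to a machine identity
        "assumable_roles": ["data-admin"],
    },
    "alice": {
        "type": "human",
        "granted": {"*"},                  # full admin grant
        "admin": True,
        "mfa": False,
        "assumable_roles": [],
    },
    "auditor": {
        "type": "human",
        "granted": {"s3:GetObject", "s3:ListBucket"},
        "admin": False,
        "mfa": True,
        "assumable_roles": [],
    },
}

# Constructed role catalogue: what an identity gains by assuming each role.
ROLES = {
    "data-admin": {"granted": {"s3:*"}, "admin": True},
}

# Constructed access events, in the spirit of a cloud audit log.
EVENTS = [
    {"identity": "deploy-bot", "action": "s3:GetObject"},
    {"identity": "deploy-bot", "action": "s3:GetObject"},
    {"identity": "auditor", "action": "s3:GetObject"},
    {"identity": "auditor", "action": "s3:ListBucket"},
]


def used_actions(events):
    """Map identity name -> set of actions it actually performed."""
    used = defaultdict(set)
    for ev in events:
        used[ev["identity"]].add(ev["action"])
    return used


def classify(identities, roles, events):
    """Return identity name -> list of Shadow Access categories that apply."""
    used = used_actions(events)
    findings = {}
    for name, ident in identities.items():
        tags = []
        granted = ident["granted"]
        seen = used.get(name, set())
        # Unused access: permissions were granted but never exercised at all.
        if not seen:
            tags.append("unused")
        # Excessive access: the identity is active but exercises only a proper
        # subset of what it holds (a "*" grant always counts as excessive).
        elif "*" in granted or seen < granted:
            tags.append("excessive")
        # Unsafe access: an admin identity that can log in without MFA.
        if ident["admin"] and ident["mfa"] is False:
            tags.append("unsafe")
        # Privileged access: admin directly, or admin reachable via a role.
        reachable_admin = any(roles[r]["admin"] for r in ident["assumable_roles"])
        if ident["admin"] or reachable_admin:
            tags.append("privileged")
        # Invisible access: an assumable role grants more than the identity's
        # own policy shows, so the effective access is hidden from a direct review.
        if any(not roles[r]["granted"] <= granted for r in ident["assumable_roles"]):
            tags.append("invisible")
        findings[name] = tags
    return findings


def rightsizing_candidates(identities, events):
    """Permissions that active identities hold but never used (CIEM input)."""
    used = used_actions(events)
    out = {}
    for name, ident in identities.items():
        seen = used.get(name, set())
        unused = ident["granted"] - seen
        if seen and unused and "*" not in ident["granted"]:
            out[name] = unused
    return out


if __name__ == "__main__":
    for ident, tags in classify(IDENTITIES, ROLES, EVENTS).items():
        print(f"{ident}: {', '.join(tags) or 'no findings'}")
    print("rightsizing:", rightsizing_candidates(IDENTITIES, EVENTS))
```

On the sample data, `deploy-bot` is flagged as excessive, privileged and invisible (it only reads, but holds write and delete and can assume an admin role), `alice` as unused, unsafe and privileged (an idle full admin without MFA), and `auditor` gets no findings. Wildcard grants are treated as excessive whenever the identity is active, because an audit log cannot prove that "*" was needed.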