Abstract: A cloud security control platform and method enforces security controls across multiple cloud environments, services and disparate teams while providing a frictionless “Permissions on Demand” mechanism for approvals and exceptions. In contrast to the prior art, security is evaluated on a permission by permission basis, with the default being that all permissions are denied and then only given to a particular identity on an as-needed basis. This approach reduces the security risks associated with the vast capabilities available in Public Cloud environments and permits an organization that uses the platform to grant access, approve exceptions and delegate approvals with the appropriate compliance.

Abstract: A network-accessible service provides an enterprise with a view of identity and data activity in the enterprise's cloud accounts. The service enables distinct cloud provider management models to be normalized with centralized analytics and views across large numbers of cloud accounts. Using a domain-specific query language, the system enables rapid interrogation of a complete and centralized data model of all data and identity relationships. The data model also supports a cloud “least privilege and access” framework. Least privilege is a set of minimum permissions that are associated to a given identity; least access is a minimal set of persons that need to have access to given piece data. The framework maps an identity to one or more actions collected in cloud audit logs, and dynamically-build a compete view of an identity's effective permissions. The resulting least privilege and access policies are then applied natively to a given cloud environment to manage access.

Abstract: A network-accessible service provides an enterprise with a view of identity and data activity in the enterprise's cloud accounts. The service enables distinct cloud provider management models to be normalized with centralized analytics and views across large numbers of cloud accounts. Based on identity and audit data received from a set of cloud deployments, and according to a cloud intelligence model, a set of permissions associated with each of a set of identities are determined. For each identity, and based on a set of identity chains extracted from the cloud intelligence model, a set of identity account action paths (IAAPs) are then determined. An IAAP defines how the identity obtains an ability to perform a given action in a given account. Using the identity account action paths together with context information, one or more roles, groups and accounts in the enterprise that are propagating permissions within the public cloud environment are then identified.

Abstract: A network-accessible service provides an enterprise with a view of all identity and data activity in the enterprise's cloud accounts. The service enables distinct cloud provider management models to be normalized with centralized analytics and views across large numbers of cloud accounts. The service enables an enterprise to model all activity and relationships across cloud vendors, accounts and third party stores. Display views of this information preferably can pivot on cloud provider, country, cloud accounts, application or data store. Using a domain-specific query language, the system enables rapid interrogation of a complete and centralized data model of all data and identity relationships. User reports may be generated showing all privileges and data to which a particular identity has access. Similarly, data reports shown all entities having access to an asset can be generated.

Abstract: A network-accessible service provides an enterprise with a view of all identity and data activity in the enterprise's cloud accounts. The service enables distinct cloud provider management models to be normalized with centralized analytics and views across large numbers of cloud accounts. The service enables an enterprise to model all activity and relationships across cloud vendors, accounts and third party stores. Display views of this information preferably can pivot on cloud provider, country, cloud accounts, application or data store. Using a domain-specific query language, the system enables rapid interrogation of a complete and centralized data model of all data and identity relationships. User reports may be generated showing all privileges and data to which a particular identity has access. Similarly, data reports shown all entities having access to an asset can be generated.

Abstract: A network-accessible service provides an enterprise with a view of all identity and data activity in the enterprise's cloud accounts. The service enables distinct cloud provider management models to be normalized with centralized analytics and views across large numbers of cloud accounts. The service enables an enterprise to model all activity and relationships across cloud vendors, accounts and third party stores. Display views of this information preferably can pivot on cloud provider, country, cloud accounts, application or data store. Using a domain-specific query language, the system enables rapid interrogation of a complete and centralized data model of all data and identity relationships. User reports may be generated showing all privileges and data to which a particular identity has access. Similarly, data reports shown all entities having access to an asset can be generated.

Abstract: A network-accessible service provides an enterprise with a view of identity and data activity in the enterprise's cloud accounts. The service enables distinct cloud provider management models to be normalized with centralized analytics and views across large numbers of cloud accounts. Using a domain-specific query language, the system enables rapid interrogation of a complete and centralized data model of all data and identity relationships. The data model also supports a cloud “least privilege and access” framework. Least privilege is a set of minimum permissions that are associated to a given identity; least access is a minimal set of persons that need to have access to given piece data. The framework maps an identity to one or more actions collected in cloud audit logs, and dynamically-build a compete view of an identity's effective permissions. The resulting least privilege and access policies are then applied natively to a given cloud environment to manage access.

Abstract: A network-accessible service provides an enterprise with a view of all identity and data activity in the enterprise's cloud accounts. The service enables distinct cloud provider management models to be normalized with centralized analytics and views across large numbers of cloud accounts. The service enables an enterprise to model all activity and relationships across cloud vendors, accounts and third party stores. Display views of this information preferably can pivot on cloud provider, country, cloud accounts, application or data store. Using a domain-specific query language, the system enables rapid interrogation of a complete and centralized data model of all data and identity relationships. User reports may be generated showing all privileges and data to which a particular identity has access. Similarly, data reports shown all entities having access to an asset can be generated.

Abstract: A network-accessible service provides an enterprise with a view of identity and data activity in the enterprise's cloud accounts. The service enables distinct cloud provider management models to be normalized with centralized analytics and views across large numbers of cloud accounts. Using a domain-specific query language, the system enables rapid interrogation of a complete and centralized data model of all data and identity relationships. The data model also supports a cloud “least privilege and access” framework. Least privilege is a set of minimum permissions that are associated to a given identity; least access is a minimal set of persons that need to have access to given piece data. The framework maps an identity to one or more actions collected in cloud audit logs, and dynamically-build a compete view of an identity's effective permissions. The resulting least privilege and access policies are then applied natively to a given cloud environment to manage access.

Abstract: A network-accessible service provides an enterprise with a view of all identity and data activity in the enterprise's cloud accounts. The service enables distinct cloud provider management models to be normalized with centralized analytics and views across large numbers of cloud accounts. The service enables an enterprise to model all activity and relationships across cloud vendors, accounts and third party stores. Display views of this information preferably can pivot on cloud provider, country, cloud accounts, application or data store. Using a domain-specific query language, the system enables rapid interrogation of a complete and centralized data model of all data and identity relationships. User reports may be generated showing all privileges and data to which a particular identity has access. Similarly, data reports shown all entities having access to an asset can be generated.

Abstract: A network-accessible service provides an enterprise with a view of all identity and data activity in the enterprise's cloud accounts. The service enables distinct cloud provider management models to be normalized with centralized analytics and views across large numbers of cloud accounts. The service enables an enterprise to model all activity and relationships across cloud vendors, accounts and third party stores. Display views of this information preferably can pivot on cloud provider, country, cloud accounts, application or data store. Using a domain-specific query language, the system enables rapid interrogation of a complete and centralized data model of all data and identity relationships. User reports may be generated showing all privileges and data to which a particular identity has access. Similarly, data reports shown all entities having access to an asset can be generated.