Policy Management


The Cloud Entitlements Policy Management feature allows organizations to establish, monitor, and identify discrepancies in both persistent and temporary (Just-in-Time) entitlement policies. This capability promotes consistent least privilege practices, strengthens security, and facilitates ongoing compliance within multi-cloud infrastructures.

Use cases

Defining Entitlement Policies

Administrators can create granular entitlement policies through a dedicated interface, scoping them to specific Cloud Service Providers (CSPs) and accounts. Static Entitlement Policies define persistent access rules based on identity attributes (e.g., group membership, tags) and conditions, specifying allowed or denied static entitlements. Dynamic Entitlement Policies (JIT) define temporary, conditional access rules. This involves configuring triggers (the events that initiate access requests), conditions for granting access (such as approvals or justifications), and parameters such as maximum duration, specific roles or permissions, and scope for JIT sessions.

Tracking and Monitoring Entitlement Policies

Cloud Entitlements offers continuous monitoring of cloud environments, comparing actual entitlement states with defined policies. The Monitoring Scope encompasses current static role assignments, policy attachments, group memberships, and active dynamic (JIT) sessions, including their duration and granting conditions. Reporting & Auditing provides dashboards and reports on policy compliance, active JIT sessions, and detected drift. Comprehensive audit trails are maintained for policy changes, entitlement assignments, and JIT lifecycle events.

Drift Detection and Response

Cloud Entitlements proactively identifies "drift", which occurs when actual cloud entitlements deviate from established policies. The drift detection and response process includes:

  • Detection: Identifies drift for both static policies (e.g., a user receiving a forbidden permanent role) and dynamic policies (e.g., a JIT session exceeding its approved duration or being granted without proper conditions).
  • Alerting & Notifications: Upon detecting drift, Cloud Entitlements generates immediate alerts, deliverable via email, Slack, and SIEM integration (Syslog), providing details of the policy violation.
  • Automated & Assisted Response: Administrators can configure automated responses, such as blocking an attempted non-compliant static assignment or automatically revoking an overdue/non-compliant dynamic JIT session.

Following detection, alerting, and response, the platform provides relevant context to facilitate prompt manual investigation and resolution of any detected drift.
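The two kinds of drift described above (a forbidden permanent role, and a JIT session granted without its required condition or running past its approved duration), as an added Python example that is not the product's own code or schema. The policy and observed-state structures, the group-based scoping, and all sample users and roles are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed, simplified policy model; not the product's actual schema.
@dataclass
class StaticPolicy:
    group: str                          # identity attribute the policy is scoped to
    denied_roles: set = field(default_factory=set)

@dataclass
class JitPolicy:
    max_duration: timedelta             # longest permitted JIT session
    require_approval: bool = True       # condition for granting access

@dataclass
class RoleAssignment:                   # persistent role observed in the account
    user: str
    groups: set
    role: str

@dataclass
class JitSession:                       # active temporary session observed in the account
    user: str
    role: str
    started: datetime
    approved: bool

def detect_drift(static_policies, jit_policy, assignments, sessions, now):
    """Compare observed entitlements with policy; return (kind, user, role, reason) findings."""
    findings = []
    for a in assignments:                # static drift: a forbidden permanent role
        for p in static_policies:
            if p.group in a.groups and a.role in p.denied_roles:
                findings.append(("static", a.user, a.role, f"role denied for group {p.group}"))
    for s in sessions:                   # dynamic drift: missing condition or overdue session
        if jit_policy.require_approval and not s.approved:
            findings.append(("jit", s.user, s.role, "granted without required approval"))
        if now - s.started > jit_policy.max_duration:
            findings.append(("jit", s.user, s.role, "session exceeded approved duration"))
    return findings

def sample_run():
    """Run the check over constructed sample state (assumed, not real data)."""
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    policies = [StaticPolicy(group="contractors", denied_roles={"Owner"})]
    jit = JitPolicy(max_duration=timedelta(hours=2))
    assignments = [RoleAssignment("alice", {"contractors"}, "Owner"),   # drift
                   RoleAssignment("bob", {"engineers"}, "Owner")]       # compliant
    sessions = [JitSession("carol", "Admin", now - timedelta(hours=3), True),     # overdue
                JitSession("dave", "Admin", now - timedelta(minutes=30), False)]  # unapproved
    return detect_drift(policies, jit, assignments, sessions, now)
```

Each finding carries the user, role and violated rule, which is the context an alert (email, Slack or Syslog) or an automated revocation would need.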

Benefits

  • Enhanced Security: Proactively mitigates risks from excessive or misconfigured permissions.
  • Continuous Compliance: Automated monitoring ensures ongoing compliance with internal policies and external regulations.
  • Operational Efficiency: Streamlines entitlement audits and JIT access management through policy automation.
  • Reduced Attack Surface: Enforces least privilege consistently for both static and dynamic access.