Managing access permissions in the public cloud can be a very complex process. In fact, by 2023, 75% of cloud security failures will result from the inadequate management of identities, access and privileges, according to Gartner. Join us as Guy Flechter, CISO of AppsFlyer, presents a real-world case of how his company works to enforce least-privilege and to govern identities in their cloud. This webinar will also provide an overview of how to govern access and achieve least privilege by analyzing the access permissions and activity in your public cloud environment. With thousands of human and machine identities, roles, policies and entitlements, this webinar will give you the tools to examine the access open to people and services in your public cloud, and determine whether that access is necessary. In this workshop, you will learn about: The risks of IAM misconfiguration and excessive entitlements in cloud environments The challenges in identifying and mitigating Identity and access risks for both human and machine identities How to automate cloud identity governance and entitlement management with Ermetic

1. How to Govern Identities
and Manage Entitlements
in Cloud Infrastructure
AppsFlyer Case Study

2. 75%
Gartner predicts that
“by 2023, 75% of security failures will result from mismanagement of IAM privileges”

3. 79% of the respondents
admitted to
experiencing a cloud
data breach in the past
18 months
3
IDC Survey of 300 US CISOs
Confirms the Challenge
Top IaaS/PaaS Concerns
In a survey of 300 companies in the United States, we asked senior decision
makers responsible for cloud security about their concerns regarding their cloud
production environments. Below are the top responses.
Security Misconfigurations IAM Lack of Visibility Improper IAM Configurations
67% 64
%
62
%

4. CIEM
•Cloud Infrastructure Entitlement
Management (CIEM) – a new category named
by Gartner
CIG
Cloud Identity Governance (CIG) –
a new category named by
Forrester

5. 5
▪ A toxic combination:
▪ EC2 is exposed to the internet
▪ EC2 has privileged permissions
▪ The role is over-provisioned
▪ Potential mitigation:
▪ Review and remove risky
permissions
▪ Review network exposure
CASE STUDY
Poor Access Controls Lead
to Cloud Breaches
EC2
Virtual
Server
S3
Virtual
Storage
AWS
Account
Internet
Network
exposure
Privileged
permissions

6. Common
Challenges
6
“ Knowing who can
access what and
making permissions
granular are top
goals for security
teams ”
Stephen
Schmidt, CISO,
AWS
▪ Quantify IAM risk
▪ Resolve organizational
disconnects
▪ Govern 3rd party (e.g. SaaS)
access
▪ Govern user and machine
permissions
▪ Protect access to sensitive
resources
▪ Unblock access and accelerate
business

7. Governing Identities
and Entitlements in
IaaS and PaaS
7
Platform Capabilities
Visibility
Discover all human
and machine
identities, data and
compute resources,
roles and policies
Analytics
Analyze all access
policies and activity
to model and identify
risks, while ensuring
business continuity
Enforcement
Eliminate excessive
access and privileges
based on actual
access patterns and
data sensitivity
• “Who can access
what?”
• “Which resources
this user can
access?”
• “Who has access
to this bucket?”
• “Who are all my
privileged users?”
• “What is the risk
of this 3rd party?”
• “What
permissions does
this app require?”
• “How do I remove
stale access, at
scale?”
• “How do I
remediate over
provisioned users
and apps?”

8. 8

9. 9

10. 10
Marketing measurement
and analytics platform
What is
AppsFlyer?

11. 11
AppsFlyer In Numbers
Marketers and
Developers
75K+ 55B+
Mobile Actions
Measured Per Month
5,000+
Integrated
Partners
7B+
Devices with
AppsFlyer SDK
0
On-Prem Servers
100B+
Mobile Actions
Measured Per Month
3+5
3 Different cloud providers
(AWS, GCP, AliCloud) in 5
Different countries
15,000+
Servers
80T
Of Data on a
Daily Basis

12. 260
56
Number of Developers
Last 2 years

13. 13
WE ARE OUTNUMBERED
</> </> </> </> </> </> </> </>
</> </> </> </> </> </> </> </>
</> </> </> </> </> </> </> </>
</> </> </> </> </> </> </> </>
</> </> </> </> </> </> </> </>
</> </> </> </> </> </> </> </>
</> </> </> </> </> </> </> </>

14. 14

15. 15

16. 16

17. 17
Security @AppsFlyer
Guardrails, not Gates!

18. 18
Security work isn’t
“special”. It gets
planned the same as
other engineering
work.

19. 19
How do we do it?

20. 20
New Service
Host Image
Container Image
Secrets
Dependencies
Health, Logs, Utils
Other services
Network

21. New Service
Host Image
Container Image
Secrets
Dependencies
Health, Logs, Utils
Other services
AWS Account
Security Groups & IAM Configuration
Network

22. 22

23. Demo

24. 24
▪ SaaS platform
▪ Subscription service
▪ Predictable pricing model
▪ API-based, agent-less
▪ Rapid, easy deployment
▪ REST API
▪ IaC support
Technology, Architecture,
and Licensing

25. Introducing
Ermetic
Full-stack Cloud
Identity Governance
and Entitlement
Management
Solution
25
Unique Leadership
Truly Global Presence
Your
picture
here
USD 30M Investment
Arick Goomanovsky
CBO & Co-founder

26. THANK YOU

27. Introducing
Ermetic
Full-stack Cloud
Identity Governance
and Entitlement
Management Solution
27
Amy Ariel, CMO
Meta Networks (PFPT),
Secdo (PAN)
Shai Morag, CEO
Secdo (PAN), Integrity P. (MLNX)
8200, Talpiot elite program
Michael Dolinsky, CTO
Aorato (MSFT)
IDF cybersecurity unit
Sivan Krigsman, CPO
Aorato (MSFT)
Israeli Air Force
Leadership
Arick Goomanovsky, CBO
Sygnia (Temasek), McKinsey
8200, Talpiot elite program
USD 30M Investment

28. It is Difficult to Manage
Entitlements in Public
Cloud Infrastructure
28
• Lack of visibility
• Complex
configurations
• High scale KMS
AWS Cloud
IAM user
Role3
DynamoDB
RDS
S3
KMS
DynamoDB
RDS
S3

29. It is Difficult to Manage
Entitlements in Public
Cloud Infrastructure
29
• Lack of visibility
• Complex
configurations
• High scale KMS
AWS Cloud
IAM user
Role3
DynamoDB
RDS
S3
KMS
DynamoDB
RDS
S3