Tenable Cloud Security (Ermetic) Step by Step
Tenable’s acquisition of Ermetic was a pivotal move to strengthen its cloud security capabilities, notably emphasizing cloud identity and entitlement management. Tenable completed the acquisition of Ermetic in October 2023 for $265 million.
https://www.tenable.com/cloud-security
Ermetic is an Israeli cybersecurity startup specializing in cloud-native application protection platforms (CNAPP) and cloud infrastructure entitlement management (CIEM), providing advanced solutions for risk visibility, access control, and cloud security analytics across AWS, Azure, and GCP.
Introduction & Architecture
Tenable integrated Ermetic's capabilities into its Tenable One Exposure Management Platform, directly enhancing contextual risk visibility, prioritization, and remediation not just across cloud assets, but also identities—addressing modern cloud threats that increasingly target misconfigured permissions and toxic access combinations.
The Tenable CNAPP automates complex cloud infrastructure security operations. It unifies full asset discovery, deep risk analysis, runtime threat detection and compliance reporting, combined with granular visualization and step-by-step guidance. Using an identity-first approach, Tenable Cloud Security dramatically reduces your cloud attack surface and enforces least privilege at scale.
The acquisition positioned Tenable as a leader in unified CNAPP and CIEM by combining agentless/cloud-native assessment, identity management, compliance, and exposure analysis in simple workflows. This supports organizations in managing cloud security even without deep in-house cloud expertise.
Identity-First Cloud-Native Application Protection
- Multi-cloud Asset Management and Unified Visibility. Benefit from deep, centralized visibility into all of the identities, data, infrastructure and workloads in your cloud environment.
- Cloud Workload Protection (CWP). Scan and detect critical risks identifying vulnerabilities, exposed secrets / sensitive data, malware and misconfigurations across virtual machines, containers and serverless functions.
- Secure Cloud Identities and Entitlements (CIEM). Surface findings that are near impossible to detect manually and enjoy precise, automated remediation.
- Self-Service Just-in-Time (JIT) Access. Get speedy approval for as-needed access, minimizing the cloud attack surface and avoiding the risk of unrevoked long-standing privileges.
- Kubernetes Posture Management (KSPM). Ensure Kubernetes clusters are secure by default or, should a misconfiguration be detected, proactively alert about the issues so relevant stakeholders can quickly mitigate them.
- Automated Remediation. Speed up remediation of cloud infrastructure risks by executing automated response actions to fix problems.
- Full Stack Risk Analysis & Prioritization. Leverage full stack analysis to surface risk – including toxic scenarios that can expose sensitive data – and deliver actionable insights.
- Governance and Compliance (CSPM). Simplify cloud compliance with a single platform that continuously scans configurations and resources across clouds, identifies violations and automates remediation.
- IaC Security to Shift Left. Uncover misconfigurations and other risks in Infrastructure as Code (IaC), to harden cloud infrastructure environments as part of the CI/CD pipeline.
- Cloud Detection and Response. Apply continuous behavioral analysis and anomaly detection to quickly identify and investigate cloud threats.
Dashboard
Your Tenable Products:
https://us.app.ermetic.com/customer/
Onboard Azure Environment
Tenable Cloud Security Dashboard - Settings - Accounts - Azure
Add Organization
To onboard an Azure organization, first onboard the Microsoft Entra ID tenant that’s linked to the organization. Afterwards, you can proceed with organization onboarding. Do you want to onboard the tenant now?
Add Subscriptions
Select the Tenant added in previous step
Select Subscription ID:
Enable Permissions:
Monitoring (read-only)
Workload Protection
Remediation (read-write)
Just-In-Time Access (User Access Administrator)
Assign Roles:
ARM (Azure Portal)
- A. Click here to create a Custom deployment.
- B. Configure the project and instance details as follows:
  - Subscription: Choose the subscription you want to add
  - Region: Specify a single region
  - Principal ID is set to:
  - Data Protection Permissions is set to false
  - Workload Protection Permissions is set to true
  - Remediation Permissions is set to false
  - Just In Time Access Permissions is set to true
- C. Click Review + create
- D. Click Create
- E. Wait until the deployment is completed successfully
Manual (Azure Portal)
- B. Assign roles to the Tenable Cloud Security Connector app by repeating the steps below for each of the following roles:
  1. Reader
  2. Key Vault Reader
  3. Azure Kubernetes Service Cluster User Role
  4. Azure Kubernetes Service RBAC Reader
  5. Disk Snapshot Contributor (Virtual Machine Scanning)
  6. User Access Administrator (JIT)
- C. Navigate to Access Control (IAM) and click on Add -> Add role assignment
- D. Search for and select a role from the list above and click Next
- E. Click + Select members
- F. Search for and select Tenable Cloud Security Connector and then click Select
- G. Click Next and then click Review + assign to finish. Repeat these steps for all additional roles.
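The manual procedure above hands the connector app six built-in roles, and the onboarding page ties some of them to a permission tier (Disk Snapshot Contributor to Virtual Machine Scanning, User Access Administrator to JIT). Once the assignments exist, it is worth verifying that the connector holds exactly the roles the enabled tiers need and nothing broader. The following Python script is an added illustration, not Tenable's code: it compares a role-assignment listing against the tiers you enabled and reports missing and excess roles. The grouping of the four unannotated roles under Monitoring is an assumption, the Remediation tier is not modelled because the page lists no roles for it, and the assignment listing is a constructed sample in the shape of the JSON that `az role assignment list` emits (only the fields used here).

```python
"""Audit the Tenable Cloud Security Connector's Azure role assignments against
the onboarding permission tiers. Added illustration, not Tenable code."""
import json

CONNECTOR = "Tenable Cloud Security Connector"

# Roles from the manual procedure, grouped by the onboarding tier that needs
# them. Assumption: the four roles with no annotation belong to Monitoring.
TIER_ROLES = {
    "Monitoring": {
        "Reader",
        "Key Vault Reader",
        "Azure Kubernetes Service Cluster User Role",
        "Azure Kubernetes Service RBAC Reader",
    },
    "Workload Protection": {"Disk Snapshot Contributor"},
    "Just-In-Time Access": {"User Access Administrator"},
}

# Constructed sample shaped like `az role assignment list --all -o json`
# (only the fields used here). The Contributor entry is deliberately excess.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
SAMPLE_ASSIGNMENTS = json.dumps([
    {"principalName": CONNECTOR, "roleDefinitionName": "Reader", "scope": SUB},
    {"principalName": CONNECTOR, "roleDefinitionName": "Key Vault Reader", "scope": SUB},
    {"principalName": CONNECTOR,
     "roleDefinitionName": "Azure Kubernetes Service Cluster User Role", "scope": SUB},
    {"principalName": CONNECTOR, "roleDefinitionName": "Disk Snapshot Contributor", "scope": SUB},
    {"principalName": CONNECTOR, "roleDefinitionName": "Contributor", "scope": SUB},
    {"principalName": "someone-else", "roleDefinitionName": "Owner", "scope": SUB},
])


def expected_roles(enabled_tiers):
    """Union of the roles required by the enabled onboarding tiers."""
    roles = set()
    for tier in enabled_tiers:
        roles |= TIER_ROLES[tier]  # an unknown tier raises KeyError on purpose
    return roles


def audit_connector_roles(assignments_json, enabled_tiers, principal=CONNECTOR):
    """Compare the connector's actual roles with what the enabled tiers need.
    Returns (missing, excess) as sorted lists of role definition names."""
    assigned = {
        a["roleDefinitionName"]
        for a in json.loads(assignments_json)
        if a.get("principalName") == principal
    }
    wanted = expected_roles(enabled_tiers)
    return sorted(wanted - assigned), sorted(assigned - wanted)


if __name__ == "__main__":
    missing, excess = audit_connector_roles(
        SAMPLE_ASSIGNMENTS,
        ["Monitoring", "Workload Protection", "Just-In-Time Access"],
    )
    print("missing:", missing)
    print("excess :", excess)
```

Run it against real output by piping `az role assignment list --all -o json` into `audit_connector_roles`; anything reported as excess (a Contributor or Owner assignment, for example) is scope the connector does not need for the tiers you enabled.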
Inventory
- High - Virtual Machine has vulnerabilities that should be addressed
- High - Virtual Machine has an unpatched operating system
- Medium - Public Virtual Machine
Cloud Security
Data
Configure the following settings (Object Storage, Managed DB, Data Platform) and scope to fine-tune how Tenable Cloud Security scans your data across object storage, managed database, and data platform resources.
IaC
Configure the following settings on the IaC settings page.
Settings > Cloud Security > IaC
IAM
Configure the following settings on the IAM settings page.
Settings > Cloud Security > IAM
Within the context of excessive permissions, Tenable Cloud Security enforces a learning period for the following activities, during which no new findings (related to excessive permissions) are created:
- When a new human identity is created - the default is 90 days (configurable via IAM settings).
- When a new service/machine identity is created - the default is 90 days (configurable via IAM settings).
- When the permissions of an identity are changed - 30 days
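To make the interaction of these windows concrete: a permission change near the end of an identity's initial 90-day window starts a new 30-day window, so suppression ends when the latest window closes, not when the first one does. The Python below is an added model of that rule, not Tenable's implementation; the 90/90/30-day defaults are the ones stated above, while the event list format and the sample dates are constructed for the illustration.

```python
"""Model of the excessive-permissions learning period: no new finding is
raised while an identity is inside any open learning window. Added
illustration, not Tenable code; defaults are the page's stated values."""
from datetime import datetime, timedelta

# Window length per event kind (days). The two creation defaults are
# configurable in IAM settings, so they can be overridden per call.
DEFAULT_LEARNING_DAYS = {
    "human_created": 90,      # new human identity
    "service_created": 90,    # new service/machine identity
    "permissions_changed": 30,
}


def learning_period_end(events, learning_days=None):
    """events: iterable of (kind, timestamp). Returns the moment the last
    open window closes, or None if no learning-period event exists."""
    days = {**DEFAULT_LEARNING_DAYS, **(learning_days or {})}
    ends = [ts + timedelta(days=days[kind]) for kind, ts in events]
    return max(ends) if ends else None


def should_suppress_finding(events, now, learning_days=None):
    """True while `now` is strictly inside an open learning window."""
    end = learning_period_end(events, learning_days)
    return end is not None and now < end


# Constructed sample: a service identity created on 1 Jan 2024 whose
# permissions were changed on 15 Mar 2024, i.e. just before its first
# 90-day window (ending 31 Mar 2024) would have closed.
SAMPLE_EVENTS = [
    ("service_created", datetime(2024, 1, 1)),
    ("permissions_changed", datetime(2024, 3, 15)),
]

if __name__ == "__main__":
    for day in (datetime(2024, 3, 20), datetime(2024, 4, 1), datetime(2024, 4, 14)):
        print(day.date(), "suppressed" if should_suppress_finding(SAMPLE_EVENTS, day) else "reported")
```

With the sample events, a finding on 1 April 2024 is still suppressed even though the creation window has already closed, because the change window runs to 14 April; shortening the creation default via `learning_days` does not change that outcome, which is why a permission change is the case to watch when reasoning about when findings will first appear.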
Network:
Configure the following settings on the Network settings page:
To enable the Network Scanner:
- In the Tenable Cloud Security Console, make sure you are in the correct scope.
- Go to Settings > Cloud Security > Network.
- Click on the Network Scanner tab.
- In the Scanner row, click the three dots menu icon and select Edit.
- In the Edit Setting window, click Enable.
- Click Save.
The scanner originates traffic from the following source addresses:
- 3.147.184.122
- 3.19.220.21
Vendors
A vendor refers to a 3rd party that operates within your cloud environment - typically through AWS IAM roles, Microsoft Entra ID Application, or integrations. These entities require access to your environment to deliver their services. Accurately mapping vendors improves visibility into external access and strengthens your overall security posture.
The Vendor feature allows you to manage 3rd party vendor mappings, providing enhanced visibility and control over external access to your cloud environments.
Workload
Configure the following settings on the Workload settings page.
Settings > Cloud Security > Workload
Secrets
Tenable Cloud Security scans for exposed secrets, such as access keys, tokens, and passwords, that are embedded in cloud resource configurations or infrastructure code. When detected, these secrets appear in relevant findings to help security teams assess and remediate the risk.
To enable Secret Masking:
- In the Tenable Cloud Security Console, make sure the Organization account scope is selected.
- Go to Settings > Cloud Security > Secrets.
- In the Secret masking row, click the three dots menu icon and select Edit.
- In the Edit Setting window, click Enable.
- Click Save
Onboarding AWS account
Onboarding AWS account into Tenable Cloud Security:
Explore
Risks
Policies
Operations
Reports
Generated Reports
Compliance:
GDPR:
Settings
Accounts
Integrations
Licensing: Standard
Functionality Matrix
Each license supports a different set of features and functionality, as described in the table below. For more information about licensing, contact your Tenable representative.
| Category | Functionality | JIT | CIEM | Standard | Enterprise |
|---|---|---|---|---|---|
| Coverage | AWS, Azure, GCP, OCI | ✔ | ✔ | ✔ | ✔ |
| | Federated identity providers (for example, Ping Identity, Microsoft Entra ID, Okta) | ✔ | ✔ | ✔ | ✔ |
| | Sovereign Clouds (e.g. US Govcloud) | ✔ | ✔ | ✔ | ✔ |
| | Kubernetes (GKE, EKS, AKS, OKE) | ✔¹ | ✔¹ | ✔ | ✔ |
| Risk Assessment and Remediation | Cloud Inventory | ✔ | ✔ | ✔ | ✔ |
| | Public exposure policies | ✗ | ✔ (IAM only) | ✔ | ✔ |
| | Custom risk policies | ✗ | ✔ (IAM only) | ✔ | ✔ |
| | Misconfiguration policies | ✗ | ✔ (IAM only) | ✔ | ✔ |
| | Exposed secrets | ✗ | ✗ | ✔ | ✔ |
| | Compliance management | ✗ | ✗ | ✔ | ✔ |
| | AI-SPM | ✗ | ✗ | ✔ | ✔ |
| Infrastructure as Code | CI/CD pipelines / repositories | ✗ | ✗ | ✔ | ✔ |
| KSPM | Inventory | ✗ | ✗ | ✔ | ✔ |
| | Misconfigurations | ✗ | ✗ | ✔ | ✔ |
| | Network exposure | ✗ | ✗ | ✔ | ✔ |
| | Least privilege recommendations | ✗ | ✗ | ✔ | ✔ |
| | Admission Controller | ✗ | ✗ | ✗ | ✔ |
| Advanced Identity and Access Management | Identity-based least privilege recommendations | ✗ | ✔ | ✔ | ✔ |
| | Resource-based least privilege recommendations | ✗ | ✔ | ✔ | ✔ |
| | On-demand least privilege recommendations | ✗ | ✔ | ✔ | ✔ |
| | Permissions Query | ✗ | ✔ | ✔ | ✔ |
| | Identity Intelligence | ✗ | ✔ | ✔ | ✔ |
| | Excessive Permissions | ✗ | ✔ | ✔ | ✔ |
| Workload Protection² | Vulnerability Scanning - SaaS | ✗ | ✗ | ✔ | ✔ |
| | Host-based compliance³ | ✗ | ✗ | ✔ | ✔ |
| | PII detection³ | ✗ | ✗ | ✔ | ✔ |
| | Stored secrets³ | ✗ | ✗ | ✔ | ✔ |
| | CI/CD scanning | ✗ | ✗ | ✔ | ✔ |
| | Registry scanning | ✗ | ✗ | ✔ | ✔ |
| | Scan workloads onsite | ✗ | ✗ | ✗ | ✔ |
| | Scan Kubernetes Workloads for Vulnerabilities (via agent) | ✗ | ✗ | ✗ | ✔ |
| Data Protection | Managed databases | ✗ | ✗ | ✔ | ✔ |
| | Public and private storage | ✗ | ✗ | ✔ | ✔ |
| Cloud Detection and Response | Activity Log | - | 30 Days | 30 Days | 90 Days |
| | Anomaly detection | ✗ | ✔ | ✔ | ✔ |
| | Workload Malware detection³ | ✗ | ✗ | ✔ | ✔ |
| Platform | API Access | ✔ | ✔ | ✔ | ✔ |
| | Reports | ✗ | ✔ | ✔ | ✔ |
| | Integrations | ✔ | ✔ | ✔ | ✔ |
| | Automations | ✗ | ✔ | ✔ | ✔ |
| | Automatic remediation | ✗ | ✔ | ✔ | ✔ |
| | Role-based access control | ✔ | ✔ | ✔ | ✔ |
| Tenable JIT Access | Manage eligibilities | ✔ | ✔ | ✔ | ✔ |
| | Request access | ✔ | ✔ | ✔ | ✔ |
| | Review access requests | ✔ | ✔ | ✔ | ✔ |
| | View audit trail information | ✔ | ✔ | ✔ | ✔ |

¹ Only clusters are visible
² Covers virtual machines and containerized workloads
³ Planned capabilities
Offboard Cloud Accounts
https://docs.ermetic.com/docs/offboarding-cloud-accounts
Offboard Azure Subscriptions
Follow these steps to offboard Azure subscriptions and/or organizations.
- Remove the role assignments that you added to the Tenable Cloud Security app during onboarding.
- Remove the Tenable Cloud Security app from Microsoft Entra ID.
- Delete the organization/subscription from the Tenable Cloud Security Console:
  - Organization: Navigate to Settings > Integrations > Azure Organization, and then click Delete next to the relevant organization.
  - Subscription: Navigate to Accounts > Azure, and then click Delete next to the relevant subscription.

If the subscription(s) or folder(s) belong to an organization that is configured to automatically onboard new subscriptions, you need to delete the organization first.
Video
References
- https://docs.ermetic.com/docs/aws-overview
- https://docs.ermetic.com/docs/azure-overview
- https://docs.ermetic.com/docs/licensing
- https://www.youtube.com/watch?v=nCGU_GeX_uo