What is exposure?

This topic explains what exposure is, and how CEM assesses the exposure of your cloud environments.

Overview

Exposure, represented in CEM as a percentage, is the aggregated risk for a cloud entity. Granted permissions, resource attachments, and other exceptional factors influence how the percentage is calculated.

The following table defines each segment of the calculation:

Score

How the score influences the overall exposure

Permissions

To determine the permissions score for an entity's exposure, CEM considers the following:

  • Total platform permission - The total number of distinct permissions for the platform
  • Unused permissions - The number of permissions that are granted but are not used
  • Permission level - A lower weight is assigned to permissions that are read only. Conversely, a higher weight is assigned to any other permission type.

Resource

To determine the resource score for an entity's exposure, CEM considers the following:

  • Total platform permission - The total number of distinct permissions for the platform
  • Unused permissions - The number of permissions that are granted but are not used
  • Access level - The scope of access to a resource. A lower weight is assigned to access to a specific resource. Conversely, a higher weight is assigned if access includes multiple resources, for example, access to an entire subscription on Azure.

Add Permissions and Resource scores

After determining individual resource and permission scores, a total is found by combining the two. However, more weight is given to the permissions score, as this factor has a greater impact on exposing risk.

Exceptional factors

To determine the effect of exceptional factors on an entity's exposure, CEM considers the following:

If an entity has either admin rights or shadow admin rights, this is considered an exceptional factor and it increases exposure.

However, if the entity is managed, either by MFA or Privilege Cloud, this reduces the risk. A higher weight is given to unmanaged exceptional factors than to managed ones.
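
The following is an added illustration, not CEM's own code or formula: a simplified Python model that combines the factors from the table above so their relative effect can be compared across entities. All weights, the Entity class, the function names and the sample entities are constructed assumptions; this page does not publish CEM's actual values.

```python
from dataclasses import dataclass, field

# Constructed weights for illustration only; not CEM's real values.
READ_ONLY_W, OTHER_W = 0.25, 1.0             # permission level
USED_W, UNUSED_W = 0.5, 1.0                  # unused grants weigh more (assumption)
SCOPE_W = {"resource": 0.3, "multiple": 0.7, "subscription": 1.0}  # access level
PERM_SHARE, RES_SHARE = 0.7, 0.3             # permissions score counts for more
ADMIN_UNMANAGED, ADMIN_MANAGED = 0.30, 0.10  # exceptional-factor uplift

@dataclass
class Entity:
    total_platform_permissions: int          # distinct permissions on the platform
    scope: str                               # key of SCOPE_W
    granted: dict = field(default_factory=dict)  # name -> (read_only, used)
    admin: bool = False                      # admin or shadow admin
    managed: bool = False                    # covered by MFA or Privilege Cloud

def permissions_score(e: Entity) -> float:
    # Weight each grant by level and usage, relative to the platform total.
    weight = sum((READ_ONLY_W if ro else OTHER_W) * (USED_W if used else UNUSED_W)
                 for ro, used in e.granted.values())
    return min(1.0, weight / e.total_platform_permissions)

def resource_score(e: Entity) -> float:
    # Wider scope and a higher share of unused grants both raise the score.
    unused = sum(1 for _, used in e.granted.values() if not used)
    unused_ratio = unused / len(e.granted) if e.granted else 0.0
    return SCOPE_W[e.scope] * (0.5 + 0.5 * unused_ratio)

def exposure(e: Entity) -> float:
    # Combine both scores, then apply the exceptional-factor uplift.
    base = PERM_SHARE * permissions_score(e) + RES_SHARE * resource_score(e)
    if e.admin:
        base += ADMIN_MANAGED if e.managed else ADMIN_UNMANAGED
    return round(100 * min(1.0, base), 1)

def grants(n, read_only, used):
    return {f"perm{i}": (read_only, used) for i in range(n)}

if __name__ == "__main__":
    # Constructed entities on a hypothetical platform with 20 distinct permissions.
    reader = Entity(20, "resource", grants(4, True, True))
    writer = Entity(20, "subscription", grants(4, False, False))
    admin = Entity(20, "subscription", grants(4, False, False), admin=True)
    admin_mfa = Entity(20, "subscription", grants(4, False, False), admin=True, managed=True)
    for name, e in [("reader", reader), ("writer", writer),
                    ("admin", admin), ("admin+MFA", admin_mfa)]:
        print(f"{name:10s} {exposure(e):5.1f}%")
```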