Ctadel

CIEM: Cloud Infrastructure Entitlement Management

What CIEM detects

Class                  | Example findings
-----------------------+---------------------------------------------------------------------------
Over-privileged users  | A user with AdministratorAccess who only ever called s3:GetObject
Dormant identities     | Service account that hasn't been used in 90 days but still holds write permissions
Wildcard actions       | A custom policy with Action: "*"
Wildcard resources     | A policy with Resource: "*" on sensitive services
MFA gaps               | Console-enabled users with MFA disabled
Cross-cloud escalation | The same email is an admin in both AWS and GCP (a cross-cloud pivot path)
Trust path expansion   | A role trusted by another role that is in turn trusted by an external account
Permission drift       | The granted permission set differs from the one defined in IaC

What CIEM measures

The signature CIEM metric is unused permissions. For every identity, Ctadel:

  1. Lists every action the identity could take (effective permissions, computed across all attached policies).
  2. Lists every action the identity did take in the last 90 days (from audit logs).
  3. Reports the difference: actions granted but never used = candidates for removal.

This is what makes least-privilege actionable instead of aspirational. The gap between "granted" and "used" is usually 80–95% in real environments.
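The three steps above, worked through as an added example (this is illustrative code written for this page, not Ctadel's implementation). It assumes IAM-style policy documents with Allow/Deny statements and wildcard actions, a small constructed action catalog to expand those wildcards against, and audit-log events carrying an identity, an action and an ISO-8601 timestamp; the 90-day window matches the text.

```python
import fnmatch
from datetime import datetime, timedelta, timezone

# Constructed action catalog (a small subset of real AWS action names). A real
# implementation expands wildcards against the provider's full action list.
ACTION_CATALOG = [
    "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket",
    "iam:CreateUser", "iam:AttachUserPolicy", "iam:PassRole",
    "ec2:DescribeInstances", "ec2:TerminateInstances",
]

# Constructed policies: an AdministratorAccess-style Allow plus an explicit Deny on iam:*.
SAMPLE_POLICIES = [
    {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    {"Statement": [{"Effect": "Deny", "Action": ["iam:*"], "Resource": "*"}]},
]

# Constructed audit-log events in a CloudTrail-like shape (identity, action, time).
SAMPLE_EVENTS = [
    {"identity": "alice", "action": "s3:GetObject", "time": "2024-05-20T10:00:00+00:00"},
    {"identity": "alice", "action": "s3:PutObject", "time": "2024-01-15T10:00:00+00:00"},  # older than 90 days
    {"identity": "bob", "action": "ec2:TerminateInstances", "time": "2024-05-21T10:00:00+00:00"},
]
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed "current time" for the window


def expand_actions(patterns, catalog=ACTION_CATALOG):
    """Expand IAM-style action patterns ('*', 's3:*', 's3:Get*') into concrete actions."""
    out = set()
    for pattern in patterns:
        out.update(a for a in catalog if fnmatch.fnmatchcase(a, pattern))
    return out


def effective_permissions(policies):
    """Step 1: union of all Allow statements minus every Deny, across all attached policies."""
    allowed, denied = set(), set()
    for policy in policies:
        for stmt in policy["Statement"]:
            actions = stmt["Action"]
            if isinstance(actions, str):
                actions = [actions]
            target = allowed if stmt["Effect"] == "Allow" else denied
            target |= expand_actions(actions)
    return allowed - denied


def used_actions(events, identity, now, window_days=90):
    """Step 2: actions the identity actually called inside the lookback window."""
    cutoff = now - timedelta(days=window_days)
    return {
        e["action"] for e in events
        if e["identity"] == identity and datetime.fromisoformat(e["time"]) >= cutoff
    }


def unused_permissions(identity, policies, events, now, window_days=90):
    """Step 3: granted-but-never-used actions, which are the candidates for removal."""
    granted = effective_permissions(policies)
    used = used_actions(events, identity, now, window_days)
    unused = granted - used
    ratio = len(unused) / len(granted) if granted else 0.0
    return {"granted": granted, "used": used, "unused": unused, "unused_ratio": ratio}


if __name__ == "__main__":
    report = unused_permissions("alice", SAMPLE_POLICIES, SAMPLE_EVENTS, NOW)
    print(f"granted={len(report['granted'])} used={len(report['used'])} "
          f"unused={len(report['unused'])} ({report['unused_ratio']:.0%})")
    for action in sorted(report["unused"]):
        print("  remove candidate:", action)
```

Note that a Deny is subtracted from the effective set before the diff, otherwise an explicitly denied action would show up as "granted but unused" and inflate the number; the out-of-window event is also dropped so that a permission last exercised a year ago is correctly reported as unused.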

Cross-cloud correlation

The Identity tab has a Cross-Cloud sub-page that surfaces identities that exist in multiple clouds. Common matches:

  • Same email across AWS IAM, GCP IAM, Azure AD.
  • Same SSO subject linked to native cloud accounts in two providers.
  • Service accounts with the same key fingerprint.

This is how a single compromised email escalates from one cloud to another. Ctadel finds those bridges so you can break them or harden them with conditional access.
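The matching described above, as an added example (not Ctadel's code). It assumes an identity inventory where each record carries its cloud, an optional email, an optional SSO subject and an optional access-key fingerprint; identities sharing any one of those attributes are linked with a union-find so that the links are transitive (an email that matches one record and an SSO subject that matches another pull all three into one cluster). Clusters spanning more than one provider are the bridges, reported with the clouds in which any member is an admin. All identities and fingerprints are constructed.

```python
from collections import defaultdict

# Constructed inventory: one record per cloud-native identity.
SAMPLE_IDENTITIES = [
    {"id": "aws:user/alice", "cloud": "aws", "email": "Alice@Example.com",
     "sso_subject": None, "key_fingerprint": None, "admin": True},
    {"id": "gcp:user/alice@example.com", "cloud": "gcp", "email": "alice@example.com",
     "sso_subject": None, "key_fingerprint": None, "admin": True},
    {"id": "azure:user/bob", "cloud": "azure", "email": "bob@example.com",
     "sso_subject": "okta|00u1-constructed", "key_fingerprint": None, "admin": False},
    {"id": "aws:user/bob-cli", "cloud": "aws", "email": None,
     "sso_subject": "okta|00u1-constructed", "key_fingerprint": None, "admin": True},
    {"id": "gcp:sa/deployer", "cloud": "gcp", "email": None,
     "sso_subject": None, "key_fingerprint": "SHA256:constructed-fp-1", "admin": False},
    {"id": "aws:user/deployer", "cloud": "aws", "email": None,
     "sso_subject": None, "key_fingerprint": "SHA256:constructed-fp-1", "admin": False},
    {"id": "aws:user/carol", "cloud": "aws", "email": "carol@example.com",
     "sso_subject": None, "key_fingerprint": None, "admin": False},
]

LINK_ATTRIBUTES = ("email", "sso_subject", "key_fingerprint")


def _link_key(attr, value):
    """Normalize an attribute into a join key; emails are case-insensitive, the rest are not."""
    if value is None:
        return None
    value = value.strip()
    if attr == "email":
        value = value.lower()
    return f"{attr}={value}"


def correlate_identities(identities):
    """Group identities that share any link attribute (transitively) using union-find."""
    parent = {rec["id"]: rec["id"] for rec in identities}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a, b):
        parent[find(a)] = find(b)

    first_seen = {}  # link key -> id of the first identity carrying it
    for rec in identities:
        for attr in LINK_ATTRIBUTES:
            key = _link_key(attr, rec.get(attr))
            if key is None:
                continue
            if key in first_seen:
                union(rec["id"], first_seen[key])
            else:
                first_seen[key] = rec["id"]

    clusters = defaultdict(list)
    for rec in identities:
        clusters[find(rec["id"])].append(rec)
    return list(clusters.values())


def cross_cloud_bridges(identities):
    """Clusters that span more than one cloud, with the clouds in which a member is admin."""
    bridges = []
    for members in correlate_identities(identities):
        clouds = sorted({m["cloud"] for m in members})
        if len(clouds) < 2:
            continue
        bridges.append({
            "members": sorted(m["id"] for m in members),
            "clouds": clouds,
            "admin_in": sorted({m["cloud"] for m in members if m["admin"]}),
        })
    return sorted(bridges, key=lambda b: b["members"])


if __name__ == "__main__":
    for bridge in cross_cloud_bridges(SAMPLE_IDENTITIES):
        print(bridge["clouds"], "admin in", bridge["admin_in"] or "none", "->", bridge["members"])
```

The bob cluster is the interesting one: neither record is an admin in Azure, but the SSO subject links it to an AWS admin user, which is exactly the kind of bridge that conditional access on the SSO side is meant to protect.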

Identities in the security graph

Every user, service account, role, and group is a node. Edges represent:

  • MEMBER_OF: user → group
  • ASSUMES: role → role
  • CAN_PERFORM: identity → action class
  • OWNS: identity → resource

That graph is what makes toxic combinations like "App user → assumes prod-deploy role → can write to billing bucket" detectable.
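How such a toxic combination falls out of the graph, as an added example (illustrative code, not Ctadel's graph engine). It assumes edges are stored as (subject, edge type, object) triples using the four edge types above, that permissions flow to an identity along MEMBER_OF and ASSUMES edges (so a user ASSUMES edge is allowed, as in the "App user → assumes prod-deploy role" case), and that an action-class node carries its resource scope in its name, e.g. `action:s3:write[bucket:billing]`; that naming is an assumption made for this example. The search enumerates every path from an identity to an action class that a caller-supplied predicate marks as toxic, with a visited set so role-to-role trust cycles cannot loop forever. The edges are constructed.

```python
from collections import defaultdict

# Constructed edges: (subject, edge type, object). Includes a role trust cycle on purpose.
SAMPLE_EDGES = [
    ("user:app", "ASSUMES", "role:prod-deploy"),
    ("user:app", "OWNS", "bucket:app-assets"),
    ("role:prod-deploy", "CAN_PERFORM", "action:s3:write[bucket:billing]"),
    ("role:prod-deploy", "ASSUMES", "role:billing-admin"),
    ("role:billing-admin", "CAN_PERFORM", "action:s3:write[bucket:billing]"),
    ("role:billing-admin", "ASSUMES", "role:prod-deploy"),  # cycle: must not hang the search
    ("user:dana", "MEMBER_OF", "group:finance"),
    ("group:finance", "CAN_PERFORM", "action:s3:read[bucket:billing]"),
]

# Edge types along which a subject inherits the object's permissions.
INHERIT_EDGES = {"MEMBER_OF", "ASSUMES"}


def build_graph(edges):
    """Adjacency list: node -> [(edge type, neighbour), ...] in input order."""
    adj = defaultdict(list)
    for src, kind, dst in edges:
        adj[src].append((kind, dst))
    return adj


def format_path(start, hops):
    return start + "".join(f" -{kind}-> {node}" for kind, node in hops)


def toxic_paths(edges, identity, is_toxic):
    """All paths from `identity` to a CAN_PERFORM target for which is_toxic(target) holds."""
    adj = build_graph(edges)
    found = []

    def walk(node, hops, seen):
        for kind, dst in adj.get(node, []):
            if kind == "CAN_PERFORM":
                if is_toxic(dst):
                    found.append(hops + [(kind, dst)])
            elif kind in INHERIT_EDGES and dst not in seen:
                walk(dst, hops + [(kind, dst)], seen | {dst})
            # OWNS and other edge types do not grant actions, so they are not followed.

    walk(identity, [], {identity})
    return [format_path(identity, hops) for hops in found]


def writes_billing_bucket(action_node):
    """Predicate for the toxic combination in the text: a write action scoped to the billing bucket."""
    return action_node.startswith("action:s3:write[") and "bucket:billing" in action_node


if __name__ == "__main__":
    for identity in ("user:app", "user:dana"):
        paths = toxic_paths(SAMPLE_EDGES, identity, writes_billing_bucket)
        print(identity, "->", len(paths), "toxic path(s)")
        for p in paths:
            print("  ", p)
```

Reporting every path rather than just reachability matters for remediation: the first path is fixed by trimming `role:prod-deploy`, but the second survives that change because the write is also reachable through `role:billing-admin`, so both trust edges need attention.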

What's next