Veza Product Update - December'23

Summary of major changes and enhancements from our December'23 releases.

December Highlights

Access Monitoring

  • Activity Monitoring for AWS: Activity Monitoring now supports the AWS integration, available in Early Access, for right-sizing permissions, identifying underutilized permissions, and detecting suspicious activity. When enabled, Veza generates and shows Overprovisioned Access Scores (OPAS) for AWS IAM Users based on the S3 Buckets and Secrets Manager secrets on which they have actually exercised their permissions. Dormant AWS entities and queries related to Overprovisioned Access Scores appear on the Activity Monitoring dashboard.

Access Intelligence

  • Additional note types for Risks: Until now, while suppressing a risk, users could optionally add a reason for suppression. However, many customers requested the option to add general comments to a risk. To that end, we’ve added an extra field for keeping notes on any entity shown on the Risks page.

    • You can add notes to individual risks by browsing to the Access Intelligence > Risks page and opening the Risks tab. Expand the actions menu next to a risk and click Add Note. Adding a note will overwrite an existing one.

    • Any notes appear in a column on the Risks tab.

    • Suppression reasons persist until a risk is unsuppressed. General notes are shared and can be updated by any user.

  • Enhanced Risk Scores: Risk Scores are numeric values ranging from 0 to 100 that indicate the count and severity levels of all the risks associated with a given node. Now, clicking on a Risk Score shows all the contributing queries that led to that particular Risk Score value.

Access Workflows

  • Workflow Query Improvements: Workflow queries can now combine AND and OR statements in attribute filters to further limit the scope of an access review.

  • Intermediate Entity Attributes: Reviewers can now view and filter on any waypoint entity attribute Veza has discovered (such as metadata for a group or role connecting users and resources). This applies to any Workflow that uses Advanced Options > Relationship to show a waypoint entity in Certification results.

Veza Integrations

  • New integrations for gathering Confluent, 1Password, and Privacera groups, roles, and users. On-premises Jira (Atlassian Data Center) deployments are now supported targets for Orchestration Actions.

  • GitHub and Microsoft AD Enhancements: Added support for discovering GitHub custom repository roles, and additional filterable attributes for Microsoft AD users.

  • Okta MFA types: Okta Users now have an MFA Factors attribute listing the types of multi-factor authentication enabled for their account.

  • CSV Import Enhancements: Improved flexibility and additional attributes when creating custom providers from CSV files.

More Details

See below for a full summary of all the enhancements in the latest releases:

Access Visibility and Intelligence

  • Enhanced Risk Details: Clicking a risk score in Query Builder results now reveals all queries with risk levels contributing to the risk score. Users can optionally run any contributing queries or view them on the Risks page. Risks in the Authorization Graph sidebar now show risk levels as Warning or Critical.

  • Activity Monitoring for AWS: Supported AWS entities and access monitoring queries are now shown on the Activity Monitoring dashboard when the Early Access feature is enabled. See Activity Monitoring for AWS for more details on enabling the integration.

  • Notes for Risks: Users can now add custom Notes to entities on the Risks > Risks tab, and add a Suppression Reason when marking an exception. These fields can provide extra context for a decision or track the remediation status for a particular entity.

  • Risk Descriptions: Out-of-the-box assessments with a critical or warning risk level now include descriptions, shown when clicking Show Explanation on the Risks page. Additionally, users can add their own descriptions to risk queries that they write themselves.

  • Attribute Filter Group Enhancements: Attribute filters for Query Builder and Authorization Graph can now use two levels of AND and OR operators. Before, all operators had to be at a single level.
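To make the two-level AND/OR filter groups concrete, here is an added illustration (not Veza's code) of how such a filter evaluates against entity attributes. The entity records, the attribute names, the comparator names and the depth limit are all constructed for this example; the only point taken from the release note is that groups may nest two levels deep.

```python
"""Two-level attribute filter groups, as an added illustration (not Veza code).

A filter group is a dict {"op": "AND" | "OR", "filters": [leaf | group]}.
A leaf is {"attr": name, "cmp": "eq" | "ne" | "in" | "contains", "value": v}.
Nesting is capped at two levels to mirror the release note; the attribute
names, comparator names and sample users below are constructed.
"""
from typing import Any, Dict, List

MAX_DEPTH = 2  # top-level group plus one nested group

def _leaf_matches(entity: Dict[str, Any], leaf: Dict[str, Any]) -> bool:
    """Evaluate a single attribute comparison against one entity."""
    actual = entity.get(leaf["attr"])
    cmp, value = leaf["cmp"], leaf["value"]
    if cmp == "eq":
        return actual == value
    if cmp == "ne":
        return actual != value
    if cmp == "in":
        return actual in value
    if cmp == "contains":
        return isinstance(actual, (list, str)) and value in actual
    raise ValueError(f"unknown comparator {cmp!r}")

def matches(entity: Dict[str, Any], group: Dict[str, Any], depth: int = 1) -> bool:
    """Evaluate a (possibly nested) AND/OR group, enforcing the depth cap."""
    if depth > MAX_DEPTH:
        raise ValueError("filter groups may nest at most two levels deep")
    results = []
    for f in group["filters"]:
        if "op" in f:                      # nested group
            results.append(matches(entity, f, depth + 1))
        else:                              # leaf comparison
            results.append(_leaf_matches(entity, f))
    if group["op"] == "AND":
        return all(results)
    if group["op"] == "OR":
        return any(results)
    raise ValueError(f"unknown operator {group['op']!r}")

def apply_filter(entities: List[Dict[str, Any]], group: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Return the entities that satisfy the filter group."""
    return [e for e in entities if matches(e, group)]

# Constructed sample users (not real data).
USERS = [
    {"name": "alice", "is_active": True,  "is_admin": True,  "mfa_factors": ["push", "totp"]},
    {"name": "bob",   "is_active": True,  "is_admin": False, "mfa_factors": []},
    {"name": "carol", "is_active": False, "is_admin": True,  "mfa_factors": []},
    {"name": "dave",  "is_active": True,  "is_admin": False, "mfa_factors": ["sms"]},
]

# Review scope: active users who are either admins or have no MFA factor enrolled.
# This is "AND at the top level, OR nested one level down".
REVIEW_FILTER = {
    "op": "AND",
    "filters": [
        {"attr": "is_active", "cmp": "eq", "value": True},
        {"op": "OR", "filters": [
            {"attr": "is_admin", "cmp": "eq", "value": True},
            {"attr": "mfa_factors", "cmp": "eq", "value": []},
        ]},
    ],
}

def review_candidates() -> List[str]:
    """Names of users selected by REVIEW_FILTER."""
    return [u["name"] for u in apply_filter(USERS, REVIEW_FILTER)]

if __name__ == "__main__":
    print(review_candidates())
```

The depth check is the part worth noticing: without it, a filter that silently accepts a third level would evaluate differently from the product's two-level semantics, and a reviewer reading the filter would not know which rows had been excluded.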

  • Simplified dashboard views for 6-month and 1-year periods: Dashboard views for long time ranges now show a single value for each week, instead of a value for each day.

Access Reviews

  • Intermediate Entity Attributes in Certifications: Certifications for Workflows that use the Relationship advanced option to show columns for intermediate entities now include all waypoint entity attributes Veza has discovered. Reviewers can toggle column visibility using the dropdown to assist in decision-making.

  • Attribute Filter Combinations: Workflow queries now support groups of attribute filters with AND or OR operators, enabling reviewers to place more complex conditions on which entities to include in an Access Review.

Veza Integrations

  • Confluent Integration: New integration for gathering Confluent Cloud Users, Groups, and Roles.

  • 1Password Integration: New integration for gathering Users and Groups from 1Password.

  • Privacera Integration: New integration for gathering Privacera Users, Roles, and Groups.

  • CSV Import Improvements: Enhanced flexibility in CSV data import for custom providers, including more user name and status options and a searchable email user attribute.

  • Okta MFA Types: Okta Users now have an MFA Factors attribute listing the types of multi-factor authentication enabled for their account.

  • GitHub extraction settings: Integration configurations now have repository allow and deny lists to customize which resources Veza will add to the Authorization Graph. The integration now implements concurrency for improved extraction times.

  • GitHub custom repository roles: Added support for custom repository roles within Enterprise Server environments (before, these were only available in Enterprise Cloud). GitHub configurations now have a checkbox to enable or disable gathering external repository collaborators.

  • Microsoft Active Directory Users: Veza now gathers additional user attributes: City, Company, CountryCode, Description, DisplayName, PhysicalDeliveryOfficeName, PostalCode, StateOrProvinceName, SurName, GivenName, and Title.

  • Jira Orchestration Actions: The Jira Orchestration Action now supports both Atlassian Cloud (SaaS) and Atlassian Data Center (on-premises) products. Jira can now be chosen as a destination for Access Workflows, as an action when a rejected row is signed off.

Product Design and Usability

  • To simplify understanding of graph views involving more than one instance of the same authorization provider, the parent Datasource ID is now shown when hovering over Okta, OneLogin, and AD users and groups.

  • AWS KMS Policy Statements are now grouped by common attributes, consolidating identical statements across different policies into a single graph node.

  • AWS resource-based policy statements with a "Deny" Effect on all (*) principals are now connected to individual principals in the Veza Graph only if the statement overrides an "Allow" effect on the same resource from another policy.
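The two graph-building rules above (identical KMS policy statements consolidated into one node, and a blanket Deny on all principals attached to an individual principal only where it overrides an Allow on the same resource) are easier to reason about with a small model. The following is an added illustration, not Veza's implementation: the policy documents, key ARNs and role ARNs are constructed samples, and the overlap test (same resource, at least one shared action) is an assumed simplification of real IAM evaluation.

```python
"""Added illustration (not Veza's implementation) of two graph-building rules:
(1) identical policy statements across policies collapse into one node, and
(2) a Deny on all principals (*) is attached to an individual principal only
where it overrides an Allow on the same resource from another policy.
All policy documents and ARNs below are constructed samples."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

@dataclass(frozen=True)
class Statement:
    effect: str                  # "Allow" or "Deny"
    principals: FrozenSet[str]   # frozenset({"*"}) means every principal
    actions: FrozenSet[str]
    resource: str

def parse_policy(doc: dict) -> List[Statement]:
    """Normalise an IAM-style policy document into hashable statements."""
    out = []
    for s in doc["Statement"]:
        p = s["Principal"]
        if p == "*":
            principals = frozenset(["*"])
        else:
            aws = p["AWS"]
            principals = frozenset(aws if isinstance(aws, list) else [aws])
        a = s["Action"]
        actions = frozenset(a if isinstance(a, list) else [a])
        out.append(Statement(s["Effect"], principals, actions, s["Resource"]))
    return out

def consolidate(policies: Dict[str, dict]) -> Dict[Statement, List[str]]:
    """Rule 1: one node per distinct statement, recording the policies carrying it."""
    nodes: Dict[Statement, List[str]] = {}
    for name, doc in policies.items():
        for st in parse_policy(doc):
            nodes.setdefault(st, []).append(name)
    return nodes

Edge = Tuple[str, str, str, FrozenSet[str]]  # (principal, effect, resource, actions)

def build_edges(policies: Dict[str, dict]) -> Tuple[Dict[Statement, List[str]], Set[Edge]]:
    """Rule 2: connect principals to resources; a Deny on '*' only where it overrides an Allow."""
    nodes = consolidate(policies)
    allows: Dict[Tuple[str, str], Set[str]] = {}
    for st in nodes:
        if st.effect == "Allow":
            for p in st.principals:
                allows.setdefault((p, st.resource), set()).update(st.actions)
    edges: Set[Edge] = set()
    for st in nodes:
        if st.effect == "Deny" and st.principals == frozenset(["*"]):
            # Blanket deny: attach only to principals whose Allow it overrides
            # (assumed overlap test: same resource and at least one shared action).
            for (p, res), acts in allows.items():
                overlap = acts & st.actions
                if res == st.resource and overlap:
                    edges.add((p, "Deny", res, frozenset(overlap)))
        else:
            for p in st.principals:
                edges.add((p, st.effect, st.resource, st.actions))
    return nodes, edges

# Constructed sample key policies (placeholder ARNs, not real accounts).
READER = "arn:aws:iam::111111111111:role/app-reader"
AUDITOR = "arn:aws:iam::111111111111:role/auditor"
KEY1 = "arn:aws:kms:us-east-1:111111111111:key/EXAMPLE-KEY-1"
KEY2 = "arn:aws:kms:us-east-1:111111111111:key/EXAMPLE-KEY-2"

SAMPLE_POLICIES = {
    "key-policy-a": {"Statement": [
        {"Effect": "Allow", "Principal": {"AWS": READER}, "Action": "kms:Decrypt", "Resource": KEY1},
        {"Effect": "Deny", "Principal": "*", "Action": "kms:ScheduleKeyDeletion", "Resource": KEY1},
    ]},
    "key-policy-b": {"Statement": [
        # Identical to the Allow in key-policy-a: consolidates into the same node.
        {"Effect": "Allow", "Principal": {"AWS": READER}, "Action": "kms:Decrypt", "Resource": KEY1},
        # Overrides the reader's Allow on KEY1, so it gets a per-principal edge.
        {"Effect": "Deny", "Principal": "*", "Action": "kms:Decrypt", "Resource": KEY1},
    ]},
    "key-policy-c": {"Statement": [
        {"Effect": "Allow", "Principal": {"AWS": AUDITOR}, "Action": "kms:DescribeKey", "Resource": KEY2},
        # Nobody is allowed kms:Decrypt on KEY2, so this deny stays a standalone node.
        {"Effect": "Deny", "Principal": "*", "Action": "kms:Decrypt", "Resource": KEY2},
    ]},
}

if __name__ == "__main__":
    nodes, edges = build_edges(SAMPLE_POLICIES)
    print(len(nodes), "statement nodes;", len(edges), "principal edges")
    for e in sorted(edges):
        print(e)
```

Run as-is, the six statements collapse to five nodes, and only one of the three blanket Deny statements produces a per-principal edge: the one that actually overrides the reader's `kms:Decrypt` Allow on the first key. The other two denies remain visible as nodes but are not fanned out to every principal, which is what keeps the graph readable.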

  • Introduced column grouping for Certifications, now available in Early Access. When enabled, parent columns are used to organize permissions, entity attributes, and result metadata for better readability.

  • Administrators can now delete unused Insight Points with no associated integrations.

  • Administrators can now easily add team members directly from the Settings > Teams page.

  • Administrators can now assign teams and roles for individual users on the User Management page.
