Exposure Intelligence
Knowing that sensitive data exists is only half the picture. What matters is who can access it. Slim.io’s Exposure Intelligence automatically analyzes the access controls on every scanned resource to determine its real-world accessibility — from fully public to strictly private.
Exposure Levels
Every resource scanned by slim.io is assigned one of four exposure levels based on its current access configuration:
| Exposure Level | Score | Description | Examples |
|---|---|---|---|
| Public | 1.0 | Anyone on the internet can access the resource | Public S3 bucket, Google Drive “anyone with the link” sharing, public Slack channel indexed by search engines |
| Shared | 0.7 | Accessible beyond the resource owner — shared with external users or cross-account | S3 bucket with cross-account access, file shared with external email addresses, shared OneDrive link |
| Internal | 0.4 | Accessible within the organization but not externally | Private Slack channel visible to workspace members, internal GCS bucket, organization-scoped Drive file |
| Private | 0.1 | Accessible only to the resource owner or a single service account | User’s private Drive files, single-owner S3 objects with no bucket policy |
Resources classified as Public that contain restricted PII (SSN, credit card, health records) are automatically flagged as Critical risk. These represent the highest-priority remediation targets.
How Exposure Is Determined
Slim.io reads the native access control configuration of each cloud provider to compute exposure levels. This happens automatically during scanning — no manual classification required.
AWS S3
- Bucket ACLs: Checks for `public-read`, `public-read-write`, and `authenticated-read` grants (grants to the `AllUsers` or `AuthenticatedUsers` groups)
- Bucket policies: Analyzes policy statements for `Principal: "*"` or overly broad allow rules
- Block Public Access settings: Verifies whether account-level or bucket-level public access blocks are enabled; S3 enforces the stricter of the two, so a bucket with a public ACL or policy is not treated as public when the block neutralizes it
- Cross-account access: Detected via bucket policy principals that reference account IDs other than the bucket owner's
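The checks above, worked through as an added example (this is not slim.io's own code). It classifies a bucket from three inputs in the shape that boto3's `get_bucket_acl`, `get_bucket_policy` and `get_public_access_block` return, merges account- and bucket-level Block Public Access the way S3 does (most restrictive wins), and distinguishes a wildcard principal from a cross-account one. The sample buckets, account IDs and the decision to treat a conditioned wildcard principal as "Shared" rather than evaluating the condition are assumptions of the example.

```python
# Grantee URIs behind the public-read, public-read-write and authenticated-read canned ACLs.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
BPA_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
EXPOSURE_SCORE = {"Public": 1.0, "Shared": 0.7, "Internal": 0.4, "Private": 0.1}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def principal_accounts(principal):
    """Yield the account IDs (or '*') that a statement's Principal element names.
    Service principals such as cloudtrail.amazonaws.com are skipped."""
    if principal == "*":
        yield "*"
        return
    for entries in principal.values():            # {"AWS": [...], "Service": [...], ...}
        for entry in _as_list(entries):
            if entry == "*":
                yield "*"
            elif entry.startswith("arn:aws:iam::"):
                yield entry.split(":")[4]          # arn:aws:iam::<account>:root|user/..|role/..
            elif entry.isdigit():
                yield entry                        # bare 12-digit account ID form


def effective_bpa(account_bpa=None, bucket_bpa=None):
    """S3 applies the most restrictive combination of account- and bucket-level settings."""
    return {f: bool((account_bpa or {}).get(f)) or bool((bucket_bpa or {}).get(f)) for f in BPA_FLAGS}


def acl_grants_public(acl):
    """True when any grant goes to the AllUsers or AuthenticatedUsers group."""
    return any(
        g.get("Grantee", {}).get("Type") == "Group" and g["Grantee"].get("URI") in (ALL_USERS, AUTH_USERS)
        for g in acl.get("Grants", [])
    )


def policy_reach(policy, own_account):
    """'Public' for an unconditional Allow to a wildcard principal, 'Shared' for a conditioned
    wildcard or any external account, None when no statement reaches outside the account."""
    reach = None
    for stmt in _as_list((policy or {}).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for acct in principal_accounts(stmt.get("Principal", {})):
            if acct == "*" and "Condition" not in stmt:
                return "Public"
            if acct == "*" or acct != own_account:
                # Assumption: a Condition on "*" (e.g. aws:SourceVpce) narrows access but is
                # not evaluated here, so the conservative answer is "Shared", not "Private".
                reach = "Shared"
    return reach


def classify_bucket(own_account, acl, policy=None, account_bpa=None, bucket_bpa=None):
    """Map one bucket's ACL, policy and Block Public Access settings to an exposure level."""
    bpa = effective_bpa(account_bpa, bucket_bpa)
    public_acl = acl_grants_public(acl)
    reach = policy_reach(policy, own_account)
    if (public_acl and not bpa["IgnorePublicAcls"]) or (reach == "Public" and not bpa["RestrictPublicBuckets"]):
        return "Public"
    if reach == "Shared":
        return "Shared"    # RestrictPublicBuckets does not block non-public cross-account grants
    if public_acl or reach == "Public":
        return "Internal"  # public grant neutralised by Block Public Access: only the owning account can use it
    return "Private"


OWN_ACCOUNT = "111122223333"
OWNER_GRANT = {"Grantee": {"Type": "CanonicalUser", "ID": "e1f2a3b4"}, "Permission": "FULL_CONTROL"}
SAMPLE_BUCKETS = {   # constructed inputs in the shape of the boto3 get_bucket_* responses
    "website-assets": {"acl": {"Grants": [OWNER_GRANT, {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}},
    "logs-archive": {
        "acl": {"Grants": [OWNER_GRANT]},
        "policy": {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::logs-archive/*"}]},
        "bucket_bpa": {"RestrictPublicBuckets": True},
    },
    "partner-exchange": {
        "acl": {"Grants": [OWNER_GRANT]},
        "policy": {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::444455556666:root"},
                   "Action": ["s3:GetObject", "s3:ListBucket"],
                   "Resource": ["arn:aws:s3:::partner-exchange", "arn:aws:s3:::partner-exchange/*"]}]},
    },
    "hr-exports": {"acl": {"Grants": [OWNER_GRANT]}},
}


def classify_all(buckets, own_account=OWN_ACCOUNT, account_bpa=None):
    return {name: classify_bucket(own_account, b["acl"], b.get("policy"), account_bpa, b.get("bucket_bpa"))
            for name, b in buckets.items()}


if __name__ == "__main__":
    for name, level in classify_all(SAMPLE_BUCKETS).items():
        print(f"{name:18} {level:8} score={EXPOSURE_SCORE[level]}")
```

Note how `logs-archive` lands on Internal rather than Public: its policy grants `s3:GetObject` to everyone, but `RestrictPublicBuckets` is on, so S3 ignores the public grant for anyone outside the owning account. The same policy without the block, or the same bucket with `IgnorePublicAcls` only, classifies differently, which is why the block settings have to be read alongside the ACL and policy rather than in isolation.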
Google Cloud Storage
- IAM bindings: Checks for `allUsers` (public) or `allAuthenticatedUsers` (any Google account, which is still public in practice) bindings
- Uniform bucket-level access: Verifies whether legacy ACLs are disabled in favor of IAM-only
- Organization-scoped bindings (for example a `domain:` member matching the organization's domain) indicate internal access
Azure Blob Storage
- Container public access level: Checks for `blob` (public blob access) or `container` (public container listing) settings
- Shared access signatures: Detects active SAS tokens and their expiration
- Private containers with no public access or SAS tokens are classified as private or internal
Google Drive
- Sharing permissions: Analyzes sharing settings — “anyone with the link” (public), “anyone in your organization” (internal), specific users (shared), or owner-only (private)
- Shared drive membership: Files in shared drives inherit the drive’s sharing scope
- External sharing detected when shared-with users have email domains outside the organization
Slack
- Public channels: Messages in public channels are accessible to all workspace members (internal) and may be indexed by search engines if the workspace allows it
- Private channels: Accessible only to invited members (shared or internal depending on membership scope)
- Direct messages: Classified as private
Snowflake
- Role grants: Tables accessible via the `PUBLIC` role are classified as public, since every user in the account holds that role and can query them
- Database/schema grants: Analyzed to determine whether access is scoped to specific roles or broadly granted
- Tables accessible only via named roles with explicit grants are classified as internal or private
OneDrive & SharePoint
- Sharing links: Anonymous links (public), organization-wide links (internal), specific-people links (shared), no sharing (private)
- Shared-with count: Resources shared with many users receive higher exposure scores
- Site permissions: SharePoint site-level permissions determine baseline exposure for all contained documents
Databases (PostgreSQL, MySQL, Oracle, MSSQL, Databricks, DB2)
- Role and grant analysis: Tables accessible via broad roles or with `GRANT ... TO PUBLIC` (the pseudo-role every database role belongs to) are classified as public
- Schema-level permissions: Determines whether access is scoped to specific users/roles or widely available
- Read-only connections ensure slim.io never modifies database permissions during analysis
Access Intelligence
Beyond static access controls, slim.io factors in actual access patterns to refine exposure assessments.
- Active access detection: Resources that are both publicly exposed and actively being accessed by external parties receive elevated risk scores compared to public resources with no recent access
- Stale sharing: Resources shared externally but not accessed in 90+ days are flagged for sharing review — the access may no longer be needed
- Ownership accountability: Every resource is mapped to an owner (bucket creator, table owner, file creator, channel creator) so remediation can be routed to the right person
Access Intelligence combines permission analysis (who CAN access) with activity signals (who IS accessing) to give you a realistic picture of exposure, not just a theoretical one.
Exposure in Risk Scoring
Exposure level is one of the four factors in slim.io’s risk scoring algorithm, weighted at 20% of the total score. The combination of exposure level and data sensitivity drives prioritization:
| Scenario | Risk Impact |
|---|---|
| Public resource + restricted PII (SSN, credit card) | Critical — highest priority |
| Public resource + low-sensitivity PII (name, email) | High — review sharing settings |
| Internal resource + restricted PII | Medium — ensure access controls are appropriate |
| Private resource + any PII | Low — monitor for sharing changes |
Resources where high exposure intersects with high data sensitivity and active access are surfaced at the top of remediation queues.
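The Access Intelligence signals and the prioritization table above, combined in one added example (not slim.io's own code). It takes a resource inventory with resolved exposure, sensitivity and owner, reads a constructed access log, and produces a remediation queue: tier from the scenario table, exposed resources with recent external access ranked above passive ones, stale-sharing flags after 90 days without access, and the owner attached for routing. The 30-day "active" window, treating Shared like Public for tiering, the principal format, and the organization's domain and account ID are assumptions of the example; the page does not describe the full four-factor score, so none is computed here.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

STALE_AFTER = timedelta(days=90)     # from the text: shared externally but unused for 90+ days
ACTIVE_WINDOW = timedelta(days=30)   # assumption: how recent an external access must be to count as "active"
TIER_RANK = {"Critical": 3, "High": 2, "Medium": 1, "Low": 0}
EXPOSURE_SCORE = {"Public": 1.0, "Shared": 0.7, "Internal": 0.4, "Private": 0.1}
ORG_IDENTITIES = {"example.com", "111122223333"}   # constructed: the org's mail domain and AWS account ID


@dataclass(frozen=True)
class Resource:
    name: str
    exposure: str      # Public | Shared | Internal | Private
    sensitivity: str   # restricted | low | none
    owner: str         # resolved owner, used for remediation routing


@dataclass(frozen=True)
class AccessEvent:
    resource: str
    principal: str     # "user@domain" or "account:<aws-account-id>" (constructed format)
    when: datetime


def is_external(principal):
    """A principal is external when its mail domain or account ID is not one of ours."""
    ident = principal.split("@", 1)[1] if "@" in principal else principal.split(":", 1)[1]
    return ident not in ORG_IDENTITIES


def base_tier(exposure, sensitivity):
    """The scenario table above. Shared is prioritised like Public (assumption);
    resources holding no PII fall outside the table and get no tier."""
    if sensitivity == "none":
        return None
    if exposure in ("Public", "Shared"):
        return "Critical" if sensitivity == "restricted" else "High"
    if exposure == "Internal":
        return "Medium" if sensitivity == "restricted" else "Low"
    return "Low"


def assess(resource, events, now):
    """Combine who CAN access (exposure) with who IS accessing (events) for one resource."""
    mine = [e for e in events if e.resource == resource.name]
    last = max((e.when for e in mine), default=None)
    exposed = resource.exposure in ("Public", "Shared")
    active_external = exposed and any(is_external(e.principal) and now - e.when <= ACTIVE_WINDOW for e in mine)
    stale_sharing = exposed and (last is None or now - last > STALE_AFTER)
    return {
        "resource": resource.name,
        "tier": base_tier(resource.exposure, resource.sensitivity),
        "active_external": active_external,
        "stale_sharing": stale_sharing,
        "last_access": last,
        "route_to": resource.owner,
    }


def remediation_queue(resources, events, now):
    """Tier first; within a tier, exposed resources with active external access rank
    above passive ones; then raw exposure score."""
    exposure_of = {r.name: r.exposure for r in resources}
    findings = [f for f in (assess(r, events, now) for r in resources) if f["tier"] is not None]
    findings.sort(
        key=lambda f: (TIER_RANK[f["tier"]], f["active_external"], EXPOSURE_SCORE[exposure_of[f["resource"]]]),
        reverse=True,
    )
    return findings


NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_RESOURCES = [   # constructed inventory
    Resource("s3://hr-exports", "Public", "restricted", "alice@example.com"),
    Resource("s3://legacy-reports", "Public", "restricted", "dan@example.com"),
    Resource("drive:/roadmap.docx", "Shared", "low", "bob@example.com"),
    Resource("snowflake://analytics.customers", "Internal", "restricted", "carol@example.com"),
    Resource("drive:/notes.txt", "Private", "low", "bob@example.com"),
]
SAMPLE_EVENTS = [      # constructed access log
    AccessEvent("s3://hr-exports", "account:999988887777", NOW - timedelta(days=3)),
    AccessEvent("s3://legacy-reports", "dan@example.com", NOW - timedelta(days=1)),
    AccessEvent("drive:/roadmap.docx", "eve@partner.io", NOW - timedelta(days=120)),
    AccessEvent("snowflake://analytics.customers", "carol@example.com", NOW - timedelta(days=1)),
]


def run_sample():
    return remediation_queue(SAMPLE_RESOURCES, SAMPLE_EVENTS, NOW)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['tier']:8} active_external={f['active_external']!s:5} stale={f['stale_sharing']!s:5} "
              f"{f['resource']} -> {f['route_to']}")
```

Both public restricted-PII buckets are Critical, but `s3://hr-exports` sorts first because an external account read it three days ago, while `s3://legacy-reports` has only been touched by its owner. The externally shared roadmap document is flagged as stale sharing: its only access was 120 days ago, so the share is a candidate for review rather than an emergency.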
Ownership Resolution
Slim.io identifies who owns each resource to enable accountability and efficient remediation routing:
| Connector Type | Ownership Signal |
|---|---|
| AWS S3 | Bucket owner (AWS account), object uploader |
| GCS | Bucket creator, project owner |
| Azure Blob | Storage account owner, container creator |
| Google Drive | File owner, shared drive manager |
| Slack | Channel creator, workspace admin |
| Snowflake | Table owner, schema owner |
| OneDrive/SharePoint | File owner, site admin |
| Databases | Table owner, schema owner |
Ownership information appears in the Data Catalog and is included in policy alert notifications so remediation requests reach the right team.