A CISO's guide to CIEM-I: What is Cloud Infrastructure Entitlement Management?

Sameer Sait
BalkanID Intelligent IGA Blog
4 min read · Nov 16, 2022

I. Introduction

Traditional identity and access management (IAM) solutions deliver access control capabilities that work well in static self-hosted or on-premise infrastructures. As companies move workloads to public cloud environments, the cloud infrastructure, services, and applications they leverage become more transient and dynamic than their on-premise counterparts. Cloud service providers like AWS, GCP, and Microsoft Azure each have native access controls that let businesses enforce granular IAM policy within that provider, but those controls do not span providers, and most companies employ a multi-cloud strategy to support their business needs.

Cloud Infrastructure Entitlement Management (CIEM) is a relatively recent term that gained prominence through its inclusion in Gartner's 2020 Hype Cycle for Cloud Security. In that report, Gartner provided a CIEM definition:

“Cloud infrastructure entitlement management (CIEM) offerings are specialized identity-centric SaaS solutions focused on managing cloud access risk via administration-time controls for the governance of entitlements in hybrid and multi-cloud IaaS.”

In this blog post, I will describe what cloud infrastructure entitlement management (CIEM) is, what problems CIEM solutions solve, and the benefits CIEM capabilities provide to your teams.

II. What is Cloud Infrastructure Entitlement Management (CIEM)?

Cloud infrastructure entitlement management (CIEM) is a set of capabilities focused on managing cloud access risk via the governance of entitlements in hybrid and multi-cloud IaaS. According to Gartner, 81% of organizations report working with two or more public cloud providers. Given that different cloud providers don’t natively integrate, companies employing a multi-cloud strategy find managing entitlements for each cloud environment overwhelming.

CIEM tools fill a critical gap by giving cloud ops/infra teams visibility into multi-cloud entitlement sprawl while enabling security teams to apply the Principle of Least Privilege to cloud resources and services. The purpose is to understand which entitlements exist across your cloud environments, then identify and mitigate the risk from entitlements that grant a higher level of access than the resources in question require. The end goal is to reduce your overall cloud attack surface and minimize the risks posed by excessive permissions.

III. What problems do CIEM solutions solve?

Identifying, managing, monitoring, and remediating access risks in cloud environments presents several challenges that CIEM solutions seek to address. These include:

a. Multi-cloud access governance

As referenced above, most enterprises (81%) adopt a multi-cloud approach in operating their business and choose to host their workloads in different clouds because of cost, availability, scalability, etc. However, because AWS, Azure, and GCP take different approaches to representing identities and implementing access controls (AWS attaches policy documents to principals, GCP binds members to roles on resources, Azure assigns role definitions at a scope), enterprises have struggled to take a unified approach to managing resources, entitlements, and fine-grained permissions across all their cloud resources. Instead, they must parcel out work and coordinate multiple, sometimes duplicative, activities for the various cloud providers.
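To make the "different models" point concrete, here is an added example (not from this post or any CIEM product) that normalizes entitlements from the three providers' native shapes into one common record so they can be queried together. The AWS policy statement, GCP IAM binding, and Azure role assignment follow the providers' real document shapes; the principals, scopes, and the role-to-permission and permission-to-capability tables are constructed subsets for illustration, and AWS wildcard actions (which need expansion against the provider's full action catalog) are deliberately left out.

```python
"""Cross-provider entitlement normalization (added example, constructed data)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Entitlement:
    provider: str     # "aws" | "gcp" | "azure"
    principal: str    # provider-native principal name
    capability: str   # provider-neutral label from CAPABILITY_OF
    scope: str        # provider-native resource identifier


# Constructed mapping from provider-native permissions to neutral capabilities.
CAPABILITY_OF = {
    "s3:GetObject": "object_storage.read",
    "s3:PutObject": "object_storage.write",
    "s3:DeleteObject": "object_storage.delete",
    "iam:AttachUserPolicy": "identity.admin",
    "storage.objects.get": "object_storage.read",
    "storage.objects.create": "object_storage.write",
    "storage.objects.delete": "object_storage.delete",
    "resourcemanager.projects.setIamPolicy": "identity.admin",
    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read": "object_storage.read",
    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write": "object_storage.write",
    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete": "object_storage.delete",
    "Microsoft.Authorization/roleAssignments/write": "identity.admin",
}

# GCP and Azure grant roles, not permissions, so a role table is needed to get to
# the permission level. Both tables are constructed subsets of the real role definitions.
GCP_ROLE_PERMISSIONS = {
    "roles/storage.objectViewer": ["storage.objects.get", "storage.objects.list"],
    "roles/storage.objectAdmin": ["storage.objects.get", "storage.objects.list",
                                  "storage.objects.create", "storage.objects.delete"],
}
AZURE_ROLE_ACTIONS = {
    "Storage Blob Data Reader": [
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"],
    "Storage Blob Data Contributor": [
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write",
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete"],
    "User Access Administrator": ["Microsoft.Authorization/roleAssignments/write"],
}


def from_aws(principal, statements):
    """AWS: policy statements attached to a principal; Action/Resource may be str or list."""
    out = set()
    for s in statements:
        if s.get("Effect") != "Allow":
            continue  # Deny statements remove access; this toy only inventories Allow
        actions = [s["Action"]] if isinstance(s["Action"], str) else s["Action"]
        resources = [s["Resource"]] if isinstance(s["Resource"], str) else s["Resource"]
        for action in actions:
            cap = CAPABILITY_OF.get(action)  # wildcard actions are not expanded here
            if cap:
                out.update(Entitlement("aws", principal, cap, r) for r in resources)
    return out


def from_gcp(resource, bindings):
    """GCP: bindings on a resource map a role to a list of members."""
    out = set()
    for b in bindings:
        for perm in GCP_ROLE_PERMISSIONS.get(b["role"], []):
            cap = CAPABILITY_OF.get(perm)
            if cap:
                out.update(Entitlement("gcp", m, cap, resource) for m in b["members"])
    return out


def from_azure(assignments):
    """Azure: a role assignment ties one principal to a role definition at a scope."""
    out = set()
    for a in assignments:
        for action in AZURE_ROLE_ACTIONS.get(a["roleDefinitionName"], []):
            cap = CAPABILITY_OF.get(action)
            if cap:
                out.add(Entitlement("azure", a["principalName"], cap, a["scope"]))
    return out


def who_can(entitlements, capability):
    """The cross-cloud question CIEM answers: which principals hold a capability anywhere?"""
    return {(e.provider, e.principal) for e in entitlements if e.capability == capability}


def inventory():
    """Constructed sample of one identity store per provider, merged into one view."""
    aws = from_aws("ci-deploy-role", [{"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
                                       "Resource": "arn:aws:s3:::app-artifacts/*"}])
    aws |= from_aws("jane.doe", [{"Effect": "Allow", "Action": "iam:AttachUserPolicy", "Resource": "*"}])
    gcp = from_gcp("projects/example-prod/buckets/app-artifacts", [
        {"role": "roles/storage.objectAdmin",
         "members": ["serviceAccount:etl@example-prod.iam.gserviceaccount.com"]},
        {"role": "roles/storage.objectViewer", "members": ["user:jane@example.com"]}])
    sub = "/subscriptions/00000000-0000-0000-0000-000000000000"
    azure = from_azure([
        {"principalName": "sp-backup", "roleDefinitionName": "Storage Blob Data Contributor",
         "scope": sub + "/resourceGroups/prod/providers/Microsoft.Storage/storageAccounts/appartifacts"},
        {"principalName": "ops-admins", "roleDefinitionName": "User Access Administrator", "scope": sub}])
    return aws | gcp | azure


if __name__ == "__main__":
    ents = inventory()
    for cap in ("object_storage.write", "identity.admin"):
        print(cap, sorted(who_can(ents, cap)))
```

The value of the normalization step is that a single query such as `who_can(..., "identity.admin")` spans all three providers, which is exactly what a per-provider console cannot give you.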

b. Access Risk Discovery

Users, applications, and endpoints are each given various privileges to access cloud resources. Tracking access and access lineage (how an identity came to hold a permission, whether directly, through group membership, through an assumed role, or through delegated access) is necessary to ensure security while working to improve an enterprise's security posture. However, this kind of tracking is challenging to implement at a scale of hundreds or thousands of resources.

c. Scaling access controls

Cloud infrastructure access is more complex than a 1:1 relationship of users accessing a resource. The entities that access resources in a cloud-native world include:

  • End-users (Jane Doe etc.)
  • Service Accounts (HRIS application account etc.)
  • Devices (IoT device etc.)
  • Digital secrets (certificates, SSH keys, API keys, etc.)
  • Serverless functions
  • Other cloud accounts (cross-account roles etc.)

Further, the resources that need to be accessed could include:

  • Databases
  • Applications
  • Virtual machines and containers
  • Serverless functions
  • Persistent storage

d. Managing access to cloud resources

People or processes might instantly provision or de-provision resources in today's cloud environments. Managing access to cloud resources requires a dynamic approach to ensure business continuity and integrity. Monitoring access to those transient resources is similarly complex. In practice, organizations take a liberal approach to managing permissions, granting access at a coarse-grained level (a broad managed policy or a wildcard action, for example), which results in over-permissioning. This is further exacerbated by the manual nature of access onboarding. Excessive permissions significantly raise both the likelihood and the impact of a security incident: a compromised credential inherits every permission the identity holds, not just the ones it actually uses.

IV. Key Benefits of CIEM

The main benefits of CIEM solutions are summarized below:

  • Multi-cloud visibility into entitlements: Gain a comprehensive view of identity permissions, policies, and access risks across multi-cloud environments.
  • Improved identity and access governance: According to Gartner, over 95% of accounts in IaaS use less than 3% of their assigned entitlements. Inactive identities, over-permissioned identities and resources, delegated access permissions, etc., are all issues CIEM solutions continuously monitor and help remediate.
  • Automatic detection and remediation: CIEM calculates baseline activity and detects anomalies indicative of account compromise, insider threats, stolen access tokens, and other potentially malicious activity. By comparing granted entitlements with observed usage, it also helps right-size policies toward least privilege.
  • Compliance-ready: Monitoring and securing entitlements across your cloud platforms help enterprises adhere to regulatory compliance requirements and standards related to user permission management.
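The entitlement-versus-usage gap behind the "95% of accounts use less than 3%" figure, and the access risk discovery problem described in section III.b, come down to one calculation: expand what each identity is granted, compare it with what the identity actually exercised in a time window, and rank the gaps. The example below is added here and is not from this post or any vendor product; it assumes AWS-style IAM policy statements and CloudTrail-style events, both constructed inline, and a hypothetical action catalog standing in for the provider's full list of actions.

```python
"""Entitlement usage analysis (added example, constructed data)."""
import fnmatch
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed subset of the provider's action catalog; wildcards expand against it.
ACTION_CATALOG = [
    "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket", "s3:PutBucketPolicy",
    "ec2:DescribeInstances", "ec2:RunInstances", "ec2:TerminateInstances",
    "iam:CreateUser", "iam:AttachUserPolicy", "iam:PassRole",
]

# Constructed identities with attached policy statements (AWS policy grammar).
IDENTITIES = {
    "ci-deploy-role": [{"Effect": "Allow", "Action": ["s3:*", "ec2:Describe*"], "Resource": "*"}],
    "jane.doe": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
    "legacy-batch": [{"Effect": "Allow", "Action": ["ec2:RunInstances", "ec2:TerminateInstances"],
                      "Resource": "*"}],
}

# Constructed CloudTrail-style events: who called which API action, and when.
NOW = datetime(2022, 11, 16)
EVENTS = [
    {"identity": "ci-deploy-role", "action": "s3:PutObject", "time": NOW - timedelta(days=1)},
    {"identity": "ci-deploy-role", "action": "s3:GetObject", "time": NOW - timedelta(days=2)},
    {"identity": "jane.doe", "action": "ec2:DescribeInstances", "time": NOW - timedelta(days=3)},
    {"identity": "legacy-batch", "action": "ec2:RunInstances", "time": NOW - timedelta(days=200)},
]


def expand_actions(statements, catalog=ACTION_CATALOG):
    """Resolve Allow statements, including wildcards, to the concrete actions they grant."""
    granted = set()
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements are ignored in this toy inventory
        patterns = [stmt["Action"]] if isinstance(stmt["Action"], str) else stmt["Action"]
        for pat in patterns:
            # AWS action names match case-insensitively, so compare lower-cased
            granted.update(a for a in catalog if fnmatch.fnmatchcase(a.lower(), pat.lower()))
    return granted


def analyze(identities, events, now, window_days=90, dormant_days=90):
    """Per identity: granted vs used actions in the window, dormancy, and a right-sized policy."""
    window_start = now - timedelta(days=window_days)
    used = defaultdict(set)
    last_seen = {}
    for ev in events:
        last_seen[ev["identity"]] = max(last_seen.get(ev["identity"], ev["time"]), ev["time"])
        if ev["time"] >= window_start:
            used[ev["identity"]].add(ev["action"])

    findings = {}
    for name, statements in identities.items():
        granted = expand_actions(statements)
        unused = granted - used[name]
        seen = last_seen.get(name)
        findings[name] = {
            "granted": len(granted),
            "used": len(used[name]),
            "usage_ratio": round(len(used[name]) / len(granted), 3) if granted else 0.0,
            "unused_actions": sorted(unused),
            # never seen, or silent longer than dormant_days: candidate for removal
            "inactive": seen is None or seen < now - timedelta(days=dormant_days),
            # unused IAM actions are privilege-escalation surface nobody needs
            "unused_iam_actions": any(a.startswith("iam:") for a in unused),
            # proposed least-privilege rewrite; resource scoping is omitted because
            # the constructed events carry no resource ARNs
            "proposed_policy": ({"Effect": "Allow", "Action": sorted(used[name]), "Resource": "*"}
                                if used[name] else None),
        }
    return findings


def prioritize(findings):
    """Order identities for remediation: unused IAM powers first, then dormant, then by gap size."""
    return sorted(findings, key=lambda n: (findings[n]["unused_iam_actions"],
                                           findings[n]["inactive"],
                                           len(findings[n]["unused_actions"])), reverse=True)


if __name__ == "__main__":
    report = analyze(IDENTITIES, EVENTS, NOW)
    for name in prioritize(report):
        f = report[name]
        print(f"{name}: used {f['used']}/{f['granted']} ({f['usage_ratio']:.1%}), "
              f"inactive={f['inactive']}, unused_iam={f['unused_iam_actions']}")
```

Run against real data, the usage window and dormancy threshold are the knobs that decide how aggressively you right-size; a too-short window will strip permissions that quarterly or annual jobs still need, so confirm proposed policies against a longer lookback before applying them.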

V. Conclusion

Today’s dynamic, multi-cloud environments require a new approach to solving IAM-related risks. Further, given the scale of today’s cloud environments with potentially thousands of entities and resources, solving identity and fine-grained access risk requires capabilities that can scale with your environments without limiting your teams’ capacity.

The solution to this challenge is CIEM, which brings access governance and monitoring across multi-cloud infrastructure to a centralized control point. In addition, some CIEM products now add functionality such as AI/ML for automated risk identification and prioritization and unified mitigating controls to minimize access risks across environments. These new capabilities will help security teams scale and limit burnout while enabling the business to function as intended. Exciting times are ahead!


Co-founder @ BalkanID, Former CISO (Amazon/WholeFoods, Forcepoint, Arrow Electronics)