A CISO's guide to CIEM-II: How does CIEM fit into Cloud Security?

Sameer Sait
BalkanID Intelligent IGA Blog
4 min read · Nov 30, 2022


I. Introduction

Let’s start by defining Cloud Security, given the somewhat nebulous nature of the term “cloud computing.”

“Cloud security consists of policies, controls, and procedures usually deployed via a set of technologies that work in unison to protect cloud-based systems, data, and infrastructure.”

These measures are put in place to protect customer data, support regulatory compliance, and protect individual privacy. Now that we know the “what” and the “why” of cloud security, let’s dive deeper into what capabilities constitute cloud security. Given the uniqueness of business needs and the scalability of cloud offerings, individual cloud providers offer different capabilities.

II. Cloud Security Capabilities

Cloud security is gaining importance in many organizations as cloud computing becomes mainstream. Deployment models include software, platform, or infrastructure as a service (SaaS, PaaS, or IaaS), with each of these offerings having unique security considerations. Further, the three primary types of cloud environments are public, private, and hybrid clouds. These three environment types also offer different security configurations and customer commitments based on the shared responsibility model. Finally, cloud environments often have shared resources that can be exposed to or exist on the public internet. Because the resources in question often hold sensitive or, at the very least, non-public information, cloud deployments are a prime target for attackers. This risk has led to many new capabilities (often with confusing acronyms) promising to help solve the problem (at scale). These include:

a. Cloud Infrastructure Entitlements Management (CIEM)

CIEM streamlines and automates the management of user entitlements and privileges in cloud environments. By using CIEM capabilities, organizations can implement consistent access controls to enforce least-privilege policies across cloud environments.

b. Cloud Workload Protection Platform (CWPP)

CWPP protects cloud workloads by providing visibility across multiple clouds to ensure resources are appropriately deployed and have the necessary security controls like operating system and application hardening, vulnerability discovery and remediation, and application whitelisting.

c. Cloud Security Posture Management (CSPM)

CSPM examines cloud environments to detect misconfigurations and risks against compliance standards. This is achieved by providing a central control point over configurations that could impact security compliance frameworks like ISO, NIST, and CIS benchmarks.

d. Cloud Access Security Broker (CASB)

CASB tools help detect and control SaaS application usage in your organization. Controls provided include identifying shadow IT (unauthorized use of cloud services), detecting sensitive data transmitted to and from your cloud applications, blocking threats at the application layer, and enforcing security policy (user authentication, DLP, etc.).

e. SaaS Security Posture Management (SSPM)

SSPM focuses on SaaS applications (per the acronym) and provides visibility, monitoring, and remediation support for SaaS-related security issues. This capability provides organizations the ability to identify and remediate gaps in SaaS security controls like system misconfigurations and compliance gaps against standards like Center for Internet Security (CIS) benchmarks and PCI DSS.

III. Where does CIEM fit into all of this?

For starters, let me share an article recently published by CSO online on the top 11 cloud security threats organizations face today. What’s clear from this article (and countless others) is that identity is top of mind for security professionals when protecting their assets in an increasingly cloud-first world. To summarize:

  1. Identity, credential, access, and key management was the top threat on security professionals’ radar.
  2. Insecure interfaces and APIs were number 2 on the list and mentioned authorization and authentication concerns.
  3. Accidental cloud data disclosure was number 8 on the list, mentioning database authentication as a risk and the need for a least-privileged IAM policy.
  4. Cloud Storage Data Exfiltration was number 11 on the list, focusing on SaaS solutions where we must ensure strong identity and access control of people and non-human personas.

Further, in reviewing all the cloud security capabilities that have emerged in the last few years, it’s become apparent to practitioners like me that the base use case for every single one of them involves identity and access management (IAM). To dive a little deeper:

a. Cloud Security Posture Management (CSPM): To understand your overall cloud security posture and gaps against your industry standards and best practices, one of the first checks is against your IAM baseline. This is highlighted by the fact that most industry standards require us to focus on the least-privilege principle and perform periodic access reviews.

b. Cloud Access Security Broker (CASB): These tools, which have been around for a decade or more, do not simply uncover shadow IT usage but also give you insight into who has access to what and to what extent their access could be considered risky. Further, via policy enforcement, CASB tools can allow you to limit access and prevent data leakage to unauthorized users (DSPM — Data Security Posture Management anyone?).

c. SaaS Security Posture Management (SSPM): SaaS is a deployment model where you, as the customer, have no control over the infrastructure or the platform. What you do have control over is who has access to your data in SaaS environments. Further, CIS benchmarks and other industry best practices will have you focus on access reviews and least-privileged implementation, which are critical to minimizing the risk associated with SaaS applications.
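The common thread across CIEM, CSPM and SSPM above is the same check: compare what each identity is entitled to against what it actually exercises, and flag wildcard grants, unused rights and sensitive actions for an access review. The following is an added illustration of that check, not code from the original post or from BalkanID; the identity names, the IAM-style action strings and the usage records are constructed sample data, and the `PRIVILEGED` list is an assumed reviewer watch-list.

```python
import fnmatch
from typing import Dict, List, Set, Tuple

# Constructed entitlements, shaped like AWS IAM "Action" lists: identity -> granted actions.
GRANTED: Dict[str, List[str]] = {
    "svc-backup":   ["s3:GetObject", "s3:PutObject", "s3:*"],          # wildcard grant
    "analyst-jane": ["s3:GetObject", "athena:StartQueryExecution", "iam:PassRole"],
    "ci-runner":    ["ecr:GetAuthorizationToken", "ecr:BatchGetImage"],
}

# Constructed usage summary, like a "last accessed" report built from audit logs: identity -> actions seen.
USED: Dict[str, Set[str]] = {
    "svc-backup":   {"s3:GetObject", "s3:PutObject"},
    "analyst-jane": {"s3:GetObject", "athena:StartQueryExecution"},
    "ci-runner":    {"ecr:GetAuthorizationToken", "ecr:BatchGetImage"},
}

# Assumed watch-list: actions a reviewer should always see when granted, used or not.
PRIVILEGED: Set[str] = {"iam:PassRole", "iam:CreateAccessKey", "sts:AssumeRole"}

Finding = Tuple[str, str]  # (finding type, action)


def review_identity(granted: List[str], used: Set[str]) -> List[Finding]:
    """Access-review findings for one identity: wildcard grants, unused actions, privileged actions."""
    findings: List[Finding] = []
    for action in granted:
        if "*" in action:                       # a wildcard can never be justified by observed usage
            findings.append(("wildcard", action))
            continue
        if action not in used:                  # entitled but never exercised in the review window
            findings.append(("unused", action))
        if action in PRIVILEGED:                # sensitive action: always surface it to the reviewer
            findings.append(("privileged", action))
    return findings


def right_sized(granted: List[str], used: Set[str]) -> List[str]:
    """Least-privilege replacement grant: the exercised actions that current grants (incl. wildcards) cover."""
    return sorted(a for a in used if any(fnmatch.fnmatchcase(a, g) for g in granted))


def review_all(granted_map: Dict[str, List[str]], used_map: Dict[str, Set[str]]) -> Dict[str, List[Finding]]:
    """Run the review over every identity; identities with no usage data get an empty set."""
    return {name: review_identity(actions, used_map.get(name, set())) for name, actions in granted_map.items()}


if __name__ == "__main__":
    for name, findings in review_all(GRANTED, USED).items():
        print(name, findings, "->", right_sized(GRANTED[name], USED.get(name, set())))
```

Identities with no findings and a right-sized grant equal to their current grant are already at least-privilege; everything else is review material.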

IV. Conclusion

In reality, almost every single new capability that has come to market (I haven’t even mentioned CNAPP — Cloud Native Application Protection Platform!) has an identity component. I would argue that identity is central to Public, Private, Hybrid, and Multi-Cloud Security and is foundational to any cloud security strategy. While CIEM is the acronym most of us use to dive into the entitlements and fine-grained permissions related to cloud security, identity and access management constructs provide a fundamental set of cloud security requirements that figure prominently in prevention, detection, response, and compliance-related controls. The “castle and moat” perimeter is dead. Long live the new cloud perimeter!


Co-founder @ BalkanID, Former CISO (Amazon/WholeFoods, Forcepoint, Arrow Electronics)