One AWS, Azure, or Google Cloud misconfiguration. One non-person identity with excessive privileges. One bad actor. And that’s all it took to expose the personal data of more than 204GB of customers’ information of a significant US-based healthcare provider in a widely reported 2021 security breach. It’s all it took to expose the personal data of more than 300,000 files for one government office. And again, for this cybersecurity firm that release 5 billion records. With each cloud security, data breach comes fines in the millions to the organization. All as a result of a bad actor that took advantage of an over-permissioned non-permission identity, like an AWS role, which leads to the ability to discover and exfiltrate personal identifying information.
Experts have warned us that these data breaches are coming. In 2016, Forrester Research created a report discussing the “Shift To The Cloud” that raises security concerns on how traditional security tools can’t effectively monitor data moving to and from the cloud and between cloud platforms. In July 2018, analysts warned us in the Gartner report, “Top Six Security and Risk Management Trends,” that organizations need to “avoid making outdated investment decisions. Search for providers that propose cloud-first services, that have reliable data management and automations competency, and that can protect your data at least as well as you can.” In October 2019, Gartner Analysts urged security teams to ask themselves, “Am I using the cloud securely?” In 2020, Forrester expected internal incidents to cause a third of breaches, an 8% increase compared to the previous year. And by October of 2021, the number of data breaches had already surpassed 2020’s total.
So, where can enterprises look to reduce risk in the public cloud? Enterprise organizations need to understand the new paradigm – identities are the new perimeter, and one over permissioned identity risks their cloud infrastructure. The best way to manage identity risk is to implement the principle of least privilege across their AWS, Azure, and Google Cloud environments. If they fail to secure all identities, the org risks compromising everything in the environment.
Understand the Shared Responsibility Model
Many enterprises fail to realize that protecting their identities and data in the cloud is a shared responsibility. As part of their Seven Elements for Creating an Enterprise Cloud Strategy, Gartner states that “in cloud, the responsibilities of the provider are defined by the features and capabilities of the cloud service that is being offered. The customer organization’s responsibility is to leverage the capabilities of the cloud service within the organization’s own processes to get the desired result. Cloud customers need to clearly understand what they may reasonably expect from their provider and what is their own responsibility. Also, as skills and experience are essential to responsible use of cloud services, organizations should facilitate training, education and eventually certification of their staff using the cloud services.”
Forrester Research recently explained, “the shared responsibility models that look tidy in PowerPoint slides are often murky in practice. After all, the CSPs have — or at least should have — greater expertise in how to implement security controls than their customers”. The cloud shared responsibility model breakdown depicts the division of responsibilities between the cloud providers and their customers – placing the burden of security of the cloud infrastructure on the CSPs and the responsibility for security of the customers. CSPs take care of the security ‘of’ the cloud while customers are responsible for security ‘in’ the cloud.
“It is estimated that at least 95% of cloud security failures through 2022 will be the fault of the enterprise,” according to Gartner Research. This statistic highlights the misunderstanding in the shared responsibility model.
Some enterprise customer organizations are surprised to learn they are solely responsible for the security of the resources they create in AWS. For example, AWS and Azure are responsible for the security of their services and the infrastructure that runs the AWS cloud. When an enterprise deploys a new data store, like an S3 bucket, they must manage the operating system; they need to configure the security setting of the instance. They are responsible for managing the data, classifying the data, and implementing the proper permissions for identity and access management for each identity in the instance.
To add to the complexity, AWS, Azure, and Google Cloud employ different security policies, methods, and out-of-the-box configurations, creating a massive challenge for enterprises attempting to maintain standard policies and configurations across multiple cloud deployments.
Because Cloud Service Providers generally only meet basic security standards for their platforms, enterprise organizations need to standardize how they monitor and mitigate risk across their entire environment—making it more critical than ever before for enterprises to clearly understand the division of responsibilities between their organization and their cloud service providers.
Get to the Principle of Least Privilege and Stay There
The Principle of Least Privilege is a primary pillar of any best practice security strategy. According to the Gartner report, “an effective practice embraces the entire concept of least privilege, granting only the right privileges to only the right system and only the right person for only the right reason at only the right time.”
While the concept of least privilege is not new, the complexity of implementing the principle and the severe consequences organization face by not enforcing it in the cloud is new.
In the old work of network security, organizations had fewer identities to manage and a firewall built around them to protect them. Fast-forward to now, and the cloud is full of people and non-people identities, making them the new perimeter—these identities, whether human or machine, now have the same permissions and access to sensitive data.
In today’s cloud environment, the number of identities accessing cloud infrastructure has increased exponentially, fueled by the rapid growth in non-human identities. These identities can now access unique permissions across all cloud platforms. If these permissions are improperly used, the results can be catastrophic to an enterprise’s infrastructure. As a result, people and non-people identities with excessive privilege are the risk to the new perimeter.
At the heart of any cloud security strategy is Identity Management. Identities (both people and non-people) form the security boundaries – not networks. To ensure that an organization effectively protects their cloud environments, and the data that resides within them, they need to shift their perspective and take a new approach to identity management. Failure to do so leaves organizations blind to significant risks. Gartner predicts, “By 2023, 75% of security failures will result from inadequate management of identities, access, and privileges, up from 50% in 2020.”
Effective Permissions, Entitlements in the Cloud
Every enterprise needs to know what their identities can access and what they can do with their access. Managing entitlements or permissions for your identities in the cloud is an extraordinarily complex and challenging task. To securely manage cloud environments, organizations need to take a holistic approach and determine, for each and every identity, its effective, end-to-end permission. This approach involves evaluating the policies and access controls directly attached to the identity and mapping out what that identity can do with those permissions.
Can it take on or assume another identity? If it can, it now takes on the permissions of that identity. What can it do with these new permissions? If we looked only at the first level, we would be blind to everything else. This is where organizations get into trouble and where a Cloud Infrastructure Entitlement Management CIEM is crucial.
CIEM Protects Your Most Valuable Data
By leveraging a CIEM, enterprise organizations can lock down and secure data at the scale and speed of the cloud. Gartner defined Cloud Infrastructure Entitlement Management (CIEM) as a ‘specialized identity-centric solution’ focused on managing identity access risk. The rise of CIEM solutions has emerged because Identity Access Management (IAM) challenges have become more complex. With the increased usage of multi-cloud and hybrid cloud infrastructures, there was a need for better tools. These tools handle identity governance for dynamic cloud environments, typically following the least privilege principle, where identities and entities can access only what they need at the right time and for the right reason.
Using the identity inventory and their effective permissions (entitlements) from a CIEM tool, organizations can now determine what data identities can access and how they can access the data and what they can potentially do with the data. With this continuous visibility, teams can effectively determine where they have risks and then, in turn, manage the risks to ensure that the cloud environment and the data within it stay secure.
CIEM is critical to managing risk in your cloud environments. However, not all solutions are created equal. The right CIEM needs to not only be able to inventory your people and non-people identities and determine their effective permissions, but a CIEM solution needs to be able to do this at the scale and speed of your cloud.
Most enterprises today turn to traditional identity and access management (IAM) tools. However, it quickly becomes apparent that these solutions are neither granular nor dynamic enough to keep up with the highly automated and complex environments that define modern infrastructure.
Some enterprises manage permissions with the native cloud IAM tools that come with each cloud platform provider, most of which offer only basic functionality. These built-in mechanisms come with their dedicated toolsets, management screens, and workflows that won’t work for enterprises running multi-cloud and hybrid cloud deployments.
Many enterprises try to control and manage privileged access with traditional strategies like RBAC or role-based access control. RBAC is an older, static method involving the creation of standard roles with predefined and broad sets of permissions based on job descriptions and functions within an organization and assigning identities to these roles. Even with the most disciplined use of RBAC — organizations can’t keep up with managing all the new permissions made available for each cloud service in use. As a result, most roles are seldom updated, if at all. And where they are, the temptation is always to add more permissions to existing roles rather than redesign the roles entirely. Once an identity is assigned a role, it is rarely reviewed again. More often than not, the identity is never removed from a role even if it no longer performs the job function.
The limitations of existing solutions create a new market need: one for a cloud-native, scalable, and extensible way to automate the continuous management of permissions in the cloud. With this need in mind, industry analyst firm Gartner recently created a new research category, Cloud Infrastructure Entitlements Management (CIEM). The key to CIEM is its description of the next generation of solutions for managing access to permissions and enforcing the least privilege in the cloud.
Pillars of CIEM
Gartner analyst Paul Mezzera has made a strong case for the need for a new approach to identity, access, and permissions management in the cloud in his new CIEM research report. In the research, Mezzera describes the core requirements of secure cloud infrastructure. This need is pressing.
The pillars of CIEM are designed to help users evaluate and implement the best solutions for their cloud identity and permissions journeys. They include, according to Gartner, the following attributes, taken from his report:
Account and Entitlements Discovery. “… an inventory of identities and entitlements across an enterprise’s cloud infrastructure.” Characteristics, according to Gartner, include continuous, event-based discovery, identification and tracking of all identity types, analyzing all access policies, and discovery of any federated and native cloud identities, including those from CSP accounts, identity providers, and traditional directories, e.g., Active Directory.
Cross-cloud Entitlements Correlation. “Organizations need a method by which accounts and entitlements across clouds can be correlated and normalized into a unified access model.”
Entitlements Visualization. “Given the large number of entitlements that organizations need to manage, traditional table-driven visualization methods for viewing and analyzing this information is not feasible. The following characteristics are essential for effectively visualizing cloud infrastructure entitlement data within and across cloud platforms:
- Graph identity and entitlement view
- Natural language query capabilities
- Metrics dashboard”
Entitlements Optimization. “Usage data generated by privileged operations across cloud infrastructure combined with entitlement data is essential in determining least-privileged entitlement assignments.”
Entitlements Protection. “An important control for ensuring the overall integrity of the cloud infrastructure is the ability to detect changes within all managed cloud infrastructure environments and to remediate changes made outside of policy.”
Entitlements Detection. “The analysis process should detect changes made outside of sanctioned processes or changes that are deemed anomalous due to external factors, are atypical, or considered high-risk.”
Entitlements Remediation. “Changes are often required as a result of entitlement optimization or the change analysis process. In either case, an organization may prefer that security tools not make changes directly, but rather trigger a change event containing the updated policy or entitlement assignment. … The ability to detect cloud infrastructure threats and respond by generating events and performing mitigation operations is a required security function.”
The pillars of CIEM are daunting in scope. Nevertheless, enterprises must move forward in all areas to continuously protect critical cloud resources from accidental misuse or malicious exploitation of permissions and achieve the least privilege across clouds.
Manage Access and Entitlement Risk
CIEM solutions must seamlessly operate within dynamic multi and hybrid cloud environments. CIEM includes privileged access management as well as identity administration and governance. A CIEM solution should combine continuous visibility and context of data with simple automation and remediation. As CIEM solutions evolve, the ability to “auto-remediate” will become critical, especially as the complexity of managing multiple cloud operating models grows. For example, with an auto-remediation feature, a periodic search for inactive identities over 90-days can be generated to remove all of the permissions for those identities automatically. Essentially, this “auto-pilot” type of functionality is about ensuring continuous security and enforcement of least privilege policies across an enterprise’s environment without ongoing involvement from the security and cloud infrastructure teams.
Recently, Gartner advised security leaders to implement “a process for quick and easy requesting and granting of additional privileges with minimal disruption to an individual’s workflow.” A CIEM tool with automation and remediation can offer this capability by establishing that identities should not have standing permissions unless needed for a specific task. The idea is that instead of granting “standing permissions,” organizations can use this feature to limit access to permission(s) and resource(s) for a predefined time, at which point permissions are rescinded. This approach mitigates the risk of permission abuse by significantly reducing the amount of time a cyber attacker or malicious insider has to gain access to privileged credentials before moving laterally through a system and gaining unauthorized access to sensitive data.
To maintain control and security across clouds, enterprises need to know what is going on at all times. With tens of thousands of identities active at any one time, making the task of monitoring them and looking for things that are not right is an absolute nightmare. This is why it is critical that a CIEM solution provides robust monitoring and alerting capabilities that empower enterprises to continuously track the activity patterns of all unique human and non-human identities across multiple cloud deployments.
Ideally, enterprises should have the ability to monitor their cloud environments from a multi-dimensional perspective. For example, monitoring activity through the “identity” lens enables the security and cloud infrastructure teams to track changes based on the identity’s activity profile. They can quickly ascertain which permissions an identity used, which permissions have not been used, and which resources they have accessed over time.
In the breach example cited earlier, anomalous activity on a cloud resource (e.g., S3 bucket) by an overpermissioned non-human identity went undetected, causing a massive loss of customer data and triggering one of the most significant fines to date against an institution. The ability to continually monitor activity data is critical because it provides the context necessary to detect anomalous behavior, such as an identity that suddenly uses high-risk permission (e.g., AWS s3 sync s3://sensitive_ data_bucket) or accesses a sensitive resource (e.g., s3 bucket) for the first time. Monitoring activity from a resource perspective allows the team to track which identities are accessing a sensitive resource and what types of actions they have performed on it.
Most importantly, when something anomalous does happen, the CIEM solution should include the option to invoke an automated remediation response or notify the right team, either through email or third-party SIEM or SOAR tools, to take immediate action. Because security teams are already overwhelmed by an avalanche of alerts, fixing security holes requires CIEM solutions to provide context that enables prioritization. It is simply not enough for a CIEM solution to alert teams to potential areas of risks or threats; the CIEM must deliver an easy, automated way to prioritize those alerts and assess the threat in context.
In its 2020 Cloud Security Hype Cycle, Gartner defined Cloud Infrastructure Entitlement Management (CIEM) as specialized identity-centric SaaS solutions focused on managing cloud access risk. These tools handle identity governance for dynamic cloud environments, typically following the least privilege principle. Users and entities can access only what they need at the right time and for the right reason. Precisely, these solutions accomplish this via administration-time controls for managing entitlements and data governance in hybrid and multi-cloud IaaS architectures. The category of CIEM solutions has emerged because Identity Access Management (IAM) challenges have become more complex in tandem with the increased usage of multi-cloud and hybrid cloud infrastructures.
What to look for in a CIEM solution?
CIEM solutions should encompass a thoughtful and strategic approach. Most importantly, a CIEM solution should provide visibility into the entities currently accessing the organization’s cloud infrastructure: employees, clients, applications, cloud services, and more. This analysis must also cover the specific resources being accessed, the type of access, and the time. Simply put, the information gathered must include the who, the what, and the when.
That analysis then informs the next implementation step, which deals with managing risk across the cloud infrastructure. The main task within this step involves the implementation of the least privilege principle noted earlier. In short, entities can only access applications and data they need to complete their work. No other access should be given.
Finally, cloud engineers need the means and visibility to monitor cloud activity on a 24/7 basis. This includes receiving actionable alerts whenever suspicious activity happens, such as unauthorized access.
Ultimately, partnering with a top CIEM provider lets companies work with the experts to devise an implementation strategy compatible with the organization’s cloud security approach. As CIEM is a relatively new sector in cloud technology, best practices for implementing a platform are still being developed, making that expert input all the more valuable.
Typical Features of a CIEM platform
Any suitable CIEM enterprise cloud security platform must include a robust collection of features and functionality. For example, an easy-to-use module for access control and provisioning helps cloud administrators manage privileges for all accounts accessing the cloud infrastructure. This module must also facilitate enforcement of the least privilege principle and any other governance policies for the company.
A related entitlement management module gives administrators the means to control specific permissions for each user. An automated audit feature helps companies wrangle any dormant or orphaned accounts that exist. These kinds of accounts must be identified and removed, if necessary. They remain a significant security risk to any company’s cloud infrastructure. Auditing also helps cloud administrators track the current entitlement level for each account.
Many leading CIEM platforms seamlessly integrate with the top cloud providers, including Amazon Web Services (AWS), Microsoft Azure, and Google Cloud. Of course, the best platforms also support multi-cloud and hybrid cloud infrastructures. Remember, when choosing a CIEM platform, easy integration helps ensure a successful implementation.
The Benefits of CIEM
Implementing a CIEM solution offers significant benefits to any company with a complex cloud infrastructure. As noted earlier, the best platforms provide visibility into the current activity on the cloud, even hybrid and multi-cloud environments.
Using CIEM protects an enterprise’s cloud-based applications and critical data from hackers and other nefarious cybercriminals. Once again, automated features detect and alert when discovering potential threats, like dormant accounts or activities outside the norm. Even mistakes when creating new user accounts, like assigning overly permissive access, are detected by the system, preventing potentially harmful errors from impacting business operations.
Additionally, companies with significant regulatory compliance requirements benefit from a CIEM platform’s automated auditing features. This approach provides a documentation trail detailing the company’s tight controls on cloud access, especially those critical data privacy considerations. Companies in the banking, insurance, and financial sectors significantly benefit from this functionality.
Managing identities and their entitlements in the cloud is a complex affair. With many identities, both people and non-people, traditional tools, like PAM, do not go broad and deep enough to provide you with the visibility you need to secure your cloud effectively. Throw in a multi-cloud environment, and you are lost. What is required to solve this problem is a CIEM solution.