The Basics of Cloud Infrastructure Entitlement Management (CIEM)

CIEM Cloud Security DevSecOps Identity & IAM Least Privilege Skill Level: Learner
Reading Time: 5 minutes

Amazon Web Services (AWS), Microsoft Azure, and Google Cloud (GCP) eliminated traditional network boundaries, creating a new landscape to manage. There can be tens of thousands of identities in your cloud environment with the rise of machine identities, microservices, and Infrastructure as Code. The new boundary of cloud security is identity management. With this new perimeter, a new class of solutions is taking over, Cloud Infrastructure Entitlement Management. Let’s explore the basics of CIEM.

What is Cloud Infrastructure Entitlement Management?

Cloud Infrastructure Entitlement Management (CIEM) monitors cloud identities and their entitlements. Entitlements are the sum of all privilege assigned to an identity. Gartner explains it this way, “CIEM offerings are specialized identity-centric SaaS solutions focused on managing cloud risk via administration-time controls for the governance of entitlements in hybrid and multi-cloud IaaS.”  The goal of CIEM is used to define the solutions that answer basic questions that surround identity: what are my identities, what are the end-to-end effective permissions of my identities, and what are they doing with them?

And use cases are proliferating dramatically, which brings into question their entitlements. Normally, entitlements are tied to an identity, but with non-people identities in the cloud, the reach of entitlements has become wider and are representing compute that could put cloud security at risk. 

Why Are CIEM Solutions Necessary To Your Cloud Security Strategy?

What challenges does CIEM address?

Cloud resources are ephemeral and dynamic. Traditional identity and access management (IAM) solutions and practices are designed to protect and control access to conventional static on-premises applications and infrastructure. These solutions aren’t typically well suited for safeguarding highly dynamic, ephemeral cloud infrastructure. Because AWS, Azure, GCP, and Kubernetes are inherently dynamic, applications and services are instantiated on-demand, and continuously spun up and spun down. The transitory nature makes assigning entitlements and tracking access very difficult.

Traditional on-premise identities were stored in a central repository, like Active Directory. Entire processes and provisioning defined where the identities were manifest, what groups they were associated with and how they were monitored within the organization. A cycle is developed and maintained for individual identities, and entitlement checks for those identities were looked at periodically – maybe every 90 days or once a year. There is a fundamental paradigm shift when moving to the cloud, now, identity is the new perimeter.

Adding to the complex nature of managing the cloud is another challenge — each cloud provider has its own approach to identity and data security with distinct roles, permission models, tools and terminology, and shared responsibility models. Enterprises utilizing multiple cloud providers are forced to use multiple provider native tools, which can lead to configuration inconsistencies, security gaps, permissions gaps, and risk. Managing identities and their entitlements can become a resource-intensive, time-consuming, and error-filled function. CIEM addresses this disparate security by offering a central location to manage and view entitlements.

Some more challenges CIEM addresses:

  • Establishing Least-Privileged Access in the Cloud
  • Managing access to ephemeral resources
  • Over-permissioned access to cloud resources
  • Gaining clarity at scale
  • Dynamic resources and the complexity of multi-cloud setups
  • Tracking and discovery of access risks

Who Needs CIEM?

Organizations need to know what all their identities are, what they have access to, and context on what is shared, but unfortunately, most struggle to do so. Many enterprises manage cloud permissions and access to data in manual admin practices. Passwords and other credentials are often statically configured or infrequently rotated. Because managing access manually is risky, teams will often give out privileges unnecessarily or haphazardly, creating additional risk. Over permissioned identities and excessive cloud entitlements can make it easier for bad actors to move “permission chain” their way through and across an environment. If this sounds like your organization, you could benefit from a CIEM.

Identity access and rights are more diverse, with over 40,000+ possible actions across the major clouds, and they’re widely disseminated across many teams — DevOps, SecOps, DevSecOps, and admins. With all of this activity happening in the cloud, privileges become obscured. 

Why Does Your Organization Need CIEM?

IBM’s X-Force Cloud Threat Landscape Report found overprivileged identities to be in 99% of the breach cases they analyzed. Overprivileged and unmanaged identities pose massive risk to every organization.

Additioanlly, most enterprises are multicloud. According to Gartner, 81% of organizations report working with two or more public cloud providers. A CIEM solution helps cloud security teams understand access risk and manage all entitlements across multi cloud environments.

CIEM solutions can help your team increase visibility. Teams need to clearly know how many accounts, users, roles, services, pieces of compute, and policies exist across accounts in any cloud provider.

How does CIEM address cloud access risk?

Many organizations need to understand not only what’s in their environment, but also wha privileges are being used by those identities to detect suspicious behavior or detach unnecessary privilege. By having the ability to see the granular, effective permissions held by identities, your organization can effectively enforce policies like least privilege. The right CIEM solution can also offer continuous compliance reporting so your teams can feel confident in any audit or with any regulation.

When to Use CIEM?

To help all this new information stick, let’s review some real world use cases.

  • An AWS Lambda with cross-account access to sensitive data.
  • Excessive permissions: an employee identity with admin privilege they haven’t used in over 90 days,
  • An Azure Nested Group: an identity able to use a privilege not directly assigned to it, but inherited via several groups.
  • A toxic combination in a multicloud environment.

For more details on real-life CIEM use cases, read our blog, ‘When Would You Use a CIEM?’

How Do I Choose My CIEM Solution?

Every business and organization is unique, so first understanding what your goals and needs are helps you narrow down what you’re looking for. One approach for picking a CIEM solution, is considering if the tool has all the capabilities you need. Some capabilities to consider:

  • Automated Identity Inventory: this is the discovery of every and all identities present in your environment.
  • Effective Permissions: understanding the true scope of all identities’ abilities, even across-accounts.
  • Visualization: an identity graph or analytics is a digestible way to understand your identities and entitlements. See Sonrai’s identity graph here.
  • Detection: once your identities and privileges are at a secure baseline, monitoring capabilities can help detect suspicious behavior when an attacker is in your environment.
  • Customizable: customizable frameworks and policies so your specific needs are enforced, and customizable remediations like manual or bot-use for when risks are detected.

For more information on selecting a CIEM tool, explore our CIEM Buyer’s Guide.

Cloud Infrastructure Entitlement Management is an excellent way to understand who and what is in your cloud, what privileges they possess, and what privileges they are actually using. This insight is proving to be more and more critical as identity emerges as a major player involved in cloud breaches. Identities are the new boundary to your business and insufficient management of identities and their entitlements is a steadfast way to leave your cloud at risk.

Sonrai ciem solution