Understand the Need for Identity Management in the Cloud
Amazon Web Services (AWS), Microsoft Azure, and Google Cloud (GCP) have dissolved traditional network boundaries, raising the stakes for security. There can be tens of thousands of identities in your cloud environment, and the use cases of those identities make security even more complex. The boundary of cloud security is now identity management – both people and non-people identities. With this new perimeter, Cloud Infrastructure Entitlement Management (CIEM) is needed, but what exactly is it?
Cloud Infrastructure Entitlement Management (CIEM) monitors cloud identities and their entitlements. Gartner explains it this way: “CIEM offerings are specialized identity-centric SaaS solutions focused on managing cloud risk via administration-time controls for the governance of entitlements in hybrid and multi-cloud IaaS.” The term CIEM defines the solutions that answer the basic questions surrounding identity: what are my identities, what are their entitlements, and what are their end-to-end effective permissions?
Use cases for identities are proliferating dramatically, which calls their entitlements into question. Normally, entitlements are tied to a person, but with non-people identities in the cloud, the reach of entitlements has become much wider: they now represent pieces of compute that could put cloud security at risk.
Network Security Fails in the Cloud
Cloud resources are ephemeral and dynamic. Traditional identity and access management (IAM) solutions and practices were designed to protect and control access to conventional, static on-premises applications and infrastructure. Those solutions are not typically well suited to safeguarding highly dynamic, ephemeral cloud infrastructure.
Traditional on-premises identities were stored in a central repository, such as Active Directory. Established processes and provisioning defined where identities lived, which groups they belonged to, and how they were monitored within the organization. A lifecycle was developed and maintained for each identity, and entitlement checks for those identities were carried out periodically – maybe every 90 days or once a year.
Moving to the cloud brings a fundamental paradigm shift, beginning with the role of identity as the new perimeter. Identity access and rights are more diverse and more widely disseminated across the cloud. There are also many more groups with access to cloud identities, such as DevOps, SecOps, DevSecOps, and admins. With all of this activity happening in the cloud, privileges become obscured.
What was a simple model for traditional on-premises identities, even if it wasn’t always easy to manage, is now a complex model in the cloud that is extremely difficult to manage. Organizations need to know what all their identities are, what they have access to, and the context of what is shared, but unfortunately most struggle to do so. If you can’t discover and classify identities, you can’t have a secure cloud or understand the trust relationships between pieces of compute and data. So the first step toward cloud security is an inventory of your identities, and CIEM helps with that process.
What Are Your Cloud Identity Challenges?
Conventional solutions were designed to control access to a limited set of systems and applications deployed in a data center. With cloud infrastructure, teams must monitor and control access privileges for people and non-people identities across an ever more complex environment of resources, services, and accounts.
Because AWS, Azure, GCP, and Kubernetes are inherently dynamic, applications and services are instantiated on demand and continuously spun up and spun down. This transitory nature makes assigning entitlements and tracking access very difficult.
Managing the cloud brings another challenge on top of that complexity. Each cloud provider has its own approach to identity and data security, with distinct roles, permission models, tools and terminology, and shared responsibility models. Enterprises using multiple cloud providers are forced to use each provider’s native tools, which can lead to configuration inconsistencies, security gaps, permission gaps, and risk. Managing identities and their entitlements can become a resource-intensive, time-consuming, and error-prone function.
Many enterprises manage cloud permissions and access to data through manual admin practices. Passwords and other credentials are often statically configured or infrequently rotated, and MFA is not enabled, exposing the organization to unnecessary risk, including data breaches and data leakage. Because managing access manually is laborious, teams often hand out privileges unnecessarily or haphazardly, creating additional risk. Over-permissioned identities and excessive cloud entitlements make it easier for bad actors to “permission chain” their way through and across an environment.
Why Does Your Organization Need CIEM?
Enterprises leverage public cloud providers like AWS, Azure, and GCP to increase the speed of innovation and operations, and many are implementing multi-cloud architectures to optimize choice, cost, or availability. For this reason, cloud providers have created their own native IAM tools and paradigms to help enterprises authorize identities to access resources in fast-growing environments. Even so, the scale, diversity, and dynamic nature of cloud IAM pose significant operational, security, and compliance challenges for cloud security personnel, especially in multi-cloud environments. CIEM solutions address these challenges by improving visibility and by detecting and remediating misconfigurations to establish least privilege throughout public cloud environments.
CIEM can help your team increase visibility. Discovering all the identities in your cloud infrastructure is paramount to enforcing security policies. Teams need to know exactly how many accounts, users, roles, services, pieces of compute, and policies exist across accounts in any cloud provider. If you have a multi-cloud environment, your team must have a complete, normalized view across all of those clouds.
Organizations need to understand which privileges are being used by identities and, most importantly, which privileges are not used. This level of insight can drastically reduce risk and prevent privilege creep. By seeing the granular, effective permissions held by each identity, your organization can enforce policies and prevent cloud sprawl. In addition, organizations need to report that they are effectively managing identity permissions and entitlements. Continuous compliance reporting and continuous auditing are a must in any enterprise organization, as is the ability to report and benchmark against industry benchmarks and compliance requirements.
Enterprises need to reach and maintain least privilege across all people and non-people identities. It is important to be able to baseline your cloud environment for identity and data risk by validating it against compliance and best-practice policies for identity and data security on the cloud(s) you operate in. Most enterprise organizations also need the ability to remediate risk in identities and entitlements. By identifying the security context, the actions taken, and the resources accessed over a given time range, organizations can effectively remediate or prevent risk. With that security context, an organization can identify security events and narrow them down to a root cause.
How Do You Use Cloud Infrastructure Entitlement Management?
Discovering and classifying identities, and recognizing the permissions granted to each one, is what stands between good cloud security and a serious data breach. CIEM can be used to manage identities better in the following ways:
- Separation of duties. Making sure that permissions are used wisely, e.g., the person who controls the keys used to encrypt data can’t also decrypt that data.
- Access reviews and monitoring of cloud service users. CIEM continuously monitors identities and their effective permissions, including whether an entitlement or effective permission has changed.
- Designing and managing permissions. A CIEM monitors the role assignments of each identity, can recognize when a role assignment has been given incorrect permissions or entitlements, and can correct it.
- Identity confirmation and oversight. It offers a consolidated view of identity classification and much-needed management of identities.
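The three checks above (unused privileges, a separation-of-duties rule on encrypt/decrypt, and detecting when an identity’s effective permissions change) can be run over an entitlement inventory. The following is an added example, not Sonrai’s or any cloud provider’s code; the identity names, AWS-style action names, and usage records are constructed for illustration.

```python
# Constructed inventory: identity -> set of granted actions (AWS-style names, illustrative only)
GRANTED = {
    "role/data-pipeline": {"s3:GetObject", "s3:PutObject", "kms:Encrypt", "kms:Decrypt"},
    "user/alice": {"s3:GetObject", "iam:PassRole", "ec2:DescribeInstances"},
}

# Constructed usage over the review window (what audit logs showed each identity calling)
USED = {
    "role/data-pipeline": {"s3:GetObject", "kms:Encrypt"},
    "user/alice": {"s3:GetObject"},
}

# Constructed later snapshot of the same inventory: alice has quietly gained iam:CreateUser
LATER = {**GRANTED, "user/alice": GRANTED["user/alice"] | {"iam:CreateUser"}}

# Separation-of-duties rule from the text: one identity must not both encrypt and decrypt
SOD_PAIRS = [({"kms:Encrypt"}, {"kms:Decrypt"})]


def unused_permissions(granted, used):
    """Granted actions never exercised in the window: candidates for removal (privilege creep)."""
    return {ident: sorted(acts - used.get(ident, set())) for ident, acts in granted.items()}


def sod_violations(granted, pairs):
    """Identities holding both halves of a separation-of-duties pair."""
    found = []
    for ident, acts in granted.items():
        for left, right in pairs:
            if left & acts and right & acts:
                found.append((ident, sorted(left | right)))
    return found


def entitlement_drift(before, after):
    """Identities whose effective permissions changed between two inventory snapshots."""
    drift = {}
    for ident in set(before) | set(after):
        added = after.get(ident, set()) - before.get(ident, set())
        removed = before.get(ident, set()) - after.get(ident, set())
        if added or removed:
            drift[ident] = {"added": sorted(added), "removed": sorted(removed)}
    return drift


if __name__ == "__main__":
    print("unused:", unused_permissions(GRANTED, USED))
    print("sod:", sod_violations(GRANTED, SOD_PAIRS))
    print("drift:", entitlement_drift(GRANTED, LATER))
```

In a real review the granted sets would come from each provider’s IAM API and the used sets from its audit trail; the checks themselves do not change.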
Keeping your cloud secure requires effective, continuous monitoring of both people and non-people identities. CIEM offers visibility into your identities and entitlements, which lets your organization manage them more effectively. Identities are your boundary, and if you don’t know what effective permissions they have been granted, you are essentially opening the gate to risk. Sonrai can help you get started with Cloud Infrastructure Entitlement Management (CIEM).