Global spending on cloud service providers is set to increase in 2021 by 18.4% to $304.9 billion, up from $257.5 billion in 2020. Organizations face the major challenge of reducing complexity in their cloud environments while enforcing least privilege through managing high volumes of people and non-people identities and their access. As these companies move to the cloud, security teams must contend with entitlements tied to people identities, managing up to tens of thousands of non-people identities. Those already in the cloud may not even be aware of this security risk, so they start to look for what is known as a Cloud Infrastructure Entitlement Management (CIEM) solution.
Traditional PAM solutions do not effectively manage identities in your cloud. It isn’t really their fault; PAM just was not built for people and non-people identities. Their view of entitlements is too short-sighted, and they are not able to keep up with the speed, scale, and complexity of a single cloud, let alone manage across multiple clouds. Due to the complexity of managing identities in and across clouds, a new breed of solution has emerged; CIEM.
CIEM refers to next-generation cloud security technology that grants, resolves, enforces, revokes, and administers access. CIEMs purpose is to manage entitlements, remediate cloud access risk, and enforce the principle of least privilege across multi-cloud environments to reduce excessive permissions, access, and cloud infrastructure entitlements.
At the heart of any cloud security strategy is Identity Management. Identities (both people and non-people) form your security boundaries - not networks. Thus to ensure that you are effectively protecting your environment, and the data residing within it, you need to shift your perspective and take a new approach to identity management. Failure to do so leaves your organization blind to significant risks.
You can’t manage what you don’t know about. In the average cloud, there are often 100s, if not 1000s, of identities. Non-people identities make up the majority in your cloud. By leveraging a CIEM solution, you will be able to inventory all of the identities in your cloud. However, this is not a static inventory that is executed once every quarter but is actually done continuously. That means at any given moment, you must have visibility into every single identity and ensure that there are no gaps. By doing this, you now have a strong foundation on which to manage entitlements.
You need to know what your identities can access and what they can do with that access. Managing entitlements, or permissions, for your identities in cloud is an extraordinarily complex and challenging task. To securely manage your cloud, you need to take a holistic approach and determine, for each and every identity, its effective, end-to-end permission. This involves not only evaluating the policies and/or access controls directly attached to the identity but mapping out what that identity can do with those permissions.
To help put this into context, let’s examine the following example. Sam is a DevOps engineer with what is supposed to be a limited set of permissions in her company’s AWS dev account. She is assigned to an AWS Group that provides her identity with the permissions needed to do her job, including the ability to assume an AWS Role, a non-people identity within that same account. However, due to lack of visibility, the role that she can assume has permissions to assume another AWS role, this time into a production account. Making matters worse, this role (as shown below) is grossly over-permissioned and has full admin permissions on all DynamoDBs in production.
So from a traditional entitlements perspective, Sam’s AWS user has only the permissions she needs to do her job. However, when we use a CIEM to determine her effective permissions, we can see that she has Full Admin access to all of of the DBs in her company’s production environment.
Identities are your security boundary in the cloud. To appropriately manage risk and protect your cloud, you need to have full visibility into all of your identities (both people and non-people), as well as know at all times what their effective (end-to-end) permissions are. This is where the traditional PAM tools start to fall down and where a CIEM solution is required.
In 2020, traditional tools didn’t cut it, and week after week, we read about breach after breach, each having an average cost of $3.86 million. If data is the most expensive commodity on the planet, why are most organizations not doing enough to protect it? The honest answer here is that teams have been doing their very best without the support of adequate tooling. Being able to know at all times, what every identity in your cloud (even across multiple clouds) has access to, is what has been missing here. By leveraging a CIEM, they are now able to lock down and secure data at the scale and speed of cloud.
Start by taking a data-centric IAM approach. Using the identity inventory and their effective permissions (entitlements) from your CIEM, you are now able to determine not only what data your identities can access, but also how they can access the data, and what they can potentially do with the data. With this continuous visibility, you can effectively determine where you have risks and then, in turn, manage those risks to ensure that your cloud, and all of the data (both critical and non-critical) within it, stays secure. At the end of the day, this is the ultimate goal of the modern security team in the cloud.
As we’ve seen, CIEM is critical to managing risk in your cloud environments. However, not all solutions are created equal. The right CIEM needs to not only be able to inventory your people and non-people identities and determine their effective permissions, but a CIEM solution needs to be able to do this at the scale and speed of your cloud.
In cloud, things change quickly and your audit practices need to as well. At one time, identity inventory and entitlement audits were performed on a defined schedule. While this might have made sense back in the data center where changes were less frequent, it makes no sense in cloud. With the multitude of teams active in your cloud, coupled with the ephemeral nature of the environment, you need to know what is going on at all times. You need to be continuously auditing your cloud so you can immediately detect deviation or a misconfiguration, you need to be able to alert the right teams.
In a recent customer issue that we encountered, a user (people identity) assumed an overly permissive AWS role (non-people identity) and, as that assumed role, escalated the permission of another AWS role, which they then also assumed, giving them access to a critical data store. This all happened in a matter of minutes. Luckily, this organization had a CIEM in place that was continuously auditing all of this access drift, and as soon as the effective permissions of the role changed, the right team was alerted. This would have never been caught using a traditional identity and data security approach.
Sending all security issues to one single team never worked, so why are you doing it now in cloud? You have the ability in your CIEM to organize your cloud contextually. What this means is the ability to view your cloud in a way that makes sense to your business. A typical example we commonly see is that organizations divide their cloud up into environments based on things like applications and data classification, as well as based on the teams tasked with operating and securing them. This ensures that issues can be routed to the teams that created them and are in the best position to remediate them. Getting the right ticket to the right team enables intelligent workflows to ensure that your existing IAM processes and best practices can be leveraged for CIEM in your cloud. Lastly, by organizing your cloud contextually you are able to use automation to fix your CIEM issues once again at the speed and scale of cloud.
Managing identities and their entitlements in the cloud is a complex affair. With so many identities (both people and non-people) traditional tools, like PAM, do not go wide and deep enough to provide you with the visibility that you need to be able to effectively secure your cloud. Throw in a multi-cloud environment and the complexity that obviously adds, and its very difficult to keep up. What is required to solve this problem is a CIEM solution.
Sonrai Security can help. Sonrai Dig is an enterprise security platform for AWS, Azure, Google Cloud, and Kubernetes. It is built on a sophisticated graph that identifies and monitors every possible relationship between identities and data that exists inside an organization’s public cloud. Dig’s Governance Automation Engine automates workflow, remediation, and prevention capabilities across cloud and security teams to ensure end-to-end security.
We believe identity and data controls are central to securing your cloud. Your cloud is flooded with non-people identities, sprawling data, and imminent danger. It’s why Sonrai Dig, built on patented graphing technology, perfectly maps all possible access and activities. This is how you automatically enforce least privilege, monitor access to crown jewel data, and automate CSPM. You get security far superior to anything possible before.
Using Sonrai’s Dig, our enterprise cloud security platform with platform CIEM, you can continuously inventory your identities, compute their effective (end-to-end) permissions, and alert on any deviations as soon as they are detected. With this in place, you can manage risk at the scale and speed of your cloud and not find yourself in the headlines for the next embarrassing data breach.