When organizations began their transition to cloud, the benefits were obvious.
Flexibility, scale, and speed.
But with great power comes great responsibility to keep it secure.
Each application and service added creates new identities, each with their own sets of privileges that allow them to access the assets in those clouds.
As organizations have adopted a multi-cloud model that combines more than one Cloud Service Provider (CSP) and more applications (SaaS) than they can count, they have run into challenges of complexity and scale.
- Each service has its own approach to IAM. How an identity or set of privileges is managed in AWS differs from Azure, which is then different from Salesforce or Google. These variations make managing identities and access exceedingly distributed and difficult.
- Traditional IAM tools cannot see activities in CSPs, so they cannot tell which identities are inactive, or if privileges are stale. They simply lack visibility into the activities of federated identities outside of the IdP, and into those identities’ effective access to assets.
- IAM tools miss changes to identities and privileges performed outside of their identity platforms, directly in the apps. This creates a gap between the “declared” state of privilege and your “de facto” state of privilege.
- Identities, especially the growing number of non-human ones, are usually over-privileged and unmonitored.
- Maintaining continuous compliance over the large scale of identities and privileges is untenable as a manual process from both a time and accuracy standpoint.
This has led many organizations to seek out a Cloud Infrastructure Entitlement Management (CIEM) solution to help take control of their identities in the cloud.
In this blog, we will lay out some of the core features that you should look for in your CIEM solution, along with a couple of helpful questions to consider in your search.
Defining Cloud Infrastructure Entitlement Management (CIEM)
Cloud Infrastructure Entitlement Management (CIEM) is the process of managing identities and privileges in the cloud.
The primary use case that is most often associated with CIEM is in helping organizations to work towards a state of Least Privilege.
CIEM has become an increasingly important tool as security professionals understand the visibility limitations that they have in their IAM stack, like their Okta, Entra ID, or PAM solutions.
While initially conceived for handling issues in CSPs like AWS, Azure, and GCP, the category of CIEM tools has expanded to include coverage for SaaS under the banner of “CIEM for all”, making it a much more comprehensive solution for achieving security.
5 Key Capabilities for CIEM
The list of capabilities for a CIEM solution is long. Read our CIEM Buyer’s Guide for a much more comprehensive list and explanations, as well as the RFP template provided there for a fuller understanding of what is out there in the marketplace.
Below are a few of the primary capabilities that CIEM comes with, and why they actually matter.
Detect Stale Identities and Privileges
Privilege creep, over-privilege, unused privileges, and inactive identities. These are all basic risks that can open the door for attackers. Organizations are obviously aware that they need to clean up stale identities and privileges, but lack the activity visibility to make intelligent decisions about how to remediate.
A CIEM solution should be able to not only identify all of the privileged identities and privileges, but also monitor activity to see which ones are not being used. An identity or privilege that has not been used for, say, 30, 60, or even 90 days is probably not essential for getting work done, and therefore can be removed.
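To make the “not used in N days” rule concrete, here is an added example (not code from the original post or from any CIEM product) that applies it to a constructed inventory. The inventory shape is an assumption: each identity carries the time it was last seen acting and the time each of its privileges was last exercised, the kind of data a CIEM tool assembles from activity logs. The report separates identities that are inactive as a whole from individual unused privileges on identities that are still active, and the threshold is a parameter so the same inventory can be judged at 30, 90 or 180 days.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Constructed inventory (not real data) in the shape a CIEM tool would assemble
# from activity logs: when the identity last acted, and when each privilege it
# holds was last exercised. None means "never observed".
@dataclass
class Identity:
    name: str
    last_activity: Optional[datetime]
    privileges: Dict[str, Optional[datetime]] = field(default_factory=dict)

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

def _ago(days: int) -> datetime:
    return NOW - timedelta(days=days)

INVENTORY: List[Identity] = [
    Identity("alice", _ago(3), {"s3:GetObject": _ago(1), "iam:CreateUser": None}),
    Identity("ci-deployer", _ago(120), {"ecs:UpdateService": _ago(120)}),
    Identity("old-contractor", None, {"ec2:*": None}),
]

def days_since(ts: Optional[datetime], now: datetime) -> Optional[int]:
    """Age in days, or None when the thing has never been observed."""
    return None if ts is None else (now - ts).days

def is_stale(ts: Optional[datetime], now: datetime, threshold_days: int) -> bool:
    """Never used counts as stale, as does anything older than the threshold."""
    age = days_since(ts, now)
    return age is None or age >= threshold_days

def find_stale(inventory: List[Identity], threshold_days: int = 90, now: datetime = NOW) -> dict:
    """Split the inventory into identities that are inactive as a whole and,
    for identities still in use, the individual privileges they never touch."""
    report = {"inactive_identities": [], "unused_privileges": {}}
    for ident in inventory:
        if is_stale(ident.last_activity, now, threshold_days):
            report["inactive_identities"].append(ident.name)
            continue  # every privilege of an inactive identity is unused by definition
        unused = sorted(p for p, ts in ident.privileges.items()
                        if is_stale(ts, now, threshold_days))
        if unused:
            report["unused_privileges"][ident.name] = unused
    return report

if __name__ == "__main__":
    for days in (30, 90, 180):
        print(f"{days}-day threshold:", find_stale(INVENTORY, threshold_days=days))
```

Note the difference between the 90 and 180 day runs: the CI role that deployed four months ago drops off the inactive list at 180 days, while a privilege that has never been exercised (alice’s iam:CreateUser) is flagged at every threshold. That distinction matters in practice: “never used” is the cheapest privilege to remove.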
Detect Suspicious Behavior
Identity has moved from being simply a posture management field, to one that deals with active threats.
Once attackers have gained a foothold in their target, taking over an identity, they will attempt to escalate privileges and may try to make changes to the identity’s privileges.
The creation of new admins or privileges may be indicative of a breach. Similarly, sudden use of access privileges to assets that fall outside of the identity’s normal use should also throw up red flags.
If your CIEM solution takes the “CIEM for all” approach, then you should be able to detect suspicious activity not only in your CSP, but also your SaaS and any other platform you’re using.
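The two signals above, identity or privilege creation by an already-compromised account and access that falls outside an identity’s normal pattern, can both be expressed as rules over audit events. The following is an added example (not code from the original post or any vendor product) that runs such rules over constructed CloudTrail-style records. The record layout is simplified and is an assumption: “actor” stands in for userIdentity.arn and “resource” for the target ARN; the IAM event names used are real CloudTrail eventNames, but the rule set is illustrative, not a complete detection library.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed CloudTrail-style records (not real logs), trimmed to the fields the rules need.
ACCOUNT = "111122223333"
ALICE = f"arn:aws:iam::{ACCOUNT}:user/alice"
DEPLOYER = f"arn:aws:iam::{ACCOUNT}:role/ci-deployer"

BASELINE_EVENTS = [  # a prior window of normal activity
    {"eventTime": "2024-05-02T09:00:00Z", "actor": ALICE, "eventName": "GetObject",
     "resource": "arn:aws:s3:::app-data"},
    {"eventTime": "2024-05-10T09:30:00Z", "actor": ALICE, "eventName": "GetObject",
     "resource": "arn:aws:s3:::app-data"},
    {"eventTime": "2024-05-15T02:00:00Z", "actor": DEPLOYER, "eventName": "UpdateService",
     "resource": f"arn:aws:ecs:us-east-1:{ACCOUNT}:service/web"},
]
RECENT_EVENTS = [  # the window under review
    {"eventTime": "2024-06-01T09:05:00Z", "actor": ALICE, "eventName": "GetObject",
     "resource": "arn:aws:s3:::app-data"},  # business as usual
    {"eventTime": "2024-06-01T23:40:00Z", "actor": ALICE, "eventName": "CreateUser",
     "resource": f"arn:aws:iam::{ACCOUNT}:user/alice-backup"},
    {"eventTime": "2024-06-01T23:41:00Z", "actor": ALICE, "eventName": "AttachUserPolicy",
     "resource": f"arn:aws:iam::{ACCOUNT}:user/alice-backup",
     "requestParameters": {"policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2024-06-02T03:00:00Z", "actor": DEPLOYER, "eventName": "GetObject",
     "resource": "arn:aws:s3:::finance-exports"},  # a bucket this role never touched before
]

# IAM API calls that create identities or grant privileges (real CloudTrail eventNames;
# the selection is illustrative, not exhaustive).
IDENTITY_CREATION = {"CreateUser", "CreateRole", "CreateAccessKey", "CreateLoginProfile"}
PRIVILEGE_GRANT = {"AttachUserPolicy", "AttachRolePolicy", "PutUserPolicy",
                   "PutRolePolicy", "AddUserToGroup"}
ADMIN_POLICY_SUFFIX = ":policy/AdministratorAccess"

Profile = Dict[str, Set[Tuple[str, str]]]

def build_profile(events: List[dict]) -> Profile:
    """Per actor, the set of (action, resource) pairs seen during the baseline window."""
    profile: Profile = defaultdict(set)
    for e in events:
        profile[e["actor"]].add((e["eventName"], e["resource"]))
    return profile

def detect(events: List[dict], profile: Profile) -> List[Tuple[str, str, str]]:
    """Return (alert_kind, actor, detail) tuples for the window under review."""
    alerts = []
    for e in events:
        actor, name, resource = e["actor"], e["eventName"], e["resource"]
        if name in IDENTITY_CREATION:
            alerts.append(("identity_created", actor, resource))
        elif name in PRIVILEGE_GRANT:
            policy = e.get("requestParameters", {}).get("policyArn", "")
            kind = "admin_privilege_granted" if policy.endswith(ADMIN_POLICY_SUFFIX) else "privilege_granted"
            alerts.append((kind, actor, f"{policy or name} -> {resource}"))
        elif (name, resource) not in profile.get(actor, set()):
            # Ordinary access, but to an asset this identity has no history with.
            alerts.append(("outside_baseline", actor, f"{name} on {resource}"))
    return alerts

if __name__ == "__main__":
    for alert in detect(RECENT_EVENTS, build_profile(BASELINE_EVENTS)):
        print(*alert)
```

Running it yields three alerts: the new user, the AdministratorAccess attachment to it, and the CI role reading a bucket outside its baseline. Alice’s routine read of app-data produces nothing, which is the point of keeping a per-identity baseline rather than alerting on every access.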
Achieve Visibility Over Effective Access
Visibility over who has access to what, and how they have that access, is the start of how you secure your identities in the cloud. And this means being able to see an identity’s entire access path from the IdP all the way to all of their assets, regardless of whether that path takes them through different roles or groups in the CSP, or even across into their SaaS applications.
A good example of this is being able to easily pull up your users who have privileged access to production in AWS or Azure, and important repositories in your GitHub.
Understanding effective access is important not only because it shows you what an identity has access to, but how they gained that access. This allows you to find multiple access paths that are unnecessary and/or risky, and remove them.
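Effective access is a graph problem: identities are connected to assets through group memberships, role assignments and role chaining, and every distinct route is an access path. The example below is added here (it is not code from the original post or from any product) and walks a constructed graph of IdP users, groups, cloud roles and assets, spanning an AWS account and a GitHub repository as the paragraph above describes. The node naming scheme and the edge list are assumptions made for the example; the traversal itself is a plain depth-first enumeration of simple paths, which is what lets you spot an identity that reaches the same asset by more than one route.

```python
from collections import defaultdict
from typing import Dict, List

# Constructed access graph (not a real environment). An edge (a, b) means
# "a is a member of / can assume / is granted b". Nodes prefixed "asset:" are
# the things we ultimately care about reaching.
EDGES = [
    ("user:alice", "group:developers"),
    ("group:developers", "role:aws-prod-deploy"),
    ("user:alice", "role:aws-prod-deploy"),            # direct assignment, redundant with the group
    ("role:aws-prod-deploy", "asset:aws:prod-account"),
    ("role:aws-prod-deploy", "role:aws-prod-admin"),   # role chaining
    ("role:aws-prod-admin", "asset:aws:prod-account"),
    ("user:alice", "group:github-infra"),
    ("group:github-infra", "asset:github:infra-repo"),
    ("user:bob", "group:developers"),
]

Graph = Dict[str, List[str]]

def build_graph(edges) -> Graph:
    graph: Graph = defaultdict(list)
    for src, dst in edges:
        graph[src].append(dst)
    return graph

def enumerate_paths(graph: Graph, start: str) -> List[List[str]]:
    """Every simple path from `start` to an asset node, in discovery order."""
    paths: List[List[str]] = []

    def walk(node: str, path: List[str]) -> None:
        if node.startswith("asset:"):
            paths.append(path)
            return
        for nxt in graph.get(node, []):
            if nxt not in path:  # refuse to loop through cyclic memberships
                walk(nxt, path + [nxt])

    walk(start, [start])
    return paths

def effective_access(graph: Graph, identity: str) -> Dict[str, List[List[str]]]:
    """Asset -> all the paths by which `identity` reaches it."""
    by_asset: Dict[str, List[List[str]]] = defaultdict(list)
    for path in enumerate_paths(graph, identity):
        by_asset[path[-1]].append(path)
    return dict(by_asset)

def assets_with_multiple_paths(graph: Graph, identity: str) -> List[str]:
    """Assets reachable by more than one route: candidates for pruning."""
    return sorted(a for a, paths in effective_access(graph, identity).items() if len(paths) > 1)

if __name__ == "__main__":
    g = build_graph(EDGES)
    for asset, paths in effective_access(g, "user:alice").items():
        print(asset)
        for p in paths:
            print("   ", " -> ".join(p))
    print("multiple paths:", assets_with_multiple_paths(g, "user:alice"))
```

For alice the production account shows up four times over: via the group or via the direct assignment, each with or without the chained admin role. Her GitHub repository has exactly one path. The direct role assignment is the one a reviewer would remove first, since the group already provides it.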
Remediation of Risky Security Policies in Cloud Resources
The overly permissive S3 bucket is a classic when it comes to data leaks because it leaves the door open for unauthorized access without much effort from the attacker.
More advanced CIEM solutions can detect when a security policy for a cloud resource is excessive. A common case is where the policy uses a simple wildcard (“*”) to allow access, as opposed to specifying who should have the access.
Your CIEM solution should be able to help you not only detect these insecure policies, but also automate remediation by offering more secure policies that you can approve.
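Here is what that detect-then-propose flow looks like in code, as an added example rather than anything from the original post or a shipping product. It parses a constructed S3 bucket policy, flags Allow statements whose Principal or Action is a wildcard (covering both the bare "*" form and the {"AWS": "*"} form), notes when a Condition block might already narrow the wildcard, and produces a candidate policy in which the reviewer supplies the explicit principals for each flagged Sid. The bucket name, account ID and role ARNs are placeholders made up for the example.

```python
import copy
import json
from typing import Any, Dict, List

# Constructed bucket policy (no real bucket or account): the first statement lets
# anyone read every object; the second is scoped to one application role.
SAMPLE_POLICY: Dict[str, Any] = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "AppAccess", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/app"},
     "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-bucket/*"}
  ]
}
""")

def _as_list(value) -> list:
    """Policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def principal_is_wildcard(principal) -> bool:
    """True for "*" and for {"AWS": "*"} / {"AWS": [..., "*"]} forms."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False

def action_is_wildcard(action) -> bool:
    return any(a in ("*", "s3:*") for a in _as_list(action))

def find_risky_statements(policy: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Flag Allow statements that rely on wildcards instead of naming who may act."""
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue
        reasons = []
        if principal_is_wildcard(st.get("Principal")):
            reasons.append("wildcard principal")
        if action_is_wildcard(st.get("Action", [])):
            reasons.append("wildcard action")
        if reasons:
            # A Condition block may narrow the wildcard (e.g. to a VPC or an org);
            # keep the finding but mark it so a human decides rather than an auto-fix.
            findings.append({"sid": st.get("Sid", f"statement-{i}"),
                             "reasons": reasons,
                             "has_condition": "Condition" in st})
    return findings

def propose_remediation(policy: Dict[str, Any], principals_by_sid: Dict[str, List[str]]) -> Dict[str, Any]:
    """Return a copy of the policy in which each wildcard principal is replaced by the
    explicit principals the reviewer approved for that Sid. Statements the reviewer
    did not map are left untouched, so nothing is silently dropped."""
    fixed = copy.deepcopy(policy)
    for st in _as_list(fixed.get("Statement", [])):
        sid = st.get("Sid")
        if principal_is_wildcard(st.get("Principal")) and sid in principals_by_sid:
            st["Principal"] = {"AWS": principals_by_sid[sid]}
    return fixed

if __name__ == "__main__":
    print(json.dumps(find_risky_statements(SAMPLE_POLICY), indent=2))
    proposal = propose_remediation(
        SAMPLE_POLICY, {"PublicRead": ["arn:aws:iam::111122223333:role/reader"]})
    print(json.dumps(proposal, indent=2))
```

The original policy object is never modified; the proposal is a separate copy, which is what you want when the corrected policy has to go through an approval step before it is applied.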
Protect Non-Human Identities
Often called Service Accounts or Workload Identities, non-human identities play a significant role in how organizations automate their development processes in their cloud infrastructure. And they are growing fast: the ratio of non-human to human identities reached a whopping 10:1 as of 2023.
To keep them secure, your CIEM solution needs to not only be able to identify these non-human identities that are spun up and down at a breakneck pace, but also detect if they are performing suspicious activities or are over-privileged.
One key point to watch for with non-human identities is whether a non-human workload is using a human identity, which should alert you to the need to remediate.
To learn more about CIEM, download our Buyer’s Guide, or simply reach out to us to discuss your identity and access challenges.