A brief article discussing the attributes, necessity, and significance of Cloud Infrastructure Entitlement Management (CIEM)
2020: A Prelude to CIEM
If there is one thing the 2020-2021 pandemic did to change our lives forever, it was the work-related chaos of getting everything and everyone to go digital, which in practice meant wholesale cloud migration. The rush caught IT personnel, CISOs and other executives off guard: they had expected to go fully digital at some future date but were not prepared for an overnight transition. Perimeters are now disappearing quickly, and everything suggests that even after restrictions subside, the way companies and organizations store, secure, and manage access to their data and resources will never be the same.
Besides pandemic-related restrictions, there were pre-existing reasons spurring the migration to the cloud, including cutting costs, on-demand scalability, flexibility, high availability and more. Even when compared to the disadvantages, like security concerns (discussed later in the article), upgrading, and maintenance, the future is clear: the cloud model is here to stay.
Cloud Service Types and the Shared Security Model
By now, most of us use at least one type of cloud service daily. The IaaS (Infrastructure as a Service) market, one of the cloud service models, was valued at $38.94 billion in 2019. By 2027, Gartner projects it to reach $201.83 billion, a CAGR (Compound Annual Growth Rate) of 23.2%.
Cloud services come in three main service models: SaaS, PaaS, and IaaS. (The term "deployment model" is usually reserved for public, private, and hybrid clouds.)
- A SaaS (Software as a Service) application, like Office 365 email or Salesforce, is cloud-hosted software maintained by a third-party CSP (Cloud Service Provider). It is available on demand over the internet and requires no updates or maintenance from the user.
- A PaaS (Platform as a Service) is a development platform, also hosted by a CSP, that customers use to build and run their own applications (e.g., Force.com).
- IaaS provides the underlying compute, storage, and network infrastructure on which SaaS and PaaS offerings, as well as customers' own workloads, run; the dominant vendors are AWS (Amazon Web Services), Azure (Microsoft), and GCP (Google Cloud Platform).
Each service model, and each CSP, has its own security risks, with some overlap between them. In this article we focus on the risks inherent to IaaS, but first let's look at the Shared Responsibility Model for cloud security:
Cloud security is a responsibility shared between CSPs and the customer. These responsibilities are divided into three main categories:
- Vendor/CSP-only responsibilities
- Customer-only responsibilities
- Responsibilities that shift between the two depending on the service model (SaaS, PaaS, or IaaS)
The vendor is responsible for the security of the cloud itself: the physical facilities, and the patching and configuration of the hosts, hypervisors, and networks on which compute instances run and where data and other resources reside.
The customer is responsible for security in the cloud: managing identities and their access privileges (Identity and Access Management, or IAM), encrypting and protecting cloud-based data and resources, configuring the services it uses securely, and maintaining its overall security posture.
However, managing access to data and applications—particularly in the IaaS environment—has become extremely challenging, especially at a time when people are working from anywhere and everywhere and as conventional perimeters are disappearing.
The Vulnerabilities and Challenges of IaaS
Among the three service models, IaaS carries the most risk for the customer because it leaves the most responsibility with them. The exposure multiplies as clouds are connected to one another (hybrid or multi-cloud environments), as organizations grow and accumulate more identities and entitlements to manage, and as SaaS and PaaS services are integrated with an IaaS platform. Additionally, each CSP has its own authorization model that constantly evolves (e.g., AWS added over 35 services in 2019), so IT specialists must become domain experts in every IaaS they run to effectively manage entitlements, control access, maintain visibility, and ensure compliance.
Of the several components of IaaS security posture, identities and entitlements are particularly critical and difficult to manage. Managing cloud entitlements effectively means understanding the underlying services and each cloud's access model. In AWS, for instance, determining what a user can actually do requires knowing every policy that applies to it: AWS managed and customer managed policies, inline policies, policies inherited through groups, resource-based policies and access control lists on the target resource, any permissions boundary set on the identity, and service control policies applied to the account from the organization level. An explicit deny in any one of them overrides an allow in the others. If not properly addressed, these gaps can expose an organization's data and resources to unauthorized parties.
Here are the major identity-related security risks challenging IaaS users today:
- Excessive Permissions: IT teams struggle to reach the Principle of Least Privilege (POLP) because permissions are granted generously and rarely removed. The more permissions human and non-human identities hold beyond what they actually use, the larger the attack surface and the greater the damage when a single credential is compromised.
- Misconfigurations: A misconfigured access setting can make data or resources reachable from the internet without any authentication (a storage bucket whose policy allows an anonymous principal is the classic case). This is one of the most exploited risks; a famous example is the Capital One breach of 2019, in which a misconfigured web application firewall was abused to obtain the credentials of an over-privileged IAM role and read data from S3.
- Limited Visibility: Organizations are often unable to monitor even basic risks, such as who is accessing a cloud service or application, or misconfigured controls such as storage resources exposed to the internet.
- External Data Sharing: Because sharing a cloud resource is trivial (a bucket policy, a shared link, a cross-account role), controlling access to shared resources and data is extremely challenging, and organizations often do not know which sensitive resources or data are being shared, or with whom.
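To make concrete why working out a principal's effective access means reading every policy type, and what the "public" misconfiguration above looks like in a policy document, here is an added example in Python. It is not code from the article or from any vendor's product: it is a deliberately simplified model of how AWS combines identity policies, a permissions boundary, service control policies and a resource-based policy to decide one request, plus a check that flags resource-policy statements granting anonymous access. All policy documents, the account ID and the bucket name are constructed for illustration; the assumptions (same-account principal, only `*`/`?` wildcards, no Condition, NotAction, session-policy or cross-account handling) are stated in the comments.

```python
"""Added example, not the article's or any vendor's code: a simplified model of
how AWS combines its policy types to decide a single request, plus a check for
resource policies that grant anonymous ('public') access.
Assumptions: same-account principal and resource; only '*' and '?' wildcards;
NotAction/NotResource, Condition, session policies and cross-account rules are
ignored. The policy documents at the bottom are constructed for illustration."""
import fnmatch


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _statements(policy):
    return _as_list(policy.get("Statement", []))


def _match(stmt, action, resource):
    # IAM compares action names case-insensitively and ARNs case-sensitively.
    acts = [a.lower() for a in _as_list(stmt.get("Action", []))]
    res = _as_list(stmt.get("Resource", "*"))
    return (any(fnmatch.fnmatchcase(action.lower(), a) for a in acts)
            and any(fnmatch.fnmatchcase(resource, r) for r in res))


def policy_decision(policy, action, resource):
    """'Deny' if any matching statement denies, 'Allow' if one allows, else None."""
    result = None
    for s in _statements(policy):
        if _match(s, action, resource):
            if s.get("Effect") == "Deny":
                return "Deny"
            result = "Allow"
    return result


def evaluate(action, resource, identity_policies, scps=(), boundary=None,
             resource_policy=None):
    """Decide one request. `scps` is the effective SCP at each organization level
    from root down to the account (assumption: one policy per level), each of
    which must allow. Order follows IAM's evaluation logic: an explicit Deny
    anywhere wins; SCPs and the permissions boundary act as filters; then an
    identity policy or the resource policy must grant the action; otherwise the
    result is an implicit Deny. Simplification: the boundary is applied even to
    resource-policy allows, which real IAM exempts when the resource policy
    names the IAM principal directly."""
    layers = [("SCP", list(scps)),
              ("permissions boundary", [boundary] if boundary else []),
              ("identity policy", list(identity_policies)),
              ("resource policy", [resource_policy] if resource_policy else [])]
    decisions = {name: [policy_decision(p, action, resource) for p in pols]
                 for name, pols in layers}
    for name, ds in decisions.items():
        if "Deny" in ds:
            return "Deny", f"explicit deny in {name}"
    if decisions["SCP"] and not all(d == "Allow" for d in decisions["SCP"]):
        return "Deny", "not allowed by every SCP"
    if decisions["permissions boundary"] and decisions["permissions boundary"][0] != "Allow":
        return "Deny", "outside permissions boundary"
    if "Allow" in decisions["identity policy"]:
        return "Allow", "identity policy"
    if "Allow" in decisions["resource policy"]:
        return "Allow", "resource policy"
    return "Deny", "implicit deny (no matching Allow)"


def public_statements(resource_policy):
    """Allow statements whose principal is anonymous ('*' or {'AWS': '*'}), the
    misconfiguration behind most 'public bucket' incidents. Statements carrying
    a Condition are still returned and need manual review: a condition such as
    aws:SecureTransport restricts how the resource is reached, not who reaches it."""
    flagged = []
    for s in _statements(resource_policy):
        if s.get("Effect") != "Allow":
            continue
        principal = s.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        if "*" in _as_list(aws or []):
            flagged.append(s)
    return flagged


# Constructed sample policies (illustrative bucket name).
ADMIN = {"Version": "2012-10-17",
         "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
S3_ONLY_BOUNDARY = {"Version": "2012-10-17",
                    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
NO_BUCKET_DELETE_SCP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}]}
PUBLIC_BUCKET = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::reports-bucket/*"}]}

if __name__ == "__main__":
    obj = "arn:aws:s3:::reports-bucket/q1.pdf"
    print(evaluate("s3:GetObject", obj, [ADMIN], scps=[NO_BUCKET_DELETE_SCP], boundary=S3_ONLY_BOUNDARY))
    print(evaluate("s3:DeleteBucket", "arn:aws:s3:::reports-bucket", [ADMIN], scps=[NO_BUCKET_DELETE_SCP]))
    print(evaluate("ec2:RunInstances", "*", [ADMIN], boundary=S3_ONLY_BOUNDARY))
    print(evaluate("s3:GetObject", obj, [], resource_policy=PUBLIC_BUCKET))  # anonymous read
    print([s["Sid"] for s in public_statements(PUBLIC_BUCKET)])
```

Running it shows the "administrator" identity unable to delete a bucket because of the SCP and unable to launch instances because of the boundary, while a principal with no identity policy at all can read the bucket because its resource policy allows `*`. This is exactly why a permission inventory that reads only identity policies misses both the filters and the public grants. For authoritative answers on a real account, use the IAM policy simulator (`aws iam simulate-principal-policy`), which evaluates the actual policies including conditions the model above ignores.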
The Solution: Cloud Infrastructure Entitlement Management (CIEM)
In response to the identity risks mentioned above, the CSPs (mainly AWS, Azure, and GCP) created their own security tooling. AWS, for example, offers AWS Config, CloudWatch, Service Control Policies, GuardDuty, and IAM Access Advisor, to name a few. Similarly, Azure added tighter controls to its integrated IAM stack (Azure AD entitlement management, Azure Blueprints). Each of these, however, covers only its own platform, and organizations must build their own processes around the controls rather than the other way around.
Consequently, a new category emerged to protect customers operating in hybrid and multi-cloud environments. In early 2020, Gartner addressed the vulnerabilities and challenges of IaaS by introducing CIEM (Cloud Infrastructure Entitlement Management) as a subset of IGA (Identity Governance and Administration):
“CIEM is a new profile that reflects the emergence of specialized SaaS-delivered IAM solutions that manage entitlements in hybrid and multi-cloud IaaS. CIEM provides important foundational capabilities to mitigate identity risks in IaaS.”
Gartner also projects this category to be subsumed into other IAM tools like IGA, PAM (Privileged Access Management), or CSPM (Cloud Security Posture Management), to name a few.
CIEM delivers a thorough set of operations to manage access to cloud platforms, IAM profiles, groups, roles, and entitlements to bolster security posture, including cloud ILM (Identity Lifecycle Management), access management services, and access governance.
CIEM provides the following features:
- Multi-cloud access control
- Access provisioning
- Entitlement management & audits
- Enforcement of SoD (Segregation of Duties) policies for compliance
- Enforcement of least privilege (removing excessive permissions)
- Identity and entitlement risk & analytics
- AI/machine learning-based entitlement outliers
- Access certification
- Detection of orphan & dormant accounts
These features address the growing gap between what hybrid and multi-cloud environments need and what conventional IAM and CSPM solutions offer. Implemented well, CIEM sharply reduces the risk of over-privileged accounts inherent to such environments. As a subset of IGA, it can also extend control to SaaS applications and give IT personnel basic threat discovery, incident response, and forensic capabilities.
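Two of the features listed above, detection of dormant accounts and removal of unused access, come down to comparing each credential's last use against a threshold. As an added example (not the article's or any vendor's code), the following Python script does that for one provider by parsing an AWS IAM credential report, which is what a CIEM pulls from AWS behind the scenes. The CSV embedded below is constructed for illustration but follows the column layout of a real report (one is produced with `aws iam generate-credential-report` followed by `aws iam get-credential-report`); the report date and the 90-day idle threshold are assumptions passed in as parameters. Orphan detection proper, i.e. matching these users against the HR system or IdP, needs data this script does not have and is left out.

```python
"""Added example, not the article's or any vendor's code: flagging dormant
credentials and missing MFA from an AWS IAM credential report. The CSV is
constructed to follow the report's column layout; REPORT_DATE and the
90-day threshold are assumptions."""
import csv
import io
from datetime import datetime, timedelta, timezone

CREDENTIAL_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2019-01-10T09:00:00+00:00,not_supported,2021-03-01T08:00:00+00:00,not_supported,not_supported,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2020-02-01T10:00:00+00:00,true,2021-03-03T07:30:00+00:00,2021-01-15T10:00:00+00:00,N/A,true,true,2021-01-15T10:00:00+00:00,2021-03-03T09:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob-contractor,arn:aws:iam::111122223333:user/bob-contractor,2020-05-20T10:00:00+00:00,true,2020-08-01T12:00:00+00:00,2020-05-20T10:00:00+00:00,N/A,false,true,2020-05-20T10:00:00+00:00,2020-08-02T12:00:00+00:00,eu-west-1,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,2020-09-01T10:00:00+00:00,false,no_information,N/A,N/A,false,true,2020-09-01T10:00:00+00:00,N/A,N/A,N/A,true,2020-09-01T10:00:00+00:00,2021-03-04T01:00:00+00:00,us-east-1,ecr,false,N/A,false,N/A
"""

# Assumed "now" so the run is reproducible; use datetime.now(timezone.utc) in practice.
REPORT_DATE = datetime(2021, 3, 5, tzinfo=timezone.utc)


def _parse(ts):
    """Reports hold ISO-8601 timestamps or the markers N/A, no_information and
    not_supported; None means 'never' or 'unknown'."""
    if ts in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(ts)


def find_dormant_credentials(report_csv, now, max_idle_days=90):
    """Return (user, credential, reason) findings. A credential is dormant when it
    is enabled but its last use (or, if never used, its creation/rotation) is
    older than max_idle_days. Console users without MFA are reported alongside
    because the two are usually cleaned up in the same pass."""
    cutoff = now - timedelta(days=max_idle_days)
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if row["password_enabled"] == "true":
            last = _parse(row["password_last_used"]) or _parse(row["password_last_changed"])
            if last is None or last < cutoff:
                findings.append((user, "password", f"console login unused for >{max_idle_days} days"))
            if row["mfa_active"] != "true":
                findings.append((user, "password", "console access without MFA"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            # A key rotated recently but never used gets a grace period equal to the threshold.
            last = _parse(row[f"access_key_{n}_last_used_date"]) or _parse(row[f"access_key_{n}_last_rotated"])
            if last is None or last < cutoff:
                findings.append((user, f"access_key_{n}", f"unused for >{max_idle_days} days"))
    return findings


if __name__ == "__main__":
    for user, credential, reason in find_dormant_credentials(CREDENTIAL_REPORT, REPORT_DATE):
        print(f"{user:15} {credential:13} {reason}")
```

On the constructed report the contractor's console password and access key both surface as dormant (and the password as lacking MFA), and the CI user's first key, which has never been used since it was created six months earlier, is flagged even though its second key is in daily use. That last case is the one a simple "last login" view misses: a service identity can look active while half its credentials are dead weight waiting to be leaked.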
Authomize: More than CIEM
In recent months, some smaller, specialized vendors have stepped up to offer CIEM as part of their product suite. An example is Authomize, which integrates natively with all major CSPs' (AWS, Azure, and GCP) infrastructure platforms through a simple API-based one-click integration and produces actionable results within hours.
Besides monitoring and protecting IaaS environments, Authomize's platform integrates with existing systems including SaaS, PaaS, data stores, ITSM and IdPs (Identity Providers), normalizing and correlating all identity and account entitlements within an organization into a unified access and authorization model.
Authomize’s core capabilities include:
- Visibility: provides discovery of and granular visibility into all human and machine identities, resources, and entitlements within a cloud environment; results in the visibility of both the entitlements of all identities and resources, and the structure in which they are granted (via which group, etc.).
- Analytics: using SmartGroups, a proprietary core technology, it looks beyond an identity's nominal role and analyzes the usage of, and the network structure between, resources, identities, and entitlements; it lets teams slice and dice the data according to the organization's needs or risks rather than relying on the simplistic "unused is bad, everything else is good" model seen in typical CIEM solutions.
- Automation: one of its key characteristics; enables IT teams to automate the full scope of ILM including JML (Joiner-Mover-Leaver) flows, permission requests, onboarding, offboarding, and certification campaigns to ensure optimal productivity and uncompromising security.
- Onboarding: lets IT teams streamline the onboarding of new employees with data-driven decisions, avoiding the simplistic "look-alike" model and achieving least privilege from day one.
- Offboarding: allows IT teams to instantly revoke permissions across all apps and systems; monitors departing employee activities; identifies risky actions in the past 30 days (e.g., file sharing); detects orphaned accounts and transfers their ownership to secure ones; pinpoints and revokes API-based identities and token-based authentications; and more.
- Certification Campaigns (excessive permission clean-up processes): simplifies certification campaigns by continuously verifying certifications; recommends which stakeholders should sign off on permissions and provides a holistic picture of relevant data to assist decision-making; helps IT teams reach the finish line faster.
- Prescriptive Recommendations: its prescriptive analytics engine provides intelligent recommendations to help organizations achieve optimal results; recommends which permissions to grant or revoke while guiding IT teams through the process.
Actionable Security Measures include:
- Crown Jewel Protection: tags the most valuable company assets; delivers a holistic view of assets’ potential risks (e.g., who has access); applies additional protections and alerts.
- Achieve Least Privilege: delivers recommendations on how to achieve least privilege across an organization; allows a built-in tool to remove excessive permissions automatically and detect when a certain identity will need a certain permission.
- Enforce Cloud Guardrails: enforces security policies across hybrid or multi-cloud environments; avoids toxic combinations of permissions; complies with internal regulations.
- Detect Suspicious Behavior: enables IT teams to track and identify risky and suspicious behavior regarding access to sensitive data and resources.
By automating authorization management, Authomize not only offers a unique CIEM solution, it also helps organizations achieve holistic security posture where IaaS security measures fall short—all while increasing productivity.
To learn more about how Authomize can help your organization improve its security posture, request a FREE, actionable report of your organization’s authorization and access status.