How to Implement CIEM – A Checklist
What differentiates a CIEM solution from other cloud security platforms, and how should a CIEM be used in an organization? Read on to find out.
CIEM solutions provide visibility into cloud identities to secure access management. With cloud adoption growing and entitlements taking center stage as the security boundary in the cloud, more organizations are looking for the right security solution for their identity-related needs. For permissions management in the cloud, that solution is CIEM. In this article we present a checklist on how to approach CIEM assessment and implementation, including best practice tips.
What is CIEM and Why It’s Needed in Cloud Infrastructures
Governing cloud identities and their permissions (entitlements) through access management is a key component in cloud security strategies. The global transition to distributed public cloud infrastructure and SaaS applications that are not owned and controlled solely by the enterprise has turned identity into the new security perimeter. While enterprises are still required to protect their own data, identities and application configurations, they can no longer do so by securing the network perimeter. Instead, the way to do so is through secure access management.
Yet the growing scale and complexity of public cloud environments has introduced thousands of new identities and permissions that require managing and monitoring. On top of human users, workloads need identities of their own (service principals, roles and service accounts) with permissions to perform actions, and these non-human identities typically outnumber the people. This makes permission management hard to maintain and control.
When deploying a multi-cloud environment, organizations find it even more challenging to ensure permission management consistency across different public cloud providers, each with different configurations, tools and terms for access management.
These challenges are intensified by a global shortage of cloud expertise. The required technological depth, combined with the newness of the cloud, has generated a skills gap that the market has not yet overcome, even with the recently softer economy.
Finally, the cloud has also distributed the roles and responsibilities of cloud security. While security was once the purview of IT teams alone, in modern cloud infrastructures, stakeholders across disciplines are involved in security: developers, DevOps, DevSecOps, security teams and others. This often raises the question of who is in charge. As we know, when everyone is in charge, no one is.
CIEM (Cloud Infrastructure Entitlement Management) solutions were developed and designed to bridge this gap. CIEM is a Gartner cloud security category that encompasses the tools and technologies that address access risk management and eliminate excessive permissions. These solutions automate, analyze and mitigate cloud infrastructure access risk by monitoring human and service identities and their permissions, providing visibility into cloud environments and, ideally, auto-remediating risky and excessive permissions with policies based on the principle of least privilege.
CIEM solutions can address identity-related threats that arise from different use cases, including developer privileges, supply chain attacks, identity threat detection and response, and more.
According to a 2022 Gartner Emerging Tech report, CIEM’s penetration in the market will increase as the end user’s cloud maturity increases. In the same report, Gartner noted seeing a 30% year-over-year increase in CIEM related client inquiries. In short, CIEM adoption can be expected to grow as digital transformation accelerates globally.
Are All Identity-Related Access Tools Part of CIEM?
The short answer is no. Identity management is a broad ecosystem that encompasses multiple capabilities. However, a CIEM solution can complement or partially replace other identity-management solutions. According to Gartner, adjacent categories like IAM, PAM and CSPM will broaden their scope to include CIEM capabilities while strong CIEM vendors will broaden their scope to include capabilities from adjacent categories.
Let’s look at the differences in these adjacent categories:
CIEM vs. IAM
IAM (Identity and Access Management) refers to the technologies and processes that organizations use for digital identity management and security, and to govern user access to their systems, data and resources. With IAM tools, IAM and identity professionals determine and control the level of access that users have within the organization.
CIEM solutions add an essential layer of security to IAM in cloud-based environments, where identity management and security is more complex. Misconfigurations and excessive permissions are a ubiquitous problem in the cloud that IAM cannot answer, as IAM solutions were designed for access management and not for monitoring permissions and mitigating risks in cloud environments.
A CIEM complements IAM with important security capabilities such as:
- Visibility into permissions and access rights at a granular level and with context
- Alerts about anomaly detection for excessive permissions and misconfigurations
- Auto-remediation of issues and automated rightsizing of permissions
- Multi-cloud consistency of identities and permissions
CIEM vs. PAM
PAM (Privileged Access Management) solutions are tools or systems for governing access to privileged accounts, typically built around a credential vault. PAM tools verify users before providing them with credentials that will give them access to sensitive assets. In addition, PAM solutions record sessions and actions to enable auditing and achieving compliance.
While PAM solutions were designed and developed for on-premises infrastructures, CIEM solutions offer a degree of PAM capabilities for the cloud. CIEM platforms enable managing, monitoring and controlling identity access, including privileged users’ access, to sensitive data and resources. CIEM bridges the gap that PAM tools have in the cloud by providing granularity, visibility and automation to the access management process.
CIEM vs. CSPM
CSPM (Cloud Security Posture Management) platforms are solutions that assess cloud infrastructure settings and configurations to determine their level of compliance. Organizations use CSPMs to map risks to industry standards and security best practices, such as SOC 2, ISO, CIS Benchmarks, PCI DSS, HIPAA and the NSA/CISA Kubernetes hardening guidance.
CIEM solutions enhance and complement CSPM tools by identifying permission-related weaknesses and mitigating them. Some CSPM solutions combine with CIEM to offer organizations a comprehensive view of misconfigurations and identity-related risks, and auto-remediation of the detected flaws and risks. To learn more, read our post "What is CSPM".
Implementing CIEM: What to Look Out For
Ideally, your CIEM solution will be part of a more comprehensive cloud infrastructure security solution such as a CNAPP solution. But beware: not all CIEM solutions are alike. There are a few key features to look out for when implementing CIEM, to ensure you have a true understanding of your cloud security reality and can protect it.
Here’s what to look out for when implementing CIEM:
- Visibility into Permissions: Depth of visibility is the most important feature to look for in a CIEM capability. Without profound awareness of the access granted to every identity and resource, you may have a CIEM tool but you will not have a true understanding of your cloud security reality. Visibility means the ability to see into all components – data, infrastructure, logs, identities, network and resources – and for the relationships between them to be revealed in context. Deep visibility also requires sophisticated risk analysis of permissions to reveal toxic combinations: individually harmless permissions that, held together by one identity, open a privilege-escalation or data-exposure path. An advanced CIEM solution will provide these capabilities based on deep monitoring, not only by visualizing data from public cloud APIs.
- Multi-Cloud Support: Many organizations deploy a multi-cloud architecture to maximize flexibility, ensure redundancy and reduce costs. But for security teams, each additional provider brings its own identity model, policy language and tooling to learn and monitor. A robust CIEM solution can provide full visibility into the permissions of all layers across different cloud provider environments, creating a single view for all public cloud vendors and showing how many resources are exposed and which permissions are excessive.
- Rightsizing of Permissions: An identity-first cloud security approach enforces the principle of least privilege, including through mechanisms such as JIT (Just-in-Time) access management. Right-sizing privileges to grant only the permissions needed to get the job done dramatically reduces the cloud attack surface – and the potential damage from lateral movement after a breach. JIT capabilities add the dimension of time, limiting elevated access to only the scope and time required for the task to be performed, and no more. JIT is an essential capability for avoiding the highly risky yet common practice of long-standing permissions. As an added bonus, JIT automates the process of requesting privileged access approvals, reducing the time and friction that can impede adoption of security controls. By automatically adjusting permissions at scale, for hundreds of thousands of identities, and by retiring unused identities, CIEMs help dramatically reduce the opportunity for unauthorized access – a key focus area for dealing with identity-related risk.
- Advanced Analytics: Permissions management is not a 'fire and forget' task. In a dynamic cloud environment, users and services continuously need new access to resources and systems, and access that was once needed goes stale. This ever-changing access reality requires the environment to be continuously monitored and investigated for misconfigurations, excessive permissions and leaked credentials. A CIEM solution provides analytics for identifying permissions risk, unusual and anomalous access, unauthorized use of access keys, and more. In addition to the auto-remediation that CIEM provides, security teams can use enriched data to assess policies, investigate incidents and rightsize permissions.
- Compliance Automation: An advanced CIEM solution provides compliance audit capabilities as they relate to identity access management and misconfiguration monitoring across the public cloud. By monitoring configuration changes, identifying flaws and enforcing the principle of least privilege, a CIEM solution can help identify whether the organization is still compliant and also help report on compliance during audits.
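The visibility and rightsizing items above describe what a CIEM does with an identity's granted permissions versus the permissions it actually uses. The following script, an added example rather than code from the original page or from any CIEM vendor, shows the core of that process on AWS-style data: it expands wildcard grants in an IAM policy against an action catalog, intersects them with the actions observed in CloudTrail-style events, emits a rightsized policy, flags a well-known toxic combination (iam:PassRole together with lambda:CreateFunction or ec2:RunInstances) before and after rightsizing, and lists identities with no activity in the lookback window as candidates to retire. The ARNs, policy, events and the small action catalog are constructed for the demo; the assumption that a CloudTrail eventName equals the IAM action name holds for most but not all APIs.

```python
"""Rightsizing cloud permissions from observed usage. Added example, not the
page's or any vendor's code; ARNs, policy, events and catalog are constructed."""
import json
from datetime import datetime, timedelta, timezone

# Assumed catalog: real tooling expands wildcards against the full per-service
# action lists published by the provider, not this hand-picked subset.
ACTION_CATALOG = {
    "s3": ["GetObject", "PutObject", "DeleteObject", "ListBucket", "DeleteBucket"],
    "ec2": ["DescribeInstances", "RunInstances", "TerminateInstances"],
    "iam": ["PassRole", "CreateUser", "AttachUserPolicy"],
    "lambda": ["CreateFunction", "InvokeFunction", "ListFunctions"],
}
# Well-known privilege-escalation pairs: holding both lets an identity run code
# or compute under any role it is allowed to pass.
TOXIC_COMBINATIONS = [
    ({"iam:PassRole", "lambda:CreateFunction"}, "create a Lambda under a passable role"),
    ({"iam:PassRole", "ec2:RunInstances"}, "launch EC2 with a passable instance profile"),
]

def parse_time(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def expand_actions(actions):
    """Expand 'svc:*' and 'svc:Prefix*' patterns into the concrete actions they grant."""
    granted = set()
    for action in [actions] if isinstance(actions, str) else actions:
        service, _, pattern = action.partition(":")
        prefix = pattern[:-1] if pattern.endswith("*") else None
        for name in ACTION_CATALOG.get(service, []):
            if name == pattern or (prefix is not None and name.startswith(prefix)):
                granted.add(f"{service}:{name}")
    return granted

def granted_actions(policy):
    """Every concrete action the policy's Allow statements grant."""
    return set().union(*(expand_actions(s["Action"]) for s in policy["Statement"]
                         if s.get("Effect") == "Allow"))

def used_actions(events, principal_arn, since):
    """Actions the principal actually called since `since` (CloudTrail-style events).
    Simplification: treats eventName as the IAM action name."""
    return {f"{e['eventSource'].split('.')[0]}:{e['eventName']}" for e in events
            if e["userIdentity"]["arn"] == principal_arn and parse_time(e["eventTime"]) >= since}

def rightsize(policy, used):
    """Keep only granted actions seen in use; Allow statements with no observed
    use are dropped, Deny statements are kept untouched."""
    statements = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            statements.append(stmt)
            continue
        keep = sorted(expand_actions(stmt["Action"]) & used)
        if keep:
            statements.append({**stmt, "Action": keep})
    return {"Version": policy["Version"], "Statement": statements}

def toxic_combinations(granted):
    return [why for pair, why in TOXIC_COMBINATIONS if pair <= granted]

def stale_identities(events, identities, now, days=90):
    """Identities with no recorded activity in the window: candidates to retire."""
    cutoff = now - timedelta(days=days)
    active = {e["userIdentity"]["arn"] for e in events if parse_time(e["eventTime"]) >= cutoff}
    return sorted(set(identities) - active)

# Constructed sample: an over-broad deployer role and a long-idle batch user.
DEPLOYER = "arn:aws:iam::123456789012:role/app-deployer"
BATCH = "arn:aws:iam::123456789012:user/legacy-batch"
POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::app-artifacts/*"},
    {"Effect": "Allow", "Action": ["ec2:Describe*"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["iam:PassRole", "lambda:*"], "Resource": "*"},
]}
def event(when, source, name, arn):
    return {"eventTime": when, "eventSource": source, "eventName": name, "userIdentity": {"arn": arn}}
EVENTS = [
    event("2024-05-20T10:00:00Z", "s3.amazonaws.com", "GetObject", DEPLOYER),
    event("2024-05-21T11:30:00Z", "s3.amazonaws.com", "PutObject", DEPLOYER),
    event("2024-05-22T09:15:00Z", "ec2.amazonaws.com", "DescribeInstances", DEPLOYER),
    event("2023-11-01T02:00:00Z", "s3.amazonaws.com", "ListBucket", BATCH),
]
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

def run_example(now=NOW, days=90):
    used = used_actions(EVENTS, DEPLOYER, now - timedelta(days=days))
    new_policy = rightsize(POLICY, used)
    return {"policy": new_policy,
            "toxic_before": toxic_combinations(granted_actions(POLICY)),
            "toxic_after": toxic_combinations(granted_actions(new_policy)),
            "stale": stale_identities(EVENTS, [DEPLOYER, BATCH], now, days)}

if __name__ == "__main__":
    print(json.dumps(run_example(), indent=2))
```

Running it shows the deployer's s3:* and lambda:* grants collapsing to the two S3 calls and one Describe call it actually made; the iam:PassRole + lambda:CreateFunction toxic pair is present in the original policy and gone after rightsizing, and the batch user surfaces as stale. In production the usage set would come from the provider's access-history data (for AWS, IAM Access Advisor or CloudTrail) over a window long enough to cover infrequent jobs, and a dropped grant should be moved behind a JIT request rather than silently deleted.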
CIEM Best Practices
Congratulations! You’ve implemented your CIEM solution. Now what? Here are some best practices to help polish your access management security strategy:
Monitor identity relationships
Manage an inventory of your assets and make it a habit to view the relationships between them on a daily basis to discover over-privileged identities and anomalies.
Determine which permissions should be long-standing (when absolutely warranted) and which should be revoked and provided on a JIT basis.
Detect credential vulnerabilities
Look for weaknesses that can be exploited, such as static credentials that have not been rotated, access keys that are active but unused, absence of MFA and poor password hygiene.
Track suspicious behavior that could indicate an attacker is performing reconnaissance or progressing laterally.
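The two credential best practices above are checks a practitioner can script directly. The script below, an added example that is not code from the original page or from any vendor, reads an AWS IAM credential report (the constructed rows use a subset of the real report's columns and its true/false and N/A value conventions) and flags console users without MFA, active access keys older than a rotation threshold, and active keys that have never been used or have sat idle past a threshold; it then scans CloudTrail-style events for the burst of distinct enumeration calls and repeated AccessDenied errors that often mark reconnaissance. The 90-day thresholds, the 15-minute window and the burst sizes are assumptions to tune against your own baseline.

```python
"""Credential-hygiene findings and a reconnaissance heuristic. Added example,
not the page's or any vendor's code; report rows, events and thresholds are
constructed / assumed."""
import csv
import io
from collections import defaultdict
from datetime import datetime, timezone

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
MAX_KEY_AGE_DAYS = 90   # rotate active keys older than this
MAX_IDLE_DAYS = 90      # revoke active keys unused for this long

# Constructed rows in the AWS credential-report format (columns trimmed to those used).
CREDENTIAL_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
alice,arn:aws:iam::123456789012:user/alice,true,true,true,2024-05-01T10:00:00+00:00,2024-05-28T08:12:00+00:00,false,N/A,N/A
bob,arn:aws:iam::123456789012:user/bob,true,false,true,2023-09-15T12:00:00+00:00,2024-05-30T17:45:00+00:00,false,N/A,N/A
svc-etl,arn:aws:iam::123456789012:user/svc-etl,false,false,true,2024-03-10T00:00:00+00:00,N/A,true,2024-01-05T00:00:00+00:00,2024-02-01T06:00:00+00:00
"""

def days_since(value, now=NOW):
    """Age in days of a report timestamp; None for N/A / no_information / not_supported."""
    try:
        return (now - datetime.fromisoformat(value)).days
    except ValueError:
        return None

def credential_findings(report_csv, now=NOW):
    """Map each user to a list of credential-hygiene findings."""
    findings = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        issues = []
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            issues.append("no_mfa")
        for slot in ("access_key_1", "access_key_2"):
            if row[f"{slot}_active"] != "true":
                continue
            age = days_since(row[f"{slot}_last_rotated"], now)
            if age is not None and age > MAX_KEY_AGE_DAYS:
                issues.append(f"{slot}_stale_rotation")
            idle = days_since(row[f"{slot}_last_used_date"], now)
            if idle is None or idle > MAX_IDLE_DAYS:   # never used counts as unused
                issues.append(f"{slot}_unused")
        findings[row["user"]] = issues
    return findings

ENUM_PREFIXES = ("Describe", "List", "Get")

def reconnaissance_suspects(events, window_minutes=15, min_distinct=10, min_denied=3):
    """Principals that, within one time bucket, issue an unusually wide spread of
    distinct enumeration calls or collect repeated AccessDenied responses."""
    distinct, denied = defaultdict(set), defaultdict(int)
    for e in events:
        when = datetime.fromisoformat(e["eventTime"].replace("Z", "+00:00"))
        bucket = (e["userIdentity"]["arn"], int(when.timestamp()) // (window_minutes * 60))
        if e["eventName"].startswith(ENUM_PREFIXES):
            distinct[bucket].add(e["eventName"])
        if e.get("errorCode") == "AccessDenied":
            denied[bucket] += 1
    suspects = {arn for (arn, _), names in distinct.items() if len(names) >= min_distinct}
    suspects |= {arn for (arn, _), n in denied.items() if n >= min_denied}
    return sorted(suspects)

# Constructed events: bob's key sweeps twelve read APIs in twelve minutes at 3 a.m.,
# three of them denied; alice makes two routine calls.
BOB = "arn:aws:iam::123456789012:user/bob"
ALICE = "arn:aws:iam::123456789012:user/alice"
SWEEP = ["DescribeInstances", "DescribeSecurityGroups", "DescribeVpcs", "ListBuckets",
         "ListUsers", "ListRoles", "ListPolicies", "GetAccountAuthorizationDetails",
         "ListFunctions", "DescribeDBInstances", "ListSecrets", "ListTopics"]
EVENTS = [{"userIdentity": {"arn": BOB}, "eventTime": f"2024-06-01T03:{i:02d}:10Z",
           "eventName": name, "errorCode": "AccessDenied" if i % 4 == 0 else None}
          for i, name in enumerate(SWEEP)]
EVENTS += [{"userIdentity": {"arn": ALICE}, "eventTime": "2024-06-01T09:00:00Z", "eventName": "GetObject"},
           {"userIdentity": {"arn": ALICE}, "eventTime": "2024-06-01T09:05:00Z", "eventName": "PutObject"}]

if __name__ == "__main__":
    for user, issues in credential_findings(CREDENTIAL_REPORT).items():
        print(f"{user}: {issues or 'ok'}")
    print("reconnaissance suspects:", reconnaissance_suspects(EVENTS))
```

On AWS the report itself comes from `aws iam get-credential-report` (base64-encoded CSV); the same findings map onto any provider that exposes key age, last-use and MFA state. Note the two different failure modes the script separates: a key that is rotated regularly but never used is still a standing credential worth revoking, and an identity that is otherwise healthy (bob has a fresh last-use date) can still be the one behaving like an attacker.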
Create automated workflows
Reduce the risk of manual oversight through automated remediation and alerts, and through shift-left policy enforcement that catches excessive grants in infrastructure code before they are deployed.
The Role of CIEM in Your Organization
CIEM is an essential component in your cloud strategy because it provides a solution to an identity and access management security gap not addressed by IAM solutions. Use caution in evaluating tools: not all identity-related tools are CIEMs or provide the necessary capabilities for effectively securing identities and entitlements. Effective cloud security relies on deep visibility into cloud identities, and the ability to detect and remediate risks with precision. To determine which CIEM solution is right for you and ensure your cloud will be protected, take to heart the CIEM checklist and best practices provided here. For further insights, consider reading up on the strategic pursuit of cloud security maturity.