Breaking down the hype around Cloud Infrastructure Entitlements Management (CIEM).
What is Cloud Infrastructure Entitlements Management (CIEM)?
Cloud Infrastructure Entitlements Management (CIEM) -- also referred to as Cloud Identity Governance (CIG) -- has emerged as an important class of cloud security management solutions. It establishes a new paradigm for protecting an enterprise's cloud assets in the highly dynamic and constantly evolving environment of public cloud. By identifying all cloud identities, and detecting and mitigating excessive entitlements, CIEM reduces an organization's cloud attack surface -- and the risk from lateral movement upon a cloud data breach.
Identity is the new perimeter
According to Gartner, through 2023, 99% of security failures will be the customer’s fault - and 75% of those failures will be the result of inadequate management of identities, access and privileges.
Seventy five percent is a stunning figure. There are many risks in cloud computing, so why is the risk surrounding identities and access privileges so high? Because today, an identity is the key that unlocks the door to applications and data.
According to the Shared Responsibility model, cloud service providers are responsible for protecting the infrastructure - and after more than 15 years, it’s clear they are doing a good job. As for the applications and data hosted in the cloud, their protection is the responsibility of the customer. There are steps we can take to protect them - such as encrypting data and deploying a web application firewall. But ultimately data you put in the cloud is there to be used. Identities enable you to define who can use it, and how.
How Identity Governance (IGA) and Privileged Access Management (PAM) solutions fall short
In the data center era, solutions for Privileged Access Management (PAM) and Identity Governance (IGA) are used to manage identity and access risk. Designed to govern human access to enterprise resources, these solutions help manage the lifecycle of entitlements and to align them with enterprise policies. They also help enforce the principle of least privilege access - for example, by granting temporary, “just in time” credentials for sensitive systems, and by securely storing access keys.
In the cloud, especially in IaaS and PaaS environments, IGA and PAM solutions fall short. They were not designed to address the access challenges that are unique to public cloud environments, and make enforcing least privilege extremely challenging.
Access complexity skyrockets in IaaS/PaaS
In environments like Amazon Web Services (AWS), Microsoft Azure and Google Cloud Platform (GCP), the access landscape is dynamic and complex. IaaS/PaaS applications contain thousands of identities belonging to a variety of compute types (e.g. EC2, lambda functions) that have permissions to multiple resources (e.g. data resources, network resources, secret stores). Each of these resources is affected by a variety of access policies defined in different places. Simply understanding which entitlements or permissions are available for each identity - whether human or machine - is challenging.
The speed and ease with which cloud applications are deployed and expanded adds to the confusion. Developers can easily spin up environments, generally granting broad entitlements to both people and infrastructure, so that security won’t slow them down. This leads to “permission creep” that is very difficult to eliminate once an application goes to production and the security team gets involved. The number of enabled permissions in a modern production environment can easily climb as high as several million. The lion’s share of these permissions, sometimes as much as 90%, are unused, excessive, and are a tremendous risk to the environment.
And of course, every Cloud Service Provider handles permissions a bit differently, and according to a study by IDC and VMware, more than 90% of organizations use multiple cloud services.
Can you afford to take the risk of being breached when you have excessive permissions?
A misconfigured cloud infrastructure entitlement can bring down an entire application or lead to a devastating breach like the one that took place at Capital One last year. In that incident, hackers were successful in stealing customer data because the instance that hosted the Web Application Firewall had excessive permissions that enabled the threat actor to access secrets and sensitive data. Cleary the risk of excessive permissions is too great to ignore.
Protecting Applications and Data with Cloud Infrastructure Entitlement Management (CIEM) - the Main Elements
In 2020, Gartner introduced the term Cloud Infrastructure Entitlement Management (CIEM) to describe the next generation of solutions for managing access and enforcing least privilege in the cloud. According to the report, “The number of entitlements across cloud infrastructure is growing in size and complexity as more CSP offerings and services are added. It is impossible to keep pace with this change, and therefore manual methods for determining least-privilege access are not feasible nor scalable. To address this adequately, organizations need to have a more identity-centric view of their cloud infrastructure entitlements. Furthermore, as organizations begin to understand appropriate access, the ability to efficiently remove unneeded entitlements and adjust access policies is essential.”
According to Gartner, effective management of cloud infrastructure entitlements involves:
Account and Entitlement Discovery: An accurate picture of all entitlements is the first necessary step toward achieving least privilege. Given the dynamic nature of IaaS/PaaS environments, discovery must be continuous and cover:
- All of the entities in the environment (e.g. services, compute instances, data stores, secrets)
- All of the policies (e.g. IAM policies, resource policies, permissions boundaries, ACLs)
- Native and federated identities (e.g. AWS IAM, Active Directory, Okta)
The second part of discovery is analysis - understanding the relationships between all of the assets and policies in order to reveal the gap between the desired enterprise policy and the actual entitlements that have been granted.
Cross-Cloud Entitlement Correlation: Since multiple cloud providers are the norm, and each uses different mechanisms and terminology to address permissions, a central platform for enforcing enterprise policies across all platforms is essential.
Entitlements Visualization: Visualization tools enable you to understand the access available to a given entity. For example, you can visualize all of the identities that have access to a sensitive resource, or conversely, all of the access open to a given role. It’s equally important to be able to transition between a tabular and a visual representation, to filter and search, and to view metrics and scores that help quantify the risk.
Entitlements Optimization: One of the most valuable contributions of a CIEM solution is the ability to continuously remove excessive permissions and reduce the attack surface of your cloud environment. CIEM solutions use advanced analytics to understand which permissions are being used, and to assess the risk level of unused permissions. This is especially important for services and infrastructure - the ability to ensure that they have enough entitlements to run under all legitimate scenarios, and nothing more.
Entitlements Protection: CIEM solutions detect when privileges are changed and alert to changes that could indicate a threat (e.g. privilege escalation). They also provide configurable rulesets that enable you to define the entitlement guardrails that should be enforced in your cloud environment.
Entitlements Detection: One benefit of continuous monitoring of resources and policies is the ability to detect suspicious activity that could indicate an external threat or an internal human error. You should be able to configure rules that correspond with your enterprise policy and to stream data to a SIEM or EUBA platform.
Entitlements Remediation: Entitlements affect multiple stakeholders, and organizations have different processes, so CIEM solutions support multiple means of remediation. A new policy can be sent directly to the cloud provider via API, or to a ticketing system or IGA system for fulfillment. For DevOps teams, remediation can be handled as part of the pipeline using IaC platforms.
The CIEM Lifecycle
Achieving Least Privilege with Ermetic
Ermetic prevents cloud data breaches by automating the detection and remediation of identity and access risks in AWS, Azure, and Google Cloud. It automatically discovers all human and machine identities in the cloud, and analyzes their entitlements, roles and policies using a continuous lifecycle approach. By combining analytics with granular, full stack insight, Ermetic makes it possible to enforce least privilege access at scale even in the most complex cloud environments.
- Visibility: Discovers all human and machine identities, data and compute resources, policies and permissions, and provides a variety of visualization and data tools to enable you to understand relationships quickly.
- Risk assessment: Analyzes all access policies to identify all entities that can access a resource, access logs to determine which permissions are used and activity to model and identify risks while ensuring business continuity.
- Least privilege policy enforcement: Eliminates excessive access and privileges based on actual access patterns and data sensitivity to automate centralized least privilege policy enforcement.
- Anomaly Detection: Monitors all access activities to detect and alert on suspicious behavior such as sensitive data access, privilege escalation and deletion, and unusual resource access.
- Automation: Generates access policy recommendations for DevOps that optimize security while supporting end user productivity through integration with leading CI/CD tools such as Slack, Jira, ServiceNow, Jenkins, Terraform, and more.
- Benchmark audits: Performs routine assessment of configurations across cloud environments and automatically compares findings to your own enterprise policy rules or leading compliance benchmarks.