How to manage human and service identities, and their entitlements, to secure your cloud infrastructure.
The widespread adoption of cloud infrastructure has turned identity into the new perimeter. Indeed, many IAM solutions have evolved to offer management of human identities and entitlements. But first-generation cloud IAM lacks the granularity, visibility and security capabilities required to manage the complex entitlements of service identities - which make up the bulk of identities in cloud infrastructure environments. CIEM bridges this gap by providing advanced identity mapping, risk assessment and anomaly detection for cloud infrastructure services. Read on to learn how to easily and securely manage human and service identities, and their entitlements, to secure your organization’s cloud infrastructure.
Why We Need to Worry About Identity in Cloud Infrastructure
Digital transformation has accelerated in the past few years. The need for remote access due to COVID-19, combined with additional technological shifts like global connectivity and digitalization, has increased the demand for the cloud, and for microservices architectures. Most organizations have built cloud adoption and migration into their business plans. Many companies founded in the last 10 years were, in fact, born in the cloud.
As a result, security has changed. Organizational networks were once perimeter-based and secured physically and by firewalls. But in the cloud, identity is the new perimeter, making identity and access permissions the security parameter with the greatest risk impact.
Cloud identities fall into two types:
- Human identities: End-users, admins and developers; i.e. actual human beings
- Service identities: An identity that each service assumes and that has permissions and entitlements that determine what services the identity can access and what types of activities it can perform. Every kind of resource - virtual machines, containers, data stores, secret stores, etc. - has an identity, with corresponding permissions and entitlements.
Cloud Identity Entitlements
Each of the two types of identities can receive access rights or permissions to the organization’s cloud infrastructure. These entitlements are very powerful because they determine what an identity can and can’t do across the infrastructure, and which resources it can access.
With the right entitlements, a user or service can turn virtual machines, buckets and storage services on or off, configure the network, provide access to other identities, and even access - and potentially leak - sensitive company data.
In addition, access entitlements can be inherited: If a user or service (let’s call it A) has access to another identity (let’s call it B), A can gain access to all of B’s entitlements. This means that even if A was not explicitly granted entitlements to perform an activity, such as changing VMs, it has access to B, and if B has those entitlements, A has them, too.
As you can see, entitlements and the way they are inherited make identities potent, and can make an organization very vulnerable. Managing and monitoring cloud identities to prevent excessive entitlements is crucial for cloud security.
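The inheritance described above can be computed rather than guessed at. The following is an added example (not code from the article or from any vendor): identities, their direct entitlements and the "A can act as B" edges are constructed sample data, and a breadth-first walk over the edges yields each identity's effective entitlements, including the grantor through which each one is inherited.

```python
from collections import deque

# Constructed sample data (not from the article): permissions granted directly
# to each identity, and "can assume / act as" edges between identities.
DIRECT = {
    "alice":       {"ec2:DescribeInstances"},
    "deploy-role": {"ec2:StartInstances", "ec2:StopInstances"},
    "backup-svc":  {"s3:GetObject", "s3:ListBucket"},
    "admin-role":  {"iam:PassRole", "s3:*"},
}
# A -> set of B: identity A can assume identity B and thereby inherit B's rights.
ASSUME = {
    "alice":       {"deploy-role"},
    "deploy-role": {"backup-svc"},
    "backup-svc":  {"deploy-role"},   # cycle: the walk must still terminate
}

def effective_entitlements(identity, direct=DIRECT, assume=ASSUME):
    """Return (permissions, via): the transitive permission set of `identity`
    and, for each permission, the nearest identity that grants it directly."""
    seen = {identity}
    queue = deque([identity])
    via = {}
    while queue:
        cur = queue.popleft()
        for perm in direct.get(cur, ()):
            via.setdefault(perm, cur)      # BFS order keeps the closest grantor
        for nxt in assume.get(cur, ()):
            if nxt not in seen:            # `seen` breaks assume-role cycles
                seen.add(nxt)
                queue.append(nxt)
    return set(via), via

def inherited_only(identity, direct=DIRECT, assume=ASSUME):
    """Permissions `identity` holds only through identities it can assume."""
    _, via = effective_entitlements(identity, direct, assume)
    return {perm: grantor for perm, grantor in via.items() if grantor != identity}

def holders_of(permission, direct=DIRECT, assume=ASSUME):
    """Every identity that effectively holds `permission` (literal match;
    wildcard grants such as 's3:*' are not expanded here)."""
    return sorted(ident for ident in direct
                  if permission in effective_entitlements(ident, direct, assume)[0])

if __name__ == "__main__":
    for ident in DIRECT:
        perms, _ = effective_entitlements(ident)
        print(f"{ident:12s} direct={len(DIRECT[ident])} effective={len(perms)}")
    print("alice inherits:", inherited_only("alice"))
    print("who can read objects:", holders_of("s3:GetObject"))
```

Here `alice` has one direct permission but five effective ones, none of which would appear in a review of her policy alone.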
The Many Challenges of Cloud Identity Management
Although of crucial importance, managing identities in the cloud is no easy feat. While traditional IAM tools are useful for managing human identities, effectively managing service identities in AWS, Azure and GCP environments is a different story. The challenges include:
- Tracking Tens of Thousands of Identities
Enterprises have tens of thousands of human and service identities, and thousands of policies and configuration settings, that determine access. Keeping track of such a large number of identities and permissions is painstaking and difficult.
- High Complexity
Each identity has granular entitlements as well as convoluted connections and relationships with other identities. The result is a large number of intertwined dependencies that are very hard to audit, check and monitor. A multi-cloud environment increases the complexity multifold.
- Lack of Visibility
Human-centric IAM tools lack the capabilities for managing service entitlements. With no suitable technology, organizations lack visibility into all identities and their entitlements, and the relationships between services and network exposure. This makes it impossible for them to manage identities - and assess their risks and vulnerabilities. Organizations are not only in the dark about identity entitlements, they also do not know the security risks of their attack surface.
Continuously monitoring access, ensuring no identity has excessive permissions and refactoring entitlements requires substantial, dedicated resources and time. Organizations typically neglect to carry out such tasks with regularity due to the massive overhead involved. This lack of governance can lead to major security risks, as in the case of the Capital One breach, which led to a large-scale data leak.
The Solution: CIEM
By using a Cloud Infrastructure Entitlement Management (CIEM) solution to efficiently manage human and service identities, and their entitlements, organizations can ensure the security of their cloud resources and assets. CIEM enables cloud-focused identity management and risk mitigation, achieved through advanced analytics, and methods for detecting and fixing anomalies.
Six Steps for Getting Started with CIEM
Here are the six essential steps in establishing a CIEM program:
- Discover and Identify
Discover and identify all identities in your cloud infrastructure. This includes human identities as well as service identities. Be sure to include third parties and users from external identity providers.
- Gain Visibility
Get visibility into both entitlements and usage. Search for any identities that have excessive access or unused permissions, or are showcasing abnormal behavior.
- Understand the Risks
Understand the risks by determining which access is justified and which isn’t - and which access rights should be removed. Be on the lookout for toxic combinations. Make note of access to sensitive data, network exposure and vulnerable workloads. Create a detailed map of permissions.
- Monitor and Optimize
Continuously review identity behavior to identify abnormalities, gain insights into which identities pose a risk and take the necessary precautions to protect your assets. Generate customized reports to help with auditing and compliance. Shift left on these processes in your CI/CD pipelines to minimize risky entitlements at source.
- Continue Investigating
Run a continuous risk analysis to detect unusual data access, unexpected permissions modifications, privilege escalation, changes in logging and audit settings or in network configuration, unusual reconnaissance and unauthorized use or theft of access keys.
- Ensure Compliance
Run compliance audits and investigate threats according to industry standards and regulations.
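Two of the checks in the steps above, finding unused permissions (Gain Visibility) and spotting toxic combinations (Understand the Risks), are shown below as an added example, not code from the article or from any vendor. The effective entitlements, usage events and the single toxic-combination rule are constructed sample data; wildcard grants such as `s3:*` are matched with `fnmatch` so that a broad grant counts as used when any covered action was exercised.

```python
from datetime import datetime, timedelta
from fnmatch import fnmatchcase

# Constructed sample data (not from the article): effective entitlements per
# identity, as an entitlement-mapping step would produce them.
ENTITLEMENTS = {
    "backup-svc": {"s3:GetObject", "s3:ListBucket", "s3:PutObject"},
    "web-svc":    {"s3:*", "ec2:AuthorizeSecurityGroupIngress"},
}
# Constructed usage events (identity, action, ISO timestamp) from audit logs.
USAGE = [
    ("backup-svc", "s3:GetObject",  "2024-05-01T02:00:00"),
    ("backup-svc", "s3:ListBucket", "2024-05-01T02:00:05"),
    ("web-svc",    "s3:GetObject",  "2024-05-02T10:00:00"),
    ("backup-svc", "s3:PutObject",  "2023-11-20T03:00:00"),  # outside the window
]
# Constructed rule: actions that are risky when one identity holds all of them.
TOXIC = {
    "read sensitive data + widen network exposure":
        ("s3:GetObject", "ec2:AuthorizeSecurityGroupIngress"),
}

def holds(entitlements, action):
    """True if any entitlement (possibly a wildcard like 's3:*') covers `action`."""
    return any(fnmatchcase(action, pattern) for pattern in entitlements)

def unused_permissions(identity, now_iso, lookback_days=90,
                       entitlements=ENTITLEMENTS, usage=USAGE):
    """Entitlements of `identity` not exercised within the lookback window."""
    cutoff = datetime.fromisoformat(now_iso) - timedelta(days=lookback_days)
    recent = {action for ident, action, ts in usage
              if ident == identity and datetime.fromisoformat(ts) >= cutoff}
    # A wildcard grant counts as used when any action it covers was exercised.
    return {perm for perm in entitlements[identity]
            if not any(fnmatchcase(a, perm) for a in recent)}

def toxic_combinations(identity, entitlements=ENTITLEMENTS, rules=TOXIC):
    """Names of toxic combinations fully present in the identity's entitlements."""
    perms = entitlements[identity]
    return sorted(name for name, actions in rules.items()
                  if all(holds(perms, a) for a in actions))

if __name__ == "__main__":
    for ident in ENTITLEMENTS:
        print(ident, "unused:", unused_permissions(ident, "2024-05-10T00:00:00"),
              "toxic:", toxic_combinations(ident))
```

The unused set is a candidate list for removal, to be reviewed against scheduled or rare jobs before entitlements are actually refactored.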
The Future of Identity Management in the Cloud
The transformation to the cloud will continue to grow, with organizations increasingly building their businesses on AWS, Azure, GCP and other cloud providers. As a result, the sheer number of cloud identities - and especially service identities - will grow as well. The relationships between identities and their access to resources will become even more complex, posing enormous security problems for organizations. A CIEM platform can help manage identity entitlements and mitigate risks, improving organizational security posture and freeing up IT for other efforts. To learn about Ermetic’s leading CIEM platform, see a product walkthrough.
This article is based on an interview given by our CBO, which you can view here.