What Is Cloud Infrastructure Entitlement Management (CIEM)?
CIEM is a cloud security category that addresses the essential need to secure identities and entitlements, and enforce least privilege, to protect cloud infrastructure.
What is a Cloud Infrastructure Entitlement Management (CIEM) Platform?
A CIEM platform automates the detection, analysis and mitigation of access risk in cloud infrastructure. It provides visibility into an organization’s cloud environment by identifying all its identities, permissions and resources, and their relationships, and using analysis to identify risk. Robust CIEM solutions offer remediation, with policy optimization based on least privilege.
CIEMs are designed for use by Security, IAM and DevOps/Development practitioners.
What Are the Benefits of a CIEM Platform?
A Cloud Infrastructure Entitlement Management (CIEM) platform offers many benefits:
- Reduce the attack surface and blast radius of your cloud environment
- Empower stakeholders with a unified multicloud view into access privileges and risk, overcoming the shortcomings of existing tools (cloud-native, IGA, PAM,...)
- Achieve and shift left on least privilege, the keystone to zero-trust access
- Close expertise gaps from skills shortage, budget cuts, cloud newbie-ness and M&As
- Save time with automated entitlement management and remediation
- Improve collaboration through one transparent view into cloud assets and related risk
Who Needs CIEM?
Misconfigured identities are one of the riskiest cybersecurity threats in the cloud – just one misconfiguration can lead to a data breach – yet the hardest to detect.
The difficulty of securing IAM and entitlements is known and ongoing:
- “By 2023, 75% of security failures will result from inadequate management of identities, access, and privileges, up from 50% in 2020.” (Gartner)
- Credentials are the number one attack vector (Verizon’s 2022 Data Breach Investigations Report (DBIR))
- Stolen or compromised credentials have been the number one attack vector for the past two years (IBM’s Cost of a Data Breach Report 2022)
- 84% of respondents had an identity-related attack in the past year (IDSA report)
The challenge of minimizing access risk derives from cloud complexity and the need to manage tens of thousands of identities and permissions resulting from microservices needing access to resources. Yet “the buck stops here”: companies are responsible for securing their cloud-based sensitive data.
Cloud Infrastructure Entitlement Management (CIEM) solutions are designed to overcome the challenges and provide ongoing, secure entitlement management at scale.
Key Components of a Cloud Infrastructure Entitlement Management (CIEM) Platform
CIEM platforms comprise:
Entitlement Discovery and Visualization. A multicloud inventory of identities, resources, permissions and activities, giving full visibility into the state of entitlements.
Risk Assessment. Continuous monitoring of the cloud environment and the detection and evaluation of risk factors like network exposure, misconfigurations, risky permissions, leaked secrets and identity-related threats like unusual data access.
Least Privilege Enforcement. Ability to offer least-privilege policies for use in creating automated guardrails using the minimum permissions needed for the task.
Automated Remediation. Ideally, remediation recommendations with varying degrees of automation for tailoring to company policies.
Behavior Monitoring. Ideally, the continuous monitoring for behavior anomalies and flagging of unusual activity for evaluation by incident response teams
Access Control for Developers. Ideally, a mechanism for limiting elevated permissions for only the time needed for the task.
Read about CIEM best practices here.
How Does a Cloud Infrastructure Entitlement Management Platform Work?
A Cloud Infrastructure Entitlement Management (CIEM) platform collects data (identity, permissions, resource, network, activity,...) from APIs and other sources, across cloud environments, and analyzes it alongside cloud provider permission models, policies and more to determine excessive permissions and inactive use. It ideally uses these findings to generate least privilege policies that mitigate the risk and can be used to enforce access governance guardrails. It can alert on suspicious behavior to Security Information and Event Management (SIEM) solutions for follow up.
What Should You Look For in a CIEM Platform?
Solutions often promote having CIEM capabilities as part of a greater cloud security solution. CIEM is a specialized area requiring focused, cloud-native development from the ground up to accurately identify risk and provide remediation that doesn’t disrupt - in fact, to provide remediation at all. Be sure the CIEM capabilities you are reviewing can address your key use cases. Look for:
- Multicloud asset management that provides contextual visualization of all cloud identities (including human, service; native, federated and third party), entitlements, resources and configurations for all the leading cloud provider platforms
- Full-stack risk analysis and prioritization that evaluates cloud provider permission models across identities, network, data & compute resources, and provides precise findings
- Guided auto-remediation of excessive entitlements and misconfigurations, with flexible options for acting on the remediation such as through wizards, workflows and IaC
- Access governance and shift left on least privilege enabled through auto generated access policies based on actual use and need
- Threat detection and investigation through continuous behavioral analysis and anomaly detection based on policies and data enrichment, with integration to SIEM
- Compliance audit and cloud security posture management that helps ensure and report on standards compliance, including with custom templates, and detects and remediates general cloud misconfigurations
- Just in Time access that automates the request and approval process, and revokes temporarily elevated privileges immediately after use
To be effective, a CIEM platform must be able to enable you to answer: Who can access a resource, and what entitlements the identity has.
What's the Difference between CIEM and PAM?
Both CIEM and Privileged Access Management (PAM) address the need to secure privileged access to sensitive data. CIEM is a cloud native solution, designed for securing all types of cloud credentials; it identifies excessive and underused permissions that constitute a threat. PAM originated as a software solution for on premises infrastructure and at its core is designed to manage, control and maintain access to privileged accounts through digital password vaults.
Both CIEM and PAM solutions approach securing access using the principle of least privilege. CIEM solutions integrate with other tools in the cloud environment and feature ease of use in the cloud. PAM solutions are a set of tools that implement the principle of least privilege for admin (privileged) accounts to reduce the risk of a breach on on-premises infrastructure. PAM tools authorize privileged users into the vaults, verifies the user and grants them credentials for accessing the sensitive assets that PAM protects.
Although some PAM tools are increasingly adding capabilities for cloud, suitability for cloud is not inherent in their design. They lack the required granularity, don’t support enough identity types, lack visibility, incur high costs and generate IT overhead. This is where CIEM comes in.
A robust CIEM solution offers PAM capabilities for the cloud, providing visibility, governance, compliance and granular and contextual management of privileged and non-privileged cloud identities.
What’s the Difference between CIEM and IGA?
Both CIEM and Identity Governance Administration (IGA) solutions offer capabilities for governing access management. IGA tools automate and orchestrate the management, creation and verification of user identities and permissions. By managing passwords, policies and access, IGA tools help IT departments oversee identity maintenance, reduce risk and meet compliance requirements.
IGA tools were created for on-premises infrastructure, for which IT teams need to control access to resources like local data centers. However, the cloud is made up of thousands of permissions that need access to tens of thousands of permanent and ephemeral resources. IGA solutions lack the granularity, flexibility and visibility required to manage such access for cloud infrastructure identities.
CIEM solutions fill this gap. CIEM platforms offer visibility, dynamic capabilities, granularity and context for governing identity access in the cloud. They continuously scan identity configurations (and some scan cloud configurations overall) and resources, assessing cloud identity and compliance risk against built in and custom policies, and industry frameworks. CIEM can provide secure and agile access based on modern security principles like least privilege and JIT (Just-in-Time) access, minimizing the attack surface and adhering to compliance requirements. CIEM solutions complement IGA by identifying cloud violations that IGA is not able to detect and sending remediation requirements to IGA solutions to implement.