When organizations began their transition to cloud, the benefits were obvious.
Flexibility, scale, and speed.
But with great power comes great responsibility to keep it secure.
Each application and service added creates new identities, each with their own sets of privileges that allow them to access the assets in those clouds.
As organizations have adopted a multi-cloud model that combines more than one Cloud Service Provider (CSP) and more applications (SaaS) than they can count, they have run into challenges of complexity and scale.
Challenges include:
This has led many organizations to seek out a Cloud Infrastructure Entitlement Management (CIEM) solution to help take control of their identities in the cloud.
In this blog, we will lay out some of the core features you should look for in a CIEM solution, along with a couple of helpful questions to consider in your search.
Cloud Infrastructure Entitlement Management (CIEM) is the process of managing identities and privileges in the cloud.
The primary use case that is most often associated with CIEM is in helping organizations to work towards a state of Least Privilege.
CIEM has become an increasingly important tool as security professionals understand the visibility limitations that they have in their IAM stack, like their Okta, Entra ID, or PAM solutions.
While initially conceived for handling issues in CSPs like AWS, Azure, and GCP, the category of CIEM tools has expanded to include coverage for SaaS under the banner of “CIEM for all”, making it a much more comprehensive solution for achieving security.
The list of capabilities for a CIEM solution is long. Read our CIEM Buyer’s Guide for a much more comprehensive list and explanations, as well as the RFP template provided there for a fuller understanding of what is out there in the marketplace.
Below are a few of the primary capabilities that CIEM comes with, and why they actually matter.
Privilege creep, over-privilege, unused privileges, and inactive identities. These are all basic risks that can open the door for attackers. Organizations are obviously aware that they need to clean up stale identities and privileges, but lack the activity visibility to make intelligent decisions about how to remediate.
A CIEM solution should not only identify all of the privileged identities and privileges, but also monitor activity to see which ones are not being used. An identity or privilege that has not been used for, say, 30, 60, or even 90 days is probably not essential for getting work done, and can therefore be removed.
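As an added illustration (not the post's own tooling), this Python computes exactly that activity-based view: given what each identity is granted and a CloudTrail-style activity log, it reports privileges not exercised inside a 30, 60 or 90 day window and identities with no activity at all. The identities, actions and timestamps are constructed sample data.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data (not from the original post). GRANTS maps each identity to the
# actions its policies allow; EVENTS is an activity log of (identity, action, timestamp).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
GRANTS = {
    "alice": {"s3:GetObject", "s3:PutObject", "iam:CreateUser"},
    "ci-deployer": {"ecs:UpdateService", "ecr:GetAuthorizationToken", "iam:PassRole"},
    "bob": {"s3:GetObject"},
}
EVENTS = [
    ("alice", "s3:GetObject", NOW - timedelta(days=2)),
    ("alice", "iam:CreateUser", NOW - timedelta(days=75)),
    ("ci-deployer", "ecs:UpdateService", NOW - timedelta(days=1)),
    ("ci-deployer", "ecr:GetAuthorizationToken", NOW - timedelta(days=1)),
    ("bob", "s3:GetObject", NOW - timedelta(days=120)),
]

def last_used(events):
    """Most recent use of each (identity, action) pair, and of each identity overall."""
    per_action, per_identity = {}, {}
    for ident, action, ts in events:
        per_action[(ident, action)] = max(per_action.get((ident, action), ts), ts)
        per_identity[ident] = max(per_identity.get(ident, ts), ts)
    return per_action, per_identity

def unused_privileges(grants, events, now, window_days):
    """Granted actions not exercised within the window; never-used actions count as unused."""
    per_action, _ = last_used(events)
    cutoff = now - timedelta(days=window_days)
    report = {}
    for ident, actions in grants.items():
        stale = sorted(a for a in actions
                       if per_action.get((ident, a)) is None or per_action[(ident, a)] < cutoff)
        if stale:
            report[ident] = stale
    return report

def inactive_identities(grants, events, now, window_days):
    """Identities with no recorded activity of any kind within the window."""
    _, per_identity = last_used(events)
    cutoff = now - timedelta(days=window_days)
    return sorted(i for i in grants if per_identity.get(i) is None or per_identity[i] < cutoff)

if __name__ == "__main__":
    for window in (30, 60, 90):
        print(window, unused_privileges(GRANTS, EVENTS, NOW, window),
              inactive_identities(GRANTS, EVENTS, NOW, window))
```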
Identity has moved from being simply a posture management field to one that deals with active threats.
Once attackers have gained a foothold in their target, taking over an identity, they will attempt to escalate privileges and may try to make changes to the identity’s privileges.
The creation of new admins or privileges may be indicative of a breach. Similarly, sudden use of access privileges to assets that fall outside of the identity’s normal use should also throw up red flags.
If your CIEM solution takes the “CIEM for all” approach, then you should be able to detect suspicious activity not only in your CSP, but also your SaaS and any other platform you’re using.
Visibility over who has access to what, and how they have that access, is the start of how you secure your identities in the cloud. This means being able to see an identity’s entire access path from the IdP all the way to all of their assets, regardless of whether that path takes them through different roles or groups in the CSP, or even across into their SaaS applications.
A good example of this is being able to easily pull up your users who have privileged access to production in AWS or Azure, and important repositories in your GitHub.
Understanding effective access is important not only because it shows you what an identity has access to, but how they gained that access. This allows you to find multiple access paths that are unnecessary and/or risky, and remove them.
The overly permissive S3 bucket is a classic when it comes to data leaks because it leaves the door open for unauthorized access without much effort from the attacker.
More advanced CIEM solutions can detect when a security policy for a cloud resource is excessive. A common case is a policy that uses a bare wildcard (*) as the principal to allow access, as opposed to specifying who should have that access.
Your CIEM solution should be able to help you not only detect these insecure policies, but also automate remediation by offering more secure policies that you can approve.
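As an added illustration (not the post's or Authomize's own tooling), this Python checks an S3 bucket policy for Allow statements whose Principal is the bare wildcard and proposes a replacement scoped to an explicit principal for approval. The bucket policy, account id and role ARNs are constructed sample values.

```python
import copy
import json

# Constructed sample bucket policy (not from the original post). The first statement
# grants read to everyone via the wildcard principal; the second is scoped to a role.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "AppRole", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/app-reader"},
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
    ],
}

def is_wildcard_principal(principal):
    """True when Principal is the bare wildcard, in either spelling AWS accepts."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False

def find_excessive_statements(policy):
    """(index, Sid) of every Allow statement open to any principal with no Condition."""
    flagged = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not is_wildcard_principal(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue  # a Condition (e.g. on aws:SourceVpce) may be an intentional guard
        flagged.append((i, stmt.get("Sid")))
    return flagged

def propose_remediation(policy, principal_arn):
    """Copy of the policy with each flagged wildcard principal replaced by an explicit ARN."""
    fixed = copy.deepcopy(policy)
    for i, _ in find_excessive_statements(policy):
        fixed["Statement"][i]["Principal"] = {"AWS": principal_arn}
    return fixed

if __name__ == "__main__":
    print(find_excessive_statements(SAMPLE_POLICY))
    fixed = propose_remediation(SAMPLE_POLICY, "arn:aws:iam::111122223333:role/PLACEHOLDER")
    print(json.dumps(fixed, indent=2))
```

The proposed policy is a draft for a human to approve, as the post describes; the replacement ARN is a placeholder you would fill in with the principal that actually needs the access.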
Often called Service Accounts or Workload Identities, non-human identities play a significant role in how organizations automate their development processes in their cloud infrastructure, and their numbers are growing, with the ratio of non-human to human identities reaching a whopping 10:1 as of 2023.
To keep them secure, your CIEM solution needs to not only be able to identify these non-human identities that are spun up and down at a breakneck pace, but also detect if they are performing suspicious activities or are over-privileged.
One key point to watch for with non-human identities is that you need to be able to tell when a non-human identity is using a human identity, so that you are alerted to the need to remediate.
To learn more about CIEM, download our Buyer’s Guide, or simply reach out to us to discuss your identity and access challenges.
The post 5 Must Have Elements for Cloud Infrastructure Entitlement Management (CIEM) appeared first on Authomize.
This is a Security Bloggers Network syndicated blog from Authomize authored by Gabriel Avner. Read the original post at: https://www.authomize.com/blog/5-must-have-elements-for-cloud-infrastructure-entitlement-management-ciem/