What is Cloud Infrastructure Entitlement Management (CIEM)?

As today’s enterprises transition more of their business systems and processes to the cloud, the challenge of governing and monitoring access to those resources becomes increasingly complex. Cloud resources are no longer static and predictable. Furthermore, companies are no longer operating in a single cloud, but are adopting multi-cloud approaches to their infrastructure. Therefore, setting the proper permissions to access those resources is no longer straightforward. The solution to this challenge is Cloud Infrastructure Entitlement Management (CIEM).

What are cloud infrastructure entitlements?

Cloud providers operate on a shared responsibility model. With infrastructure as a service (IaaS) offerings, the cloud provider makes services and storage available and ensures the physical security of its data centers. However, the user of the IaaS offering is responsible for security, establishing who (or what) can and cannot access those infrastructure resources.

Dynamic resources and the complexity of multi-cloud configurations

In an environment with static resources, cloud providers use identity and access management (IAM) rules to control access. For example, any user with the deployments-manager role might have permission to restart a particular compute instance (an EC2 instance, for example). Meanwhile, a CI/CD pipeline with the automated-test-runner role might have permission to SSH into that instance to run a test.

However, in today’s cloud environments, resources are constantly changing. Many resources are ephemeral: they are provisioned or deprovisioned based on the scaling needs of a given moment. Although cloud providers have solutions for granting permissions to ephemeral resources, each cloud provider has its own unique way of doing it. This leaves enterprises with the challenge of managing and understanding permissions across multiple clouds.

Cloud infrastructure entitlements comprise the various permissions granted to entities to access cloud resources. As we will see, in a multi-cloud environment operating at the scale of thousands of resources, managing and keeping track of a company’s cloud infrastructure entitlements is an incredibly complex task.

What is Cloud Infrastructure Entitlement Management (CIEM)?

CIEM is a relative newcomer to the cloud security technology space, gaining prominence through its listing in Gartner’s Hype Cycle for Cloud Security, 2020. In that report, Gartner provides the following definition:

Cloud infrastructure entitlement management (CIEM) offerings are specialized identity-centric SaaS solutions that focus on managing cloud access risk through administration-time controls for the governance of entitlements in hybrid and multi-cloud IaaS.

CIEM helps companies manage entitlements across all of their cloud infrastructure resources. The main objective of this tool is to mitigate the risk that arises from the inadvertent and uncontrolled granting of excessive permissions to cloud resources.

What challenges does CIEM address?

Managing and monitoring access to cloud resources presents several challenges that CIEM seeks to address.

Manage access to ephemeral resources

In today’s cloud environments, people or processes can provision or deprovision resources at any time. Managing access to those resources requires a proactive approach. Monitoring access to those ephemeral resources is equally complex.

Excessive permissioned access to cloud resources

With a manual or careless approach to permissions, many companies err by granting access too crudely. Consider the example of attaching IAM policies to a new member of the engineering team. Perhaps to avoid blocking the new member from performing tasks, or to prevent the new member from repeatedly needing to request more permissions, the company errs by giving that member excessive permissions to perform all sorts of actions, including actions unrelated to their tasks or responsibilities.

This granting of excessive permissions significantly increases the risk of a security breach.
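The two sides of this mistake can be made concrete. The following is an added example, not code from the article: it places the crude "allow everything" policy a new engineer might be handed next to a least-privilege policy for the deployments-manager role described earlier (permission to reboot one specific instance), and includes a small checker that flags the over-broad grants a CIEM tool would surface. Both policy documents are constructed; the account id and instance id are placeholders, and the evaluation logic is a deliberate simplification of IAM (conditions and permission boundaries are ignored).

```python
"""Flag over-broad grants in IAM policy documents and compare two policies.

Added example, not code from the article. Both policies are constructed; the
account id 123456789012 and the instance id are placeholders.
"""
import fnmatch

# Constructed: the crude policy that "avoids blocking" a new engineer.
OVER_PERMISSIVE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Constructed: what the deployments-manager role from the text actually needs.
LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ec2:RebootInstances"],
        "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0",
    }],
}

# Action names that only read state; a Resource of "*" on these is common and low risk.
READ_ONLY_PREFIXES = ("Describe", "Get", "List")


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_overbroad_grants(policy):
    """Return human-readable findings for each over-broad Allow statement."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"statement {i}: NotAction/NotResource allows everything not listed")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {i}: wildcard action {action!r}")
            elif "*" in action:
                findings.append(f"statement {i}: partial wildcard action {action!r}")
            name = action.split(":", 1)[-1]
            if "*" in resources and not name.startswith(READ_ONLY_PREFIXES):
                findings.append(f"statement {i}: mutating action {action!r} allowed on every resource")
    return findings


def is_permitted(policy, action, resource):
    """Simplified IAM evaluation: an explicit Deny wins, otherwise any matching
    Allow permits. Conditions and permission boundaries are not modelled."""
    allowed = False
    for stmt in policy.get("Statement", []):
        action_match = any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt.get("Action")))
        resource_match = any(fnmatch.fnmatchcase(resource, p) for p in _as_list(stmt.get("Resource")))
        if not (action_match and resource_match):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    for label, policy in (("over-permissive", OVER_PERMISSIVE_POLICY),
                          ("least-privilege", LEAST_PRIVILEGE_POLICY)):
        print(label, find_overbroad_grants(policy) or "no findings")
```

Running the checker shows why the first policy is the problem the text describes: it lets the new engineer create IAM users or delete production buckets, actions unrelated to deployments, whereas the second policy permits exactly the one reboot and nothing else.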

Gain clarity at scale

Access to cloud infrastructure is not as simple as user access to resources. Resources that may need to be accessed include:

  • Virtual machines
  • Containers
  • Serverless functions
  • Databases
  • Persistent storage
  • Applications
  • … and more

Meanwhile, the entities that need to access these resources may include:

  • Users
  • IoT devices
  • Other serverless functions
  • Other applications
  • Other cloud accounts

In an environment with hundreds or more resources, along with potentially hundreds or thousands of entities that require access to some resources but not others, the need for clarity in access management is tremendous. Especially when companies have erred on the side of over-permissioning, they need a clear understanding of which entities have more privileges than they should. That clarity will allow them to rein in excessive permissions and reduce the risk of a security breach.

Complexity of multiple clouds

Many companies take a multi-cloud approach, choosing to host their resources in different clouds due to cost, availability, or other factors. AWS, Azure, and GCP each have their own approach to IAM, as does any other cloud provider. This leaves companies without a single, unified approach to managing permissions across all of their cloud resources. Instead, they need to learn and coordinate multiple approaches for multiple cloud providers.

Access risk tracking and discovery

With multiple users, applications, and machines each having various privileges to access cloud resources, access tracking is necessary to ensure security and improve a company’s security posture. However, at a scale of hundreds or thousands of resources, this type of tracking is immensely difficult to implement.

How does CIEM address these challenges?

Today’s CIEM solutions provide enterprise security teams with dashboards for easy visibility of all their resources across all their clouds. Integrated into these dashboards are controls to manage entitlements to those cloud infrastructure resources. CIEM solutions handle both the massive scale and the ephemeral nature of resources in today’s cloud environments.

The standard approach of CIEM solutions is to apply the Principle of Least Privilege, which is the approach of granting a user (or any entity) the minimum set of permissions necessary to perform their role. By taking this approach, CIEM solutions start from a posture that avoids the dangers of over-permitting.

CIEM solutions also unify security terminology and usage across clouds, reducing the need for teams to switch contexts across multiple cloud providers.

Finally, many CIEM solutions use machine learning to analyze access logs and configurations to determine a company’s potential access risks. Through this, a CIEM can help identify excessive entitlements and mitigate the risk of a security breach.
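Whatever statistical layer a product adds on top, the core of "analyze access logs and configurations to find excessive entitlements" is a comparison of what a principal is allowed to do with what it has actually been observed doing. The following is an added example, not code from the article or from any CIEM product, showing that comparison for the two roles named earlier. The grant lists and the log lines are constructed: the CloudTrail-style field names (userIdentity.arn, eventSource, eventName) are real, every value is made up, and the principal ARN in each event is simplified to the bare role ARN.

```python
"""Report entitlements a principal holds but has not used in the log window.

Added example; not code from the article or any CIEM product. Grants and log
events are constructed; the role names come from the article, the account id
is a placeholder.
"""
import fnmatch
import json
from collections import Counter

DEPLOY_ROLE = "arn:aws:iam::123456789012:role/deployments-manager"
TEST_ROLE = "arn:aws:iam::123456789012:role/automated-test-runner"

# Constructed: the actions each role's policies grant (as a CIEM tool would read them).
GRANTED = {
    DEPLOY_ROLE: [
        "ec2:RebootInstances",
        "ec2:DescribeInstances",
        "s3:GetObject",
        "s3:DeleteObject",
        "iam:CreateUser",
    ],
    # Real action name for EC2 Instance Connect; the role never shows up in the log.
    TEST_ROLE: ["ec2-instance-connect:SendSSHPublicKey"],
}

# Constructed CloudTrail-style events, one JSON object per line.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"eventTime": "2024-05-01T08:12:03Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "userIdentity": {"arn": DEPLOY_ROLE}},
    {"eventTime": "2024-05-01T08:12:09Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RebootInstances", "userIdentity": {"arn": DEPLOY_ROLE}},
    {"eventTime": "2024-05-14T17:40:51Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "userIdentity": {"arn": DEPLOY_ROLE}},
    {"eventTime": "2024-05-22T09:03:27Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RebootInstances", "userIdentity": {"arn": DEPLOY_ROLE}},
])

# Unused grants on these services, or with these verbs, matter most if the identity is abused.
HIGH_RISK_SERVICES = {"iam", "sts", "kms"}
MUTATING_PREFIXES = ("Create", "Delete", "Put", "Attach", "Update")


def used_actions(log_text):
    """Map each principal to a Counter of 'service:EventName' actions it performed."""
    counts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        principal = event["userIdentity"]["arn"]
        service = event["eventSource"].split(".", 1)[0]   # "ec2.amazonaws.com" -> "ec2"
        action = f"{service}:{event['eventName']}"
        counts.setdefault(principal, Counter())[action] += 1
    return counts


def severity(action):
    """Coarse triage label for an unused grant."""
    service, name = action.split(":", 1)
    if service in HIGH_RISK_SERVICES or name.startswith(MUTATING_PREFIXES):
        return "high"
    return "low"


def unused_entitlements(granted, log_text):
    """For each principal, list (grant, severity) for grants never exercised.

    A grant may be a wildcard pattern such as 's3:Get*'; it counts as used if any
    observed action matches it.
    """
    used = used_actions(log_text)
    report = {}
    for principal, grants in granted.items():
        seen = used.get(principal, Counter())
        unused = [g for g in grants if not any(fnmatch.fnmatchcase(a, g) for a in seen)]
        report[principal] = sorted((g, severity(g)) for g in unused)
    return report


if __name__ == "__main__":
    for principal, items in unused_entitlements(GRANTED, SAMPLE_LOG).items():
        print(principal)
        for grant, level in items:
            print(f"  unused [{level}] {grant}")
```

Two distinct findings come out of this: the deployments-manager role holds iam:CreateUser and s3:DeleteObject that it never used in the window, both obvious candidates for removal, and the automated-test-runner role produced no events at all, which is how a dormant identity with a live credential shows up. Real tooling widens the window, folds in resource ARNs and conditions, and scores the findings, but the entitlement-versus-usage comparison stays the same.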

Conclusion

The traditional approach to IAM in static cloud environments falls short when applied to today’s dynamic multi-cloud environments. Furthermore, a manual approach applied at the scale of today’s environments, with potentially thousands of resources and even more entities needing access to those resources, is unsustainable and would result in inadvertent excessive permissions, leading to a high risk of a security breach.

The solution to this challenge is Cloud Infrastructure Entitlement Management, which brings monitoring and access control across multiple clouds into a central SaaS solution. CIEM offerings also provide dashboards for management, leverage AI/ML for risk assessment and identification, and unify an enterprise’s approach to access across all of its clouds.

Download the Improving Your Cloud Security Posture infographic and learn about CrowdStrike Cloud Security’s approach to access management and security posture at https://www.crowdstrike.com/products/cloud-security/falcon-horizon-cspm/
