Authored By: Morey Haber, Chief Security Officer at BeyondTrust
Cloud Infrastructure Entitlement Management (CIEM, pronounced “Kim”) is the next generation of Privileged Access Management (PAM) solutions for discovering and managing permissions and entitlements, and for implementing least privilege in the cloud. The goal of CIEM is to tackle the shortcomings of current Identity Access Management (IAM) solutions while addressing the need for identity management in cloud-native solutions. While the concept can be applied to organisations with a single cloud, the primary benefit is to have a standardised approach that extends across multiple cloud and hybrid cloud environments, continuously enforces the principle of least privilege, and measures entitlement risk in a uniform manner.
One of the core capabilities of Privileged Access Management is the concept of Least Privilege. That is, assigning only the necessary privileges, permissions, and entitlements to a user (or machine identity) to perform a specific task, and using an ephemeral model so that those privileges last only as long as the task takes to complete. Privileged access should therefore only be assigned on an as-needed basis. This reduces an enterprise’s attack surface and protects high priority assets in the process.
CIEM is a new class of solutions built entirely in the cloud and for the cloud that allows organisations to discover, manage, and monitor entitlements in real time and model the behaviour of every identity across multiple cloud infrastructures, including hybrid environments. The technology is designed to provide alerting when risks or inappropriate behaviour are identified and to enforce least privilege policies for any cloud infrastructure, with automation to change policies and entitlements. This makes it simple for a solution owner to apply the same policies across traditionally incompatible cloud resources.
The benefits of CIEM are crucial for any digital transformation project and for multi-cloud environments:
Provides a consolidated and standardised view for identity management in multi-cloud environments and allows the granular monitoring and configuration of permissions and entitlements.
The cloud provides a dynamic infrastructure in which resources are constructed and torn down based on demand and workload. Managing identities for these use cases can lead to excessive risk if they are overly provisioned. CIEM provides an automated process to ensure that every identity is appropriately provisioned regardless of its state in a workflow.
Identity Access Management solutions that are provided by cloud providers are designed to work only with the platform they solicit. When organisations use multiple providers, instrumenting policies and runtime to manage them becomes a burden due to the inherent dissimilarities. CIEM solves this problem by logically enumerating the differences and providing a single view with actionable guidance for resolution.
Mismanagement of identities in the cloud can lead to excessive risk. Without a proactive approach to managing them and their associated entitlements, an incident is bound to happen. This is especially true if an identity is over provisioned. Implementing management and the concept of least privilege for these identities can lower risk for the entire environment.
When CIEM is used with adjacent Privileged Access Management solutions, the management of secrets, passwords, least privilege, and remote access can all be managed in concert to ensure that any gaps in entitlements or privileges are managed.
With the momentum behind digital transformation strategies increasing, the use of cloud environments has exceeded the basic capabilities of legacy on-premises Privileged Access Management and Identity Access Management solutions. Those solutions were never designed and implemented to manage the cloud and the dynamic nature of resources in the cloud. Therefore, CIEM is required as a next generation PAM solution to address the latest challenges of identities in the cloud, and it tackles these security best practices:
Account and Entitlements Discovery – As a security best practice, your CIEM implementation should inventory all identities and entitlements and appropriately classify them. This is performed in real time to adjust for the dynamic nature of cloud environments and the ephemeral properties of resources in the cloud.
Multi-Cloud Entitlements Reconciliation – As workloads expand across cloud environments, organisations need to reconcile accounts and entitlements and identify which ones are unique per cloud and which ones are shared, using a uniform model to simplify management.
Entitlements Enumeration – Based on discovered information, entitlements can be reported, queried, audited, and managed by the type of entitlement, by permission, and by user. This allows information to be pivoted to meet objectives and identities and entitlements to be managed by classification.
Entitlements Optimisation – Based on the real-time discovery, operational usage of entitlements helps classify over-provisioning and identify which identities can be optimised for least privileged access based on empirical usage.
Entitlements Monitoring – Real-time discovery also affords the ability to identify any changes in identities and entitlements, thus providing alerting and detection of inappropriate changes that could be a liability for the environment, processes, and data.
Entitlements Remediation – Based on all the available data, CIEM can recommend and, in most cases, fully automate the removal of identities and associated entitlements that violate established policies or require remediation in order to enforce least privilege principles.
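As an added illustration of the reconciliation, optimisation, and monitoring practices above (example code written for this article, not BeyondTrust's product; the identities, permission strings, and usage records are constructed), the following shows how an entitlement inventory is reconciled across clouds, how unused grants are flagged as least-privilege removal candidates from empirical usage, and how a snapshot diff surfaces newly granted rights for alerting:

```python
"""Least-privilege analysis over a constructed, CIEM-style entitlement inventory."""
from collections import defaultdict

# Constructed inventory snapshot: identity -> entitlements written as "cloud:service:action".
INVENTORY = {
    "svc-build":  {"aws:s3:GetObject", "aws:s3:PutObject", "aws:iam:CreateUser"},
    "dev-alice":  {"aws:s3:GetObject", "azure:storage:read", "azure:keyvault:get"},
    "svc-deploy": {"gcp:compute:instances.create", "gcp:iam:serviceAccounts.actAs"},
}

# Constructed usage records from the review window: (identity, entitlement actually exercised).
USAGE = [
    ("svc-build", "aws:s3:GetObject"),
    ("svc-build", "aws:s3:PutObject"),
    ("dev-alice", "aws:s3:GetObject"),
    ("svc-deploy", "gcp:compute:instances.create"),
]

def cloud_of(entitlement):
    """The cloud prefix of an entitlement string, e.g. 'aws' for 'aws:s3:GetObject'."""
    return entitlement.split(":", 1)[0]

def reconcile(inventory):
    """Reconciliation: which clouds each identity holds rights in (more than one means shared)."""
    return {i: sorted({cloud_of(e) for e in ents}) for i, ents in inventory.items()}

def unused_entitlements(inventory, usage):
    """Optimisation: entitlements granted but never exercised are removal candidates."""
    used = defaultdict(set)
    for identity, ent in usage:
        used[identity].add(ent)
    return {i: sorted(ents - used[i]) for i, ents in inventory.items() if ents - used[i]}

def entitlement_changes(previous, current):
    """Monitoring: diff two snapshots; newly granted rights are what the policy engine alerts on."""
    added, removed = {}, {}
    for identity in previous.keys() | current.keys():
        before, after = previous.get(identity, set()), current.get(identity, set())
        if after - before:
            added[identity] = sorted(after - before)
        if before - after:
            removed[identity] = sorted(before - after)
    return added, removed

if __name__ == "__main__":
    print("clouds per identity:", reconcile(INVENTORY))
    print("unused entitlements (remove):", unused_entitlements(INVENTORY, USAGE))
    later = {**INVENTORY, "dev-alice": INVENTORY["dev-alice"] | {"aws:iam:AttachUserPolicy"}}
    print("changes since last snapshot:", entitlement_changes(INVENTORY, later))
```

In a real deployment the inventory and usage records would come from the per-cloud API connectors described below rather than from embedded sample data.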
The primary components include:
API based connectors to enumerate identities and entitlements per cloud instance and vendor
Database for storage of current and historical identities, entitlements, and remediation policies
Policy engine for identifying threats, changes, and inappropriate identity and entitlement creation and assignments
User interface for managing solution and aggregating multi-cloud information into a single view
The primary reason this succeeds over legacy on-premises Privileged Access Management and Identity Access Management solutions is the combination of API-based connectors operating in real time and continuously assessing the state of identities and entitlements, a policy engine and automation tailored to identify risks in cloud environments, and finally, a user interface that is attribute based and displays all relevant information regardless of cloud provider. On-premises technology generally relies on batch-driven discovery over the network using agents, IP addresses, or asset lists that can be resolved using DNS. API discovery provides nearly perfect results compared to the error-filled results of network scanning. The rest of the components are tuned for the results within a cloud environment, making the results unique to CIEM as a solution.