Cloud Infrastructure and Entitlement Management (CIEM) is a relatively recent term that was introduced by Gartner in 2020 as part of the Hype Cycle for Cloud Security, 2020 research collection. Essentially, CIEM is a specialized SaaS solution aimed at managing risks related to identity access in cloud environments using novel security controls, as well as managing entitlements and data governance in multi-cloud IaaS environments. It relies on machine learning (ML), artificial intelligence (AI) and statistical techniques to detect and prevent anomalies or emergent risks in account and identity entitlements. A key tenet of CIEM is the principle of least privilege, which helps establish a secure baseline defense against data breaches and malicious attacks.
Where Did It Come From?
As mentioned above, in 2020 Gartner published the Hype Cycle for Cloud Security, a collection of documents outlining the emerging risks of cloud computing as well as ways to improve an organization's security posture when migrating to public clouds.
More specifically, the Innovation Insight for Cloud Infrastructure and Entitlement Management document discusses how traditional IAM approaches can be used with CIEM to achieve efficient identity-first security management. The Managing Privileged Access in Cloud Infrastructure document provides guidance for security and risk management technical professionals on deploying tools that enable the effective management of cloud infrastructure entitlements.
Together, both documents define the core meaning of CIEM and explain how it should be used by security teams to identify and prioritize access control risks across public clouds and other infrastructure resources.
What Are Its Components?
The main components of CIEM are security policies and identity roles that can be enforced at a granular level across workloads and clouds. Typically, it includes a dashboard that displays the security policies currently in place in a single pane of glass.
It also shows an analysis of existing permission requests, checks their eligibility criteria and grants or denies them on a per-use-case or per-session basis. This view also verifies which of the requested permissions were actually used in the session and subsequently refines similar policies that are in place. Later, the system might flag policies whose entitlements are over-allocated or used suspiciously. The end goal is a more secure platform for enforcing least-privilege access across cloud resources and providers.
How Is It Used?
One of the main benefits of CIEM is that it allows organizations to leverage advanced techniques like machine learning to recommend least privileges for a particular kind of work.
For example, a user might request SSH access to a production machine to verify a configuration value or check an environment variable. The user can request a temporary SSH key pair to perform the work. The security team grants the request and prompts the user to acquire the keys through an SSO provider. Once the user has performed the required work, the resource access is revoked and the user can no longer access the machine with those keys. The security team knows the effective permissions of each user at all times, and can compare them with the minimal requirements for each type of task.
Had they used a more relaxed entitlement model (such as granting unlimited use of the keys for an indefinite period of time), they would have created a much greater security risk. Granting more than the minimum entitlements a task requires exposes the system to insider threats, the misuse of access keys and other potentially malicious user activity.
Why/How Do Entitlements Need to Be Monitored/Secured?
Entitlements consist of effective permissions that are assigned to users, workloads and data via the cloud provider (IAM policies) to perform necessary tasks following the principle of least privilege.
Entitlements and permissions need to be monitored because, over time, they can easily be over-allocated to users or workloads without proper security clearance. To achieve a broader level of security in this area, you’ll need a solution like CIEM that gives you visibility into the net effective permissions to resources in your cloud accounts, governance for monitoring excess and unused privileges, and a responsive framework that automatically adjusts effective IAM permissions and takes action when it finds a misalignment.
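The comparison described above (the permissions a policy grants versus the ones a session actually exercised, and the unused entitlements that result) can be made concrete in a few lines. The following is an added example, not code from the original article or from any CIEM product; the policy, the activity log and the function names are all constructed for illustration.

```python
"""Compare granted IAM-style entitlements against observed activity.

Constructed example: an allow-list policy with a wildcard action is checked
against a list of actions taken from an audit trail, producing (a) the
entitlements that were never exercised and (b) a narrowed policy that keeps
only the concrete actions that were actually used.
"""
from fnmatch import fnmatchcase

# Constructed sample policy granted to one workload role (hypothetical).
GRANTED_POLICY = {
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:*", "ec2:DescribeInstances", "iam:PassRole"],
         "Resource": "*"},
    ]
}

# Constructed sample of the actions this role performed over the review
# window, one entry per audit-trail record.
OBSERVED_ACTIONS = [
    "s3:GetObject", "s3:GetObject", "s3:PutObject", "ec2:DescribeInstances",
]


def granted_actions(policy):
    """Flatten every Allow statement's actions into one set of patterns."""
    patterns = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") == "Allow":
            patterns.update(stmt["Action"])
    return patterns


def exercised(granted, observed):
    """Map each granted pattern to the concrete observed actions it permitted."""
    used = {}
    for action in observed:
        for pattern in granted:
            if fnmatchcase(action, pattern):   # "s3:*" matches "s3:GetObject"
                used.setdefault(pattern, set()).add(action)
    return used


def unused_entitlements(granted, observed):
    """Granted patterns that no observed action ever needed."""
    return sorted(granted - set(exercised(granted, observed)))


def right_sized_policy(granted, observed):
    """Replace exercised wildcards with the concrete actions that were seen."""
    actions = sorted({a for acts in exercised(granted, observed).values() for a in acts})
    return {"Statement": [{"Effect": "Allow", "Action": actions, "Resource": "*"}]}
```

Running the narrowed policy back through the same check on the next review window is how the "refine similar policies" loop in the section above closes.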
The main benefits of monitoring entitlements are summarized below:
- Continuous visibility: With CIEM, you have a complete view of active policies and the access activity against those policies, as well as a framework to manage them securely.
- Automatic detection and remediation: CIEM calculates the baseline activity and can detect events like account compromises, insider threats, stolen access keys and other potentially malicious user activities. It will then trigger notifications to relevant parties.
- Audit-ready: Monitoring and securing entitlements across your cloud platforms also helps you adhere to compliance regulations and standards related to user permissions.