What is CIEM and Why Should Enterprises Make it a Priority?
Global spending on cloud service providers is forecast to grow 18.4% in 2021 to $304.9 billion, up from $257.5 billion in 2020. Enterprise organizations face the major challenge of reducing complexity in their cloud environments while enforcing least privilege across high volumes of people and non-people identities and their access. As organizations move to the cloud, security teams must contend not only with entitlements tied to people identities but with up to tens of thousands of non-people identities (roles, service accounts and similar workload identities). Enterprises already in the cloud are often not even aware of this risk; those that are increasingly look for a Cloud Infrastructure Entitlement Management (CIEM) solution.
Traditional Privileged Access Management (PAM) solutions do not effectively manage identities in your cloud. It isn’t really their fault; PAM was built for privileged human accounts on relatively static infrastructure, not for the mix of people and non-people identities the cloud creates. Their view of entitlements is too narrow, and they cannot keep up with the speed, scale, and complexity of a single cloud, let alone manage across multiple clouds. Because of the complexity of managing identities in and across clouds, a new breed of solution has emerged: Cloud Infrastructure Entitlement Management (CIEM).
What is a CIEM solution? CIEM refers to a next-generation class of cloud security technology that grants, resolves, enforces, revokes, and administers access. A CIEM’s purpose is to manage entitlements, remediate cloud access risk, and enforce the principle of least privilege across multi-cloud environments by reducing excessive permissions, access, and cloud infrastructure entitlements.
Identities are the New Security Boundary
At the heart of any cloud security strategy is identity management. Identities (both people and non-people), not networks, form your security boundaries. Thus, to ensure that you are effectively protecting your environment and the data residing within it, you need to shift your perspective and take a new approach to identity management. Failure to do so leaves your organization blind to significant risks.
Inventory Everything, All the Time
You can’t manage what you don’t know about. In the average cloud there are hundreds, if not thousands, of identities, and non-people identities make up the majority of them. A CIEM solution lets you inventory every identity in your cloud. This is not a static inventory executed once a quarter; it is built continuously, so that at any given moment you have visibility into every single identity and can confirm there are no gaps. With that in place you have a strong foundation on which to manage entitlements.
Effective Permissions, Entitlements in the Cloud
You need to know what your identities can access and what they can do with that access. Managing entitlements, or permissions, for your identities in the cloud is an extraordinarily complex and challenging task. To securely manage your cloud, you need to take a holistic approach and determine, for each and every identity, its effective, end-to-end permissions. This involves not only evaluating the policies and/or access controls directly attached to the identity but mapping out what that identity can do with those permissions.
- Can it take on, or assume, another identity? If it can, it now takes on the permissions of that identity.
- What can it do with these new permissions? If we looked only at the first level, we would be blind to everything else. This is where organizations get into trouble and where a CIEM is crucial.
To help put this into context, let’s examine the following example.
Sam is a DevOps engineer with what is supposed to be a limited set of permissions in her company’s AWS dev account. She belongs to an IAM group that grants her identity the permissions needed to do her job, including the ability to assume an IAM role, a non-people identity within that same account. However, due to lack of visibility, nobody noticed that the role she can assume is itself permitted to assume another role, this time in a production account. Making matters worse, that production role is grossly over-permissioned: it has full admin permissions on every DynamoDB table in production.
So from a traditional entitlements perspective, Sam’s AWS user has only the permissions she needs to do her job. When a CIEM computes her effective permissions, however, it shows that she has full admin access to every DynamoDB table in her company’s production environment. Note that each hop in such a chain requires two things to line up: an sts:AssumeRole permission on the assuming identity and a trust policy on the target role that admits it. A CIEM has to evaluate both sides of every hop, along with any Deny statements, permissions boundaries, and service control policies that could block it, or it will report paths that do not exist and miss ones that do.
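The following is an added example, not code from the original post or from Sonrai, showing how the effective-permission computation behind the Sam scenario can be done: it walks every role an identity can reach through sts:AssumeRole, checking both the assuming identity's permission and the target role's trust policy at each hop, and reports the chain that grants a given action on a given resource. The account IDs, ARNs, and policies are constructed for the example, and the model covers Allow statements only (no Deny, permissions boundaries, SCPs, conditions, or session policies).

```python
"""Effective (end-to-end) permissions across an sts:AssumeRole chain.

Added illustration; not Sonrai code. Account IDs, ARNs and policies below are
constructed. A hop is possible only when BOTH the assuming identity has
sts:AssumeRole on the role AND the role's trust policy admits that identity.
Simplifications: Allow statements only (no Deny, permissions boundaries,
SCPs, or conditions), and no session-policy narrowing.
"""
from collections import deque
from fnmatch import fnmatchcase

DEV, PROD = "111111111111", "222222222222"          # constructed account IDs
SAM = f"arn:aws:iam::{DEV}:user/sam"
DEV_DEPLOY = f"arn:aws:iam::{DEV}:role/DevDeploy"
PROD_DATAOPS = f"arn:aws:iam::{PROD}:role/ProdDataOps"

# Constructed inventory: what each identity's own policies allow, and
# (for roles) which principals the trust policy names.
IDENTITIES = {
    SAM: {
        "allow": [
            ("dynamodb:Query", f"arn:aws:dynamodb:us-east-1:{DEV}:table/dev-*"),
            ("sts:AssumeRole", DEV_DEPLOY),
        ],
        "trust": [],
    },
    DEV_DEPLOY: {
        "allow": [
            ("lambda:UpdateFunctionCode", "*"),
            ("sts:AssumeRole", PROD_DATAOPS),       # the hop nobody noticed
        ],
        "trust": [f"arn:aws:iam::{DEV}:root"],      # any dev-account principal
    },
    PROD_DATAOPS: {
        "allow": [("dynamodb:*", f"arn:aws:dynamodb:us-east-1:{PROD}:table/*")],
        "trust": [DEV_DEPLOY],
    },
}


def account_of(arn):
    return arn.split(":")[4]


def trusts(role, principal, inventory):
    """Does the role's trust policy admit this principal?"""
    for entry in inventory[role]["trust"]:
        if entry == principal:
            return True
        # "account root" trust delegates the decision to that account's IAM policies
        if entry.endswith(":root") and account_of(entry) == account_of(principal):
            return True
    return False


def assumable_roles(identity, inventory):
    """Roles this identity can actually assume (both sides must agree)."""
    roles = set()
    for action, resource in inventory[identity]["allow"]:
        if action != "sts:AssumeRole":
            continue
        for arn in inventory:
            if ":role/" in arn and fnmatchcase(arn, resource) and trusts(arn, identity, inventory):
                roles.add(arn)
    return sorted(roles)


def effective_permissions(start, inventory=IDENTITIES):
    """Breadth-first walk over every reachable role.

    Returns {(action, resource): path}, where path is the chain of identities
    (starting with `start`) through which that grant is reached.
    """
    perms, seen = {}, {start}
    queue = deque([(start, [start])])
    while queue:
        ident, path = queue.popleft()
        for grant in inventory[ident]["allow"]:
            perms.setdefault(grant, path)
        for role in assumable_roles(ident, inventory):
            if role not in seen:
                seen.add(role)
                queue.append((role, path + [role]))
    return perms


def can(start, action, resource, inventory=IDENTITIES):
    """Return the assumption path that grants `action` on `resource`, or None.

    IAM-style wildcards in the policy (`*`, `?`) are matched with fnmatch.
    """
    for (a, r), path in effective_permissions(start, inventory).items():
        if fnmatchcase(action, a) and fnmatchcase(resource, r):
            return path
    return None


if __name__ == "__main__":
    table = f"arn:aws:dynamodb:us-east-1:{PROD}:table/customers"
    print("Direct grants:", [a for a, _ in IDENTITIES[SAM]["allow"]])
    print("Path to dynamodb:DeleteTable on prod:", can(SAM, "dynamodb:DeleteTable", table))
```

Run stand-alone, the script shows that Sam's direct grants are only a dev-table query and one AssumeRole, yet `can()` returns the three-identity path to `dynamodb:DeleteTable` on a production table. Change ProdDataOps's trust policy so it no longer names DevDeploy and the path disappears, which is the two-sided check a CIEM must get right.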
Identities are your security boundary in the cloud. To appropriately manage risk and protect your cloud, you need to have full visibility into all of your identities (both people and non-people), as well as know at all times what their effective (end-to-end) permissions are. This is where the traditional PAM tools start to fall down and where a CIEM solution is required.
CIEM Helps to Protect Your Most Valuable Data
In 2020, traditional tools didn’t cut it: week over week we read about another breach, at an average cost of $3.86 million per incident. If data is the most valuable commodity on the planet, why are most organizations not doing enough to protect it? The simple answer is that teams have been doing their best without adequate tooling. What has been missing is the ability to know, at all times, what every identity in your cloud, even across multiple clouds, has access to. With a CIEM, you can lock down and secure your data at the scale and speed of the cloud.
Start with the Data
Take a data-centric IAM approach. Using the identity inventory and effective permissions (entitlements) from your CIEM, you can determine not only which data each identity can access, but also how it can access that data and what it can potentially do with it. With this continuous visibility you can determine where your risks are and then manage them so that your cloud, and the data within it, stays secure. At the end of the day, this is the ultimate goal of the modern cloud security team.
Managing CIEM at the Scale and Speed of the Cloud
As we’ve seen, CIEM is critical to managing risk in your cloud environments. However, not all solutions are created equal. The right CIEM must not only inventory your people and non-people identities and determine their effective permissions; it must do so at the scale and speed of your cloud.
Quarterly Audits are a Thing of the Past
In the cloud, things change quickly, and your audit practices need to as well. At one time, identity inventory and entitlement audits were performed on a defined schedule. While that may have made sense in the data center, where changes were less frequent, it makes no sense in the cloud. With the multitude of teams working in your cloud, coupled with the ephemeral nature of the environment, you need to know what is going on at all times. You need to audit your cloud continuously so that you can immediately detect a deviation or misconfiguration and alert the right team.
In a recent customer issue that we encountered, a user (a people identity) assumed an overly permissive AWS IAM role (a non-people identity) and, as that assumed role, escalated the permissions of another IAM role, which they then assumed, giving them access to a critical data store. This all happened in a matter of minutes. Fortunately, this organization had a CIEM continuously auditing for access drift, and as soon as the role’s effective permissions changed, their security team was alerted. This would never have been caught using a traditional identity and data security approach.
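The incident above has a recognizable shape in the audit trail: assume a role, use it to change another role's policies, then assume that role minutes later. The following is an added example, not code from the original post or from Sonrai, that detects that sequence in CloudTrail-style events. The events are constructed to resemble CloudTrail records (the field names follow CloudTrail's schema; the account ID, principal names, and timestamps are invented). The rule alerts when a principal assumes a role whose policies or trust policy that same principal changed within a lookback window, and flags it as a chain when the actor was itself operating under an assumed-role session.

```python
"""Detect the "assume, escalate, assume" pattern in CloudTrail-style events.

Added illustration; not Sonrai code. Events are constructed to resemble
CloudTrail records (field names follow CloudTrail's schema; the account ID,
names and timestamps are invented).
"""
from datetime import datetime, timedelta

ACCT = "111111111111"                                  # constructed account ID
ROLE_MUTATIONS = {"AttachRolePolicy", "PutRolePolicy", "UpdateAssumeRolePolicy"}

# Constructed sample events (a subset of CloudTrail fields).
EVENTS = [
    {   # 1. a user assumes the over-permissive DevDeploy role
        "eventTime": "2021-03-02T14:00:05Z", "eventSource": "sts.amazonaws.com",
        "eventName": "AssumeRole",
        "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCT}:user/sam"},
        "requestParameters": {"roleArn": f"arn:aws:iam::{ACCT}:role/DevDeploy"},
    },
    {   # 2. as DevDeploy, they attach a broad policy to another role
        "eventTime": "2021-03-02T14:01:10Z", "eventSource": "iam.amazonaws.com",
        "eventName": "AttachRolePolicy",
        "userIdentity": {"type": "AssumedRole",
                         "arn": f"arn:aws:sts::{ACCT}:assumed-role/DevDeploy/sam"},
        "requestParameters": {"roleName": "DataOps",
                              "policyArn": "arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess"},
    },
    {   # 3. ...and assume the role they just escalated, 80 seconds later
        "eventTime": "2021-03-02T14:02:30Z", "eventSource": "sts.amazonaws.com",
        "eventName": "AssumeRole",
        "userIdentity": {"type": "AssumedRole",
                         "arn": f"arn:aws:sts::{ACCT}:assumed-role/DevDeploy/sam"},
        "requestParameters": {"roleArn": f"arn:aws:iam::{ACCT}:role/DataOps"},
    },
    {   # 4. benign: an admin edits a role, and someone else assumes it later
        "eventTime": "2021-03-02T15:10:00Z", "eventSource": "iam.amazonaws.com",
        "eventName": "PutRolePolicy",
        "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCT}:user/admin"},
        "requestParameters": {"roleName": "Reporting", "policyName": "read-metrics"},
    },
    {
        "eventTime": "2021-03-02T15:12:00Z", "eventSource": "sts.amazonaws.com",
        "eventName": "AssumeRole",
        "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCT}:user/analyst"},
        "requestParameters": {"roleArn": f"arn:aws:iam::{ACCT}:role/Reporting"},
    },
]


def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def role_name(role_arn):
    return role_arn.rsplit("/", 1)[-1]


def detect_modify_then_assume(events, window_minutes=15):
    """Return one alert per AssumeRole that follows the same principal's
    modification of that role within `window_minutes`."""
    window = timedelta(minutes=window_minutes)
    recent = {}          # role name -> [(time, actor arn, event name)]
    alerts = []
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        t = parse_time(ev["eventTime"])
        actor = ev["userIdentity"]["arn"]
        name = ev["eventName"]
        if name in ROLE_MUTATIONS:
            recent.setdefault(ev["requestParameters"]["roleName"], []).append((t, actor, name))
        elif name == "AssumeRole":
            target = role_name(ev["requestParameters"]["roleArn"])
            for mod_time, mod_actor, mod_name in recent.get(target, []):
                if mod_actor == actor and timedelta(0) <= t - mod_time <= window:
                    alerts.append({
                        "time": ev["eventTime"],
                        "actor": actor,
                        "role": target,
                        "modified_by": mod_name,
                        "seconds_after_change": int((t - mod_time).total_seconds()),
                        # an assumed-role session doing this is the chain pattern
                        "chained": ":assumed-role/" in actor,
                    })
    return alerts


if __name__ == "__main__":
    for alert in detect_modify_then_assume(EVENTS):
        print(alert)
```

Run stand-alone, the script prints a single alert for the DataOps role (80 seconds after the AttachRolePolicy call, flagged as chained) and nothing for the admin/analyst pair, because the modifier and the assumer differ. In a real pipeline the same logic would run over CloudTrail delivered to CloudWatch Logs or EventBridge, and `userIdentity.sessionContext.sessionIssuer` would tie the assumed-role session back to the role and original principal.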
Context Matters
Sending every security issue to one central team never worked, so why do it in the cloud? Your CIEM lets you organize your cloud contextually, that is, view it in a way that makes sense to your business. A typical pattern we see is organizations breaking their cloud into environments by application and data classification, and by the teams tasked with operating and securing them. Issues can then be routed to the teams that created them and are best placed to fix them. Getting the right ticket to the right team enables intelligent workflows, so that your existing IAM processes and best practices carry over to CIEM in your cloud. Lastly, organizing your cloud contextually lets you use automation to fix CIEM issues at the speed and scale of the cloud.
Prioritize Identity and Data Risk with CIEM
Managing identities and their entitlements in the cloud is a complex affair. With a plethora of identities, both people and non-people, traditional tools like PAM do not go wide or deep enough to give you the visibility you need to secure your cloud effectively. Throw in a multi-cloud environment and you are lost. What is required to solve this problem is a CIEM solution.
Sonrai Security can help. Sonrai Dig is an enterprise cloud security platform focused on identity and data security inside AWS, Azure, and Google Cloud. It can show you all the ways data has been accessed in the past and can be accessed in the future, and it delivers a complete risk model of all identity and data relationships, including activity and movement across cloud accounts, cloud providers, and third-party data stores.
Sonrai Security helps you protect the “crown jewels” by continuously monitoring critical data inside object stores and databases. You can see at all times where your data is and how it is classified, what has access to it and from where, what has accessed it, and what has changed. Sonrai Security can help with identity security and identity access management across your public cloud.
Using Sonrai Dig, our enterprise cloud security platform with CIEM capabilities, you can continuously inventory your identities, compute their effective (end-to-end) permissions, and alert on any deviations as soon as they are detected. With this in place, you can manage risk at the scale and speed of your cloud and avoid finding yourself in the headlines for the next embarrassing data breach.
This is a Security Bloggers Network syndicated blog from Blog - Sonrai Security, authored by Eric Kedrosky. Read the original post at: https://sonraisecurity.com/blog/what-is-ciem-and-why-should-enterprises-make-it-a-priority/