The public cloud eliminated the traditional network boundary, so cloud security rests on different strategies, entitlement management among them. The security boundary of your cloud is your identities, both people users and non-people identities (service accounts, roles, workload identities), and they need to be managed accordingly. There can be tens of thousands of non-people identities in a cloud environment, and it is the use cases of these non-people identities that make security even more complex.
Identity-based use cases are proliferating dramatically, which raises the question of their entitlements. In the cloud, we call these entitlements an identity's effective permissions: the end-to-end set of actions an identity can take and the data it can access once every policy that applies to it, whether attached directly, inherited through a group, or reached by assuming a role, has been evaluated.
Cloud Infrastructure Entitlement Management (CIEM) offers the technology to monitor cloud identities and their effective permissions. Gartner explains it this way, “CIEM offerings are specialized identity-centric SaaS solutions focused on managing cloud risk via administration-time controls for the governance of entitlements in hybrid and multi cloud IaaS.”
The goal of CIEM is to answer the basic questions surrounding identity: what are my identities, what are their effective permissions, and, in the data context, what data can they access and what are they doing with it.
Network Security Doesn’t Work in the Cloud
Traditional on-premises identities were stored in a central repository like Active Directory. Well-defined processes and provisioning determined where identities existed, which groups they belonged to, and how they were monitored within the organization. A lifecycle was developed and maintained for each identity, and entitlement checks for those identities were performed periodically, maybe every 90 days or once a year. In the cloud, this approach to identity governance is not only wrong but dangerous.
Moving to the cloud brings a fundamental paradigm shift, beginning with identity as the boundary. Identity associations are more diverse and more widely spread across the cloud, and many more groups, such as app teams, DevOps, SecOps and admins, have a hand in creating and using identities. With all of this activity, privileges are not only obscured, they can change quickly and may exist for only short periods of time.
What was a simple model for on-premises identities, even if it was never easy to manage, becomes a complex model in the cloud that is extremely difficult to manage. People working in the cloud usually know only the identities tied to their own role and do not realize that dozens or hundreds of other identities may already exist with the same or similar functions.
Organizations need to know what all their identities are, but most struggle to do so. The effective permissions of each and every identity need to be continuously monitored, not just checked every 90 days or less often, and someone needs to be alerted immediately when something changes.
If you cannot inventory your identities and their effective permissions, you cannot have a secure cloud. The first step toward cloud security is therefore an inventory of your identities, and CIEM helps with that process.
One of the most significant security issues in the cloud is misconfiguration risk, driven by complexity, lack of training for the staff responsible for cloud management, lack of visibility, and too few people to manage security in the cloud. Addressing misconfiguration is another area where CIEM adds security through entitlement management.
For example, a non-person identity has an effective permission that lets it access a sensitive data container, even though it was never supposed to have that level of access. This type of misconfiguration is quite common and very concerning. Such cases tend to arise when the full picture of how a permission is obtained, through group membership, assumable roles or resource policies, is not understood. What looks fine on the surface can actually be a major risk.
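To make effective permissions concrete, here is an added example (not Sonrai's code, and not a real CIEM product). It resolves each identity's effective permissions over a constructed, simplified inventory, flags a non-person identity that can read a sensitive data container only through a chain of assumable roles, and diffs two inventory snapshots so that a change to an entitlement raises an alert. The identities, groups, roles, policies and the sensitivity label are all assumptions made up for the illustration; the action names mimic AWS IAM, but nothing here talks to a cloud provider.

```python
"""Resolve effective permissions for cloud identities and alert on change.

Added example, not Sonrai's code. The inventory is constructed and uses a
simplified policy model (assumptions): a statement is (effect, action,
resource); an explicit Deny removes an Allow evaluated for the same
principal; assuming a role yields that role's own permissions, evaluated
separately, so a Deny on the caller does not follow it into the role.
"""
from collections import deque
from copy import deepcopy

# Constructed inventory: names, groups, roles and policies are all made up.
INVENTORY = {
    "identities": {
        "alice": {"kind": "person", "groups": ["developers"], "assumes": [], "policies": []},
        "build-runner": {"kind": "non-person", "groups": ["ci"], "assumes": ["deploy-role"],
                         "policies": [("Allow", "s3:GetObject", "bucket:build-artifacts")]},
        "metrics-agent": {"kind": "non-person", "groups": [], "assumes": [],
                          "policies": [("Allow", "cloudwatch:PutMetricData", "*")]},
    },
    "groups": {
        "developers": [("Allow", "s3:GetObject", "bucket:build-artifacts"),
                       ("Deny", "s3:GetObject", "bucket:customer-pii")],
        "ci": [("Allow", "logs:PutLogEvents", "*")],
    },
    "roles": {
        "deploy-role": {"assumes": ["data-export-role"],
                        "policies": [("Allow", "ecs:UpdateService", "*")]},
        "data-export-role": {"assumes": [],
                             "policies": [("Allow", "s3:GetObject", "bucket:customer-pii")]},
    },
}
SENSITIVE_RESOURCES = {"bucket:customer-pii"}          # assumed data classification
DATA_READ_ACTIONS = {"s3:GetObject", "s3:ListBucket"}  # actions that read data


def _evaluate(statements):
    """Allow minus explicit Deny for one principal's own statements."""
    allows = {(a, r) for e, a, r in statements if e == "Allow"}
    denies = {(a, r) for e, a, r in statements if e == "Deny"}
    return allows - denies


def effective_permissions(inv, identity):
    """All (action, resource) pairs the identity can reach: its own policies,
    its groups' policies, and every role reachable through assumption chains."""
    ident = inv["identities"][identity]
    own = list(ident["policies"])
    for group in ident["groups"]:
        own.extend(inv["groups"][group])
    perms = _evaluate(own)
    seen, queue = set(), deque(ident["assumes"])
    while queue:                      # breadth-first walk; `seen` stops cycles
        role = queue.popleft()
        if role in seen:
            continue
        seen.add(role)
        perms |= _evaluate(inv["roles"][role]["policies"])
        queue.extend(inv["roles"][role]["assumes"])
    return perms


def snapshot(inv):
    """The identity inventory: every identity mapped to its effective permissions."""
    return {name: effective_permissions(inv, name) for name in inv["identities"]}


def sensitive_data_findings(inv, kind=None):
    """Identities (optionally filtered to one kind) able to read sensitive data."""
    findings = []
    for name, perms in snapshot(inv).items():
        if kind and inv["identities"][name]["kind"] != kind:
            continue
        for action, resource in sorted(perms):
            if action in DATA_READ_ACTIONS and (resource == "*" or resource in SENSITIVE_RESOURCES):
                findings.append((name, action, resource))
    return findings


def diff_snapshots(before, after):
    """Per-identity permissions gained or lost between two snapshots."""
    changes = {}
    for name in sorted(set(before) | set(after)):
        added = after.get(name, set()) - before.get(name, set())
        removed = before.get(name, set()) - after.get(name, set())
        if added or removed or (name in before) != (name in after):
            changes[name] = {"added": added, "removed": removed}
    return changes


def grant_to_role(inv, role, action, resource):
    """Copy of the inventory with one extra Allow statement on a role."""
    new = deepcopy(inv)
    new["roles"][role]["policies"].append(("Allow", action, resource))
    return new


if __name__ == "__main__":
    before = snapshot(INVENTORY)
    print("non-person identities reaching sensitive data:",
          sensitive_data_findings(INVENTORY, kind="non-person"))
    # Someone widens data-export-role; build-runner's entitlement changes even
    # though nobody touched build-runner, which is what the monitor must catch.
    after = snapshot(grant_to_role(INVENTORY, "data-export-role",
                                   "s3:ListBucket", "bucket:customer-pii"))
    for name, change in diff_snapshots(before, after).items():
        print(f"ALERT {name}: +{sorted(change['added'])} -{sorted(change['removed'])}")
```

Note what the output shows: build-runner has no direct policy on the PII bucket and its group has none either, yet its effective permissions include it because deploy-role can assume data-export-role. The Deny in the developers group protects alice, not the workload. The evaluation model is deliberately simplified; a real resolver must also account for resource-based policies, permission boundaries, organization-level policies and conditions, which is why a surface reading of one policy is not enough.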
How Organizations Use CIEM
Discovery and inventory of all the identities in your cloud environment, together with determining and continuously monitoring their effective permissions, is what stands between good cloud security and serious cyber incidents. CIEM can be used to manage identities better in the following ways:
- Separation of Duties. Making sure that permissions are not concentrated in one identity, e.g., the identity that administers the keys used to encrypt data cannot also decrypt that data.
- Access Reviews and Monitoring Cloud Service Users. CIEM continuously monitors identities and their effective permissions, including whether an entitlement or effective permission has changed.
- Designing and Managing Role Assignments. A CIEM monitors each identity's role assignments, recognizes when a role has been granted permissions or entitlements it should not have, and corrects it.
- Identity Confirmation and Oversight. It offers a consolidated view of identity classification and the much-needed management of identities.
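As an added example of the separation-of-duties and role-assignment checks above (not Sonrai's code), the script below takes already-resolved effective permissions, constructed here, and reports identities that hold both sides of a conflicting-duty rule and roles that have drifted beyond an approved baseline, together with the corrected permission set. The rules, baselines, identities and permissions are illustrative assumptions; action names follow AWS IAM naming, and a "*" resource is treated as matching any resource.

```python
"""Separation-of-duties and role-assignment checks over effective permissions.

Added example, not Sonrai's code. Every input is constructed: identities and
roles are given already-resolved sets of (action, resource) pairs, and the
conflicting-duty rules and role baselines are illustrative assumptions.
"""

# Assumed conflicting duties: one identity holding an action from both sides
# is a finding. The first rule is the page's example: whoever administers the
# keys that encrypt data must not also be able to decrypt with them.
SOD_RULES = [
    ("key administration vs. decryption",
     {"kms:CreateKey", "kms:PutKeyPolicy", "kms:ScheduleKeyDeletion"}, {"kms:Decrypt"}),
    ("audit-log control vs. workload admin",
     {"cloudtrail:StopLogging", "cloudtrail:DeleteTrail"}, {"ec2:RunInstances", "iam:AttachRolePolicy"}),
]

# Assumed approved baseline per role: anything a role holds beyond it is drift.
ROLE_BASELINES = {
    "deploy-role": {("ecs:UpdateService", "*"), ("ecr:GetDownloadUrlForLayer", "*")},
    "audit-reader": {("cloudtrail:LookupEvents", "*")},
}

# Constructed effective permissions, as a resolver would report them.
IDENTITY_PERMS = {
    "kms-admin-bob": {("kms:CreateKey", "*"), ("kms:PutKeyPolicy", "*"),
                      ("kms:Decrypt", "key:payments")},
    "payments-svc": {("kms:Decrypt", "key:payments"), ("s3:GetObject", "bucket:payments")},
}
ROLE_PERMS = {
    "deploy-role": {("ecs:UpdateService", "*"), ("ecr:GetDownloadUrlForLayer", "*"),
                    ("iam:PassRole", "*")},
    "audit-reader": {("cloudtrail:LookupEvents", "*")},
}


def sod_violations(identity_perms, rules=SOD_RULES):
    """(identity, rule, side-A actions held, side-B actions held) per conflict."""
    findings = []
    for name, perms in sorted(identity_perms.items()):
        held = {action for action, _ in perms}
        for label, side_a, side_b in rules:
            if held & side_a and held & side_b:
                findings.append((name, label, sorted(held & side_a), sorted(held & side_b)))
    return findings


def _covered(pair, baseline):
    """True if the baseline grants this action on this resource (or on "*")."""
    action, resource = pair
    return any(a == action and r in ("*", resource) for a, r in baseline)


def role_drift(role_perms, baselines=ROLE_BASELINES):
    """Permissions each role holds beyond its baseline, plus the corrected set.
    A role with no baseline gets an empty one, so everything on it is excess."""
    report = {}
    for role, perms in role_perms.items():
        baseline = baselines.get(role, set())
        excess = {p for p in perms if not _covered(p, baseline)}
        if excess:
            report[role] = {"excess": excess, "corrected": perms - excess}
    return report


if __name__ == "__main__":
    for name, rule, a, b in sod_violations(IDENTITY_PERMS):
        print(f"SoD violation: {name} holds {a} and {b} ({rule})")
    for role, drift in role_drift(ROLE_PERMS).items():
        print(f"Role drift: {role} has excess {sorted(drift['excess'])}; "
              f"corrected -> {sorted(drift['corrected'])}")
```

In practice the "corrected" set is what you would push back through your policy pipeline, and the drift report is the signal that a role assignment was edited outside the approved design, the situation the role-assignment bullet above describes.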
Sonrai Security's platform can help your organization manage cloud security and identities through four main areas:
- Identity Security. This is the heart of the CIEM platform. It offers identity inventory, continuous mapping of effective permissions, and continuous monitoring for deviations.
- Data Security. Data is every company's most valuable asset, and it needs to be protected. Knowing which identities can and cannot access the data, and what is being done with it, is vital protection against breaches.
- Intelligent CSPM. The cloud platform's configuration is the foundation everything else stands on; if the platform is misconfigured, the identities and data built on it inherit that exposure.
- Governance Automation. Your CIEM needs to scale to your needs and work at the speed of the cloud, so that potential threats can be mitigated quickly.
Keeping your cloud secure requires effective and continuous monitoring of both people and non-people identities in your cloud environment. CIEM offers visibility into your identities and entitlements, which lets you manage them more effectively. In the cloud, identities are your boundary, and if you do not know what your identities are or the effective permissions they hold, you are essentially opening the gate to risk.