What Is Cloud Infrastructure Entitlement Management (CIEM)?
An emerging class of cloud security management solutions, cloud infrastructure entitlement management (CIEM), has established a new paradigm for protecting enterprise assets in the cloud. CIEM mitigates the risk of data breaches in public clouds due to excessive entitlements.
Modern enterprises have been rapidly integrating cloud computing into their business processes. With a diverse choice of cloud service providers (CSPs), such as Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform, enterprises extend key business processes, workloads, applications, and data across multiple platforms.
The problem grows with the numbers. Large enterprises may have thousands of users and services, each requiring entitlements that allow them to access various resources and other services. But more than half of an enterprise’s cloud entitlements are granted to applications, machines, and service accounts; users and roles are only a small part of the problem. Why do applications and machines need entitlements? Because servers, robots on the manufacturing floor (OT), and IoT devices all connect to applications and databases, constantly exchanging information. Applications also connect to other applications, such as a database in AWS connecting to Salesforce or Microsoft 365. Entitlements must be finely delineated to ensure that data cannot be shared inappropriately, and to limit unnecessary access.
As a result of this hyperconnectivity, an organization with hundreds of cloud users and tens of thousands of resources will have tens of millions of individual entitlements—numbers that can only be managed with automation.
Maintaining speed and agility for DevOps
The transition to cloud computing presents a security challenge for DevOps. DevOps teams manage the access configuration to a company’s cloud infrastructure, but these teams are driven by innovation and speed, not security. To accelerate a rollout or provision services, DevOps may grant overly permissive entitlements, which puts data at risk. But manually trying to lock down permissions to create a least-privileged access environment is too cumbersome and impedes the velocity so crucial to DevOps.
CIEM provides an automated way to remove excessive permissions without breaking the applications or disrupting DevOps, so developers can deploy code rapidly, freely, and securely.
Why overly permissive entitlements are risky
As mentioned, enterprise cloud environments can have hundreds of millions of discrete permissions granted to people, systems, and cloud services, and many of these may include unused permissions, non-federated accounts, and default and misconfigured permissions. Left unchecked, these permissions become an easy path for attackers to infiltrate cloud deployments.
There are plenty of high-profile examples demonstrating how entitlement problems can have devastating, real-world consequences.
Widely used security solutions, such as privileged access management (PAM), fail to fully address entitlement issues. Most of these tools are either unable to address risks in the cloud or focus on cloud configuration without providing visibility into enterprise entitlements.
Visibility is the key to managing entitlements
With CIEM, your enterprise gains an overview of entitlements so that you can govern “who sees what” in the cloud. CIEM provides entitlement security across multiple cloud platforms from a single dashboard and frees up DevOps to do what they do best: develop and deploy top-notch enterprise applications.
CIEM allows your security team to govern which identities (both human and non-human) can access which resources across multiple clouds and services. Comprehensive, automated reporting streamlines the ability to maintain a strong security posture, minimizing disruption to your DevOps team. A unified visualization platform provides a high-level picture of entitlements and helps your team assess risk and develop mitigation strategies.
A well-designed CIEM solution can:
- Create and maintain an accurate inventory of all existing entitlements.
- Characterize normal cloud transactions. A clear picture of normal cloud behavior is the key to detecting operations that are abnormal or contrary to enterprise policy.
- Detect external and internal risks and threats, such as hostile activity, human error, or deviations from enterprise policy.
- Analyze entitlement usage and identify problematic entitlements, such as those that are misconfigured, unused, or contrary to enterprise policy. CIEM analyzes the cloud environment for discrepancies between actual entitlements and enterprise policy.
- Help automate the cleanup of problematic entitlements. By distinguishing needed from problematic entitlements, CIEM supports your DevOps team in their remediation efforts.
- Find high-priority issues and suggest actions to fix them by presenting actionable remediation plans.
- Enforce the principle of least privilege. By minimizing the attack surface, least-privileged access is a key component of zero trust.
- Implement uniform guardrails across multiple cloud environments. Different cloud service providers use different security settings with different terminology. A centralized dashboard is crucial to configuring and enforcing guardrails while preventing risky or erroneous changes.
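The inventory, usage analysis, least-privilege and remediation-plan capabilities in the list above can be illustrated with a small entitlement analyzer. The Python below is an added example written for this page; it is not Zscaler's product code and does not call any cloud provider API. The permission string format ("service:action" with glob wildcards), the ACTION_CATALOGUE, the inventory, the usage log and the restricted-action policy are all constructed for the example.

```python
"""Toy entitlement analysis in the spirit of the CIEM capabilities listed above.

Everything here is constructed sample data: a catalogue of concrete actions,
an inventory of grants, a usage log, and an enterprise policy.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Constructed catalogue of concrete actions each cloud service exposes.
ACTION_CATALOGUE = {
    "storage": {"GetObject", "PutObject", "ListBucket", "DeleteBucket"},
    "db": {"Query", "Insert", "DropTable"},
}

# Constructed entitlement inventory. Grants are "service:action" strings and may
# use "*" as a wildcard. Both human and non-human identities appear, matching the
# page's point that most cloud entitlements go to workloads and service accounts.
ENTITLEMENTS = {
    "alice@example.com": {"storage:GetObject", "storage:PutObject", "storage:DeleteBucket"},
    "svc-order-processor": {"storage:GetObject", "db:*"},
    "svc-report-bot": {"storage:*"},
}

# Constructed enterprise policy: destructive actions only an admin identity may hold.
RESTRICTED_ACTIONS = {"storage:DeleteBucket", "db:DropTable"}
ADMIN_IDENTITIES = set()

# Constructed 90-day usage records: which permission each identity actually exercised.
USAGE_LOG = [
    ("alice@example.com", "storage:GetObject"),
    ("alice@example.com", "storage:PutObject"),
    ("svc-order-processor", "storage:GetObject"),
    ("svc-order-processor", "db:Query"),
    ("svc-order-processor", "db:Insert"),
    ("svc-report-bot", "storage:GetObject"),
    ("svc-report-bot", "storage:ListBucket"),
]


def expand(grant):
    """Expand one 'service:pattern' grant into the concrete actions it confers."""
    service, pattern = grant.split(":", 1)
    return {f"{service}:{a}" for a in ACTION_CATALOGUE[service] if fnmatchcase(a, pattern)}


def effective_permissions(identity):
    """Inventory step: every concrete action the identity can currently perform."""
    effective = set()
    for grant in ENTITLEMENTS[identity]:
        effective |= expand(grant)
    return effective


def used_permissions(identity):
    """Usage step: the actions the identity exercised in the observation window."""
    return {perm for who, perm in USAGE_LOG if who == identity}


@dataclass
class Finding:
    identity: str
    unused: set            # granted but never exercised
    wildcard_grants: set   # grants that confer more than one action
    policy_violations: set  # effective actions the enterprise policy forbids
    suggested_policy: set  # least-privilege replacement: exactly what was used

    @property
    def risk_score(self):
        # Simple weighting: policy violations first, then wildcards, then unused grants.
        return 10 * len(self.policy_violations) + 5 * len(self.wildcard_grants) + len(self.unused)


def analyze(identity):
    """Compare actual entitlements against usage and policy for one identity."""
    effective = effective_permissions(identity)
    used = used_permissions(identity)
    if used - effective:
        # Usage of an action the inventory does not grant means the inventory is stale.
        raise ValueError(f"inventory out of date for {identity}: {used - effective}")
    wildcard = {g for g in ENTITLEMENTS[identity] if "*" in g}
    violations = set() if identity in ADMIN_IDENTITIES else effective & RESTRICTED_ACTIONS
    return Finding(identity, effective - used, wildcard, violations, used)


def remediation_plan():
    """Findings ordered by risk so the riskiest identities are addressed first."""
    return sorted((analyze(i) for i in ENTITLEMENTS), key=lambda f: f.risk_score, reverse=True)


if __name__ == "__main__":
    for finding in remediation_plan():
        print(f"{finding.identity} (risk {finding.risk_score})")
        print(f"  unused:      {sorted(finding.unused)}")
        print(f"  wildcards:   {sorted(finding.wildcard_grants)}")
        print(f"  violations:  {sorted(finding.policy_violations)}")
        print(f"  replace with: {sorted(finding.suggested_policy)}")
```

The suggested policy is deliberately a suggestion rather than an automatic change: an entitlement unused in a 90-day window may still be needed for a rare operation such as a restore, which is why the list above describes CIEM as presenting remediation plans that DevOps then acts on. The stale-inventory check matters in practice too; if usage shows an action the inventory says was never granted, the inventory (not the usage log) is what needs fixing first.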
With a good CIEM solution, your DevOps staff can visualize entitlements among all users, nonhuman identities, and cloud resources as well as analyze the entitlements landscape to expose deviations from enterprise policy. CIEM lets your enterprise detect threats and maintain a least-privileged security posture.
Zscaler, with its 2021 acquisition of Trustdome, has made CIEM available as an integral component of the Zscaler Cloud Protection (ZCP) solution. Zscaler CIEM, along with CSPM, provides a top-flight security solution using machine learning (ML) algorithms and cohort analysis to identify and remediate problematic entitlements and configurations.