Modern organizations continue to migrate more of their core operations to the cloud, extending processes and associated workloads, applications, and data across platforms from cloud service providers such as Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP). Some multicloud environments can include all of these and more.
A single organization’s cloud ecosystem can have millions of individual permissions granted to people, systems, and cloud services, including non-federated accounts, default and misconfigured permissions, and even unused permissions. Left unchecked, these massively widen your attack surface, making it easier for attackers to infiltrate cloud deployments. According to Gartner projections, by 2023, 75% of cloud security failures will result from inadequate management of identity, access, and privileges.
Widely used legacy security solutions such as privileged access management (PAM) don’t fully address modern entitlement issues—they either can’t keep up with the ephemeral, flexible nature of the cloud, or they focus on cloud configuration without offering visibility into enterprise entitlements. CIEM addresses these issues by providing deep visibility into cloud entitlements alongside automated remediation to help your organization maintain least-privileged access.
There are various CIEM solutions in the market, and no two are made entirely from the same parts or share all the same functions. However, they all share some components at a basic level, such as:
For a typical modern organization, managing cloud access risk is more than just knowing who has access to what. In fact, in many cases, there’s no “who” to manage at all. More than half of today’s cloud entitlements are granted to applications, machines, and service accounts. OT (e.g., factory floor servers and robots) and IoT devices (e.g., card readers, shipping trackers, printers) connect to applications and databases that also interconnect and constantly exchange information.
Entitlements need to be finely delineated to prevent inappropriate data sharing. However, with potentially thousands of users and services, tens of thousands of resources, and tens of millions of individual entitlements to manage, a human team simply can’t act quickly or accurately enough to keep up as requirements change. In today’s environments, only CIEM and the power of automation can do that.
Let’s look quickly at the specific challenges you can address with CIEM. An effective CIEM solution encompasses general identity and access management (IAM) configuration as well as privileged access management, providing automated governance to help you:
An effective CIEM solution lets you visualize entitlements among your organization’s users, nonhuman identities, and cloud resources; analyze the entitlements landscape to expose risk; detect threats; and maintain least-privileged access. Let’s look at this in a little more detail.
Your DevOps team manages access configuration for your cloud infrastructure, but innovation and speed drive the team, not security. The granular, manual permissioning necessary to maintain least-privileged access is too cumbersome for DevOps to keep up with, so it’s common for DevOps to grant excessive permissions to accelerate a rollout or provision services more efficiently.
CIEM tools automatically remediate excessive permissions without breaking the applications or disrupting DevOps, freeing up your developers to do what they do best.
CIEM provides a centralized overview of entitlements across multiple cloud platforms so you can more easily govern “who sees what” in the cloud. This high-level picture of entitlements helps your team assess risk and develop mitigation strategies.
CIEM also allows your security team to govern which human and nonhuman users can access which resources across multiple clouds, services, users, and entities—backed up by comprehensive, automated reporting.
A well-designed CIEM solution reduces your attack surface and minimizes your public cloud risk by enabling you to:
Misconfigurations and excessive permissions are the biggest public cloud issues organizations face today. There are two different types of tools built to help you address these challenges and reduce your risk as you leverage the public cloud: cloud security posture management (CSPM) and CIEM.
Let’s compare them.
The “big three” cloud providers alone—Azure, AWS, and Google Cloud—provide hundreds of distinct services, each with configuration options that impact security and risk. With even a modest multicloud strategy, you can end up with thousands of feature configurations to monitor. CSPM tools handle misconfiguration issues in these popular public cloud services by helping you:
While CSPM focuses on misconfigurations, CIEM tools address a different prevalent security gap in public cloud deployments: inadequate control over identities and privileges. With hundreds of cloud users, you’ll have tens of thousands of resources and tens of millions of individual entitlements to manage—far too much for a team to handle manually. CIEM tools help you:
So, given what CSPM and CIEM tools each do to reduce your cloud risk, which one do you need to deploy in your environment? The answer is both. Misconfigurations and excessive permissions are both major sources of public cloud security risk, and by pairing CSPM and CIEM together, you can minimize the vast majority of security issues that plague public clouds.
CIEM and CSPM policies are natively built into Posture Control by Zscaler, a comprehensive cloud native application protection platform (CNAPP) that secures cloud infrastructure, sensitive data, and native application deployments across your multicloud environments.
The powerful CIEM functions in Posture Control let you take advantage of:
Comprehensive IAM risk posture visibility
AI- and ML-powered analytics help you manage the sheer volume of entitlements data. A risk-based view of human and nonhuman identities allows you to easily identify excessive high-risk permissions and inspect cloud identity configurations.
Risk-based prioritization
Most security platforms generate far too many alerts to be actionable. Posture Control prioritizes your organization’s security risks based on your profile, allowing for maximal risk reduction with minimal effort.
Entitlement rightsizing
Posture Control uses machine learning, cohort analysis, and more to identify hidden, unused, and misconfigured permissions as well as risky access paths for sensitive resources unique to each cloud platform, which you can remove to minimize your attack surface and achieve least-privileged access.
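The two rightsizing signals named above, unused permissions and cohort analysis, can be demonstrated in a few lines. The following is an added example, not Posture Control's code or algorithm: it takes a constructed entitlement table, a constructed last-used map (the kind of data a provider's access logs yield) and a constructed cohort assignment, and produces a keep/remove/review split for one identity. Identity names, action strings, the 90-day window and the 50% cohort threshold are all assumptions chosen for the illustration.

```python
"""Constructed illustration of entitlement rightsizing from two signals:
(1) permissions not exercised within a window, and (2) permissions that
peers in the same cohort do not hold. Added example, not vendor code."""
from collections import Counter
from datetime import date, timedelta

# Constructed entitlements: identity -> set of allowed actions.
ENTITLEMENTS = {
    "svc-invoice": {"s3:GetObject", "s3:PutObject", "s3:DeleteObject",
                    "dynamodb:Query", "iam:PassRole", "kms:Decrypt"},
    "svc-ledger": {"s3:GetObject", "dynamodb:Query"},
    "svc-payroll": {"s3:GetObject", "dynamodb:Query", "s3:PutObject"},
}

# Constructed cohort assignment (e.g. derived from tags or deployment role).
COHORT = {
    "svc-invoice": "finance-workload",
    "svc-ledger": "finance-workload",
    "svc-payroll": "finance-workload",
}

# Fixed clock so the example is deterministic.
TODAY = date(2024, 1, 31)

# Constructed last-used data: (identity, action) -> last date seen in access
# logs. Actions absent from this map were never observed.
LAST_USED = {
    ("svc-invoice", "s3:GetObject"): date(2024, 1, 30),
    ("svc-invoice", "s3:PutObject"): date(2024, 1, 29),
    ("svc-invoice", "dynamodb:Query"): date(2024, 1, 30),
    ("svc-invoice", "kms:Decrypt"): date(2024, 1, 28),
    ("svc-invoice", "s3:DeleteObject"): date(2023, 9, 1),  # stale
    ("svc-ledger", "s3:GetObject"): date(2024, 1, 30),
    ("svc-ledger", "dynamodb:Query"): date(2024, 1, 30),
    ("svc-payroll", "s3:GetObject"): date(2024, 1, 30),
    ("svc-payroll", "dynamodb:Query"): date(2024, 1, 30),
    ("svc-payroll", "s3:PutObject"): date(2024, 1, 27),
}


def unused_permissions(identity, window_days=90):
    """Actions the identity holds but has not used within the window."""
    cutoff = TODAY - timedelta(days=window_days)
    return sorted(
        a for a in ENTITLEMENTS[identity]
        if LAST_USED.get((identity, a), date.min) < cutoff
    )


def cohort_outliers(identity, threshold=0.5):
    """Actions held by the identity but by fewer than `threshold` of its peers."""
    peers = [i for i, c in COHORT.items()
             if c == COHORT[identity] and i != identity]
    if not peers:
        return []  # no basis for comparison; fall back to usage alone
    held_by = Counter(a for p in peers for a in ENTITLEMENTS[p])
    return sorted(
        a for a in ENTITLEMENTS[identity]
        if held_by[a] / len(peers) < threshold
    )


def rightsize(identity, window_days=90, threshold=0.5):
    """Split entitlements into keep / remove / review.

    remove: unused within the window (safe to cut, nothing exercised them).
    review: used, but unusual for the cohort; needs a human decision rather
            than automatic removal, since cutting it would break a workload.
    keep:   everything else.
    """
    unused = set(unused_permissions(identity, window_days))
    outliers = set(cohort_outliers(identity, threshold))
    return {
        "keep": sorted(ENTITLEMENTS[identity] - unused),
        "remove": sorted(unused),
        "review": sorted(outliers - unused),
    }


if __name__ == "__main__":
    for ident in ENTITLEMENTS:
        print(ident, rightsize(ident))
```

The split matters for the "without breaking the applications" goal: only the never-exercised entitlements go straight to removal, while a used-but-unusual one such as a decrypt permission no peer holds is surfaced for review instead of being cut automatically.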
Secure DevOps
Effective entitlement management in your DevOps processes removes the need to compromise on security or innovation.
Consistent, compliant IAM configuration
By enforcing consistent policies and automated guardrails across multicloud environments and ensuring IAM compliance with CIS, GDPR, SOC2, NIST, PCI DSS, ISO, and more, you gain powerful, granular control over access to your valuable assets.