What Is Cloud Infrastructure Entitlement Management (CIEM)?

Why Are CIEM Solutions Necessary?

Modern organizations continue to migrate more of their core operations to the cloud, extending processes and associated workloads, applications, and data across platforms from cloud service providers such as Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP). Some multicloud environments can include all of these and more.

A single organization’s cloud ecosystem can have millions of individual permissions granted to people, systems, and cloud services, including non-federated accounts, default and misconfigured permissions, and even unused permissions. Left unchecked, these massively widen your attack surface, making it easier for attackers to infiltrate cloud deployments. According to Gartner projections, by 2023, 75% of cloud security failures will result from inadequate management of identity, access, and privileges.

Widely used legacy security solutions such as privileged access management (PAM) don’t fully address modern entitlement issues—they either can’t keep up with the ephemeral, flexible nature of the cloud, or they focus on cloud configuration without offering visibility into enterprise entitlements. CIEM addresses these issues by providing deep visibility into cloud entitlements alongside automated remediation to help your organization maintain least-privileged access.

Components of CIEM

There are various CIEM solutions in the market, and no two are made entirely from the same parts or share all the same functions. However, they all share some components at a basic level, such as:

• Identity governance: Rules that determine which human and nonhuman entities are subject to which policies
• Security policies: Rules that determine the who, what, when, where, and why of cloud and workload access
• Centralized management: A dashboard that lets your team manage your entire multicloud ecosystem from one place

The Role of CIEM in Modern Cloud Security

For a typical modern organization, managing cloud access risk is more than just knowing who has access to what. In fact, in many cases, there’s no “who” to manage at all. More than half of today’s cloud entitlements are granted to applications, machines, and service accounts. OT (e.g., factory floor servers and robots) and IoT devices (e.g., card readers, shipping trackers, printers) connect to applications and databases that also interconnect and constantly exchange information.

Entitlements need to be finely delineated to prevent inappropriate data sharing. However, with potentially thousands of users and services, tens of thousands of resources, and tens of millions of individual entitlements to manage, a human team simply can’t act quickly or accurately enough to keep up as requirements change. In today’s environments, only CIEM and the power of automation can do that.

The Challenges of Entitlement Management

Let’s look quickly at the specific challenges you can address with CIEM. An effective CIEM solution encompasses general identity and access management (IAM) configuration as well as privileged access management, providing automated governance to help you:

• Overcome roadblocks to fast, agile DevOps so developers can continue to deploy code quickly and securely
• Manage complex monitoring and governance in dynamic multicloud environments that can span the globe
• Rein in excessive permissions to prevent misuse or abuse by human and nonhuman accounts, including privileged accounts
• Maintain visibility and ensure compliance across multiple cloud infrastructures with different security frameworks, governance requirements, etc.

Benefits of CIEM

An effective CIEM solution lets you visualize entitlements among your organization’s users, nonhuman identities, and cloud resources; analyze the entitlements landscape to expose risk; detect threats; and maintain least-privileged access. Let’s look at this in a little more detail.

Speed and Agility for DevOps

Your DevOps team manages access configuration for your cloud infrastructure, but innovation and speed drive the team, not security. The granular, manual permissioning necessary to maintain least-privileged access is too cumbersome for DevOps to keep up, so it’s common for DevOps to grant excessive permissions to accelerate a rollout or provision services more efficiently.

CIEM tools automatically remediate excessive permissions without breaking the applications or disrupting DevOps, freeing up your developers to do what they do best.

Visibility from a Single Dashboard

CIEM provides a centralized overview of entitlements across multiple cloud platforms so you can more easily govern “who sees what” in the cloud. This high-level picture of entitlements helps your team assess risk and develop mitigation strategies.

CIEM also allows your security team to govern which human and nonhuman users can access which resources across multiple clouds, services, users, and entities—backed up by comprehensive, automated reporting.

Stronger Overall Security Posture

A well-designed CIEM solution reduces your attack surface and minimizes your public cloud risk by enabling you to:

• Create and maintain an accurate inventory of all existing entitlements
• Identify and automatically remediate entitlements that are misconfigured, unused, contrary to policy, or otherwise problematic
• Detect anomalous cloud transactions that may constitute internal or external threats, such as hostile activity, human error, or deviations from your security policies
• Find high-priority issues and present actionable remediation plans to help you fix them
• Enforce the principle of least privilege, a key component of zero trust
• Implement uniform guardrails across multiple cloud environments that each have their own security settings and terminology

CSPM vs. CIEM

Misconfigurations and excessive permissions are the biggest public cloud issues organizations face today.  There are two different types of tools built to help you address these challenges and reduce your risk as you leverage the public cloud: cloud security posture management (CSPM) and CIEM.

Let’s compare them.

Anschauen

CSPM Tools Reduce Misconfigurations

The “big three“ cloud providers alone—Azure, AWS, and Google Cloud—provide hundreds of distinct services, each with configuration options that impact security and risk. With even a modest multicloud strategy, you can end up with thousands of feature configurations to monitor. CSPM tools handle misconfiguration issues in these popular public cloud services by helping you:

• Monitor public cloud configuration issues
• Track your digital inventory and calculate your security posture
• Prioritize issues by risk profile and automatically remediate them
• Enforce policy guardrails to maintain security and compliance

CIEM Tools Address Excessive Permissions

While CSPM focuses on misconfigurations, CIEM tools address a different prevalent security gap in public cloud deployments: inadequate control over identities and privileges. With hundreds of cloud users, you‘ll have tens of thousands of resources and tens of millions of individual entitlements to manage—far too much for a team to handle manually. CIEM tools help you:

• Discover who has access to what across your cloud environments
• Understand permissions across human and nonhuman identities
• Build and enforce a simple, transparent least-privileged access model
• Implement a multicloud security policy for entitlements

Which Do You Need: CSPM or CIEM?

So, given what CSPM and CIEM tools each do to reduce your cloud risk, which one do you need to deploy in your environment? The answer is both. Misconfigurations and excessive permissions are both major sources of public cloud security risk, and by pairing CSPM and CIEM together, you can minimize the vast majority of security issues that plague public clouds.

How Zscaler Can Help

CIEM and CSPM policies are natively built into Posture Control by Zscaler, a comprehensive cloud native application protection platform (CNAPP) that secures cloud infrastructure, sensitive data, and native application deployments across your multicloud environments.

The powerful CIEM functions in Posture Control let you take advantage of:

Comprehensive IAM risk posture visibility

AI- and ML-powered analytics help you manage the sheer volume of entitlements data. A risk-based view of human and nonhuman identities allows you to easily identify excessive high-risk permissions and inspect cloud identity configurations.

Risk-based prioritization

Most security platforms generate far too many alerts to be actionable. Posture Control prioritizes your organization’s security risks based on your profile, allowing for maximal risk reduction with minimal effort.

Entitlement rightsizing

Posture Control uses machine learning, cohort analysis, and more to identify hidden, unused, and misconfigured permissions as well as risky access paths for sensitive resources unique to each cloud platform, which you can remove to minimize your attack surface and achieve least-privileged access.

Secure DevOps

Effective entitlement management in your DevOps processes removes the need to compromise on security or innovation.

Consistent, compliant IAM configuration

By enforcing consistent policies and automated guardrails across multicloud environments and ensuring IAM compliance with CIS, GDPR, SOC2, NIST, PCI DSS, ISO, and more, you gain powerful, granular control over access to your valuable assets.