Running confused deputy attacks exploiting the AWS Serverless Application Repository Early this month at …
Today, we want to introduce one more cloud security term: Cloud Infrastructure Entitlements Management (CIEM).
Table Of Contents
What is CIEM?
An essential part of every effective cloud security is properly administering identity and access management (so-called IAM) policies to users, workloads, and data (also called entitlements).
As an ever-increasing number of organizations is shifting their applications and workloads to the cloud, the number of cloud users, data, and workloads a security team has to manage increases drastically. This makes it challenging for security teams to assign the policies and permissions to the right actors. To cope with that, organizations rely on Cloud Infrastructure Entitlements Management (CIEM) solutions to properly manage IAM policies in cloud and multi-cloud environments.
CIEM solutions support security teams in applying the Principle of Least Privilege to the cloud resources and services, helping organizations defend themselves against data breaches, malicious attacks, and other risks posed by over-permissioned cloud resources.
What problems does CIEM solve?
IAM policy and entitlement misconfigurations or overly-permissioned resources can happen easily, as anyone within a company may unknowingly or unintentionally give a particular service or user too many permissions. A CIEM tool checks and identifies such errors and overly-permissioned services and users.
Preventing excessive privileges
Common security risks are overly-permissioned resources, which attackers may abuse to escalate their permissions. An (in-)famous example of the impact of over-permissioning is the Capital One Hack. To avoid the exploitation of excessive privileges, CIEM solutions apply the Principle of Least Privilege.
Monitoring identities and entitlements
A typical cloud environment comprises hundreds or even thousands of different identities, e.g., users, applications, cloud services, cloud resources, IoT devices, network components, and so on. All these actors own associated permissions, which grant them access to other actors or data. CIEM solutions help cloud security teams keep track of the different identities, associated IAM policies, and entitlements used in a cloud environment.
Checking for compliance
To detect any potential threats like permission abuse, CIEM analyzes the existing entitlements against enterprise policies. CIEM flags any suspicious entitlements that violate an organization’s compliance policies and helps cloud security teams by providing mitigation strategies.
Enforcing the Principle of Least Privilege
To reduce the attack surface and apply zero trust, CIEM solutions can help to apply this Principle by identifying all identities that have access to some resource and recommending reduced IAM policies.
Monitoring and inventory identities and entitlements
To successfully track identities and entitlements, an properly and up-to-date CIEM inventory is necessary. CIEM tools can automatically inventory and update all IAM policies and entitlements such that cloud security teams and tools, like SIEM can validate them.
Defining global policies
To enforce policies and compliance rules CIEM solutions monitor and check cloud environments. To make efficient use of these capabilities, organizations need to define common guidelines for all cloud environments and setups.
CIEM solutions support security teams in applying the Principle of Least Privilege and administering identity and access management in cloud environments. Nevertheless, as a siloed solutions CIEM tools only provide a limited value, a holistic view of the cloud environment in combination with cloud security posture management (CSPM) and risks assessment is a reasonable augmentation that is likely to produce a stronger security posture.