What is CIEM and why should CISOs care?
Cloud infrastructure entitlement management offers companies an edge in the cloud permissions gap challenge. Mahendra Ramsinghani explains how CIEM differs from SIEM.
Among the many changes of 2020, Gartner added a new category to its Identity and Access Management Technologies Hype Cycle: cloud infrastructure entitlement management. While CIEM may sound and look similar to security information and event management, the two security solutions are not the same, and CIEM is going to be increasingly vital as organizations continue to prioritize companywide digital transformation.
SIEM was the first class of product that could collect, store and analyze logs from servers and network devices in one place, generating security alerts and speeding up incident response and remediation. Products such as IBM QRadar and HP ArcSight have been in the SIEM market for a long time, and cloud-first SIEM vendors, including Splunk, Sumo Logic and Exabeam, offer capabilities better suited to cloud-first and hybrid environments. But none of these SIEM vendors offer CIEM as of yet.
According to Gartner: "Cloud infrastructure entitlement management (CIEM) offerings are specialized identity-centric SaaS solutions focused on managing cloud access risk via administration-time controls for the governance of entitlements in hybrid and multicloud IaaS. They typically use analytics, machine learning (ML) and other methods to detect anomalies in account entitlements, like accumulation of privileges, dormant and unnecessary entitlements. CIEM ideally provides remediation and enforcement of least privilege approaches."
For us, this means CIEM is the next generation of solutions for managing access and enforcing least privilege in the cloud. And, while CIEM does not fit neatly into any of the four established IAM categories -- access management, identity governance and administration, privileged access management and user authentication -- it has the potential to play across all of them while addressing new challenges in the multi-cloud universe.
Multi-cloud increases security complexity
By the end of 2020, the worldwide public cloud market reached an estimated $250 billion, and Gartner predicted: "By 2023, 75% of security failures will result from inadequate management of identities, access and privileges, up from 50% in 2020." The 2019 Capital One breach, in which an IAM role attached to a misconfigured EC2 instance carried far broader S3 access than the workload needed, is the most notable example of these increasing security challenges.
As multi-cloud adoption continues to increase, moving workloads to such environments requires careful analysis of IaaS accounts, privileges and activity, along with granular controls, since privileges and access control work differently for each cloud provider. This has created both a permissions gap in enterprises and an opportunity in the marketplace. Gartner research showed: "By 2023, a new category of SaaS-delivered, converged identity and access management (IAM) platforms will be the preferred method for identity governance and administration (IGA), access management (AM) and privileged access management (PAM) in more than 45% of new IAM deployments."
So, why should CISOs care?
With a focus on digital transformation and multi-cloud environments, here are four risks that contribute to the cloud permissions gap that CISOs and security operations center teams need to look out for right now:
- Inactive identities and super identities. Every company has at least a few inactive identities: former employees, testing and proof-of-concept accounts and many other scenarios leave identities hanging around that still carry their entitlements. Even more concerning are the super identities, including poorly controlled break-glass accounts, that hold unlimited permissions and unrestricted access to every cloud resource the organization runs.
- Overpermissioned active identities. Most identities exercise only a fraction of the permissions they hold, and continuously tracking the proliferation of new services, roles and permissions in the cloud to find that gap is almost impossible to do manually.
- Cross-account access. Organizations use cross-account roles to let identities reach different environments -- development, test, production, etc. -- and to let third parties into their accounts. This is both convenient and a potential vulnerability. The inherent danger is an overprovisioned IAM role: because an assumed role hands its entire permission set to any principal its trust policy allows, a misconfigured role can cause significant, and costly, ripple effects across the account.
- Anomalous behavior among machine identities. Nonhuman identities -- scripts, bots, service accounts, access keys, etc. -- typically perform the same repetitive actions. If a machine identity executes an action it has never performed on a resource it has never accessed, chances are someone is misusing its credentials.
Each of these examples, and more, has created a new attack surface for attackers in the cloud, and most organizations have little visibility into it. The most effective way to combat them is to enforce the principle of least privilege continuously, which is what a CIEM solution is built to do: it detects dormant and excess entitlements and anomalous behavior, and automatically remediates them while keeping permissions aligned with least privilege.
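As an added illustration of the four checks above (not code from this article, from Gartner or from any CIEM product), the following Python script runs simplified versions of them over constructed data: an entitlement inventory, a handful of CloudTrail-style activity records and two cross-account trust policies. The dormancy window, the baseline cutoff, the identity names, account IDs and ARNs are all assumptions made for the example; a real CIEM product would feed these checks from the cloud providers' IAM and audit APIs rather than from in-line dictionaries.

```python
"""Simplified CIEM-style checks over constructed cloud IAM data.
Added example; not code from this article, Gartner or any CIEM vendor. Every
identity, grant, event, account ID, ARN and threshold here is a constructed assumption.
"""
from datetime import date, timedelta

DORMANT_DAYS = 90                   # assumed dormancy window
TODAY = date(2021, 1, 15)           # fixed "now" so the run is deterministic
BASELINE_CUTOFF = date(2021, 1, 1)  # activity before this date forms the baseline
MACHINE_IDENTITIES = {"ci-bot"}     # assumed inventory tag for non-human identities

# Constructed entitlement inventory: identity -> actions its policies allow.
GRANTS = {
    "alice": {"s3:GetObject", "s3:PutObject", "ec2:DescribeInstances"},
    "ex-contractor": {"s3:GetObject"},
    "breakglass-admin": {"*"},
    "ci-bot": {"s3:GetObject", "s3:PutObject", "kms:Decrypt", "iam:CreateAccessKey"},
}

# Constructed CloudTrail-style activity: (identity, date, action, resource ARN).
EVENTS = [
    ("alice", date(2021, 1, 10), "s3:GetObject", "arn:aws:s3:::app-logs/a.log"),
    ("alice", date(2021, 1, 12), "s3:GetObject", "arn:aws:s3:::app-logs/b.log"),
    ("ex-contractor", date(2020, 6, 1), "s3:GetObject", "arn:aws:s3:::app-logs/x.log"),
    ("ci-bot", date(2020, 12, 1), "s3:GetObject", "arn:aws:s3:::build-src/main.tar"),
    ("ci-bot", date(2020, 12, 1), "s3:PutObject", "arn:aws:s3:::build-artifacts/1.zip"),
    ("ci-bot", date(2020, 12, 8), "s3:PutObject", "arn:aws:s3:::build-artifacts/2.zip"),
    ("ci-bot", date(2021, 1, 11), "s3:PutObject", "arn:aws:s3:::build-artifacts/3.zip"),
    ("ci-bot", date(2021, 1, 14), "iam:CreateAccessKey", "arn:aws:iam::111122223333:user/ci-bot"),
]

# Constructed trust policies for roles assumed by third parties (AWS trust-policy shape).
TRUST_POLICIES = {
    "vendor-support-role": {"Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {"AWS": "*"}}]},
    "prod-deploy-role": {"Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"AWS": "arn:aws:iam::999988887777:root"},
         "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}}}]},
}

def dormant_identities(grants, events, today=TODAY, days=DORMANT_DAYS):
    """Identities holding entitlements with no activity inside the window, or ever."""
    last_seen = {}
    for ident, day, _, _ in events:
        last_seen[ident] = max(last_seen.get(ident, day), day)
    cutoff = today - timedelta(days=days)
    return {i for i in grants if i not in last_seen or last_seen[i] < cutoff}

def super_identities(grants):
    """Identities whose grants include the wildcard action."""
    return {i for i, actions in grants.items() if "*" in actions}

def unused_permissions(grants, events):
    """identity -> granted actions never exercised: the permissions gap to trim.
    Wildcard grants are skipped; super_identities() already reports them."""
    used = {}
    for ident, _, action, _ in events:
        used.setdefault(ident, set()).add(action)
    gap = {i: actions - used.get(i, set()) for i, actions in grants.items() if "*" not in actions}
    return {i: missing for i, missing in gap.items() if missing}

def risky_trust_policies(policies):
    """Roles any principal can assume, or that a foreign account can assume without
    an ExternalId condition (the confused-deputy guard for third-party access)."""
    risky = set()
    for name, doc in policies.items():
        for stmt in doc["Statement"]:
            principal = stmt.get("Principal", {}).get("AWS", "")
            conditions = stmt.get("Condition", {}).get("StringEquals", {})
            if principal == "*" or "sts:ExternalId" not in conditions:
                risky.add(name)
    return risky

def machine_anomalies(events, machine_ids=MACHINE_IDENTITIES, cutoff=BASELINE_CUTOFF):
    """Post-cutoff events by machine identities whose action AND resource were both
    absent from that identity's baseline: a never-seen action on a never-seen resource."""
    seen_actions, seen_resources = {}, {}
    for ident, day, action, resource in events:
        if ident in machine_ids and day < cutoff:
            seen_actions.setdefault(ident, set()).add(action)
            seen_resources.setdefault(ident, set()).add(resource)
    return [(ident, day, action, resource) for ident, day, action, resource in events
            if ident in machine_ids and day >= cutoff
            and action not in seen_actions.get(ident, set())
            and resource not in seen_resources.get(ident, set())]

def report(grants=GRANTS, events=EVENTS, policies=TRUST_POLICIES):
    """Bundle the four checks into one findings dict."""
    return {
        "dormant": dormant_identities(grants, events),
        "super": super_identities(grants),
        "unused": unused_permissions(grants, events),
        "risky_trust": risky_trust_policies(policies),
        "machine_anomalies": machine_anomalies(events),
    }

if __name__ == "__main__":
    for check, findings in report().items():
        print(f"{check}: {findings}")
```

Run the file directly to print the findings. Note what the machine-identity check does and does not flag: ci-bot writing a new artifact into a bucket it already uses is routine, while its first-ever `iam:CreateAccessKey` call against its own user is exactly the never-before-seen action on a never-before-touched resource described above. The trust-policy check treats every listed role as a third-party role, so a same-account role without an ExternalId would also be reported; a production version would compare the principal's account ID against your own before applying that rule.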
About the author
Mahendra Ramsinghani is author of The Business of Venture Capital (Wiley) and co-author of Startup Boards. When he is not writing books or blogs, he is investing in next-generation security companies, such as CloudKnox, Attivo Networks, Accurics, Tigera and others.