Why Cloud Infrastructure Entitlement Management?
Analyst firm Gartner has reported that over the next three years 99% of cloud security failures will be the customer's fault, and that 75% of these failures will result from improper management of identities, access and privileges.
Gaining complete control over all identities, their access and their privileges is challenging because of the large number of permissions in a typical enterprise infrastructure. There will also be several thousand identities, each with distinct permissions to access multiple resources. Add to this mix developers who spin up environments hastily and grant excess entitlements, and it quickly becomes impossible to manage and govern these identities manually.
What is Cloud Infrastructure Entitlement Management?
Gartner's Hype Cycle for 2020 saw the introduction of a new entrant into the cloud security space: Cloud Infrastructure Entitlement Management (CIEM). Those of you familiar with the Gartner Hype Cycle must be wondering, "what is this segment?". Let's dig deeper into this.
“Gartner defines Cloud Infrastructure Entitlement Management (CIEM) as specialized identity-centric SaaS solutions focused on managing cloud access risk via administration-time controls for managing entitlements and data governance in hybrid and multi cloud IaaS architectures. CIEM Solutions leverage analytics and machine-learning to detect anomalies around identities and entitlements.”
Source: forbes.com
Visibility
- Discovering all the identities sprawled across your cloud infrastructure is paramount to enforcing good access policies. You need to know exactly how many Service Accounts, IAM Users, Roles and Policies exist across the accounts in your cloud provider. If you have a multi-cloud posture, then you must have this visibility across every cloud you use.
- Understanding the privileges that are actually being used by these identities and, most importantly, the privileges that are NOT USED. Unused privileges are the single biggest factor that can inflate your IAM risk score and result in privilege creep.
- Ability to see the granular permissions held by IAM Users, Roles and Service Accounts. This is essential for defining least-privilege policies.
- Identifying your high-risk users: the ability to profile users and see a risk score for each one based on the entitlement sprawl they may have.
Governance
- Ability to enforce least-privilege policies across your identities. Privilege creep continues to be the #1 threat in the cloud ecosystem. If we look at any of the major cloud breaches of the last couple of years, almost all of them involved an identity being compromised, the attacker then leveraging the entitlements attached to that identity to move laterally within the infrastructure and finally exfiltrate data. This is one of the top concerns for CISOs and IAM leadership in any organization. To offset these threats, you need the following capabilities:
- Ability to baseline your cloud environment for identity hygiene by validating it against compliance and best-practice policies for IAM, based on the cloud(s) you operate in. This could be a set of identity-usage best practices defined by that cloud provider, combined with custom IAM governance policies that matter to you as an enterprise. Finding high-risk users, identifying unused permissions and similar metrics help you understand your current state.
- Getting this in place is a tough act, especially when you have a large cloud portfolio that spans multiple cloud providers, so automation should be the default choice here.
- The ability to create custom policies is key. Every organization is different, and rolling out IAM governance policies applicable to your organization in a consistent manner across your multi-cloud environment should be a priority.
- Ability to detect and alert on anomalous activities, which is crucial to detecting lateral movement within your cloud. Flag suspicious activity such as data deletion, sensitive data access and login anomalies.
IAM Auditing & Forensics
- Ability to investigate identities and identify the actions taken and resources accessed for a certain time range.
- Identify failed IAM events and narrow down to the root cause.
- Ability to help incident response teams narrow down the "who did what and when" question.
- The ability to start from a specific identity or cloud resource and identify the configuration or access changes made is a must-have feature.
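As an added illustration of the Visibility and Auditing capabilities described above (example code written for this post, not part of C3M's product): given a constructed set of granted entitlements and a constructed activity log, it computes each identity's unused permissions, a risk score using an assumed weighting for privilege-escalating actions, and answers the "who did what and when" question for a time range.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample: the entitlements each identity's policies grant.
GRANTED = {
    "role/ci-deployer": {"s3:GetObject", "s3:PutObject", "s3:ListBucket", "s3:DeleteBucket", "iam:PassRole"},
    "user/alice": {"s3:GetObject", "iam:CreateUser", "iam:AttachUserPolicy"},
    "sa/backup-job": {"s3:GetObject", "s3:ListBucket"},
}
# Constructed sample activity log: "timestamp identity action", one event per line.
ACTIVITY_LOG = """\
2024-03-01T08:00:00 role/ci-deployer s3:PutObject
2024-03-01T08:00:05 role/ci-deployer s3:GetObject
2024-03-02T09:30:00 user/alice s3:GetObject
2024-03-05T02:10:00 sa/backup-job s3:ListBucket
2024-03-05T02:10:01 sa/backup-job s3:GetObject
"""
# Assumed weighting: permissions that can escalate privilege or destroy data weigh 3x.
HIGH_RISK = {"iam:CreateUser", "iam:AttachUserPolicy", "iam:PassRole", "s3:DeleteBucket"}

def parse_log(text):
    """Return (timestamp, identity, action) tuples from the log text."""
    events = []
    for line in text.splitlines():
        ts, identity, action = line.split()
        events.append((datetime.fromisoformat(ts), identity, action))
    return events

def used_permissions(events):
    """Map each identity to the set of actions it was actually seen performing."""
    used = defaultdict(set)
    for _, identity, action in events:
        used[identity].add(action)
    return used

def unused_permissions(granted, used):
    """Granted minus observed: the entitlement sprawl a CIEM tool would flag."""
    return {ident: perms - used.get(ident, set()) for ident, perms in granted.items()}

def risk_score(unused):
    """Per-identity score: 1 per unused permission, 3 for a high-risk one."""
    return {ident: sum(3 if p in HIGH_RISK else 1 for p in perms)
            for ident, perms in unused.items()}

def who_did_what(events, identity, start, end):
    """Audit question: actions by one identity within an ISO-8601 time range."""
    lo, hi = datetime.fromisoformat(start), datetime.fromisoformat(end)
    return [(ts.isoformat(), act) for ts, ident, act in events
            if ident == identity and lo <= ts <= hi]
```

The set of used permissions per identity is also the right-sized allow list a least-privilege policy would be built from.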
Compliance Reporting
- Ability to report and benchmark against different industry benchmarks and compliance requirements.
Automation & Remediation
- Automation plays a big part in ensuring that your IAM teams have the right toolset to continuously analyze identity behaviour and also trigger remediations wherever possible.
- Example: monitoring excess privileges for an identity and revoking that access when it violates the IAM policies.
The C3M Approach to CIEM
C3M is launching its C3M Access Control to address all the problem statements mentioned above, help enterprises gain complete control over identities and infrastructure entitlements, and right-size identity privileges. C3M Access Control will be closely integrated with the C3M Cloud Control platform and will help enterprises automate cloud infrastructure entitlement management and manage identities at scale.
Get in touch with us to learn more about C3M’s CIEM capabilities.