With more and more applications hosted across the cloud service providers, the attack surfaces increase as well. This is due the increased permissions for human and machine identities to access critical cloud resources. The number of permissions can easily go as high as several millions. A major chunk of these permissions, sometimes as much as 90% or more are unused, excessive and they pose a tremendous risk to the environment.
Malicious insiders and attackers can exploit these permissions to get access to steal or alter sensitive data or interrupt the hosted cloud service.
Cloud security experts rate managing permissions a top challenge for human and machine identities. According to a new research by Gartner, the number one reason for cloud security failure will be the mismanagement of identities, privileges and access.
An example of data breach due to over permissioned accounts is the devastating breach that took place at ‘Capital One’ in the year 2019. The hackers were able to steal the customer data as the instance that hosted the Web Application Firewall had excessive permissions which enabled the threat actor to access the sensitive data. This incident shows that you can’t ignore the threat due to excess permissions granted to any account.
What is Cloud Infrastructure Entitlement Management (CIEM)?
Entitlement management is a technology that grants, resolves, enforces, revokes and administers authorizations or privileges. With the steady rise in number of entitlements across cloud infrastructure, it is not feasible to use manual methods for determining least-privilege access.
Cloud infrastructure entitlement management (CIEM) is a term introduced by Gartner in the year 2020 to describe the next generation of solutions for enforcing least privilege in the cloud. It addresses cloud native security challenges of managing identity access management in cloud environments.
CyberArk’s Cloud Entitlements manager is a SaaS solution that reduces risk by implementing least privilege across cloud environments. It collects data on Identity Access Management entities and applies Artificial Intelligence (AI) to generate granular and immediately deployable JSON policy remediations. These JSON policy remediations remove the excessive and unused permissions without disturbing the access for ongoing operations.
Thus you will be able to continuously access their permissions exposures and identify ways to reduce risks faster via CIEM.
Effective CIEM involves.
CIEM Lifecycle
Account and Entitlement Discovery: You need to get an accurate picture of all the entitlements across your cloud infrastructure to be able to achieve least privilege. Also, you have to understand the gap between the desired entitlements and the actual entitlements that have been granted.
Cross-Cloud Entitlement Correlation: It is most likely that your organisation is using multiple cloud service providers, each with its own rules for entitlements. It becomes necessary for you to have a central platform for enforcing enterprise policies across all platforms.
Entitlements Visualization: Visualization tools enable you to visualize all of the identities that have access to sensitive data.
Entitlements Optimization: CIEM solutions use advanced analytics to continuously identify excessive permissions and access the risk level of unused permissions. The CIEM solution then removes such permissions thereby greatly reducing the attack surface of your cloud environment.
Entitlements Protection: Whenever there are changes in the privileges, the CIEM solutions detect them. Also, they provide a configurable set of rules that should be enforced in your cloud environment that enable you to define the entitlement guardrails.
Entitlements Detection: The CIEM solutions continuously monitor the resources and policies which helps detect suspicious activity that could indicate an external threat or an internal human error.
Entitlements Remediation: CIEM solutions support multiple means of remediation. A new policy can be sent directly to the cloud provider via Application Programming Interface (API), or to a ticketing system or Identity Governance and Administration (IGA) system for fulfillment. For DevOps teams, remediation can be handled as part of the pipeline using Infrastructure as Code (IaC) platforms.
Benefits of CIEM
- Least privilege policy enforcement throughout the cloud estate. It identifies all the excessive and unused permissions in the cloud platform and immediately removes them for human and machine identities. Thus, proactively defending against insider and outsider threats.
- Proactively reduce risk and measure progress. Dynamic and environment specific exposure level scores determine the fastest paths to risk reduction.
- Operate cloud permissions securely and effectively. Leverages AI powered recommendations to easily remediate permissions.
- Gain cloud-agnostic visibility of permissions risk. All permissions to access resources across Amazon Web Services (AWS), AWS EKS, Azure and Google Cloud Platform (GCP) environments can be navigated and controlled from a centralized dashboard.
Conclusion
According to Gartner, through 2023, 99% of security failures will be the customer’s fault – and 75% of those failures will be the result of inadequate management of identities, access and privileges. With CIEM, you can implement least privilege across cloud environments, gain centralized, continuous visibility and mitigate security risk instantly.
We at
