Achieve Least Privilege at Cloud Scale With a Cloud Infrastructure Entitlement Management (CIEM) SolutionNovember 18, 2020
Author: Mora Gozani, Head of Marketing at CloudKnox Security
When we talk about the origins of common security incidents and breaches, we rarely consider the problem as it relates to privileged identities and their access rights to cloud resources. But if you look back at the most high-profile breaches of the last few years, you will note a direct link to this emerging attack surface—which is the result of exponential and unmanaged growth in identities with excessive and powerful permissions.
These breaches underscore the concept of shared responsibility, which sharply delineates responsibilities between cloud providers and their customers. Moreover, the model places the responsibility for security “in the cloud”— including everything around identities, access, permissions, and authorization—solely on the customer (and not the cloud provider.)
As such, it puts a significant onus on internal IT resources because cloud security is only as good as an organization’s ability to control the level of access that identities have to their cloud infrastructures. Further, the actions these identities can take are dictated by the types of permissions they are granted. So, preventing the overprovisioning of both human and non-human identities, and quickly responding when those permissions are either accidentally misused or maliciously exploited, has become a top priority for enterprises.
Gartner recently predicted that 75% of all security failures by 2023 will be the result of inadequate management of identities, access, and permissions – and 99% of those will be the cloud customer’s fault. In response to this increasing threat, Gartner recently introduced a new cloud security category called Cloud Infrastructure Entitlement Management (CIEM) in its June 2020 Managing Privileged Access in Cloud Infrastructure report.
CIEM is defined as the next generation of solutions for managing privileged access and enforcing least privilege in the cloud. It addresses the limitations of existing IAM solutions and highlights the need for cloud-native identity-centric solutions that extend across multiple cloud platforms and continuously enforce the principle of least privilege at cloud scale.
CIEM includes a set of core requirements to help enterprises evaluate and implement the best solutions and processes to achieve a true least privilege state across their cloud infrastructures. While these requirements may appear daunting, the recommended lifecycle-based approach helps minimize the overall implementation burden.
A Lifecycle Approach to CIEM
A lifecycle framework for CIEM enables enterprises to continuously discover, manage, and monitor the activity of every unique human and machine identity operating in their clouds and ensures appropriate alerting of security and infrastructure teams to areas of unexpected or excessive risk. Critical aspects of a lifecycle approach include the ability to:
- Discover risk by uncovering who (identities) is doing what (actions), where (resources), and when across the cloud infrastructure
- Manage risk by ensuring identities have the least number of permissions needed to perform daily tasks – and no more
- Monitor risk by continuously tracking changes in identity activity (behavior) and prioritizing alerts based on pre- defined risk criteria
You can’t fix what you can’t see, which is why granular visibility is the first step in the CIEM lifecycle. It starts by uncovering all unique human and non-human identities that can touch an enterprise’s cloud infrastructure, what operations (or actions) they are authorized to execute, what actions they have historically performed, and which cloud resources they have accessed.
In hybrid and multi-cloud environments, this requires a CIEM solution that can abstract, collect, normalize, and present both real-time and historical identity activity in a single, unified, consumable format. It is only with this clarity and insight that organizations can begin to understand and mitigate the risk that over-permissioned identities pose.
Moreover, the solution should determine this risk by calculating the delta between permissions granted and permissions used over a specific period. From an identity perspective, security teams need this data to build “activity profiles” for each unique human and non-human identity in their cloud environments.
These profiles can then be used to baseline and measure risk, in addition to the organization’s ability to enforce and maintain a state of least privilege over time. “Activity profiles” can also be used to detect anomalous or suspicious behavior, such as an identity that suddenly performs a high-risk action for the first time on a critical or sensitive resource that it has never accessed before.
A CIEM solution should combine the visibility of real-time and historical activity data with a simple, automated remediation mechanism. Approaches to managing the risks of identities with excessive permissions may vary from vendor to vendor, but it is critical that the CIEM solution offers multiple right-sizing tactics that account for the disparities among the cloud service providers. For example, organizations should have the option to either create (or design) custom least-privilege roles based on the historical activity of one or more identities or remove unused or risky permissions directly from a high-risk identity profile.
As CIEM solutions evolve, the ability to “auto-remediate” will become key, especially as the complexity of managing multiple cloud operating models grows. This automatic functionality is about ensuring continuous “risk hygiene” and enforcing least privilege policies across an enterprise’s environment without ongoing involvement from the security and cloud infrastructure teams. For example, a periodic search for inactive identities would generate and automatically remove all permissions.
Gartner also recently advised security leaders to implement: “a process for quick and easy requesting and granting of additional privileges with minimal disruption to an individual’s workflow.” This capability, which has been referred to as privilege-on-demand (PoD), just-in-time (JIT) privileges or
JIT access, takes the least privilege concept one step further by suggesting that identities should not have any standing permissions at all unless they need them for a specific task. The idea is that, instead of granting always-on standing permissions, organizations can use this feature to limit access to permission(s) and/or resource(s) for a pre-defined time, at which point they are rescinded.
Such an approach mitigates the risk of permission abuse by significantly reducing the amount of time a cyber attacker or malicious insider has to gain access to privileged credentials before moving laterally through a system and gaining unauthorized access to sensitive data.
To maintain control and security within and across clouds, enterprises need consistent, up-to-the-minute information. But in the modern cloud environment, there are often tens of thousands of identities active at any one time. This makes comprehensive monitoring near impossible and points to the need for robust capabilities for continuous tracking of the activity patterns of all unique human and non-human identities across the cloud environment.
Enterprises should be able to monitor their cloud infrastructures from a multi-dimensional perspective. For example, monitoring activity through the “identity lens” enables security and cloud infrastructure teams to track changes based on the identity’s activity profile—and quickly ascertain which permissions have been used, which permissions have not been used, and which resources identities have accessed over time.
Continual monitoring of activity data is critical because it provides the context necessary to detect outlier or anomalous behavior, such as an identity that suddenly uses a high-risk permission (e.g. list S3 bucket) or accesses a sensitive resource (e.g. S3 bucket) for the very first time. And monitoring activity from a resource perspective accommodates tracking which identities are accessing a sensitive resource, and what types of actions they have performed on it.
Most importantly, when something anomalous does happen, the CIEM solution should include the option to invoke an automated remediation response or alert through email or third-party SIEM or SOAR tools. Security teams are overwhelmed by the avalanche of alerts, so it is simply not enough that the CIEM solution flag potential areas of risk or threat. Rather, it needs to deliver an easy and automated way to prioritize those alerts and assess them within context.
An increasing number of recent high-profile breaches and hacks have been attributable to the misuse of privileged identities with excessive high-risk permissions. Despite their best efforts with legacy approaches like RBAC and native CSP IAM solutions that fall short in functionality, enterprises still must confront a growing new attack surface – excessive permissions with access to cloud resources – created by accelerated cloud adoption.
A new approach to permissions management, CIEM, holds the promise of helping companies bring the process of properly managing permissions and roles back under control. Cloud- native CIEM offerings like CloudKnox’s Cloud Permissions Management Platform offer a lifecycle solution to permissions management by delivering continuous discovery, management, and monitoring of human and non-human identity activity across multiple cloud platforms. The usefulness of existing methods like RBAC and the limitations of CSP native IAM solutions cannot meet the specialized needs of enterprises operating in the cloud. Only through CIEM adoption will security and cloud infrastructure teams be able to protect their enterprises’ critical cloud resources and achieve a true least privilege state across their cloud deployments.
To learn more about how the CloudKnox Cloud Permissions Management Platform can help your organization reduce risk and achieve a continuous state of least-privilege across the cloud, visit cloudknox.io.BACK TO BLOG