How Enterprise Security Teams Benefit from Cloud Infrastructure Entitlement Management (CIEM)
April 21, 2021 - TAG Cyber
Dr. Edward Amoroso
Chief Executive Officer, TAG Cyber LLC
The global cyber security community has always benefitted from attention to key foundational principles that help guide enterprise risk management decision-making. One of these principles is known as least privilege – and it traces its origin all the way back to the earliest days of information security in the 1980s. The principle involves ensuring that privileges are restricted to the absolute minimum required to achieve a given mission objective.
A related security principle involves management of access policies for enterprise applications. Traditionally, an access management function has been used to enforce these policies, but more recently, this function has been managed through so-called entitlements. An entitlement provides fine-grained control of who can access what applications under which conditions. When stretched across an enterprise, it creates a new layer of policy control.
As one would expect, with enterprises globally accelerating their adoption of public cloud, a corresponding obligation emerges to perform entitlements management for these virtual assets across multi-cloud or hybrid cloud infrastructure environments. The resulting Cloud Infrastructure Entitlement Management (CIEM) is a new control category being promoted across the security industry.
This paper provides an overview of how CIEM can be integrated into an existing security architecture, and how it must be coordinated to function with enterprise identity and access management (IAM) protections. The paper also lists the benefits of implementing a proper CIEM platform in an enterprise, with attention to how CIEM fits into the obvious shift for most organizations from on-premises computing to public and hybrid cloud infrastructure use.
For enterprise teams who are guided by their existing legacy security configuration or by familiar protection frameworks such as the NIST Cybersecurity Framework, implementing CIEM across their multi-cloud platforms will require a new paradigm: standardizing on a single multi-cloud permissions and entitlements management platform. As such, it is imperative that CISO-led teams understand exactly how a CIEM solution integrates with their existing security and identity management tools and how it can be embedded into compliance programs.
Figure 1. CIEM Enterprise Architecture
Reference to entitlements in the context of cloud infrastructure is a minor, but important mindset shift for security teams. By combining elements of authentication and access policies into a common designation, entitlements allow security teams to remove access management from applications and integrate the function into a cloud-based service. This is welcome for teams who want more commonality in policy enforcement across multiple clouds.
At a more granular implementation level, additional factors will require attention to CIEM support for multi-cloud security posture management. Specifically, organizations will have to include enterprise security policy input to ensure proper federation to cloud. Additionally, any enterprise vulnerability and threat information will have to be integrated with CIEM support for entitlements.
Enterprise Benefits of CIEM
With enterprise IT infrastructure shifting toward more virtual, cloud-based operations, security teams are obliged to address the compliance and protection aspects of this change. The good news is that cloud entitlements can be managed with commercial platforms that offer excellent benefit, both for regulatory and compliance activities as well as for day-to-day prevention, detection, and response to cyber threats.
Below we outline five areas of benefit that have emerged for organizations who integrate CIEM platforms into their multi-cloud infrastructure. These benefits all share the characteristic of reducing overall risk – and each represents an area of cloud security management that is likely (in the opinion of this author) to become a requirement in future versions of key security frameworks such as the NIST Cybersecurity Framework (CSF).
Entitlement Management – CIEM deployments support rightsizing of entitlements allocations to ensure that permissions are allocated only when needed. Such rightsizing is consistent with least privilege goals for most enterprise permission and privilege schemes. The objective is to ensure that an exact match is provided at all times – including on-demand – for any users, systems, or workloads that require access to some resource.
The extension of enterprise computing to multi-cloud infrastructure makes this a more complex operation. The challenge is that different clouds will have their own policies and rules for accessing accounts, workloads, and data. By augmenting identity and access management (IAM) with CIEM capabilities, the access management functions for these multi-cloud services can be made more common and uniform across one enterprise.
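The rightsizing described above is, at its core, a comparison of what each identity is entitled to do against what it has actually done over an observation window. The following is an added example (not code from the paper or any vendor) of that comparison; the identities, permission names and activity records are constructed sample data, and the cloud-style action names are illustrative rather than any provider's schema.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample data: what each cloud identity is entitled to do.
# Action names are illustrative cloud-style permissions, not a vendor schema.
GRANTED = {
    "ci-deployer": {"storage:GetObject", "storage:PutObject", "storage:DeleteBucket",
                    "compute:StartInstance", "iam:AttachRolePolicy"},
    "report-reader": {"storage:GetObject", "storage:ListBucket", "kms:Decrypt"},
}

# Constructed sample activity: (identity, action) pairs observed over the window.
ACTIVITY = [
    ("ci-deployer", "storage:GetObject"),
    ("ci-deployer", "storage:PutObject"),
    ("ci-deployer", "compute:StartInstance"),
    ("report-reader", "storage:GetObject"),
    ("report-reader", "storage:ListBucket"),
    ("report-reader", "storage:DeleteBucket"),  # attempted, never granted
]

# Constructed: actions that escalate privilege or destroy data; unused grants
# of these are the first candidates for revocation.
HIGH_RISK = {"iam:AttachRolePolicy", "storage:DeleteBucket", "kms:Decrypt"}


@dataclass
class Rightsizing:
    keep: set                 # granted and exercised: the least-privilege grant
    unused: set               # granted but never exercised: candidates for removal
    unused_high_risk: set     # unused grants that are also high-risk
    attempted_ungranted: set  # exercised without a grant: a detection signal
    creep: float              # fraction of the grant that went unused


def rightsize(granted, activity):
    """Compare entitlements against observed use and propose a reduced grant."""
    used = defaultdict(set)
    for identity, action in activity:
        used[identity].add(action)
    result = {}
    for identity, perms in granted.items():
        unused = perms - used[identity]
        result[identity] = Rightsizing(
            keep=perms & used[identity],
            unused=unused,
            unused_high_risk=unused & HIGH_RISK,
            attempted_ungranted=used[identity] - perms,
            creep=len(unused) / len(perms) if perms else 0.0,
        )
    return result
```

In a real deployment the `keep` set becomes the new policy, the `unused_high_risk` set drives the first revocations, and `attempted_ungranted` feeds detection, since an identity trying actions it was never granted is a signal worth investigating.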
Credential Risk Reduction – The risk of credential theft or misuse is reduced when entitlements are managed in the context of an authorization model. This is important because so many modern cyber incidents include poor credential management as a root cause. The recent Verizon Data Breach Report, for example, listed stolen credentials as the number one hacking tactic for the fourth year in a row.
What this means is that CIEM integration into the IAM and multi-cloud infrastructure management not only supports improved posture assessment and compliance, but also will have a meaningful impact on reducing the intensity and frequency of actual cyber attacks. With more enterprise services moving from premise to cloud, this risk reduction should be viewed as an essential step for security teams.
Insider Risk Reduction – Since insiders tend to target user entitlements, CIEM deployments will reduce this risk – especially for cloud infrastructure access. Insiders represent a particularly insidious challenge, because they can take advantage of legitimately granted credentials and entitlements. This underscores the damage that can be done when administrators with heavy privileged access go bad.
The use of a CIEM to manage this entitlement allocation process is thus an essential aspect of any preventive cyber defense because it will help avoid the side-effects of insiders being granted more access than they actually need. In addition, if a CIEM platform includes on-demand management of entitlements, then it can also help with response actions taken during an attack on cloud resources.
Attack Surface Minimization – By improving management of cloud entitlements, the security team goes a long way toward reducing the attack surface of their organization. Where previously, an attack surface roughly matched the corporate perimeter, today’s modern attack surface extends out to hybrid multi-cloud infrastructure. This is a major departure from previous schemes and requires a new set of security controls.
As one might expect, CIEM solutions target the primary weakness in this new attack surface extension – namely, the identity and access characteristics of cloud-hosted resources. While it is certainly imperative to include many other types of protections such as activity monitoring and configuration controls, few would argue that properly orchestrating the allocation of entitlements will have a significant impact on reducing risk.
Identity-Related Compliance – Security compliance issues in the modern organization have clearly shifted from local-area systems to sprawling multi-cloud infrastructure. Amidst this change, however, one aspect of the compliance process hasn’t changed – and that is the emphasis placed on identity-related issues as a primary control for the enterprise. This has remained a significant focus area despite shifts from premise to cloud.
CIEM platforms are particularly well-suited to handling this compliance burden, because they can serve as one-stop-shop locations for the types of issues, requests, data requirements, and other obligations imposed by regulators and assessors on the security team. To that end, both security and compliance teams should be involved in the selection of a suitable commercial CIEM solution.
Enterprise teams who are operating cloud-based services or hosting applications in either private, hybrid, or public infrastructure should immediately begin to review commercial options to manage the entitlements. Luckily, many great commercial CIEM options now exist, so enterprise security portfolio managers should engage to develop requirements for their cloud entitlements management needs.
About TAG Cyber
Founded in 2016 by Dr. Edward Amoroso, TAG Cyber provides world class research and advisory services, with advanced market reporting for cyber security teams. TAG Cyber’s goal is to bridge the communication gap between commercial security vendors and enterprise practitioners. TAG Cyber’s insights are delivered through an innovative on-line portal with support for expert on-demand research.
Several excellent commercial options are now available for enterprise security teams. The CloudKnox solution team was particularly helpful during the development of this report. They shared deep insights with our analysts into how CIEM platforms work best in the context of a modern hybrid cloud architecture.
The existing requirements in familiar security documents such as NIST 800-53 rev. 5 do not yet include reference to the use of CIEM-like functionality in multi-cloud protection architectures.
https://spycloud.com/a-deep-dive-into-the-verizon-2020-data-breach-investigations-report/