Cloud Infrastructure Entitlement Management (CIEM) Explained

Gui Alvarenga - April 7, 2022

As today’s enterprises transition more of their systems and business processes to the cloud, the challenge of governing and monitoring access to those resources grows increasingly complex. Cloud resources are no longer static and predictable. In addition, enterprises no longer operate in just one cloud but instead are adopting multi-cloud approaches to their infrastructure. Therefore, establishing proper permissions for accessing those resources is no longer straightforward. The solution to this challenge is cloud infrastructure entitlement management (CIEM).

What are cloud infrastructure entitlements?

Cloud providers operate with a shared responsibility model. With infrastructure as a service (IaaS) offerings, the cloud provider makes services and storage available and guarantees the physical security of its data centers. However, the user of the IaaS offering is responsible for securing what runs on that infrastructure, including establishing who (or what) can and cannot access those infrastructure resources.

Dynamic resources and the complexity of multi-cloud setups

In an environment with static resources, cloud providers use Identity and Access Management (IAM) rules to govern access. For example, any user with the deployments-manager role could have permission to reboot a certain compute (e.g. EC2) instance. Meanwhile, a CI/CD pipeline with the automated-test-runner role might have permission to SSH into that instance in order to execute a test.

In today’s cloud environments, however, resources are ever-changing. Many resources are ephemeral—provisioned or deprovisioned based on the scaling needs of any given moment. Although cloud providers have solutions in place for granting permissions to ephemeral resources, each cloud provider has its unique way of doing so. This leaves enterprises with the challenge of managing and understanding permissions across multiple clouds.

Cloud infrastructure entitlements comprise the various permissions granted to entities to access cloud resources. As we’ll see, in a multi-cloud environment operating at the scale of thousands of resources, managing and keeping track of an enterprise’s cloud infrastructure entitlements is an incredibly complex task.

What is cloud infrastructure entitlement management (CIEM)?

CIEM is a relative newcomer in the cloud security technology space, and it gained prominence through its inclusion in Gartner’s Hype Cycle for Cloud Security, 2020. In that report, Gartner provides the following definition:

Cloud infrastructure entitlement management (CIEM) offerings are specialized identity-centric SaaS solutions focused on managing cloud access risk via administration-time controls for the governance of entitlements in hybrid and multi-cloud IaaS.

CIEM helps enterprises to manage entitlements across all of their cloud infrastructure resources. The primary goal of this tool is to mitigate the risk that comes from the unintentional and unchecked granting of excessive permissions to cloud resources.

What challenges does CIEM address?

Managing and monitoring access to cloud resources presents several challenges which CIEM seeks to address.

Managing access to ephemeral resources

In today’s cloud environments, people or processes might provision or deprovision resources at any given moment. Managing access to those resources requires a dynamic approach. Monitoring access to those ephemeral resources is similarly complex.

Over-permissioned access to cloud resources

With a manual or careless approach to permissions, many enterprises err on the side of granting access too coarsely. Consider the example of attaching IAM policies for a new member of the engineering team. Perhaps to avoid blocking the new member from performing tasks, or to spare them from repeatedly asking for more permissions, the enterprise errs on the side of granting that member excessive permissions covering all sorts of actions, including actions unrelated to their tasks or responsibilities.

This granting of excessive permissions significantly raises the risk of a security breach.

Gaining clarity at scale

Cloud infrastructure access is not as simple as users accessing resources. Resources that may need to be accessed include:

  • Virtual machines
  • Containers
  • Serverless functions
  • Databases
  • Persistent storage
  • Applications
  • … and more

Meanwhile, the entities that need to access these resources may include:

  • Users
  • IoT devices
  • Other serverless functions
  • Other applications
  • Other cloud accounts

In an environment with hundreds of resources or more, coupled with potentially hundreds or thousands of entities requiring access to some resources but not others, the need for clarity in access management is tremendous. Especially where enterprises have erred on the side of over-permissioning, they need a clear understanding of which entities hold more privileges than they ought to. That clarity allows them to rein in excessive permissions and reduce the risk of a security breach.

Multi-cloud complexity

Many enterprises adopt a multi-cloud approach, choosing to host their resources in different clouds because of cost, availability, or other factors. AWS, Azure, and GCP each have different approaches to IAM, as does every other cloud provider. This leaves enterprises without a single, unified approach to managing permissions across all of their cloud resources. Instead, they need to parcel out and coordinate multiple approaches for multiple cloud providers.

Tracking and discovery of access risks

With various users, applications, and machines each given various privileges to access cloud resources, tracking access is necessary for ensuring security and improving an enterprise’s security posture. However, at a scale of hundreds or thousands of resources, this kind of tracking is immensely difficult to implement.


How does CIEM address these challenges?

Today’s CIEM solutions provide enterprise security teams with dashboards for easy visualization of all their resources across all their clouds. Built into these dashboards are controls to manage entitlements to those cloud infrastructure resources. CIEM solutions handle both the massive scale and the ephemeral nature of resources in today’s cloud environments.

The standard approach of CIEM solutions is to apply the Principle of Least Privilege: granting a user (or any entity) only the minimum set of permissions necessary to perform its role. By taking this approach, CIEM solutions start from a posture that avoids the dangers of excessive permissions.

CIEM solutions also unify security terminology and usage across all clouds, which reduces the need for teams to switch context between the differing models of multiple cloud providers.

Lastly, many CIEM solutions use machine learning to analyze access records and configurations to determine an enterprise’s potential access risks. Through this, a CIEM can help identify excessive entitlements and mitigate the risk of a security breach.
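As an added example (not part of the original post and not any vendor's product), the toy review below does at small scale what this section and the over-permissioning section above describe: it expands a constructed, over-permissioned IAM-style policy for the page's hypothetical deployments-manager role, compares the grants with constructed access records, flags wildcard statements, and rebuilds the policy down to the privileges actually exercised. The role name, ARNs, account id and action catalogue are all constructed for illustration.

```python
"""Toy CIEM-style entitlement review: added example, not any vendor's code.
Compares what an IAM-style policy grants with what the identity actually did,
flags coarse wildcard grants, and emits a least-privilege replacement.
Role name, ARNs, access records and the action catalogue are all constructed."""
import fnmatch
# Constructed over-permissioned policy for the page's hypothetical "deployments-manager"
# role, which only needs to reboot one EC2 instance and read deployment artifacts.
OVER_PERMISSIONED = {"Statement": [
    {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::deploy-artifacts/*"},
]}
# Constructed access records: resource -> actions actually exercised in the review window.
USED = {
    "arn:aws:ec2:us-east-1:123456789012:instance/i-0abc123example": {"ec2:RebootInstances"},
    "arn:aws:s3:::deploy-artifacts/*": {"s3:GetObject"},
}
# Constructed catalogue a wildcard expands against (real providers list thousands).
CATALOGUE = ["ec2:RebootInstances", "ec2:DescribeInstances", "ec2:TerminateInstances",
             "ec2:RunInstances", "s3:GetObject", "s3:PutObject", "iam:PassRole"]
def _as_list(value):
    return [value] if isinstance(value, str) else list(value)

def granted_actions(policy, catalogue=CATALOGUE):
    """Expand every Allow statement's action patterns (case-insensitively) against the catalogue."""
    granted = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in _as_list(stmt["Action"]):
            granted.update(a for a in catalogue if fnmatch.fnmatchcase(a.lower(), pattern.lower()))
    return granted

def wildcard_statements(policy):
    """Indexes of statements with a '*' action pattern or a bare '*' resource: too coarse to audit."""
    return [i for i, s in enumerate(policy["Statement"])
            if any("*" in a for a in _as_list(s["Action"]))
            or any(r == "*" for r in _as_list(s.get("Resource", "*")))]

def unused_entitlements(policy, used=USED, catalogue=CATALOGUE):
    """Granted but never exercised: the excess a CIEM would recommend removing."""
    return sorted(granted_actions(policy, catalogue) - set().union(*used.values()))

def least_privilege_policy(used=USED):
    """Rebuild the policy from observed usage: one statement per resource, only the actions seen."""
    return {"Statement": [{"Effect": "Allow", "Action": sorted(actions), "Resource": resource}
                          for resource, actions in sorted(used.items())]}

if __name__ == "__main__":
    print("wildcard statements:", wildcard_statements(OVER_PERMISSIONED))
    print("granted but unused:", unused_entitlements(OVER_PERMISSIONED))
    print("least-privilege policy:", least_privilege_policy())
```

Running it reports statement 0 as a wildcard grant and three ec2 actions that were granted but never used; the rebuilt policy has no wildcards and no unused grants.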

Conclusion

The traditional IAM approach in static cloud environments is insufficient when applied to today’s dynamic, multi-cloud environments. In addition, a manual approach applied at the scale of today’s environments—with potentially thousands of resources and even more entities needing access to those resources—is untenable and would result in unintentionally excessive permissions, leading to a high risk of a security breach.

The solution to this challenge is cloud infrastructure entitlement management, which brings access governance and monitoring across multiple clouds to a central SaaS solution. CIEM offerings also provide dashboards for management, leverage AI/ML for risk assessment and identification, and unify an enterprise’s approach to access across all clouds.

Learn the CrowdStrike Cloud Security approach for access management and security posture with Falcon Cloud Security.

GET TO KNOW THE AUTHOR

Guilherme (Gui) Alvarenga is a Sr. Product Marketing Manager for the Cloud Security portfolio at CrowdStrike. He has over 15 years' experience driving Cloud, SaaS, Network and ML solutions for companies such as Check Point, NEC and Cisco Systems. He graduated in Advertising and Marketing from the Universidade Paulista in Brazil, and pursued his MBA at San Jose State University. He studied Applied Computing at Stanford University, and specialized in Cloud Security and Threat Hunting.