Why CIEM will become an indispensable part of the region’s future technology environments
Michael Byrnes, director – solutions engineering, iMEA, BeyondTrust, writes on delving into the need for CIEM and the benefits of the technology.
The GCC is humming with cloud activity, and understandably so. The cost-benefit analysis of cloud services had already proved favorable before the pandemic. Governments looking to deliver on economic visions were using it. Businesses looking to align with those visions and be part of their success story were using it. And consumers looking for streaming entertainment and cheap storage for self-made media were using it.
When COVID reared its head, those organizations that were still evaluating cloud had to get down from the fence and run to the barn. The cloud was the only way to deliver safety to employees (through remote work) and business continuity (through several other services). Right now, the list of hyperscale cloud providers that have regions in the GCC or are building them includes Google, Oracle, Microsoft, AWS, and IBM. Many of these launches were before the pandemic, so these companies definitely believe in the future of cloud in the region.
But the downside of cloud is the complexity of the technology environment, especially as it relates to security and identity management. Multiple clouds, personal devices and overworked IT and security staff — these factors combine to impose severe risk burdens on regional organizations.
Say ‘Hello’ to Kim
CIEM, pronounced “Kim”, stands for Cloud Infrastructure Entitlements Management, and it is designed for precisely the kinds of environment that we see more commonly today. Not only does it manage permissions and entitlements, it discovers them. And most importantly it enforces least-privilege standards throughout cloud ecosystems. CIEM is the ultimate multi-cloud watchdog.
Good for both public and private single-cloud setups, CIEM’s value is unlocked to a greater degree in multi-cloud. It is of immediate benefit to security teams that currently rely on a disparate bunch of tools, each native to a different cloud. The cloud’s flexibility adds a layer of complexity in multi-cloud arenas where different identities weave in and out of sensitive areas. These identities, whether for employees or third parties, tend to be over-provisioned. They therefore present a risk because if they are hijacked, they can offer widespread access to a malicious party.
Another tendency that exacerbates risk is the lack of portability of native identity-management tools. They cannot be used to manage identities in other clouds. This issue is at the center of the risk factors associated with multi-cloud.
The need for CIEM
Managing cloud identities and their entitlements through just-in-time (JIT) provisioning and least privilege may be Cloud Security 101 but finding the right solution to cover multi-cloud environments can be tricky. Such a system requires standardized controls, full visibility of the environment, and the ability to plug cloud security gaps and uncover compliance anomalies. Only then can security teams be assured of being able to chase down and prevent breaches.
CIEM enables the discovery, management, and monitoring of entitlements in real time. It can build comprehensive behavior models for each identity across multiple cloud infrastructures, including hybrid environments. Anomalies are flagged. Least-privilege is enforced. The changing of policies and entitlements is automated and capable of extending to traditionally incompatible cloud resources.
CIEM integrates with Privileged Access Management (PAM) solutions to homogenize the management of secrets, passwords, least privilege, and remote access. Least-privilege security models mean that each session, machine, employee, contractor, process — anything that uses a digital identity — will only receive enough permissions to perform a specific task. Additionally, the JIT access model ensures that those permissions expire when the task is completed. These practices greatly reduce the risk of compromised credentials, so the integration of CIEM with PAM is an excellent way to plug gaps.
The benefits of CIEM
By now, the benefits of CIEM should be clear. It is able to reach into every corner of the environment (from premises to multi-cloud) and provide a rich view of cloud identities and their entitlements. It enables the granular monitoring and configuration of permissions and tracks privilege models across the different cloud service providers they visit. And it automates a range of processes to maintain the integrity and relevance of each active identity and ensure it has access to every resource it needs for its owner (human or otherwise) to be productive, but no more than necessary.
CIEM is also capable of comparing cloud environments, discovering their differences, and issuing actionable insights on how to address the risks these dissimilarities may pose to the organization.
The ideal CIEM solution
CIEM has become a prerequisite of robust cloud-identity security and should be sought as part of an advanced PAM platform if security teams are going to receive the tools they need to address all the challenges they face regarding identities in cloud and multi-cloud environments.
The ideal CIEM solution will be able to automatically discover accounts and assess their entitlements, create an inventory of identities, and classify them by permissions sets, all in real time. This capability alone is a boon to organizations that are trying to align their security posture with the dynamic nature of cloud environments and the fleeting existences of their native resources.
Part of the discovery and inventory will be the determination of which identities are unique to a cloud and which are shared. The result will be a searchable repository that can be readily audited, and managed. Based on the information gathered, CIEM solutions can flag over-provisioning and enforce least privilege automatically. Real-time discovery also enables the identification of changes in account privileges, and the judgement of their necessity or appropriateness. Anomalies can be flagged for assessment as potential liabilities. And identities can be deleted or blocked if they violate any policy.
The future
CIEM will be an indispensable part of the region’s future technology environments. Its uncompromising policing of identities across multi-cloud environments is a perfect fit for current technology trends. Only with CIEM can organizations hope to conquer the unavoidable complexities with which they wrangle daily.