Cloud Infrastructure Entitlements Management (CIEM) - Why Identity Management in the Cloud is Difficult

Key Takeaways

  • Identity and Access Management in the cloud is challenging because of the ever-increasing volume and complexity of “service identities” and their respective entitlements

  • Large scale hacks such as SolarWinds and the Capital One data breach (2019) occurred, in part, due to failed identity management in the cloud

  • CIEMs can detect and remediate IAM risks throughout single and multi-cloud environments, by leveraging automation and machine learning

The widespread adoption of cloud infrastructure has changed the landscape of Identity and Access Management (IAM) systems. Networks were once perimeter-based and secured physically and by firewalls. The demand for remote access due to COVID-19 coupled with the technological trend of digitalization has increased the demand for cloud infrastructures and microservice architectures. In the cloud, physical borders have disappeared and identity has become the new perimeter defense. Conventional IAM solutions were designed to control human access to a limited set of systems and applications deployed in a corporate data center. With cloud infrastructure, IAMs must control and track access privileges for human and service identities across an ever-changing variety of cloud services.

Why CISOs need to worry about Identity and Access Management in the Cloud

Cloud services are becoming increasingly critical to many business operations; however, this new infrastructure provides a new attack surface for hackers. Recent successful attacks attributed to Russia have illustrated just how vulnerable the cloud is: the infamous SolarWinds attack, which impacted more than 100 large companies and 8 U.S. federal agencies, was enabled by compromising cloud identity systems. The hackers stole security certificates to create their own identities, which allowed them to bypass multifactor authentication and gain access.

This is not the only large-scale hack originating from a cloud weakness. In the 2019 breach at Capital One, an Amazon Web Services (AWS) vulnerability was exploited because of improper configuration by Capital One employees. The breach leaked 140,000 Social Security numbers and 80,000 bank account numbers.

In general, the volume of attacks on cloud services more than doubled in 2019, and that number is only expected to grow as organizations increasingly move operations to the cloud.

Challenges of Cloud Identity Management

Besides managing human identities, cloud infrastructure introduces an ever-increasing number of service identities that need to be managed. Every resource - virtual machines, containers, applications, etc. - has an identity that requires specific permissions, or “entitlements”, that are intertwined with those of all other services. Applications and services are instantiated on demand, and containers are spun up and shut down continuously. Enterprises can have tens of thousands of service identities. According to Gartner, “It is impossible to keep pace with this change, and therefore manual methods for determining least-privilege access are neither feasible nor scalable. To address this adequately, organizations need a more identity-centric view of their cloud infrastructure entitlements. Furthermore, as organizations begin to understand appropriate access, the ability to efficiently remove unneeded entitlements and adjust access policies is essential.” A multi-cloud environment only adds to the complexity, because service identities must also communicate across cloud boundaries.

Furthermore, there is a lack of consistency and standards across clouds. Businesses leveraging services from different cloud providers need to learn and configure multiple provider-specific tools. This work can become resource-intensive, time-consuming, and prone to errors. The vast scale and diversity of the cloud are forcing an evolution in IAM.

What is a CIEM?

The same Gartner report defines a CIEM: "Cloud infrastructure entitlement management (CIEM) offerings are specialized identity-centric SaaS solutions focused on managing cloud access risk via administration-time controls for the governance of entitlements in hybrid and multicloud IaaS. They typically use analytics, machine learning (ML) and other methods to detect anomalies in account entitlements, like accumulation of privileges, dormant and unnecessary entitlements. CIEM ideally provides remediation and enforcement of least privilege approaches."

CIEMs can automatically discover all user and service identities, so the fast-changing arsenal of containers and virtual machines does not cause administrator headaches. A CIEM also analyzes all of their entitlements, as granted by policies, and then uses analytics to detect anomalies and enforce least-privilege access.

Most CIEM solutions provide a centralized dashboard to track and control access permissions. They can track identities across different cloud providers (AWS, Azure, Google Cloud, etc.) and prioritize the risks they detect. Cloud-native IAM is a key trend for security professionals and investors to understand as they make decisions for their organizations.
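The core analysis described in the two paragraphs above (compare what a policy grants against what the identity actually exercises, flag never-used and dormant entitlements, recommend a least-privilege policy, and rank the findings) can be shown in miniature. The following is an added example written for this article, not code from any CIEM product or cloud provider; the policies, usage records, the 90-day dormancy window and the high-risk action list are all constructed assumptions in the spirit of a provider's "last accessed" report.

```python
from datetime import datetime, timedelta

# Constructed sample policies (identity -> granted actions); not real account data.
POLICIES = {
    "svc-order-api": {"s3:GetObject", "s3:PutObject", "s3:DeleteBucket", "iam:PassRole"},
    "svc-report-job": {"s3:GetObject", "dynamodb:Query"},
}

# Constructed usage records in the spirit of a provider's "last accessed" report:
# one (identity, action, ISO timestamp of most recent use) per entitlement used.
USAGE = [
    ("svc-order-api", "s3:GetObject", "2024-05-01T10:00:00"),
    ("svc-order-api", "s3:PutObject", "2024-05-02T11:30:00"),
    ("svc-report-job", "dynamodb:Query", "2024-01-15T03:00:00"),
]

# Assumption: an analyst-chosen set of actions that get priority when found unused.
HIGH_RISK = {"iam:PassRole", "s3:DeleteBucket", "iam:CreateUser"}
AS_OF = datetime(2024, 6, 1)  # constructed evaluation date for the sample data


def analyze(policies, usage, now, dormant_days=90):
    """Classify every granted action as active, dormant (last used more than
    dormant_days ago) or never used, and flag never-used high-risk actions."""
    last_used = {(i, a): datetime.fromisoformat(t) for i, a, t in usage}
    cutoff = now - timedelta(days=dormant_days)
    report = {}
    for identity, granted in policies.items():
        active, dormant, unused = set(), set(), set()
        for action in granted:
            when = last_used.get((identity, action))
            if when is None:
                unused.add(action)          # granted but never exercised
            elif when < cutoff:
                dormant.add(action)         # exercised, but not recently
            else:
                active.add(action)
        report[identity] = {"active": active, "dormant": dormant, "unused": unused,
                            "high_risk_unused": unused & HIGH_RISK}
    return report

def least_privilege_policy(report, identity):
    """Recommended trimmed policy: only the actions actually in use."""
    return set(report[identity]["active"])

def prioritized_findings(report):
    """Identities with unused high-risk entitlements first, then by excess count."""
    excess = lambda r: len(r["unused"]) + len(r["dormant"])
    return sorted(report, key=lambda i: (-len(report[i]["high_risk_unused"]), -excess(report[i])))
```

On the sample data, `svc-order-api` keeps only `s3:GetObject` and `s3:PutObject`, its never-used `iam:PassRole` and `s3:DeleteBucket` are flagged as high-risk excess, and `svc-report-job` shows a dormant `dynamodb:Query`.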

It is clear that the landscape and attack surfaces of digital infrastructure have changed dramatically in the last few years and security systems must evolve with that change. As organizations migrate to cloud infrastructure, they must also adopt a cloud-centric identity and access management system.