Cloud Infrastructure Entitlement Management, or CIEM, has emerged as the latest buzzword in the world of cloud security. But just because CIEM is buzzworthy doesn’t mean everyone should integrate it into their cloud security strategies.
Keep reading for an overview of what CIEM means, how it compares to other cloud security activities, and how to implement CIEM if you decide it’s right for you.
What is cloud infrastructure entitlement management?
Cloud infrastructure entitlement management is the automated review of the access policies (entitlements) that grant privileges within cloud environments. The goal of CIEM is to identify entitlements that grant human or machine identities more privilege than they need; in other words, CIEM aims to enforce the principle of least privilege in the cloud.
For example, a CIEM tool would flag a cloud account that is able to create, delete, and run virtual machines when the user behind that account only needs to start and stop existing machines. In that case the account holds excess privileges, and the tool would recommend removing the create and delete permissions.
In addition to identifying rights risks, some CIEM tools can automatically mitigate them by changing access policies.
It is worth noting that, despite the name, CIEM is not limited to the privileges attached to cloud infrastructure. It can also identify and mitigate risks arising from access policies for Software-as-a-Service (SaaS) applications, cloud-hosted data, and other resources that you might not think of as infrastructure.
How is CIEM different from CSPM?
If CIEM sounds very similar to Cloud Security Posture Management (CSPM), that is because the two practices overlap in many ways. CSPM is the use of automated security tools to identify configuration issues that can create security risk in the cloud.
However, CIEM differs from CSPM in the following respects:
- Focus on privileges: CIEM only addresses security risks related to privileges and access policies. CSPM addresses different types of configuration risks, such as not requiring data encryption.
- Detailed access review: Most CIEM tools can infer what access a human or machine identity actually needs, typically from its observed activity, and compare that with the access it has been granted. CSPM tools usually don't perform this kind of contextual, case-by-case assessment; they look for configurations that are known to be unsafe.
- Detection of permission changes: CIEM tools can detect suspicious changes to permissions, such as a user who suddenly receives administrative privileges that nothing in their previous activity calls for. CSPM does not provide this kind of anomaly-based risk detection.
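The two checks above, and the over-privileged VM account described earlier, reduce to the same comparison: what an identity has been granted versus what its activity shows it using. The following is an added example (not code from the article or from any CIEM product) that runs both checks over constructed data: a handful of IAM-style grants, an activity log reduced to principal and action, and a few permission-change events. The `is_admin` heuristic and the action names are assumptions of the example.

```python
"""Toy CIEM checks on constructed data (added example, not from the article):
1. right-size a principal's granted actions against the actions it actually used;
2. flag permission-change events that hand administrative actions to a principal
   whose prior activity shows no administrative work.
Grants are listed as explicit actions; wildcard policies such as ec2:* would
need expanding to concrete actions before this comparison."""
from collections import defaultdict

# Constructed: principal -> actions granted by its IAM-style policies.
GRANTED = {
    "ci-runner": {"ec2:RunInstances", "ec2:TerminateInstances", "ec2:StartInstances",
                  "ec2:StopInstances", "ec2:DescribeInstances"},
    "analyst": {"ec2:StartInstances", "ec2:StopInstances", "ec2:DescribeInstances"},
}

# Constructed activity records, reduced to the two fields the checks need
# (a real tool would read CloudTrail, the Azure Activity Log or GCP audit logs).
ACTIVITY = [
    {"principal": "ci-runner", "action": "ec2:StartInstances"},
    {"principal": "ci-runner", "action": "ec2:StopInstances"},
    {"principal": "ci-runner", "action": "ec2:DescribeInstances"},
    {"principal": "analyst", "action": "ec2:DescribeInstances"},
    {"principal": "admin-alice", "action": "iam:AttachUserPolicy"},
]

# Constructed permission-change events: who added which actions to whom.
CHANGE_EVENTS = [
    {"grantee": "analyst", "added": {"iam:*"}, "by": "admin-alice"},
    {"grantee": "ci-runner", "added": {"ec2:RebootInstances"}, "by": "admin-alice"},
    {"grantee": "admin-alice", "added": {"iam:CreateRole"}, "by": "admin-alice"},
]


def is_admin(action):
    """Heuristic assumed by this example: identity-service actions and bare
    wildcards count as administrative."""
    service, _, name = action.partition(":")
    return service in ("iam", "*") or name == "*"


def used_actions(activity):
    """principal -> set of actions observed in the activity records."""
    used = defaultdict(set)
    for rec in activity:
        used[rec["principal"]].add(rec["action"])
    return used


def excess_privileges(granted, activity):
    """principal -> granted actions never observed in use (removal candidates)."""
    used = used_actions(activity)
    return {p: sorted(actions - used[p]) for p, actions in granted.items()}


def right_sized_policy(granted, activity):
    """principal -> the subset of granted actions that observed activity justifies."""
    used = used_actions(activity)
    return {p: sorted(actions & used[p]) for p, actions in granted.items()}


def suspicious_grants(events, activity):
    """Events that add administrative actions to a grantee with no administrative
    history, in the order they occurred."""
    used = used_actions(activity)
    flagged = []
    for ev in events:
        grants_admin = any(is_admin(a) for a in ev["added"])
        has_admin_history = any(is_admin(a) for a in used[ev["grantee"]])
        if grants_admin and not has_admin_history:
            flagged.append(ev)
    return flagged


if __name__ == "__main__":
    for principal, extra in excess_privileges(GRANTED, ACTIVITY).items():
        if extra:
            print(f"{principal}: remove {', '.join(extra)}")
    for ev in suspicious_grants(CHANGE_EVENTS, ACTIVITY):
        print(f"review: {ev['by']} granted {sorted(ev['added'])} to {ev['grantee']}")
```

Two caveats a practitioner should keep in mind before auto-remediating on output like this: an action unused during the observation window is not necessarily unneeded (break-glass roles and quarterly jobs are the usual false positives), and the "administrative" set is a judgement call that should be tuned per cloud rather than hard-coded as above.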
Despite these differences, reasonable people can disagree about whether CIEM is simply an extension of CSPM or a fundamentally different cloud security domain.
Why CIEM and why now?
It’s likely that at least part of the reason CIEM has become a buzzword in the past year is that CSPM platform marketers have latched onto it to differentiate their products from other CSPM solutions, much as many application performance management tools have been renamed “observability” platforms in recent years, or as marketers apply the “AIOps” label to IT automation tools that were born before anyone talked about AIOps.
That is to say, the CIEM trend partly reflects marketing buzz. Some of the functionality that CIEM tools provide was already available in traditional CSPM platforms before vendors defined CIEM as a new cloud security category.
Still, there’s more to it than marketing. The rise of CIEM also reflects the fact that cloud environments have become so large and so complex that manual approaches to privilege management are no longer sufficient to mitigate security risks. In a cloud environment with hundreds of users and thousands of workloads, hundreds of thousands of access rights may be configured. CIEM tools provide an automated means of checking that each of these privileges conforms to the principle of least privilege.
Also keep in mind that in a multicloud architecture a business will likely use several access control frameworks at once, since each cloud has its own system for defining privileges and access rights. The exact meaning of policies and conditions also differs between clouds; for example, what Azure calls a group is not the same construct as what AWS defines as a group. An advantage of CIEM tools in this context is that they provide a central platform for assessing privileges across clouds, regardless of how each cloud’s policies are expressed or managed.
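What "a central platform across clouds" amounts to in practice is a normalisation layer: provider-specific permission strings are mapped into one capability vocabulary so the same least-privilege check can run over an AWS IAM policy and an Azure RBAC role definition. The following is an added example, not code from the article or from any vendor; the `vm.*` vocabulary, the sample policy and role, and the `NEEDED` set are constructed assumptions. The AWS and Azure action strings themselves are real, and both providers accept `*` wildcards in their policies, which is why the matcher below expands patterns rather than comparing literals.

```python
"""Normalise AWS IAM actions and Azure RBAC actions into one capability
vocabulary and run a single least-privilege check over both.
Added example with constructed data; the vocabulary is an assumption."""
import fnmatch

# Assumed common vocabulary: capability -> the concrete provider action it maps to.
CAPABILITY_MAP = {
    "aws": {
        "vm.create": "ec2:RunInstances",
        "vm.delete": "ec2:TerminateInstances",
        "vm.start": "ec2:StartInstances",
        "vm.stop": "ec2:StopInstances",
        "vm.read": "ec2:DescribeInstances",
    },
    "azure": {
        "vm.create": "Microsoft.Compute/virtualMachines/write",
        "vm.delete": "Microsoft.Compute/virtualMachines/delete",
        "vm.start": "Microsoft.Compute/virtualMachines/start/action",
        "vm.stop": "Microsoft.Compute/virtualMachines/deallocate/action",
        "vm.read": "Microsoft.Compute/virtualMachines/read",
    },
}

# Constructed AWS policy document. Only Allow statements are considered;
# Deny, conditions and resource scoping are out of scope for this example.
AWS_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:*"], "Resource": "*"},
]}

# Constructed Azure custom role definition. Only Actions are considered;
# NotActions and DataActions are out of scope for this example.
AZURE_ROLE = {"Name": "VM Operator", "Actions": [
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Compute/virtualMachines/*/action",
]}

# Assumed requirement for a VM operator: run existing machines, never create or delete them.
NEEDED = {"vm.start", "vm.stop", "vm.read"}


def aws_allowed_actions(policy):
    """Collect action patterns from the policy's Allow statements."""
    actions = []
    for statement in policy["Statement"]:
        if statement.get("Effect") != "Allow":
            continue
        action = statement["Action"]
        actions.extend([action] if isinstance(action, str) else action)
    return actions


def azure_allowed_actions(role):
    """Collect action patterns from the role definition's Actions list."""
    return list(role["Actions"])


def capabilities(provider, allowed_patterns):
    """Expand a provider's allow patterns into the common vocabulary.
    Matching is case-insensitive, as both providers' policy evaluation is;
    fnmatch's '*' spans '/' and ':' so mid-string wildcards work too."""
    caps = set()
    for cap, concrete in CAPABILITY_MAP[provider].items():
        if any(fnmatch.fnmatchcase(concrete.lower(), pat.lower()) for pat in allowed_patterns):
            caps.add(cap)
    return caps


def excess(caps, needed):
    """Capabilities granted beyond what the role needs, in stable order."""
    return sorted(caps - needed)


if __name__ == "__main__":
    for provider, allowed in (("aws", aws_allowed_actions(AWS_POLICY)),
                              ("azure", azure_allowed_actions(AZURE_ROLE))):
        caps = capabilities(provider, allowed)
        print(f"{provider}: has {sorted(caps)}, excess {excess(caps, NEEDED)}")
```

Run as-is, the AWS `ec2:*` statement resolves to all five capabilities and is reported as over-privileged by `vm.create` and `vm.delete`, while the Azure role's `*/action` pattern resolves to exactly the start, stop and read capabilities and passes. The same check, with no per-cloud branching, is the whole point of the normalisation step.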
So, who needs CIEM? And where can you get it?
In general, any company with a large-scale cloud environment can benefit from CIEM. And the more clouds and cloud services you use, the more useful CIEM will be in mitigating security risks everywhere.