Organisations understand the business value of cloud environments like Amazon Web Services (AWS), Microsoft Azure and Google Cloud Platform (GCP), but many haven’t realised how these infrastructures increasingly place the onus on them to manage security risk. In fact, Analyst firm Gartner has estimated that over the next three years 99% of cloud security failures will be the customer’s fault. Further, Gartner predicts that 75% of those failures will result from inadequate management of identities, access and privileges.
To manage and reduce their attack surface, organisations must gain control over all human and machine identities and their access privileges within their cloud environments. This is no small task, as the number of enabled permissions in a typical enterprise cloud infrastructure can easily reach into the millions. In AWS alone, there are over 2500 permission settings that can apply to users, devices, applications and services.
Typical IaaS/PaaS applications can contain thousands of identities that belong to a variety of compute types, such as EC2 or lambda functions, and each of these identities have discrete permissions to access multiple resources including data repositories, network assets and secret stores.
Plus, enterprise developers who are under pressure to quickly spin up environments often grant broad entitlements to both people and infrastructure, and these excess permissions are nearly impossible to identify and eliminate once applications are in production. The problem of excess privileges has exceeded the capabilities of humans and our manual processes to manage them.
Given that just one misconfigured cloud entitlement can bring down an application or lead to a devastating breach, as occurred with Capital One, it is imperative to reduce this attack surface by enforcing “least privilege” across the board.
Taming cloud entitlements
Cloud Infrastructure Entitlement Management (CIEM) was introduced as a technology category this year by Gartner to describe a new approach designed specifically for managing access and enforcing least privilege in the public cloud. CIEM provides the following capabilities to automate the management of cloud infrastructure entitlements at scale:
Account and Entitlement Discovery: The first step toward achieving least privilege is to gather an accurate inventory of all entitlements, which given the dynamic nature of IaaS/PaaS environments, must be a continuous process that covers:
- All of the entities in the environment (e.g. services, compute instances, data stores, secrets)
- All of the policies (e.g. IAM policies, resource policies, permissions boundaries, ACLs)
- Native and federated identities (e.g. AWS IAM, Active Directory, Okta)
The second step of the discovery process is analysis so that the gaps between enterprise policy and the granted entitlements are exposed.
Centralised cross-cloud correlation: Virtually every organisation in the cloud now uses more than one service provider, and each cloud platform uses different mechanisms and terminology to address permissions. It’s become imperative to have a centralised mechanism that can enforce enterprise policies across all clouds.
Visualising entitlements: To make sense of the complex web of access permissions associated with a given identity, it’s important to have a way to visualise which ones have access to sensitive resources or what the access is for different roles, etc. It’s especially helpful if the visualisation can be switched back and forth between a tabular and graphical representation in order to filter, search and view metrics and scores that help quantify risks.
Optimising entitlements for least privilege: One of the most valuable benefits of CIEM is its ability to continuously analyse and remove excessive permissions, and reduce the attack surface of a cloud environment. This is typically accomplished through analytics that understand which permissions are being used, which are not being used and which are unnecessary for the identity to perform its functions. For identities related to services and infrastructure, CIEM can ensure they have sufficient entitlements to run under required scenarios, and nothing more, ensuring both security and business continuity.
Providing guardrails for entitlements: CIEM can also be used to detect when privileges are changed, for instance alerting to privilege escalation threats. Through configurable rulesets, CIEM can define and enforce critical entitlement guardrails in cloud environments.
Detecting threats: An additional benefit provided by CIEM is continuous monitoring of resources and policies to detect suspicious activity indicative of external threats, insider attacks or even human errors. This can be accomplished by configuring rules that correspond with existing enterprise security policy and streaming output to a SIEM or User Entity Behavior Analytics (UEBA) platform.
Remediating entitlements: Since entitlements can span multiple stakeholders and business processes, organisations can use CIEM to support their remediation orchestration pipelines. CIEM can send a new policy directly to the cloud provider via an API, a ticketing system or Identity Governance and Administration (IGA) system for fulfillment. For DevOps teams, remediation can be handled as part of the pipeline using Infrastructure as Code (IaC) platforms.
CIEM fills the void left by two adjacent technologies, cloud access security broker (CASB) and cloud security posture management (CSPM), by enabling organisations to govern identities, access entitlements and enforce least-privilege policies across multiple cloud provider platforms. Most importantly, it reduces cloud security risks by replacing manually-intensive processes with automation for the continuous discovery, mapping and evaluation of millions of entitlements.
Interested in hearing industry leaders discuss subjects like this and sharing their experiences and use-cases? Attend the Cyber Security & Cloud Expo World Series with upcoming events in Silicon Valley, London and Amsterdam to learn more.