Gartner coined the term Cloud Infrastructure Entitlement Management (CIEM) in their 2020 paper, Managing Privileged Access in Cloud Infrastructure, to describe the need for a new category of solution that addresses the management of identity, access and permissions in a hybrid cloud world.
The Gartner report lists the following seven pillars as core features of a CIEM solution:
- Account and Entitlements Discovery: creation of an inventory, with continuous discovery, of identities and entitlements across an enterprise’s cloud infrastructure, including identification and tracking of identities, analysis of access policies, and discovery of federated and native cloud identities.
- Cross-cloud Entitlements Correlation: correlation and normalisation of accounts and entitlements across clouds into a unified access model.
- Creation of new methods of visualising and analysing cloud infrastructure entitlement data.
- Comparison of entitlements with usage data to determine the optimal least-privilege entitlement assignments.
- Protection of the integrity of cloud infrastructure by comparing the current state against policy and remediating changes that fall outside of policy.
- Monitoring and detection of changes to entitlements that are considered anomalous, atypical, or high-risk.
- Remediation of elevated permissions by triggering a change process that incorporates an updated policy or entitlement assignment.
This article forms part of a series of articles that look at various acronyms used in cyber security, explain them, and explore Microsoft’s solution. For more acronyms please visit: https://simonangling.com/cyber-security-acronyms
Why is CIEM Important?
As companies continue to adopt multi-cloud strategies, there is a proliferation of identities that becomes increasingly complex to manage. Across Microsoft Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP) there are over 40,000 permissions to manage.
According to Microsoft’s 2021 State of Cloud Permissions Risks Report:
- More than 90 percent of identities are using less than 5 percent of the permissions that they are granted.
- More than 50 percent of permissions are high-risk and can cause catastrophic damage.
With least-privilege being a core component of a zero trust strategy, tooling that assists with the management of identity permissions across an organisation is becoming increasingly important.
Microsoft’s CIEM Solution
Microsoft Entra Permissions Management is Microsoft’s CIEM solution that is based on Microsoft’s 2021 acquisition of CloudKnox Security.
Entra Permissions Management provides comprehensive visibility into the permissions assigned to all identities across Azure, AWS, and GCP infrastructure and helps detect, right-size, and monitor unused and excessive permissions, mitigating the risk of data breaches by enforcing the principle of least privilege in the cloud. It addresses the seven pillars of CIEM by adopting a life-cycle approach of continuously discovering, remediating and monitoring.
Taking a lifecycle approach acknowledges the reality that:
- Organisations will continue to move and create new workloads in clouds.
- Cloud providers will continue to add new capabilities that will increase the number of potential permissions.
- The number of identities (especially non-human) will grow exponentially.
The discover phase creates a baseline and usage profiles, giving granular visibility into each action performed by every identity, on every resource, and which permissions were used to perform it. Entra Permissions Management can then use this baseline to detect unusual or suspicious behaviour, and also to discover the ‘permissions gap’: the permissions granted to an account that the user never actually exercises.
The remediation phase is intended to consistently enforce the principle of least privilege by reducing the ‘permissions gap’. Entra Permissions Management can ‘right-size’ identity permissions based upon the observed usage of each identity, and allows for ‘permissions on-demand’ workflows when elevated permissions are temporarily required.
With many thousands of identities across a multitude of systems and services, ongoing and continuous monitoring is the third phase of the life cycle.
Entra Permissions Management continuously monitors all activity to detect anomalous permission usage and generates detailed forensic reports. A detection can also be used to initiate a remediation process or to inform the appropriate security team, allowing for timeous investigation and remediation.
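To make the discover/remediate/monitor lifecycle concrete, the following is an added example (not code from Entra Permissions Management or from the original article) that implements the core CIEM calculations on a constructed dataset: it builds a usage baseline from activity records, measures each identity’s ‘permissions gap’ (including which unused permissions are high-risk), proposes a right-sized policy containing only the actions actually observed, and flags later activity that falls outside the baseline. The identities, action names, activity records and the list of high-risk actions are all assumptions made up for this illustration; the action names merely follow an AWS-like naming style.

```python
"""Illustrative CIEM-style 'permissions gap' analysis.

Added example: not Entra Permissions Management code and not tied to any real cloud API.
All identities, policies, activity records and the HIGH_RISK list are constructed for
this demonstration.
"""
from collections import defaultdict

# Constructed sample: the permissions granted to each identity (its entitlement).
GRANTED = {
    "svc-backup": {
        "s3:GetObject", "s3:PutObject", "s3:DeleteBucket",
        "iam:PassRole", "ec2:TerminateInstances",
    },
    "alice": {"s3:GetObject", "s3:ListBucket", "iam:CreateUser"},
}

# Constructed sample activity log used for the discover phase:
# (timestamp, identity, action, resource)
ACTIVITY = [
    ("2024-03-01T09:00:00", "svc-backup", "s3:GetObject", "arn:aws:s3:::backups/db.tar"),
    ("2024-03-01T09:05:00", "svc-backup", "s3:PutObject", "arn:aws:s3:::backups/db.tar"),
    ("2024-03-02T09:00:00", "svc-backup", "s3:GetObject", "arn:aws:s3:::backups/db2.tar"),
    ("2024-03-03T10:00:00", "alice", "s3:ListBucket", "arn:aws:s3:::reports"),
]

# Actions treated as high-risk for this example (destructive or privilege-granting).
HIGH_RISK = {"s3:DeleteBucket", "iam:PassRole", "ec2:TerminateInstances", "iam:CreateUser"}


def build_baseline(activity):
    """Discover phase: map each identity to the set of actions it actually performed."""
    used = defaultdict(set)
    for _timestamp, identity, action, _resource in activity:
        used[identity].add(action)
    return used


def permissions_gap(granted, used):
    """Compare entitlements with usage: share of the grant exercised, unused actions,
    and the subset of unused actions that are high-risk (the most valuable to remove)."""
    report = {}
    for identity, perms in granted.items():
        exercised = used.get(identity, set()) & perms
        unused = perms - exercised
        report[identity] = {
            "used_pct": round(100 * len(exercised) / len(perms), 1) if perms else 0.0,
            "unused": sorted(unused),
            "unused_high_risk": sorted(unused & HIGH_RISK),
            "dormant": not exercised,  # identity never used any of its permissions
        }
    return report


def right_size(granted, used):
    """Remediate phase: a proposed least-privilege policy keeps only observed actions."""
    return {
        identity: sorted(perms & used.get(identity, set()))
        for identity, perms in granted.items()
    }


def detect_anomalies(baseline, new_events):
    """Monitor phase: flag any event whose action is absent from the identity's baseline.
    Such events are candidates for investigation or an on-demand approval workflow."""
    return [event for event in new_events if event[2] not in baseline.get(event[1], set())]


if __name__ == "__main__":
    baseline = build_baseline(ACTIVITY)
    for identity, row in permissions_gap(GRANTED, baseline).items():
        print(f"{identity}: uses {row['used_pct']}% of grant; "
              f"unused high-risk: {row['unused_high_risk']}")
    print("Right-sized policies:", right_size(GRANTED, baseline))
    # Constructed later event: a backup service suddenly deleting a bucket.
    later = [("2024-03-04T02:00:00", "svc-backup", "s3:DeleteBucket", "arn:aws:s3:::backups")]
    print("Anomalous events:", detect_anomalies(baseline, later))
```

In this constructed dataset the backup service exercises 40% of its grant, and three of its unused permissions are high-risk, so right-sizing removes exactly the permissions whose misuse would be most damaging while leaving the observed read/write access intact. The anomaly check then catches the bucket deletion because that action never appeared in the baseline, which is the point at which a permissions-on-demand workflow or a security-team notification would be triggered.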
Why Microsoft Entra Permissions Management?
Cloud security is only ever going to be as good as an organisation’s ability to continuously control the access levels and permissions assigned to both human and non-human identities at ‘machine speed’. The Microsoft Entra Permissions Management solution offers organisations a practical, scalable, cloud-native way of controlling the proliferation of identities across multiple clouds, and can form part of an integrated zero trust strategy.