CIEM is becoming a discussion point for all of us in identity management and identity governance. CIEM, Cloud Infrastructure Entitlement Management, is the practice of managing the identities, policies and controls that govern our cloud-based resources. In short: CIEM is the process of managing identities and privileges in cloud environments.
CIEM done right helps us understand the access entitlements we have today, where the threats and risks lie, and how to enforce traditional best practices such as the Principle of Least Privilege (NIST 800-53, PR.AC-6). That is, it identifies where privileges are over-granted and excessive relative to the duties of the role.
What is Covered (and not) in CIEM?
No one reading this needs to be told that the cloud has exploded. Entitlements are the key to all of these cloud services, and not all cloud resources seem to be covered by what some products are calling CIEM. Cloud resources also include:
- IaaS – Infrastructure as a Service
  - IaaS products allow organizations to manage their business resources, such as their network, servers, and data storage, on the cloud. Most CIEM products focus on IaaS alone.
- PaaS – Platform as a Service
  - PaaS products allow businesses and developers to host, build, and deploy consumer-facing apps.
- SaaS – Software as a Service
  - SaaS uses the web to deliver applications that are managed by a third-party vendor.
- DaaS – Desktop as a Service
  - Cloud computing offerings where a service provider delivers virtual desktops to end users over the Internet.
- IDaaS – Identity as a Service
  - Identity and entitlement information is hosted in the cloud by a third party, usually including SSO and MFA capabilities.
How Are We Doing with Cloud Resources and Identities?
Terrible – to be blunt.
Palo Alto Unit 42 did an extensive survey and showed that cloud entitlements were 99% overly permissive. Just as alarming, Gartner recently reported that among 95% of cloud accounts, fewer than 3% of active entitlements were actually used.
This is hardly implementing the practice of least privilege.
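As an added illustration (not code from YouAttest or from the surveys cited above), the following Python shows how the "granted versus used" gap behind those figures can be measured for one tenant: the entitlements granted to each principal are compared against the actions actually observed in a cloud audit trail, and whatever was never exercised becomes the candidate list for removal. The principals, permission strings and log lines are constructed sample data, and the four-field log format is an assumption.

```python
from collections import defaultdict
from typing import Dict, List, Set

# Constructed sample data (not from any real tenant): entitlements granted to each
# cloud principal. Action names are illustrative IaaS-style permission strings.
GRANTED: Dict[str, Set[str]] = {
    "svc-backup": {"storage:GetObject", "storage:PutObject",
                   "storage:DeleteBucket", "compute:StartInstance"},
    "alice": {"storage:GetObject", "compute:DescribeInstances",
              "iam:CreateUser", "iam:AttachPolicy"},
    "ci-runner": {"compute:StartInstance", "compute:StopInstance",
                  "storage:GetObject"},
}

# Constructed audit-trail lines in an assumed format:
# "<timestamp> <principal> <action> <outcome>".
AUDIT_LOG: List[str] = [
    "2024-05-01T02:00:00Z svc-backup storage:GetObject ALLOWED",
    "2024-05-01T02:00:01Z svc-backup storage:PutObject ALLOWED",
    "2024-05-01T09:12:44Z alice compute:DescribeInstances ALLOWED",
    "2024-05-02T02:00:00Z svc-backup storage:GetObject ALLOWED",
    "2024-05-02T10:30:12Z alice storage:GetObject ALLOWED",
    "2024-05-03T11:00:00Z mallory iam:CreateUser DENIED",
    "this line is malformed and must be skipped",
]


def parse_log(lines: List[str]) -> Dict[str, Set[str]]:
    """Map each principal to the actions it actually exercised.

    Only ALLOWED events count: a DENIED call proves no entitlement was used.
    Malformed lines are skipped rather than guessed at.
    """
    used: Dict[str, Set[str]] = defaultdict(set)
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, principal, action, outcome = parts
        if outcome == "ALLOWED":
            used[principal].add(action)
    return used


def unused_entitlements(granted: Dict[str, Set[str]],
                        used: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Per principal, the granted actions never seen in the log: the removal candidates."""
    return {p: sorted(acts - used.get(p, set())) for p, acts in granted.items()}


def dormant_principals(granted: Dict[str, Set[str]],
                       used: Dict[str, Set[str]]) -> List[str]:
    """Principals that hold entitlements but exercised none of them in the window."""
    return sorted(p for p, acts in granted.items() if not (acts & used.get(p, set())))


def usage_ratio(granted: Dict[str, Set[str]], used: Dict[str, Set[str]]) -> float:
    """Share of granted entitlements that were exercised (the figure the Gartner stat measures)."""
    total = sum(len(acts) for acts in granted.values())
    in_use = sum(len(acts & used.get(p, set())) for p, acts in granted.items())
    return in_use / total if total else 0.0


if __name__ == "__main__":
    observed = parse_log(AUDIT_LOG)
    print(f"entitlements in use: {usage_ratio(GRANTED, observed):.0%}")
    for principal, extra in unused_entitlements(GRANTED, observed).items():
        print(f"{principal}: remove {extra}")
    print("dormant principals:", dormant_principals(GRANTED, observed))
```

On this sample only 4 of the 11 granted actions were ever used, the CI runner exercised nothing at all, and the denied attempt by `mallory` correctly contributes nothing, because a refused call is not evidence that an entitlement is needed. In practice the observation window matters: a quarterly job that only runs in March will look dormant in a two-week log, so the window should cover the longest legitimate cycle before anything is revoked.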
You Have to See the Problem to Fix the Problem
In a legacy on-premises enterprise, managing identity and access was simpler. A directory such as LDAP or Microsoft Active Directory provides an identity source, every application has its user accounts and permissions, and network security safeguards prevent third parties from impersonating users.
The cloud changed this. Resources are often accessed via authentication to a centralized data store, but often they are not! The user identities in these centralized IAMs are often federated, which is good, but that's not the full story.
Using a centralized directory, either on premises or in the cloud, helps manage cloud identities. But in practice, cloud resources are often NOT provisioned and synchronized with a central resource. The major IAM tools today, Azure AD, Okta, JumpCloud and Ping Identity, all have the ability not only to federate but also to sync users across platforms. But many cloud resources have not provided the hooks to enable real-time synchronization of entitlements from these IAM sources, especially fine-grained entitlements. The lack of fully integrated cloud resources is very prevalent in key industries such as ICS, financial and health care environments.
The result is a partial (and inaccurate) view of who or what is accessing which cloud resources.
It’s More than Just Syncing
Enterprises need to understand:
- Whether the accounts in these cloud resources (still) exist in the enterprise
- Whether these accounts should even be entitled to this resource
Most resources do a reasonable job of keeping their roles in the IDaaS solution, but these non-synchronized cloud (and on-prem) solutions become a problem for a well-managed enterprise.
This is where the 99% of cloud resources being overly permissive comes into play.
Because the cloud resource provider has no access to the groups/roles in the centralized IAM, privileges are often over-supplied.
YouAttest Addresses the Cloud Over-Privilege Problem
YouAttest allows an enterprise to determine its ISoR (Identity Store of Record) and then either natively review entitlement privileges directly through the YouAttest connector to the centralized identity store, or run a comparison of the ISoR against the siloed resources.
These non-synced cloud resources, or siloed resources, become a problem for most enterprises.
YouAttest addresses this through a siloed resource import, which allows the enterprise to:
- Compare the identities to discover orphan and ghost accounts in the cloud resource
- Compare by group to determine whether the entitlements granted in these siloed resources match the roles in the ISoR (Identity Store of Record)
With this ability, enterprises can be assured they are implementing the principle of least privilege on both the IDaaS-controlled cloud resources and the siloed cloud resources!
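To make the siloed-resource comparison described above concrete, here is an added Python example; it is not YouAttest's code and does not reflect its connector or import format. It assumes three inputs, all constructed sample data: an ISoR export (user id, active flag, roles), a group export from a siloed resource, and a reviewer-defined mapping from ISoR roles to the resource groups each role justifies. Orphan accounts are taken to mean resource accounts with no matching ISoR identity, and ghost accounts those whose ISoR identity has been deactivated but which remain in the resource; both definitions are assumptions for the example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set


@dataclass(frozen=True)
class Identity:
    """One record from the Identity Store of Record (ISoR)."""
    user_id: str
    active: bool             # False once the leaver process deprovisions the user
    roles: FrozenSet[str]    # enterprise roles (groups) held in the ISoR


# Constructed ISoR export, as an IDaaS directory might return it.
ISOR: Dict[str, Identity] = {
    "alice": Identity("alice", True, frozenset({"finance-analyst"})),
    "bob": Identity("bob", False, frozenset({"finance-admin"})),   # left the company
    "carol": Identity("carol", True, frozenset({"engineering"})),
}

# Constructed account export from a siloed cloud resource: account -> groups
# granted inside that resource. The resource does not sync with the ISoR.
SILOED_ACCOUNTS: Dict[str, Set[str]] = {
    "alice": {"finance-readers", "finance-approvers"},
    "bob": {"finance-approvers"},
    "dave": {"finance-readers"},          # no identity with this id in the ISoR
    "carol": {"engineering-readers"},
}

# Assumed policy (hypothetical, set by the reviewer): which resource groups each
# ISoR role justifies. Anything granted outside this mapping is excess.
ROLE_TO_GROUPS: Dict[str, Set[str]] = {
    "finance-analyst": {"finance-readers"},
    "finance-admin": {"finance-readers", "finance-approvers"},
    "engineering": {"engineering-readers"},
}


def orphan_accounts(isor: Dict[str, Identity], siloed: Dict[str, Set[str]]) -> List[str]:
    """Accounts in the resource that match no identity in the ISoR."""
    return sorted(a for a in siloed if a not in isor)


def ghost_accounts(isor: Dict[str, Identity], siloed: Dict[str, Set[str]]) -> List[str]:
    """Accounts still present in the resource whose ISoR identity is deactivated."""
    return sorted(a for a in siloed if a in isor and not isor[a].active)


def excess_entitlements(isor: Dict[str, Identity], siloed: Dict[str, Set[str]],
                        role_to_groups: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """For live identities, the resource groups that none of their ISoR roles justify."""
    findings: Dict[str, List[str]] = {}
    for account, groups in siloed.items():
        ident = isor.get(account)
        if ident is None or not ident.active:
            continue  # surfaced by the orphan/ghost checks instead
        justified: Set[str] = set()
        for role in ident.roles:
            justified |= role_to_groups.get(role, set())
        excess = sorted(groups - justified)
        if excess:
            findings[account] = excess
    return findings


def review_report(isor: Dict[str, Identity], siloed: Dict[str, Set[str]],
                  role_to_groups: Dict[str, Set[str]]) -> Dict[str, object]:
    """Bundle the three checks into one access-review result."""
    return {
        "orphans": orphan_accounts(isor, siloed),
        "ghosts": ghost_accounts(isor, siloed),
        "excess": excess_entitlements(isor, siloed, role_to_groups),
    }


if __name__ == "__main__":
    for check, result in review_report(ISOR, SILOED_ACCOUNTS, ROLE_TO_GROUPS).items():
        print(f"{check}: {result}")
```

Run against the sample, the report flags `dave` as an orphan (nobody in the ISoR owns that account), `bob` as a ghost (deprovisioned in the ISoR yet still an approver in the resource), and `alice` as over-entitled (her analyst role justifies reading, not approving). The role-to-group mapping is the piece that has to be agreed with the resource owner before the review; without it, the comparison can only find accounts, not excess privilege.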