Cloud infrastructure entitlement management, or CIEM, has emerged as the latest buzzword in the world of cloud security. But just because CIEM is buzzworthy doesn’t mean everyone needs to integrate it into their cloud security strategies.
Keep reading for an overview of what CIEM means, how it relates to other cloud security operations and how to implement CIEM if you decide it’s right for you.
What Is Cloud Infrastructure Entitlement Management?
Cloud infrastructure entitlement management is the automated assessment of privileged access policies (also known as entitlements) within cloud environments. The purpose of CIEM is to identify access rules that grant human or machine users a higher degree of privilege than they need. In this way, CIEM aims to enforce the principle of least privilege within the cloud.
For example, CIEM tools would flag a cloud account that has the ability to create, delete and run virtual machines if the user associated with that account only needs to run machines. In that case, the user would have excess permissions. The CIEM tools would recommend eliminating the create and delete privileges for the user.
In addition to identifying entitlement risks, some CIEM tools can mitigate them automatically by modifying access policies.
It’s worth noting that, despite the term “cloud infrastructure entitlement management,” CIEM doesn’t just address privileges associated solely with cloud infrastructure. CIEM can also identify and mitigate risks that result from access policies for software-as-a-service (SaaS) applications, cloud-based data or other resources that you may not consider to be cloud infrastructure per se.
How Is CIEM Different From CSPM?
If CIEM sounds a lot like cloud security posture management, or CSPM, it’s because the two practices are similar in many ways. CSPM is the use of automated security tools to identify configuration problems that could lead to security risks in the cloud.
However, CIEM is different from CSPM in the following respects:
- Focus on privileges: CIEM addresses security risks associated with privileges and access policies alone. CSPM focuses on different types of configuration risks, such as a failure to require data encryption.
- Granular access assessment: Most CIEM tools can automatically determine which access rights a human or machine user should have, then compare them to the rights the user actually has. CSPM tools don’t usually perform this type of granular, contextualized, case-by-case assessment; they simply look for configurations that are known to be insecure.
- Monitor for privilege changes: CIEM tools can detect suspicious changes in permission rules, such as the sudden granting of administrative privileges to a user whose previous activity does not imply that those privileges are necessary. CSPM doesn’t offer this type of anomaly-based risk detection.
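The assessment the article describes (effective grants compared against a principal's observed activity, as in the create/delete/run example above, plus the check for a suspicious permission change) can be sketched as a small right-sizing routine. This is an added illustration, not code from any CIEM product; the action catalogue, the IAM-style action names and the sample activity are all constructed for the example.

```python
import fnmatch

# Constructed catalogue of actions the (hypothetical) cloud exposes. The names are
# illustrative IAM-style strings, not any real provider's action list.
ACTION_CATALOGUE = {
    "vm:RunInstances", "vm:StopInstances", "vm:CreateInstances", "vm:DeleteInstances",
    "vm:DescribeInstances", "storage:GetObject", "storage:PutObject",
    "storage:DeleteObject", "iam:AttachUserPolicy", "iam:CreateAccessKey",
}

def expand(grants):
    """Resolve wildcard grants such as 'vm:*' or '*' to concrete catalogue actions."""
    return {a for a in ACTION_CATALOGUE if any(fnmatch.fnmatchcase(a, g) for g in grants)}

def right_size(granted, activity):
    """Compare effective grants with observed activity (e.g. audit-log actions over a
    lookback window) and return what is used, what is excess, and a minimal policy."""
    effective = expand(granted)
    used = {a for a in activity if a in effective}
    excess = effective - used
    return {
        "effective": sorted(effective),
        "used": sorted(used),
        "excess": sorted(excess),
        # Recommended least-privilege policy: explicit actions only, no wildcards.
        "recommended_policy": sorted(used),
    }

def flag_privilege_change(old_grants, new_grants, activity):
    """Anomaly check for a policy change: newly granted actions that the principal's
    history gives no reason to need. Admin-like grants are listed separately."""
    added = expand(new_grants) - expand(old_grants)
    unjustified = added - set(activity)
    admin_like = {a for a in unjustified if a.startswith("iam:") or "Delete" in a}
    return {"added": sorted(added), "unjustified": sorted(unjustified),
            "admin_like": sorted(admin_like)}

if __name__ == "__main__":
    # Constructed sample: the article's scenario, a user granted create/delete/run
    # who only ever runs and describes instances.
    GRANTED = ["vm:RunInstances", "vm:CreateInstances", "vm:DeleteInstances",
               "vm:DescribeInstances"]
    ACTIVITY = ["vm:RunInstances", "vm:DescribeInstances", "vm:RunInstances"]
    print(right_size(GRANTED, ACTIVITY))
    print(flag_privilege_change(GRANTED, ["vm:*", "iam:*"], ACTIVITY))
```

Real tools derive the activity set from provider audit logs and apply a lookback window and confidence threshold before recommending removals; the routine above shows only the comparison itself.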
These differences notwithstanding, reasonable people can debate whether CIEM is simply an extension of CSPM, or whether the two are fundamentally different cloud security domains.
Why CIEM, and Why Now?
Indeed, it’s likely that at least part of the reason why CIEM has become a buzzword over the past year or so is that CSPM platform marketers have latched onto CIEM in a bid to make their platforms stand out from other CSPM solutions – much like how many application performance management tools have been rebranded as “observability” platforms over the past several years, or how marketers have slapped the “AIOps” label on IT automation tools that were born before anyone was talking about AIOps.
This is to say that, to a certain extent, the CIEM trend probably just reflects marketing buzz. Some of the functionality that CIEM tools provide was already available in traditional CSPM platforms before vendors defined CIEM as a new type of cloud security category.
Still, there’s more to the story than crafty marketing. The emergence of CIEM also reflects the fact that cloud environments have become so massive in size, and so mind-boggling in complexity, that manual approaches to privilege management no longer suffice to mitigate security risks. A cloud environment that includes hundreds of users and thousands of workloads could have hundreds of thousands of access rights configured within it. CIEM tools provide an automated means of ensuring that each of those rights is properly configured in accordance with least-privilege principles.
Consider, too, the fact that in a multicloud architecture, a business will likely use multiple access control frameworks at once, because each cloud has its own system for defining privileges and access rights. The exact meaning of various access policies and terms may also vary between clouds; for instance, what Azure calls a group is different from what AWS defines as a group. An advantage of CIEM tools in this context is that they provide a central platform for assessing privileges across clouds, no matter the specifics of how policies are configured or managed.
So, Who Needs CIEM? And Where Can You Get It?
In general, any business with a large-scale cloud environment can benefit from CIEM. And the more clouds and cloud services you use, the more CIEM will help to mitigate security risks across them.