In the past, all corporate services used to be located on-premises, behind well-guarded walls. With the rise of mobile devices and the need to access all services, from anywhere, on any type of device, organizations have been leveraging cloud providers to host more and more services, seeking to optimize both cost and availability.
As more organizations leverage multiple cloud service providers (e.g., Microsoft, Google, and Amazon), managing multiple identities and permissions across multiple, independent systems can quickly become very complex, even creating real, potential security risks.
According to Microsoft's security team, only about 5% of granted permissions are actually used; the remaining 95% are not, and those unused grants pose a potential security risk.
So, a central solution that provides visibility and control over who has access to what, and with which permissions, becomes critical to staying in control. This is where CIEM solutions come into play.
What is CIEM?
Cloud Infrastructure Entitlement Management (CIEM) refers to identity-centric, cloud-based solutions that manage identities and permissions (also referred to as access privileges) in a multi-cloud environment from a single pane of glass, by monitoring and detecting permissions that might represent a risk to that environment and taking mitigation actions.
How does Permission Management help?
A key feature is permission discovery, which provides a global, high-level overview of the actions available to any identity across all the cloud providers an organization uses to host corporate services. Next, permission risk evaluation determines which permissions are actually used and how often, detecting the gap between granted and used permissions so that it can be remedied (e.g., by lowering the privilege, or removing it completely if it is unused or the employee has left).
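The discovery and risk-evaluation steps described above, as an added example that is not part of the original article or any vendor's product. The granted-permission table, the activity log and the list of high-risk actions are all constructed inputs; the "service:Action" naming only mimics a cloud provider's style. The script counts how each identity actually exercised its grants, computes the granted-versus-used gap, flags unused destructive actions, and proposes a trimmed permission set.

```python
"""Permission discovery and risk evaluation over constructed sample data.

Added illustration, not vendor code. Inputs are assumptions: GRANTED maps
each identity to the permissions it holds, ACTIVITY is a constructed activity
log of (identity, action) records for the review window, and HIGH_RISK is an
assumed list of actions we flag when granted but never used.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Iterable, Set, Tuple

# Constructed: granted permissions per identity across two hypothetical providers.
GRANTED: Dict[str, Set[str]] = {
    "svc-backup": {"s3:GetObject", "s3:PutObject", "s3:DeleteBucket", "iam:PassRole"},
    "alice": {"compute:instances.get", "compute:instances.delete", "storage:objects.get"},
    "bob": {"s3:GetObject"},
}

# Constructed: activity log for the review window, one (identity, action) per call.
ACTIVITY: Tuple[Tuple[str, str], ...] = (
    ("svc-backup", "s3:GetObject"),
    ("svc-backup", "s3:PutObject"),
    ("svc-backup", "s3:GetObject"),
    ("alice", "compute:instances.get"),
)

# Assumed: destructive or escalation-capable actions that matter most when unused.
HIGH_RISK: Set[str] = {"s3:DeleteBucket", "iam:PassRole", "compute:instances.delete"}


@dataclass
class Finding:
    identity: str
    granted: Set[str]
    used: Set[str]
    call_counts: Dict[str, int] = field(default_factory=dict)

    @property
    def unused(self) -> Set[str]:
        return self.granted - self.used

    @property
    def unused_high_risk(self) -> Set[str]:
        return self.unused & HIGH_RISK

    @property
    def inactive(self) -> bool:
        """True when the identity exercised none of its grants in the window."""
        return not self.used


def count_usage(activity: Iterable[Tuple[str, str]]) -> Dict[str, Dict[str, int]]:
    """Discovery step: how often each identity invoked each action."""
    counts: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for identity, action in activity:
        counts[identity][action] += 1
    return counts


def evaluate(granted: Dict[str, Set[str]],
             activity: Iterable[Tuple[str, str]]) -> Dict[str, Finding]:
    """Risk evaluation step: compare granted permissions with observed use."""
    counts = count_usage(activity)
    findings: Dict[str, Finding] = {}
    for identity, perms in granted.items():
        seen = counts.get(identity, {})
        # Only actions the identity actually holds count as "used"; calls to
        # actions outside the grant set (i.e. denied attempts) are ignored here.
        used = {a for a in seen if a in perms}
        findings[identity] = Finding(identity, set(perms), used,
                                     {a: seen[a] for a in used})
    return findings


def overall_usage_ratio(findings: Dict[str, Finding]) -> float:
    """Share of all granted permissions that were used at least once."""
    total = sum(len(f.granted) for f in findings.values())
    used = sum(len(f.used) for f in findings.values())
    return used / total if total else 0.0


def recommend(findings: Dict[str, Finding]) -> Dict[str, Set[str]]:
    """Least-privilege proposal: keep only what was used. An inactive identity
    gets an empty set, i.e. it is a candidate for removal rather than trimming."""
    return {name: set(f.used) for name, f in findings.items()}


if __name__ == "__main__":
    results = evaluate(GRANTED, ACTIVITY)
    for f in results.values():
        flag = " INACTIVE" if f.inactive else ""
        print(f"{f.identity}: {len(f.used)}/{len(f.granted)} used,"
              f" unused high-risk={sorted(f.unused_high_risk)}{flag}")
    print(f"overall usage: {overall_usage_ratio(results):.0%}")
```

On this sample the overall usage ratio is 3 of 8 grants; the backup service account holds two unused high-risk actions, and `bob` shows no activity at all, which is the "employee has left" case the text mentions. A real review window should be long enough to cover infrequent but legitimate actions (quarterly jobs, break-glass procedures) before a grant is removed on the strength of this kind of report.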
Permission management lets administrators grant permissions consistently across all cloud providers by mapping each provider's pre-defined roles and permissions to a single set of roles and permissions defined by the organization. It can also grant privileges on demand through a specific, pre-defined workflow: a request for a higher privilege is first submitted, then reviewed, and finally approved if it is justified. It also provides Just-in-Time, on-demand access for a limited period, to minimize the risk of standing privileges that attackers or malicious insiders can readily exploit.
Finally, permission monitoring detects and reports anomalous or suspicious activity using Artificial Intelligence (AI), for example a user receiving a suspicious privilege elevation.
How does CIEM differ from Zero Trust Network Access (ZTNA)?
First, let's clarify the difference between Zero Trust (ZT) and Zero Trust Network Access (ZTNA). Zero Trust (ZT) is a cybersecurity approach often summarized as "never trust, always verify": everyone and everything is treated as potentially malicious until proven otherwise through authentication challenges. Zero Trust Network Access (ZTNA) is a discrete product that can be implemented within a Zero Trust architecture to provide transparent but secure, monitored, and segmented access to corporate resources, whether on-premises or in the cloud.
CIEM solutions help enforce least-privilege access, a security practice where entities (users, endpoints, apps, workloads, etc.) can access only the information and resources necessary for their legitimate purpose, nothing more.
So what about ZTNA: aren't the two doing similar things? Although both approaches aim to control access, protect access points, and minimize risk by removing implicit trust and limiting access to managed resources, each concept focuses on a different part of access.
On one hand, the Zero Trust approach to privileged access removes all implicit trust, regardless of who is accessing and what is being accessed. Since no one is trusted, both internal and external access must be verified and authenticated through challenges, typically leveraging Identity and Access Management (IAM) capabilities such as single sign-on (SSO) and Multi-Factor Authentication (MFA), every time an employee tries to log on to a system or access a resource.
On the other hand, the least-privilege approach restricts access rights and permissions to only those who need them to perform a specific task. It is usually combined with Role-Based Access Control (RBAC), so rights and privileges are granted to users only on the basis of their role and responsibilities within the organization.
So which should you use? Ultimately, this depends on your deployment and its particular challenges.
CIEM in Practice
CIEM grants the right level of permissions or privileges to IT personnel based on the Zero Trust principle of least privilege. It helps automate access granting and ensures that the level of permissions granted across cloud infrastructures is consistent and matches their roles, namely Help Desk (L1), System Administrator (L2), or System Owner (L3).
Also, when IT personnel temporarily need higher privileges to perform a specific task, the permission is granted temporarily, on demand and subject to approval, so they can perform that one task and then return to their regular permissions. For example, an urgent maintenance task arose off-hours, and the IT employee with the higher privileges was not on call to attend to it, but was still able to validate the request from his phone so that his colleague could perform the task instead.
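The request, review, approval and expiry cycle just described, as an added example that is not part of the original article or any CIEM product. The role names (`L1-HelpDesk`, `L2-SystemAdmin`), the identities, the 4-hour policy ceiling and the broker API are all assumptions; time is passed in explicitly so the flow is deterministic. The point it shows is that the elevated role exists only between approval and expiry, that expiry needs no manual revocation, that the requester cannot approve their own request, and that every state change lands in an audit trail.

```python
"""Just-in-time privilege elevation with approval and automatic expiry.

Added illustration of the request / review / approve / expire flow, not any
vendor's API. Role names such as "L1-HelpDesk" and "L2-SystemAdmin", the
policy ceiling MAX_DURATION_S and the identities are all assumed.
"""
import itertools
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Set, Tuple


class Status(Enum):
    PENDING = "pending"
    APPROVED = "approved"
    DENIED = "denied"
    EXPIRED = "expired"


@dataclass
class ElevationRequest:
    id: int
    requester: str
    role: str              # elevated role requested (assumed naming)
    justification: str
    duration_s: int
    status: Status = Status.PENDING
    approver: Optional[str] = None
    expires_at: Optional[float] = None


class JitBroker:
    """Holds standing roles per identity and time-boxed elevations on top."""

    MAX_DURATION_S = 4 * 3600   # assumed policy ceiling for one elevation

    def __init__(self, standing_roles: Dict[str, Set[str]], approvers: Set[str]):
        self.standing = standing_roles
        self.approvers = approvers
        self.requests: Dict[int, ElevationRequest] = {}
        self.audit: List[Tuple] = []        # append-only event trail for reporting
        self._ids = itertools.count(1)

    def request(self, requester: str, role: str, justification: str,
                duration_s: int) -> ElevationRequest:
        """Submit step: validate the ask before anyone has to review it."""
        if not 0 < duration_s <= self.MAX_DURATION_S:
            raise ValueError("requested duration is outside policy bounds")
        if not justification.strip():
            raise ValueError("a justification is required")
        if role in self.standing.get(requester, set()):
            raise ValueError("role is already held as a standing role")
        req = ElevationRequest(next(self._ids), requester, role, justification, duration_s)
        self.requests[req.id] = req
        self.audit.append(("requested", req.id, requester, role, duration_s))
        return req

    def _review(self, req_id: int, approver: str) -> ElevationRequest:
        req = self.requests[req_id]
        if approver not in self.approvers:
            raise PermissionError(f"{approver} is not an approver")
        if approver == req.requester:
            raise PermissionError("self-approval is not allowed")   # four-eyes rule
        if req.status is not Status.PENDING:
            raise ValueError(f"request {req_id} is {req.status.value}, not pending")
        return req

    def approve(self, req_id: int, approver: str, now: float) -> ElevationRequest:
        """Approve step: the grant is time-boxed from the moment of approval."""
        req = self._review(req_id, approver)
        req.status, req.approver = Status.APPROVED, approver
        req.expires_at = now + req.duration_s
        self.audit.append(("approved", req.id, approver, req.expires_at))
        return req

    def deny(self, req_id: int, approver: str, reason: str) -> ElevationRequest:
        req = self._review(req_id, approver)
        req.status, req.approver = Status.DENIED, approver
        self.audit.append(("denied", req.id, approver, reason))
        return req

    def effective_roles(self, identity: str, now: float) -> Set[str]:
        """Standing roles plus approved, unexpired elevations. Expiry is enforced
        at evaluation time, so a grant lapses without any manual revocation."""
        roles = set(self.standing.get(identity, set()))
        for req in self.requests.values():
            if req.requester != identity or req.status is not Status.APPROVED:
                continue
            if now >= req.expires_at:
                req.status = Status.EXPIRED
                self.audit.append(("expired", req.id, now))
                continue
            roles.add(req.role)
        return roles


if __name__ == "__main__":
    broker = JitBroker({"carol": {"L1-HelpDesk"}}, approvers={"dave"})
    r = broker.request("carol", "L2-SystemAdmin", "urgent off-hours patch", 3600)
    broker.approve(r.id, "dave", now=0)
    print(broker.effective_roles("carol", now=100))    # standing plus elevated role
    print(broker.effective_roles("carol", now=3600))   # back to standing roles only
    print(broker.audit)
```

In a deployment the `now` argument would come from the clock and `effective_roles` would be consulted by the authorization path (or used to push and pull role bindings at each provider), so that the elevation is enforced where the access decision is made rather than only recorded in the broker.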
CIEM not only helps organizations from a practical IT perspective, but also from a liability one, especially in sectors with significant regulatory compliance requirements: the automated auditing features in CIEM solutions provide detailed reports on all the security controls in place, especially those related to data privacy and protection.
As you bring more Zero Trust concepts into your organization's ecosystem and work to understand how Cloud Infrastructure Entitlement Management (CIEM) and Zero Trust (ZT) can work together to deliver strong permission-based security, do not hesitate to contact the team at ISEC7. ISEC7 has worked extensively with organizations large and small in both the private and public sector to enhance their security posture and fortify their ecosystems through industry best practices, a curated product suite, and, most importantly, training. Please reach out to the team at ISEC7, and we can complete a security assessment and help you navigate the options available to strengthen and protect your infrastructure.
(C) Rémi Frédéric Keusseyan, Global Head of Training, ISEC7 Group