Understand CNAPPs with Our Guide

Learn the key benefits and integration tips for Cloud-Native Application Protection Platforms. Enhance your cloud security strategy.

Download the Guide Now

What is Cloud Infrastructure Entitlement Management (CIEM)?

Cloud infrastructure entitlement management (CIEM) is a security process that helps security teams analyze and manage identities, access rights, privileges, and permissions in cloud environments. Its main goal is to mitigate the risk that comes from the unintentional and unchecked granting of excessive permissions to cloud resources.

CIEM offerings are specialized, identity-centric software as a service (SaaS) solutions focused on managing cloud access risk through administration-time controls (policy definition, review and right-sizing, as opposed to enforcement at request time) for the governance of entitlements in hybrid and multi-cloud infrastructure as a service (IaaS). Integrating CIEM into a holistic cloud-native application protection platform (CNAPP) avoids a standalone security silo and gives one view of identity risk across cloud-native applications.

With CIEM security solutions, security teams can inventory cloud identities and their entitlements and enforce the principle of least privilege (POLP) on cloud resources and infrastructure. This reduces the cloud attack surface and mitigates the access risk posed by excessive permissions.

What are cloud infrastructure entitlements?

Cloud infrastructure entitlements comprise the various permissions granted to entities to access cloud resources. In a multi-cloud environment operating at the scale of thousands of resources, managing and keeping track of an enterprise’s cloud infrastructure entitlements is an incredibly complex task.

Cloud providers operate under a shared responsibility model. With IaaS offerings, the provider delivers compute, storage and networking services and is responsible for the physical security of its data centers and for the underlying hardware and virtualization layer. Everything built on top of that, including who (or what) can and cannot access each infrastructure resource, is the customer's responsibility; the IAM policies that define those entitlements sit entirely on the customer's side of the line.

Why is CIEM important for cloud security?

Cloud providers govern access to resources through identity and access management (IAM) policies that the customer writes. In an environment with static resources this is tractable: any user with the deployments-manager role might be allowed to reboot a specific compute instance (e.g., an Amazon EC2 instance), while a continuous integration/continuous delivery (CI/CD) pipeline running as the automated-test-runner role might be allowed to open an SSH session to that instance to run a test. (Plain SSH is controlled by host keys and network rules rather than by cloud IAM, so tying it to a role means brokering the session through an IAM-governed service such as EC2 Instance Connect or Systems Manager Session Manager.)

In today’s cloud environments, however, resources are ever-changing. Many are ephemeral, provisioned or deprovisioned based on the scaling needs of any given moment, so a policy that names a specific instance ID is stale as soon as the autoscaler replaces that instance. Cloud providers do offer ways to grant permissions to resources that do not yet exist, but each does it differently: AWS conditions policies on resource tags (attribute-based access control), Azure scopes role assignments to subscriptions and resource groups, and Google Cloud attaches IAM bindings at the project or folder level and supports conditional bindings. This leaves enterprises with the challenge of managing and understanding permissions across multiple clouds, each with its own model.

As today’s enterprises transition more of their systems and business processes to the cloud, the challenge of governing and monitoring access to those resources grows increasingly complex. Cloud resources are no longer static and predictable. In addition, enterprises no longer operate in just one cloud; they are adopting multi-cloud approaches to their infrastructure. Establishing proper permissions for accessing those resources is therefore no longer straightforward, and that is precisely the job of a solution that manages cloud infrastructure entitlements: establishing, tracking and correcting those permissions across every cloud in use.

How does CIEM work?

CIEM allows security teams and organizations to use advanced techniques, including machine learning, to analyze effective access in cloud environments, monitor and right-size permissions, help detect accidental exposure and generate remediation recommendations. Effective access is the set of actions an identity can actually perform once every policy that applies to it is combined: directly attached policies, group memberships, assumable roles, resource-based policies and explicit denies. It is frequently wider than what any single policy document suggests.

The yardstick is the principle of least privilege: a user (or any other identity, human or machine) should hold only the permissions its role actually requires. Rather than taking whatever was granted as the baseline, a CIEM solution compares granted permissions with the permissions the identity has actually used and treats the difference as risk to be removed.

CIEM also unifies security terminology and usage across all clouds, which reduces the need for teams to switch context between cloud providers. Lastly, many CIEM solutions use machine learning to analyze access records and configurations to determine an enterprise’s potential access risks. Through this, a CIEM solution can help identify excessive entitlements and mitigate the risk of a security breach. One caveat applies to any usage-based recommendation: a permission that went unused during the observation window is not necessarily unneeded (break-glass and disaster-recovery rights are the usual counterexamples), so recommendations should be reviewed before they are applied.
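The analysis described in this section (effective access, flagging excessive grants, and right-sizing from access records), applied to the deployments-manager and automated-test-runner roles from the "Why is CIEM important" section above, as an added example. This is not CrowdStrike's code or any CIEM product's logic. It assumes AWS IAM-style policy documents, a tag-based (ABAC) grant for the ephemeral test instances, and audit records in a (role, action, resource) shape; the policies, resource tags, account ID, instance IDs and log lines are all constructed inline, and the evaluator implements only a subset of IAM semantics (Allow/Deny, `*`/`?` wildcards, and a `StringEquals` condition on resource tags). The SSH grant is modelled as the real EC2 Instance Connect action `ec2-instance-connect:SendSSHPublicKey`, since plain SSH is not an IAM permission.

```python
"""
CIEM-style analysis of cloud entitlements (added example, not from the article).

Assumptions: the policy documents, resource tags and access records below are
constructed inline in AWS IAM style; a real CIEM tool would fetch them from the
provider's IAM and audit-log APIs. Only a subset of IAM semantics is modelled:
Allow/Deny statements, '*'/'?' wildcards in Action and Resource, and a
StringEquals condition on aws:ResourceTag keys. The account ID and instance IDs
are made up; the role names are those used in the article.
"""
import fnmatch
from collections import defaultdict

ARN_PREFIX = "arn:aws:ec2:us-east-1:123456789012:instance/"
TEST_INSTANCE = ARN_PREFIX + "i-0abc"   # ephemeral test instance (constructed)
PROD_INSTANCE = ARN_PREFIX + "i-0def"   # long-lived prod instance (constructed)

# Constructed resource inventory: tags are what make ephemeral instances addressable.
RESOURCES = {TEST_INSTANCE: {"env": "test"}, PROD_INSTANCE: {"env": "prod"}}

# Constructed role policies. deployments-manager was granted far more than "reboot".
POLICIES = {
    "deployments-manager": {"Statement": [
        {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
    ]},
    "automated-test-runner": {"Statement": [
        # Tag-based (ABAC) grant: applies to whichever test instances exist right now.
        {"Effect": "Allow",
         "Action": ["ec2:*Instances", "ec2-instance-connect:SendSSHPublicKey"],
         "Resource": ARN_PREFIX + "*",
         "Condition": {"StringEquals": {"aws:ResourceTag/env": "test"}}},
        # An explicit Deny always wins over any Allow.
        {"Effect": "Deny", "Action": "ec2:TerminateInstances", "Resource": "*"},
    ]},
}

# Constructed audit records (role, action, resource) for the observation window.
ACCESS_LOG = [
    ("deployments-manager", "ec2:RebootInstances", PROD_INSTANCE),
    ("deployments-manager", "ec2:DescribeInstances", "*"),
    ("automated-test-runner", "ec2-instance-connect:SendSSHPublicKey", TEST_INSTANCE),
]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    # IAM wildcards '*' and '?' map directly onto fnmatch; ARNs contain no '['.
    return fnmatch.fnmatchcase(value, pattern)


def _condition_holds(statement, resource):
    """Evaluate StringEquals conditions on resource tags; unknown keys fail closed."""
    conditions = statement.get("Condition", {}).get("StringEquals", {})
    tags = RESOURCES.get(resource, {})
    for key, expected in conditions.items():
        if not key.startswith("aws:ResourceTag/"):
            return False
        if tags.get(key.split("/", 1)[1]) != expected:
            return False
    return True


def is_allowed(role, action, resource):
    """Effective access: a matching Deny wins outright; otherwise any matching Allow grants."""
    allowed = False
    for st in POLICIES[role]["Statement"]:
        action_ok = any(_matches(a, action) for a in _as_list(st["Action"]))
        resource_ok = any(_matches(r, resource) for r in _as_list(st["Resource"]))
        if not (action_ok and resource_ok and _condition_holds(st, resource)):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def excessive_grants(role):
    """Flag Allow statements with a wildcard action or resource and no narrowing condition."""
    findings = []
    for st in POLICIES[role]["Statement"]:
        wild_action = any("*" in a for a in _as_list(st["Action"]))
        wild_resource = any(r == "*" for r in _as_list(st["Resource"]))
        if st["Effect"] == "Allow" and (wild_action or wild_resource) and "Condition" not in st:
            findings.append(st)
    return findings


def right_size(role):
    """Recommend a least-privilege policy: only the actions and resources actually used."""
    used = defaultdict(set)
    for log_role, action, resource in ACCESS_LOG:
        if log_role == role and is_allowed(role, action, resource):
            used[action].add(resource)
    return [{"Effect": "Allow", "Action": action, "Resource": sorted(resources)}
            for action, resources in sorted(used.items())]


if __name__ == "__main__":
    for role in POLICIES:
        print(role, "excessive:", excessive_grants(role))
        print(role, "recommended:", right_size(role))
```

Running it reports the deployments-manager `ec2:*` on `*` grant as excessive and recommends replacing it with just `ec2:DescribeInstances` and `ec2:RebootInstances` on the one instance it actually touched, while the tag-conditioned test-runner grant is left alone. The recommendation is only as good as the observation window, which is why the output is a proposal for review rather than something to apply automatically.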

Guilherme (Gui) Alvarenga is a Sr. Product Marketing Manager for the Cloud Security portfolio at CrowdStrike. He has over 15 years' experience driving Cloud, SaaS, Network and ML solutions for companies such as Check Point, NEC and Cisco Systems. He graduated in Advertising and Marketing at the Universidade Paulista in Brazil, and pursued his MBA at San Jose State University. He studied Applied Computing at Stanford University, and specialized in Cloud Security and Threat Hunting.