Sure, cloud infrastructure is complex. But keeping track of identities (human and machine) and permissions across multiple cloud environments, and making sure all of these entitlements aren't abused to break into cloud environments - well, that's truly a Herculean task.

On-premises datacenters can be complex too, but at least they are more predictable than cloud, according to Gartner analyst Henrique Teixeira. 

"Imagine organizations running SAP or other large enterprise applications - they don't grow by themselves," Teixeira told The Register. "Once you install it, they stay more or less stable."

Cloud infrastructure, on the other hand, is an unruly, ever-expanding mess.

Wow, thanks AWS, a new service...

"If AWS tomorrow launches a new product or a new service, that's on their own accord," Teixeira said. 

However, while the sudden appearance of fresh functionality is not the customers' choice, they are the ones who have to manage the privileges for all of these new services, "and that growing pattern is not slowing," Teixeira added. "So - more entitlements, more permissions for you to manage."

A case in point: AWS alone provides some 12,800 cloud services with 13,800 permissions attached as of June, according to Cloud Security Alliance (CSA).

Then there's also the proliferation of machine identities, which, according to Gartner, are now 10 times more numerous than human identities in cloud infrastructure. Microsoft says the vast majority of these machine identities (80 percent) are inactive - double the amount it measured in 2021.

"And that's why shadow access was so important," CSA Global VP of Research John Yeoh told The Register. "Do we have the right identities, human and non-human, accessing the right things, the right data, the right systems?"

Shadow access in the cloud

CSA just published research on the challenge of managing identities and access in cloud infrastructure - it calls this "shadow access," referring to unseen or unwanted access to resources, which has skyrocketed alongside the growth of cloud computing.

Think of it as the next phase in understanding "shadow IT."

"Shadow access really brings more context and awareness to shadow IT," Yeoh said. "It's not just services in the clouds or the systems that are connected to your organization, it's the access, the privileges that are given to those systems."

As CSA explains in the report, new identities and access are often spun up automatically, without any governance, and created by developers, using infrastructure-as-code. 

Meanwhile, the applications that these identities have access to is also constantly changing, likely without full security reviews, and application components are often copied or reused for efficiency and speed.

So unless organizations are constantly scanning for new and unused cloud services accounts, and continually reviewing cloud identities, this shadow access can lead to "a series of potentially massive exposures for an organization," the CSA research says, citing Verizon's Data Breach Investigations Report (DBIR).

It found that 80 percent of breaches were related to identity and access.

What is CIEM?

One possible solution to this problem, according to Gartner and some cloud security vendors, is a new-ish approach to identity and access management called Cloud Infrastructure Entitlement Management or CIEM.

It's pronounced "Kiem," and and not to be confused with SIEM (aka Security Event and Incident Management) - or any of the other myriad security acronyms.

Gartner, of course, coined the term. So we went right to the source to ask if infosec really needs yet another set of letters to add to the alphabet soup cauldron, which is already overflowing.

"You might have to blame me," Teixeira said, adding that CIEM wasn't his first choice, but he got outvoted.

He wanted Cloud Access Governance of Entitlements, or CAGE, as in Nicolas.

"But it's not all clouds, it's infrastructure as a service, so Cloud Infrastructure Entitlement Management is what we went," Teixeira said.

Gartner used CIEM in its 2020 Cool Vendors report to describe CloudKnox, which was gobbled up by Microsoft a year later.

Just last week, one of the other CIEM pioneers, Emertic, was acquired by Tenable for about $265 million in cash and stock.

Infosec alphabet soup

"The prediction here, is that CIEM will become a feature or a capability in larger market segments, like CSPM or CNAPP or PAM and IGA," Teixeira said.

For the uninitiated, he's referring to cloud security posture management (CSPM), converged cloud-native application protection platforms (CNAPP), privileged access management (PAM), and identity governance and administration (IGA).

"These are well established, and multibillion-dollar markets today," Teixeira said. "So it's adding features to those markets instead of becoming a standalone thing."

There are four specific things that a CIEM product must be able to do, according to Gartner.

The number one capability includes providing visibility of entitlements through the discovery of access paths.

"What we call the right-sizing of permissions," Teixeira explained. "You're carrying around all these permissions. But in reality you're only using 5 percent of them, so you can easily remove that 95 percent without disruption. It's the approach of: if you don't use it, lose it. The principle of least privilege."

Second and third: CIEM products should be able to discover and remove inactive entitlements, and then also do other types of anomaly discovery and detection.

And finally, CIEM can automate compliance to ensure that organizations don't have any gaps in their identity and access management policies. If the product discovers any such misconfigurations, it should automatically enforce the correct identity controls.

"They are very specific," Teixeira said. "They're supposed to do a very simple job. It's a very utilitarian type of importance, but so very helpful. They are doing things that you can't do manually."

The $265 million challenge

And these types of tools are helping organizations solve a pressing challenge, according to Tenable execs, who recently signed off on a major acquisition to bring CIEM capabilities in house.

"One of the biggest challenges in cloud is identity, access, and entitlements," Tenable CEO Amit Yoran told The Register about why his security firm agreed to pay almost $265 million to acquire Ermetic. "Tackling who has access to what, while seemingly very simple to describe, is really, really difficult to do in cloud."

Ermetic provides multi-cloud CNAPP and CIEM, and this is important because most organizations use multiple cloud infrastructure providers, Yoran added.

And all of this points back to the larger problem facing companies that are trying to protect their data and assets: "It's the disjointedness of it all," he said. 

"If you go to AWS, you would have to go to 1,000 different places to understand all of the security settings, let alone how all the security settings relate and connect to one another so that you can have some degree of confidence that you've done it correctly," Yoran said. "And when you go to Azure, it's going to be a totally different set of 1,000 places that you go to, and the inconsistency between those" two cloud providers.

"Complexity of the cloud is what's killing people," added Glen Pendley, Tenable's chief technology officer.

"What people want - and this isn't just cloud security, this is all parts of security - is guided instructions, and information, and intelligence on what they can do in order to legitimately reduce risk," he told The Register. "Really what it comes down to is: help me understand where I am at risk, and what do I need to do about it?" ®

https://www.theregister.com//2023/09/13/ciem_cloud_infrastructure_security/