
Evolving identity and permissions management for the multicloud world

BrandPost
Apr 10, 2023 | 6 mins
Security

As managing identities and their access permissions becomes more complicated, discover why enterprise businesses are turning to cloud infrastructure entitlement management (CIEM) and how to incorporate these technologies into your own organization.

Credit: iStock/Pinkypills

By Microsoft Security

Managing identities and their access permissions is becoming more complicated. Digital sprawl has led to an explosion in permissions across multicloud environments, and consistent oversight is lacking. As many as 99% of cloud permissions are going unused, and this represents a significant risk for enterprise businesses.

As more organizations transition to Zero Trust security models, traditional identity and access management (IAM) models must evolve in kind. These new models should deliver comprehensive identity and permissions management for any cloud deployment while ensuring security and maintaining end-user productivity. It’s also important to retain existing IAM best practices, such as single sign-on (SSO) and multifactor authentication (MFA), while introducing new solutions for identity governance and permissions management. This category is more commonly referred to as cloud infrastructure entitlement management (CIEM).

Follow along to understand how you can implement emerging CIEM technologies in your own operations.

What is CIEM?

Analyst firm Gartner first coined the category CIEM because the growth in cloud technology presented a novel identity and permissions challenge. Historically, enforcing least privilege in on-premises environments was simpler because server admins weren’t authorized to perform actions on a network device and vice versa. By contrast, permissions today are often granted based on assumptions about what an identity might need, which leads organizations to provision more than is actually required.

In fact, 50% of permissions are considered high-risk, and current identities are only using 1% of the permissions they have been granted. This difference between permissions granted and permissions used is called the permissions gap. The bigger it gets, the larger the potential attack surface a company faces. When identities don’t require 99% of the permissions they have, that permissions gap leaves an organization vulnerable to cyber threats.

Organizations must move from a static, assumption-based model to a continuous, activity-based model to keep up with the rapid growth in the cloud and effectively scale their security infrastructure. That’s where CIEM comes in.

CIEM represents a cloud-native, scalable, and extensible way to automate the continuous management of permissions in the cloud. According to Gartner, it comprises the following pillars:

  • Account and entitlements discovery: Establishing an inventory of identities and entitlements across an enterprise’s cloud infrastructure.
  • Cross-cloud entitlements correlation: Correlating and normalizing accounts and entitlements across clouds into a unified access model.
  • Entitlements visualization: Evolving traditional table-driven methods for viewing and analyzing information.
  • Entitlements optimization: Combining usage and entitlement data to determine least-privileged entitlement assignments.
  • Entitlements protection: The ability to detect changes within managed cloud infrastructure environments and remediate those that violate company policy.
  • Entitlements detection: Identifying entitlement changes made outside of sanctioned processes and those considered atypical, anomalous, or high-risk.
  • Entitlements remediation: The ability to trigger a change event to optimize entitlements or to address a recommendation from a change analysis process.

CIEM in practice: a life-cycle approach

While the many pillars of CIEM might make it seem daunting, adopting a life-cycle approach lets an organization continuously discover, remediate, and monitor the activity of every unique user and workload identity operating in the cloud. This strategy is particularly effective because it fits the reality of today’s operations. As organizations continue moving workloads to the cloud, cloud providers add new capabilities and services—generating tens of thousands of permissions. This means that the number of identities, specifically for workloads, will grow exponentially.

A life-cycle approach alerts security and infrastructure teams to unexpected or excessive risks in cloud environments so that they can act accordingly. It is made up of three main steps:

  • Discover: The initial discover phase involves creating a usage profile for each identity, be it a person or workload, to understand which actions it typically performs. Permissions are rarely time-bound, and failing to loop back to check whether permissions granted months ago are still needed creates risk when circumstances change. CIEM enables companies to build activity profiles for each human and workload identity based on permissions granted and permissions used over a specific time period. These profiles then serve as a baseline for a state of least privilege and for detecting anomalous or suspicious behavior.

  • Remediate: Once deployed, CIEM enables companies to look at usage data to see which permissions each identity is actually using. If some engineers are only using 50% of their permissions, the rest can be removed. If they need short-term access to a specific resource, that request can be granted and automatically revoked when the allotted time is up. A CIEM solution should also give organizations the option to create custom least-privilege roles based on the historical activity of one or more identities and to remove unused or questionable permissions from a high-risk identity profile. The idea is to consistently enforce the principle of least privilege by ensuring identities have the lowest number of permissions they need to be productive. In short, you’re using historical data and activity to right-size permissions.

  • Monitor: Finally, there is the monitor phase. Given the thousands of identities that may be active across cloud environments at any given time, CIEM solutions must provide robust monitoring and alerting capabilities. Ideally, organizations should have the ability to monitor their cloud environments from multiple dimensions, such as by identity or by activity. An “identity” view would enable teams to monitor which permissions an identity used, thus revealing any changes in an activity profile that may indicate anomalous behavior. Similarly, the “activity” lens would provide the ability to identify high-risk behavior, such as an identity that suddenly uses a high-risk permission or tries to access a sensitive resource for the first time. When anomalous behavior is detected, the CIEM solution should include an option to initiate an automated response or notify an appropriate team. The CIEM tool should also prioritize any alerts it generates and provide context behind the threats, given the overwhelming number of alerts security teams already receive.
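The three phases above, reduced to their core logic as an added illustration (this is not code from the article or from any CIEM product): a baseline activity profile is built from a constructed activity log, the permissions gap and a right-sized role are derived for each identity, and a later event is scored against the baseline and a high-risk classification. The identities, permission names and the high-risk list are all constructed sample data.

```python
from collections import defaultdict

# Constructed sample data (not from the article): permissions granted per identity,
# using AWS-style action names as placeholders for any cloud's entitlements.
GRANTED = {
    "svc-build": {"s3:GetObject", "s3:PutObject", "s3:DeleteBucket", "iam:PassRole"},
    "alice": {"ec2:DescribeInstances", "ec2:TerminateInstances", "s3:GetObject"},
    "svc-legacy": {"s3:GetObject"},  # a workload identity with no recent activity
}
# Constructed: permissions this organisation classifies as high-risk.
HIGH_RISK = {"s3:DeleteBucket", "iam:PassRole", "ec2:TerminateInstances"}
# Constructed activity log for the baseline period: (day, identity, permission used).
BASELINE_LOG = [
    (1, "svc-build", "s3:GetObject"),
    (2, "svc-build", "s3:PutObject"),
    (3, "alice", "ec2:DescribeInstances"),
    (5, "alice", "ec2:DescribeInstances"),
]

def build_profiles(log):
    """Discover: the set of permissions each identity actually used in the period."""
    used = defaultdict(set)
    for _, identity, perm in log:
        used[identity].add(perm)
    return dict(used)

def permissions_gap(granted, profiles):
    """Remediate: per identity, the right-sized role (keep) and the unused permissions
    to remove, plus the gap as a percentage of what was granted."""
    report = {}
    for identity, perms in granted.items():
        active = profiles.get(identity, set())
        unused = perms - active
        report[identity] = {
            "keep": sorted(perms & active),
            "remove": sorted(unused),
            "gap_pct": round(100 * len(unused) / len(perms)),
        }
    return report

def monitor(profiles, high_risk, event):
    """Monitor: alert on a permission outside the identity's baseline; rank the alert
    high when the permission is classified high-risk, medium otherwise."""
    identity, perm = event
    if perm in profiles.get(identity, set()):
        return None  # within the established activity profile, nothing to raise
    severity = "high" if perm in high_risk else "medium"
    return {"identity": identity, "permission": perm, "severity": severity,
            "reason": "first use of a permission outside the baseline profile"}
```

An identity with no activity at all, like svc-legacy here, shows a 100% gap and an empty right-sized role, which is the signal to retire the identity rather than just trim it.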

As cyber threats continue to evolve, it’s up to us to keep pace with the rate of change by constantly evaluating our current security offerings. Microsoft is dedicated to providing comprehensive education and best practices to empower organizations to defend operations.

Learn more about CIEM by downloading our ebook, Evolving Identity and Access Management for the Multicloud World.