Identity Defined Security Alliance Introduces New CIEM Best Practices

Posted on by Lior Zatlavi

As businesses face a greater volume of increasingly sophisticated cyberthreats, it’s vital to have the right technologies and processes in place to protect their data and people. This issue is increasingly pressing as businesses pursue dynamic working policies that enable their employees to work from anywhere at any time.

The need for robust cybersecurity is particularly pressing in the cloud, considering 45% of data breaches occur in cloud environments, according to IBM’s latest Cost of a Data Breach Report. The scale of cloud growth means the threat is only likely to increase. The global cloud computing market grew from $405 billion in 2021 to $480 billion in 2022, but it’s projected to increase significantly to $1.7 trillion by 2029, according to Fortune Business Insights.

The cloud’s highly dynamic nature means traditional solutions and practices—designed to control and protect static applications and infrastructure—aren’t suited to cloud security. Most cloud providers have created native tools to help businesses authorize identities and access resources in their cloud environments. But these are rarely enough to meet the needs of identity security. Indeed, Cloud Security Alliance recently named “insufficient identity, credential, access, and key management” as the number one cloud computing threat in June 2022.

As a result, there’s been a swift increase in the importance of Cloud Infrastructure Entitlements Management (CIEM) solutions, which help businesses manage the access privileges of their human and service (also called machine) identities in the cloud. CIEM solutions are vital to enhancing visibility across cloud infrastructure, detecting and remediating identity misconfigurations, and establishing the principle of least privilege, which helps prevent data breaches and minimizes risk.

The growing importance of protecting cloud entitlements is highlighted by the solutions being introduced into Gartner’s Hype Cycle. Most organizations have adopted hybrid or multicloud environments, and CIEM has become crucial to securing access and permissions across cloud infrastructure.

Why are CIEM best practices important?

Achieving visibility while securing data and people can be challenging for IT professionals. So, guidelines like the latest CIEM best practices from the Identity Defined Security Alliance, which are part of the overarching Identity and Access Management best practices, help to avoid confusion and complexity. They’re also vital to preventing people and services from being provided with excessive privileges.

The latest cloud entitlements best practices outline how enterprises should manage their identities and privileges in cloud environments. Enterprises increasingly rely on cloud infrastructure, so the permissions granted to human and service identities are vital to securely managing cloud-based resources.

To manage entitlements, organizations need access to an inventory of their cloud identities and resources to maintain an updated catalog of identities and permissions across their cloud infrastructure. This will ensure organizations constantly have visibility of all their identities, connections between their identities, the actions that human users and service identities can perform, and the resources they can access.

What are the latest CIEM best practices?

CIEM best practices apply to all organizations regardless of their level of IAM maturity, categorized as Newbie, Advanced, and Established. The latest CIEM best practices cover:

Listing and tracking all identity relationships: Ensuring complete visibility of users, devices, and more is a critical first step in the CIEM process. This involves creating lists of inventory resources and human and service identities, classifying privileged permissions, and discovering admins and privileged identities. As a result, businesses can effectively manage user entitlements, reduce their cloud infrastructure risk, and ensure people have access to only the resources they need to do their job effectively.

Monitoring access events and permissions: With cloud infrastructure permissions listed and tracked, it’s vital to continuously monitor, review, and analyze activity logs for all identities. This best practice confirms that users hold only the permissions they actually need and helps detect over-privileged identities. It also surfaces identities that are no longer in use or have been retired but still hold credentials, which pose a security risk until they are removed.

Processing logs to profile identities and detect anomalous behavior: Tracking the activity of identities helps businesses establish a baseline for every identity across their cloud infrastructure. This is a vital identity security process because it makes unusual or malicious behavior that deviates from the established norm quick to detect. It also limits how far an attacker who compromises a cloud identity can get before being noticed.

Generating least-privilege permission configurations: Businesses can use information from their cloud environment to understand which permissions have been granted and which are actually used. The gap between the two shows what can be removed, and what remains is the least-privilege configuration. This process also lets organizations produce policy documents that can be applied manually or through their infrastructure-as-code tooling.
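As an added illustration of the two preceding practices (profiling identities from logs, then deriving the permission gap and a least-privilege policy), the following Python example is not from the IDSA guidance or any vendor product. It reads constructed CloudTrail-style events, builds a per-identity set of actions actually performed (the baseline), compares that against an existing IAM policy, and emits a scoped-down policy document. The policy, the events, the role name and the account ID are all invented for the example, and the eventSource/eventName-to-IAM-action mapping is the common approximation (it is not exact for every service).

```python
"""Derive a least-privilege IAM policy from activity logs (added example).

Constructed inputs: an over-broad policy attached to a CI role, and a few
CloudTrail-style events. The eventSource prefix plus eventName is used as
an approximation of the IAM action name.
"""
import fnmatch
import json
from collections import defaultdict

# Constructed sample: the policy currently attached to the ci-deploy role.
GRANTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["ec2:Describe*", "ec2:TerminateInstances"], "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
    ],
}

# Constructed sample events (CloudTrail-like shape; account ID and role are invented).
ROLE_ARN = "arn:aws:sts::111122223333:assumed-role/ci-deploy/"
SAMPLE_EVENTS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject", "userIdentity": {"arn": ROLE_ARN + "build-42"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject", "userIdentity": {"arn": ROLE_ARN + "build-42"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances", "userIdentity": {"arn": ROLE_ARN + "build-43"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/other-role/x"}},
]


def identity_of(event):
    """Collapse assumed-role session ARNs onto the role so sessions share one profile."""
    arn = event["userIdentity"]["arn"]
    if ":assumed-role/" in arn:
        return "role/" + arn.split(":assumed-role/")[1].split("/")[0]
    return arn


def action_from_event(event):
    """Approximate IAM action: service prefix from eventSource plus eventName."""
    service = event["eventSource"].split(".")[0]
    return f"{service}:{event['eventName']}"


def used_actions(events):
    """Baseline profile: the set of actions each identity has actually performed."""
    profile = defaultdict(set)
    for ev in events:
        profile[identity_of(ev)].add(action_from_event(ev))
    return profile


def outside_baseline(profile, event):
    """Anomaly check: an action this identity has never performed before."""
    return action_from_event(event) not in profile.get(identity_of(event), set())


def granted_patterns(policy):
    """Flatten Allow statements into a list of action patterns (wildcards kept)."""
    patterns = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        acts = st["Action"]
        patterns.extend([acts] if isinstance(acts, str) else acts)
    return patterns


def matches(pattern, action):
    # IAM action matching is case-insensitive; '*' and '?' are its only wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def permission_gap(policy, used):
    """Compare granted patterns with observed actions.

    unused:    granted but never exercised -> candidates for removal
    broad:     wildcard grants that were exercised -> replace with explicit actions
    uncovered: observed actions no grant matches -> logs predate a policy change, investigate
    """
    patterns = granted_patterns(policy)
    unused = [p for p in patterns if not any(matches(p, a) for a in used)]
    broad = [p for p in patterns if "*" in p and any(matches(p, a) for a in used)]
    uncovered = sorted(a for a in used if not any(matches(p, a) for p in patterns))
    return {"unused": unused, "broad": broad, "uncovered": uncovered}


def least_privilege_policy(used):
    """Emit a policy containing only the observed actions, one statement per service."""
    by_service = defaultdict(list)
    for action in sorted(used):
        by_service[action.split(":")[0]].append(action)
    statements = [{"Effect": "Allow", "Action": acts, "Resource": "*"}
                  for _, acts in sorted(by_service.items())]
    return {"Version": "2012-10-17", "Statement": statements}


if __name__ == "__main__":
    profile = used_actions(SAMPLE_EVENTS)
    role = "role/ci-deploy"
    print("gap:", permission_gap(GRANTED_POLICY, profile[role]))
    print(json.dumps(least_privilege_policy(profile[role]), indent=2))
```

The generated policy still uses `"Resource": "*"`; scoping resources from the events' resource ARNs is the natural next refinement, and a short observation window will under-report rarely used actions, which is why the text recommends reviewing workload activity in staging before enforcing.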

Integrating the remediation of excessive permissions into existing workflows: Remediation of excessive permissions needs to be part of the organization’s normal change process. The appropriate stakeholders are informed of over-privileged identities, tickets are opened and assigned so the change can be approved and applied, and, where possible, the corrected policy documents are applied automatically.

Generating least-privilege policies on demand: It’s crucial to review workload activity early, while a workload is still in a testing or staging environment. This enables ongoing assessment of permissions and enforcement of minimum permissions as early as possible, a process known as “shifting left.” Enforcement can also be embedded into organizations’ CI/CD pipelines, so the least-privilege policy is checked and applied as part of the automated software delivery process.

Managing just-in-time access: Time is critical to achieving least-privilege access. CIEM implementations should allow organizations to provide developers with just-in-time access, based on justification and authorized approval, to ensure privileged permission only when required and at the time required.

Securing identity postures: This step is vital to reducing an organization’s chance of suffering a data breach. CIEM solutions should help businesses detect and remediate vulnerable identities as quickly as possible, before a malicious actor can compromise them. The detection process includes finding static credentials that haven’t been rotated, keys or passwords that haven’t been used in a while, a lack of multi-factor authentication (MFA) enforcement, and the use of passwords that aren’t complex enough.
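The following Python example is added here to show what the identity-posture checks above look like in practice; it is not from the IDSA guidance or any vendor product. It runs over a constructed credential report in the column layout of the AWS IAM credential report (a subset of its columns, with invented users and dates) and flags password users without MFA, stale passwords, and active access keys that have not been rotated or used within a chosen window. The 90-day window and the fixed reference date are assumptions for the example.

```python
"""Identity posture findings from a credential report (added example).

Constructed sample in the AWS IAM credential report column layout (subset of
columns). Users, dates and the 90-day threshold are invented for illustration.
"""
import csv
import io
from datetime import datetime, timezone

SAMPLE_REPORT = """\
user,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
alice,true,2022-09-29T08:00:00+00:00,true,true,2022-08-15T09:00:00+00:00,2022-09-30T11:00:00+00:00,false,N/A,N/A
bob,true,2022-09-20T14:00:00+00:00,false,false,N/A,N/A,false,N/A,N/A
svc-backup,false,no_information,false,true,2021-03-01T00:00:00+00:00,2022-09-28T02:00:00+00:00,false,N/A,N/A
legacy-deploy,false,no_information,false,false,N/A,N/A,true,2022-08-01T00:00:00+00:00,N/A
"""

# Fixed reference date (assumption) so the results are reproducible offline.
NOW = datetime(2022, 10, 1, tzinfo=timezone.utc)
MAX_AGE_DAYS = 90  # assumed rotation / inactivity threshold


def parse_ts(value):
    """Timezone-aware datetime, or None for the report's N/A-style placeholders."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def age_days(value, now=NOW):
    """Days since the given timestamp; None when the report has no timestamp."""
    ts = parse_ts(value)
    return None if ts is None else (now - ts).days


def assess_user(row, now=NOW, max_age=MAX_AGE_DAYS):
    """Return posture findings for one report row, in fixed order."""
    findings = []
    if row["password_enabled"] == "true":
        if row["mfa_active"] != "true":
            findings.append("no_mfa")
        pw_age = age_days(row["password_last_used"], now)
        if pw_age is None or pw_age > max_age:
            findings.append("password_unused")
    for slot in ("access_key_1", "access_key_2"):
        if row[f"{slot}_active"] != "true":
            continue  # inactive keys cannot be used; skip them
        rotated = age_days(row[f"{slot}_last_rotated"], now)
        if rotated is None or rotated > max_age:
            findings.append(f"{slot}_not_rotated")
        used = age_days(row[f"{slot}_last_used_date"], now)
        if used is None or used > max_age:
            findings.append(f"{slot}_unused")
    return findings


def posture_findings(report_csv, now=NOW):
    """Map each user in the report to its list of findings."""
    reader = csv.DictReader(io.StringIO(report_csv))
    return {row["user"]: assess_user(row, now) for row in reader}


if __name__ == "__main__":
    for user, findings in posture_findings(SAMPLE_REPORT).items():
        print(f"{user:15} {', '.join(findings) or 'ok'}")
```

Password complexity is not visible in a credential report; that check belongs against the account password policy. An unused active key is a removal candidate, while a long-unrotated key that is still in use needs a rotation ticket rather than deletion, which is where the workflow-integration practice above comes in.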

Managing permission versioning: Organizations must keep track of previous versions of permissions in case they need to revert to them on demand. Changing permissions can lead to users or identities losing access to a service they require.

As organizations accelerate the adoption of the cloud, the complexity associated with managing identities and privileges will become more challenging and create greater risk. Discover how to keep your data and identities secure in the cloud by following our CIEM Best Practices and our IAM Best Practices overall.

Lior Zatlavi

Senior Cloud Security Architect, Ermetic


identity management & governance cloud security access control log management policy management

Blogs posted to the website are intended for educational purposes only and do not replace independent professional judgment.  Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA® Conference, RSA Security LLC or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.
