Sysdig
Cloud Native Learning Hub


What Is Cloud Infrastructure Entitlements Management (CIEM)?

It’s not unusual for a modern cloud environment to include thousands of human users, applications, services, and other assets, each with a unique set of permission and access requirements to do its job.

How do you keep track of the access rights assigned to all of these human and machine users? In particular, how do you ensure that each user has only the level of access privileges necessary and avoid excessive privileges that could lead to security risks?

The answer is Cloud Infrastructure Entitlements Management, or CIEM: a systematic approach to discovering, assessing, and managing access rights and permissions – collectively known as entitlements – across cloud environments.

Keep reading for an overview of how CIEM works and why it’s important in the context of modern cloud security.

What Are Cloud Entitlements?

To understand Cloud Infrastructure Entitlements Management, you must first understand cloud entitlements.

A cloud entitlement is an access privilege assigned to a specific human or machine identity in a cloud environment. For example, an entitlement in AWS could be defined through an Identity and Access Management (IAM) policy such as the following S3 bucket policy. It lets the root principals of two AWS accounts add objects to a bucket, but only when the upload sets the `public-read` canned ACL: the condition narrows the grant, and it also means that every object written under it is world-readable unless the bucket blocks public ACLs.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AddCannedAcl",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::111122223333:root",
          "arn:aws:iam::444455556666:root"
        ]
      },
      "Action": ["s3:PutObject"],
      "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*",
      "Condition": {
        "StringEquals": {"s3:x-amz-acl": ["public-read"]}
      }
    }
  ]
}
```

As a second example, here is an Azure custom role definition whose assignees can read Compute resources and start, restart, and deallocate virtual machines within one subscription. Note that a role definition grants nothing by itself; the entitlement only takes effect once the role is assigned to a principal at some scope:

```json
{
  "Name": "Virtual Machine Operator",
  "IsCustom": true,
  "Description": "Can deallocate, start and restart virtual machines.",
  "Actions": [
    "Microsoft.Compute/*/read",
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Compute/virtualMachines/restart/action",
    "Microsoft.Compute/virtualMachines/deallocate/action"
  ],
  "NotActions": [],
  "AssignableScopes": [
    "/subscriptions/11111111-1111-1111-1111-111111111111"
  ]
}
```

A third example is a container whose operating-system privileges are constrained through a Kubernetes security context like the one below: the container runs as UID 2000 and cannot gain more privileges than its parent process. Strictly speaking, a security context governs what the workload's processes may do on the node, while permissions against the Kubernetes API are granted separately through RBAC; both are entitlements in the CIEM sense.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo-2
spec:
  securityContext:
    runAsUser: 1000            # pod-level default UID for all containers
  containers:
  - name: sec-ctx-demo-2
    image: gcr.io/google-samples/node-hello:1.0
    securityContext:
      runAsUser: 2000          # container-level setting overrides the pod default
      allowPrivilegeEscalation: false   # no setuid binaries or capability gains
```

In all of these examples, a policy file assigns specific rights or restrictions to a human or machine identity, or to a workload, within a cloud environment.

Cloud Entitlements vs. Permissions vs. Privileges

You may be wondering why we use the term “entitlement” in the context of CIEM instead of “permission” or “privilege.” That’s a fair question, given that the latter terms have traditionally been used to refer to the actions an identity may perform on resources within a cloud environment.

The reason the term “cloud entitlement” has come into vogue in recent years as an alternative to words like “permissions” and “privileges” is that “entitlement” encompasses all types of operations that can be enabled for both machine and human users.

In other words, older terminology is more restrictive, or it may be interpreted to apply only within certain domains or certain access control systems. In contrast, cloud entitlements refer to virtually any type of permission or privilege that can be assigned in a cloud environment using any type of system.

CIEM Is about More than Just Cloud Infrastructure Entitlements

Note, too, that despite the term “Cloud Infrastructure Entitlements Management,” CIEM doesn’t apply solely to entitlements associated with cloud infrastructure. Applications, services, and any other type of entity that runs in the cloud can be governed by entitlements.

The CIEM terminology is perhaps a little misleading from this perspective, but it is the term that has stuck.

Managing Identity Permissions in the Cloud

The cloud entitlement examples above define entitlements using code and the identity and access management tooling built into different clouds (or Kubernetes, in the case of the third example).

Code is one way to manage entitlements. But you can also manage them through cloud consoles or other administrative interfaces that allow you to define which users can do what.

In addition to providing tooling for defining permissions, most clouds (and platforms that can run in the cloud, like Kubernetes) include tools to help keep track of which entitlements are assigned where. Some tools also provide auditing functionality designed to alert you to entitlement configurations that violate security policies you’ve set (or ones associated with certain compliance frameworks).

The tools that cloud vendors provide for these purposes are useful to a point, but they are subject to two main limitations:

  1. They usually use cloud providers’ IAM frameworks to track entitlements. As a result, they may miss entitlements assigned using other tools or frameworks, like Kubernetes security contexts, that are not native to a particular public cloud platform.
  2. They usually work only within a single cloud platform. If you use multiple clouds, then, you’ll need to track entitlements using separate tools, which is burdensome and increases the risk of overlooking entitlement issues.

The Role of CIEM in Modern Cloud Security

If you know much about cloud security, you know that the idea of systematically vetting permission configurations to identify security problems is nothing new. That’s the task that Cloud Security Posture Management, or CSPM, tools have been handling for years. CSPM tools are widely deployed as part of modern cloud security strategies to check for misconfigurations, such as publicly accessible object storage bucket data, that could invite a breach.

However, given the increasing complexity of cloud environments, CSPM on its own often falls short of delivering full visibility into cloud security risks. CSPM tools are designed primarily to check for configurations that are known to be insecure, as opposed to assessing the entitlements granted to each identity and determining whether they exceed what that identity actually needs to do its job.

CIEM fills in the gaps in CSPM in several ways.

Granular Entitlement Assessment

By validating entitlements in a highly granular, user-by-user manner, CIEM tools go much further than merely finding configuration issues. They allow you to determine on a proactive basis whether entitlements violate the principle of least privilege.

Continuous Assessment

Because CIEM tools validate entitlements continuously rather than at scheduled scans, they can detect excess entitlements as soon as a policy changes.

For example, a CIEM tool might flag a cloud account that in the past was only able to run virtual machines, but has gained the ability to delete them as well. That could be a legitimate change, but it could also be an example of an unnecessary entitlement that should be rolled back.
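The two assessments described above, granular least-privilege checking and detection of newly granted rights, come down to the same computation: expand what a policy actually grants, then compare it with what the identity uses and with what it was granted before. The following is an added example, not Sysdig's code or any CIEM product's logic. The action catalogue, the two policy snapshots, the role ARN, and the CloudTrail-shaped event records are all constructed sample data.

```python
"""Least-privilege assessment and entitlement drift over IAM-style policies.

Added example, not Sysdig's code. It expands the actions an AWS-style
policy grants, compares them with the actions an identity has actually
been observed using, and diffs two snapshots of the same policy to flag
newly granted entitlements (the "could only run VMs, can now delete them"
case). The action catalogue, policies and event records below are
constructed sample data shaped like IAM policies and CloudTrail events.
"""
from fnmatch import fnmatchcase

# Constructed catalogue of concrete actions a wildcard may expand to. A real
# assessment would use the provider's complete action list.
ACTION_CATALOGUE = [
    "ec2:DescribeInstances", "ec2:RunInstances", "ec2:StartInstances",
    "ec2:StopInstances", "ec2:TerminateInstances",
    "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket",
]

# Newly acquired rights that warrant review even when the change is legitimate.
DESTRUCTIVE = {"ec2:TerminateInstances", "s3:DeleteObject"}

ROLE = "arn:aws:iam::111122223333:role/vm-operator"   # constructed principal

# Constructed snapshots of the role's policy: yesterday it could only run,
# start and stop instances; today it holds ec2:* and most of S3.
OLD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*", "Action": [
        "ec2:Describe*", "ec2:RunInstances", "ec2:StartInstances", "ec2:StopInstances"]}]}
NEW_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*", "Action": ["ec2:*", "s3:*"]},
    {"Effect": "Deny", "Resource": "*", "Action": "s3:DeleteObject"}]}

# Constructed usage sample in CloudTrail's eventSource/eventName shape.
EVENTS = [
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": {"arn": ROLE}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "userIdentity": {"arn": ROLE}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "TerminateInstances",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/cleanup"}},
]


def granted_actions(policy, catalogue=ACTION_CATALOGUE):
    """Return the catalogue actions the policy allows.

    Handles a string or list in "Action", case-insensitive wildcards (IAM
    matches action names case-insensitively) and explicit Deny statements,
    which override any Allow. Conditions are ignored, so the result is an
    upper bound on what the identity can do.
    """
    allowed, denied = set(), set()
    for stmt in policy.get("Statement", []):
        patterns = stmt.get("Action", [])
        if isinstance(patterns, str):
            patterns = [patterns]
        bucket = allowed if stmt.get("Effect") == "Allow" else denied
        for pattern in patterns:
            bucket.update(a for a in catalogue
                          if fnmatchcase(a.lower(), pattern.lower()))
    return allowed - denied


def used_actions(events, principal):
    """Actions the principal exercised, derived from CloudTrail-style events."""
    return {e["eventSource"].split(".")[0] + ":" + e["eventName"]
            for e in events if e["userIdentity"]["arn"] == principal}


def unused_entitlements(policy, events, principal):
    """Granted actions the principal never used in the sample: removal candidates."""
    return sorted(granted_actions(policy) - used_actions(events, principal))


def entitlement_drift(old_policy, new_policy):
    """Actions new_policy grants that old_policy did not, split by risk."""
    gained = granted_actions(new_policy) - granted_actions(old_policy)
    return {"destructive": sorted(gained & DESTRUCTIVE),
            "other": sorted(gained - DESTRUCTIVE)}


if __name__ == "__main__":
    print("unused:", unused_entitlements(NEW_POLICY, EVENTS, ROLE))
    print("drift:", entitlement_drift(OLD_POLICY, NEW_POLICY))
```

Run stand-alone, the script reports that the role has never used six of the eight actions it now holds and that the policy change granted it `ec2:TerminateInstances`, which is exactly the kind of legitimate-or-not change a reviewer should be asked about. The expansion deliberately ignores `Condition` blocks and resource scoping, so it over-approximates what the identity can do; that is the right direction of error for a least-privilege check, but a production tool would evaluate conditions and resource ARNs as well.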

Automated Remediation

Some CIEM tools can automatically make changes to entitlement policies to address risks, especially in cases where modifying the policies is straightforward. In other situations, however, human admins have to intervene manually to address entitlement issues.

Massive Scale

CIEM allows you to automate entitlement management even if you have hundreds of thousands of entitlements to manage – as you may in a modern cloud environment that includes dozens of accounts and hundreds of applications, services, and infrastructure resources operating in each one.

Multi-Cloud Support

As we’ve seen, the ways in which cloud entitlements are defined and managed can vary widely depending on which clouds you use and which services you run in them. Each public cloud has its own native IAM framework. On top of this, you might run other platforms or services in the cloud, such as Kubernetes, that use separate frameworks to define entitlements.

An advantage of CIEM is that it enables automated entitlement management across all services and platforms within a complex, multi-cloud environment. You don’t need to juggle multiple tools or learn the ins and outs of different access control frameworks to keep track of entitlements. CIEM tools automatically assess entitlement configurations for you and alert you when something is wrong.
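What makes cross-cloud assessment possible is a common entitlement model: once an AWS policy statement and an Azure role definition are both flattened into "who may do what, on which scope, under which conditions," the same least-privilege rules can run over both. The following added example, which is not Sysdig's code or any CIEM product's schema, parses the AWS bucket policy and the Azure custom role shown earlier on this page into such a model and reviews them together. The `Entitlement` record, the review rules, and the file names passed as `source` are this example's own assumptions.

```python
"""One entitlement model for two cloud IAM dialects.

Added example, not Sysdig's code. It parses the AWS bucket policy and the
Azure custom role shown earlier on this page into a common Entitlement
record and runs the same least-privilege review over both. The model and
the rules are this example's assumptions, not any CIEM product's schema.
"""
from collections import Counter
from dataclasses import dataclass

# The two entitlement definitions from the page, embedded as Python literals.
AWS_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "AddCannedAcl", "Effect": "Allow",
    "Principal": {"AWS": ["arn:aws:iam::111122223333:root",
                          "arn:aws:iam::444455556666:root"]},
    "Action": ["s3:PutObject"],
    "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*",
    "Condition": {"StringEquals": {"s3:x-amz-acl": ["public-read"]}}}]}
AZURE_ROLE = {
    "Name": "Virtual Machine Operator", "IsCustom": True,
    "Actions": ["Microsoft.Compute/*/read",
                "Microsoft.Compute/virtualMachines/start/action",
                "Microsoft.Compute/virtualMachines/restart/action",
                "Microsoft.Compute/virtualMachines/deallocate/action"],
    "NotActions": [],
    "AssignableScopes": ["/subscriptions/11111111-1111-1111-1111-111111111111"]}


@dataclass
class Entitlement:
    cloud: str
    principal: str         # who may act; "*" means anyone
    action: str
    scope: str             # AWS resource ARN or Azure scope path
    condition: tuple = ()  # (key, value) pairs that narrow the grant
    excludes: tuple = ()   # Azure NotActions patterns subtracted from action
    source: str = ""       # file or object the grant was read from


def _as_list(value):
    return value if isinstance(value, list) else [value]


def from_aws_policy(doc, source):
    """One record per (principal, action, resource) of each Allow statement.

    Deny statements remove rights rather than granting them, so they are
    left to the policy evaluator instead of becoming entitlements.
    """
    out = []
    for stmt in doc["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", "<attached identity>")  # identity policies carry none
        if isinstance(principal, dict):  # {"AWS": [...]}, {"Service": ...}, ...
            principals = [p for v in principal.values() for p in _as_list(v)]
        else:
            principals = [principal]     # "*" or the placeholder above
        condition = tuple((key, value)
                          for operator in stmt.get("Condition", {}).values()
                          for key, values in operator.items()
                          for value in _as_list(values))
        for p in principals:
            for action in _as_list(stmt["Action"]):
                for resource in _as_list(stmt["Resource"]):
                    out.append(Entitlement("aws", p, action, resource, condition, (), source))
    return out


def from_azure_role(doc, source):
    """One record per (action, assignable scope) of a custom role definition.

    A role definition names no principal; identities receive it through a
    separate role assignment, so the holder is recorded as the role's assignees.
    """
    holder = "<assignees of role '%s'>" % doc["Name"]
    excludes = tuple(doc.get("NotActions", []))
    return [Entitlement("azure", holder, action, scope, (), excludes, source)
            for action in doc["Actions"] for scope in doc["AssignableScopes"]]


DESTRUCTIVE_VERBS = ("delete", "terminate", "purge")


def _broad_scope(e):
    if e.cloud == "aws" and e.scope == "*":
        return "applies to every resource"
    if e.cloud == "azure" and len([p for p in e.scope.split("/") if p]) <= 2:
        return "assignable at subscription scope or above"  # "/" or "/subscriptions/<id>"
    return None


def review(entitlements):
    """Apply the same least-privilege rules whichever cloud defined the grant."""
    findings = []
    for e in entitlements:
        if e.principal == "*":
            findings.append((e, "granted to any principal"))
        if "*" in e.action:
            findings.append((e, "wildcard action"))
        if any(verb in e.action.lower() for verb in DESTRUCTIVE_VERBS):
            findings.append((e, "destructive action"))
        if reason := _broad_scope(e):
            findings.append((e, reason))
        if ("s3:x-amz-acl", "public-read") in e.condition:
            findings.append((e, "only public-read uploads allowed: every object written is world-readable"))
    return findings


def report(findings):
    """Count findings by reason, for a quick cross-cloud summary."""
    return dict(Counter(reason for _, reason in findings))


if __name__ == "__main__":
    records = (from_aws_policy(AWS_BUCKET_POLICY, "bucket-policy.json")
               + from_azure_role(AZURE_ROLE, "vm-operator-role.json"))
    for e, reason in review(records):
        print("%s %-45s %s" % (e.cloud, e.action, reason))
    print(report(review(records)))
```

On the page's two examples the review flags the wildcard in `Microsoft.Compute/*/read`, the subscription-wide assignable scope of the Azure role, and the `public-read` condition on the bucket policy; the point is that none of those rules had to know which cloud it was looking at. The flattening loses information that matters for exact evaluation (AWS Deny statements, Azure NotActions narrowing a wildcard, the tree of scopes an Azure assignment actually lands on), so a real CIEM tool keeps the original policy alongside the normalized record and resolves effective permissions against it.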

Do You Need CIEM?

Not every business or cloud environment requires CIEM. If you have a relatively simple cloud environment – one that includes just one cloud platform, one cloud account, and a handful of cloud services running in it – you may be able to get by using CSPM alone, combined with manual analysis of your cloud entitlement configurations.

But if you use multiple clouds or multiple access control frameworks, CIEM is essential for keeping track of entitlements and identifying excess entitlement issues across all of them. Indeed, even if you use just one cloud platform and one access control framework, but you have hundreds or thousands of entitlements configured on it, you’ll benefit from CIEM as an efficient and automated means of ensuring that each entitlement is properly defined.

Conclusion

As cloud environments grow larger and more complex, Cloud Infrastructure Entitlements Management will become part and parcel of the cloud security strategies of more and more organizations. Traditional cloud security practices that focus on misconfigurations alone don’t cut it when you have a large number of entitlements to track, and when those entitlements are defined in varying ways. CIEM automates complex entitlement management operations so you can have confidence that each cloud entitlement allows your users to do what they need to do, but no more than that.