Manage the Cloud Permissions Gap to Achieve Zero Trust

The Cloud Permissions Gap exposes organizations to highly exploitable risk, combined with the inability to implement and manage Zero-Trust policies.

Dark Reading Staff, Dark Reading

February 8, 2021

5 Min Read

In 2020, when organizations were prioritizing digital transformation so they could pivot to remote work on an unprecedented scale, Gartner added a new category to its 2020 Hype Cycle for Identity and Access Management Technologies called Cloud Infrastructure Entitlement Management (CIEM).

CIEM? Looks a lot like SIEM.

CIEM may look like and even sound like SIEM (security information and event management), but the two security solutions are not the same.

While there may be some overlapping capabilities for cloud-first and hybrid environments with cloud-native SIEM vendors, none of them have the ability to extend their platform to manage and enforce entitlements and permissions for the multi-cloud and hybrid cloud enterprises. This management and enforcement of entitlements and permissions is a core competency of a comprehensive CIEM platform, and it enables organizations to design and implement zero-trust architectures in multi-cloud and hybrid cloud environments.

As multi-cloud adoption continues to increase across the industry, the movement of workloads to such environments requires in-depth visibility and analysis of cloud infrastructure accounts, permissions, entitlements and activity, and granular controls.

Why is CIEM vital for organizations? The Cloud Permissions Gap.

A new attack surface has emerged in response to mass digital transformation: the Cloud Permissions Gap.

CloudKnox threat research has uncovered that more than 95% of privileged identities (both human and machine) within organizations' cloud infrastructures are using less than 2% of their permissions granted. This delta is known as the Cloud Permissions Gap, and it is a contributing factor to the rise of both accidental and malicious insider threats impacting enterprises of all sizes, as attackers are able to exploit an identity with misconfigured permissions and access across the organization's critical cloud infrastructure.

Specific risks and challenges associated with the Cloud Permissions Gap include:

Inactive identities and super identities. Every company has at least few inactive identities—former employees, testing, POCs, etc.—just hanging out there. Even more dire, there are other identities known as "break-glass accounts" or super identities that are floating around with unlimited permissions and unrestricted access to all cloud resources offered across the organization.

Over-permissioned active identities. Continuously tracking and monitoring the proliferation of new services, roles and permissions in the cloud is almost impossible to do manually.

Cross-account access. Organizations leverage cross-account roles to allow identities to access different environments—development, test, production, etc.—and allow third-party entities to access their accounts. This is both convenient and a potential vulnerability for the organization. The inherent danger is when an identity access management (IAM) role in these instances is over-provisioned. Since these roles grant permissions to an entire account, the misconfigured permissions tied to the role can cause significant—and costly—ripple effects.

Anomalous behavior among machine identities. Machine or non-human identities consist of scripts, bots, access keys and others, and they typically perform the same repetitive actions. If a machine identity executes an action it has never performed on a resource that it has never accessed, chances are someone is misusing the credentials.

The Cloud Permissions Gap exposes organizations to highly exploitable risk combined with the inability to implement and manage zero-trust policies. This is why enterprises adopting cloud-first strategies must leverage a multi-cloud entitlements and permissions management platform that provides comprehensive visibility, automated remediation, continuous monitoring and compliance.

How to close the Cloud Permissions Gap with CIEM

CIEM is the next generation of solutions for managing access and enforcing least privilege and zero-trust access in the cloud. With the benefit of a SaaS offering that deploys in minutes with full up-and-running capabilities in 24 hours or less, here are three ways CIEM can help organizations secure their cloud infrastructure right now:

  1. Leverage activity-based authorization to right-size permissions of identities.
    To accomplish this, the organization empowered by a CIEM solution would remove or scope down permissions for over-privileged users, service accounts and groups automatically. Then it would enable high-risk permissions on demand with controlled timed access using an integrated approval workflow, restricting broad access to critical cloud infrastructure resources.

  2. Identify, improve and monitor Identity and Access Management (IAM) hygiene continuously.
    A CIEM solution allows the organization to migrate from static, assumption-based permission grant processes to continuous, activity-based permissions management processes—helping the organization to monitor, get alerts, and remediate anomalous identity behavior, unauthorized identities and roles.

  3. Implement automated, continuous compliance and reporting.
    To remain compliant and secure, it is essential that organizations restrict access to virtual machines. CIEM can help by removing inbound Secure Shell (SSH) and remote desktop (RDP) access in security groups automatically. Organizations leveraging CIEM can also adopt best practices, such as enabling multi factor authentication (MFA) for all identities with console access; rotating credentials and manage keys regularly; and automating custom risk reports across all accounts using NIST 800-53, CIS Benchmarks and AWS Well-Architectured reporting to drive compliance.

The Cloud Permissions Gap across an organization's cloud infrastructure is exponentially getting more dangerous as bad actors exploit those identities to exfiltrate sensitive information from growing attack vectors. By instituting best practices for cloud permissions and entitlements management and leveraging automated technologies that reinforce those best practices—like CIEM—organizations will be better suited to protect critical cloud infrastructure resources and identities in their hybrid and multi-cloud environments.

Organizations continuing to prioritize digital transformation and cloud-first strategies are not complete without a robust, scalable CIEM platform, especially as they strive to implement a zero-trust architecture.

To learn more, please check out the following resources:


About the Author:

Raj Mallempati, CloudKnox COO: Raj Mallempati recently joined CloudKnox Security as Chief Operating Officer, where he is responsible for CloudKnox's overall business and go-to-market strategies. Prior to joining CloudKnox, Raj was most recently the SVP of Marketing at Malwarebytes. Raj has also held positions as the VP of Global Marketing at MobileIron, VP of Product Marketing at Riverbed Technology, and was the Director of Marketing and Business Strategy at VMware. He holds an MBA from The Wharton School, University of Pennsylvania, MS, Computer Science from the University of Texas, and a B.Tech from Indian Institute of Technology, Madras.

About the Author(s)

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights