RSAC insights: How the ‘CIEM’ framework is helping companies manage permissions glut

By Byron V. Acohido

A permissions glut is giving rise to an explosion of new exposures in modern business networks.

Related: Securing digital identities

Companies are adopting multi-cloud and hybrid cloud infrastructures and relying on wide-open app development like never before. In doing so, permissions to make myriad software connections are proliferating. Taken together these human-to-machine and machine-to-machine connections result in cool new digital services. But they’ve also dramatically expanded the attack surface and left it wide open to threat actors.

Now comes an emerging security discipline to help companies get a grip on all of these permissions. It’s called “cloud infrastructure entitlement management,” or CIEM, not to be confused with security information and event management, or SIEM, which is something else altogether.

Last Watchdog visited with Raj Mallempati, chief operating officer of CloudKnox Security, a Sunnyvale, Calif.-based cybersecurity firm, to get a better understanding of emergent CIEM systems. For a full drill down on our discussion please give a listen to the accompanying podcast. Here are key takeaways:

The permissions glut

Managing permissions in a way that doesn’t unduly tax agility has become a Gordian Knot security challenge. To start, the raw volume of permissions continues to rise exponentially. Consider that global spending on cloud infrastructure services jumped 32 percent to nearly $40 billion in the last quarter of 2020. This reflects the rise in remote work and schooling, as well as spikes in online shopping, gaming and media streaming over the past 12 to 18 months.

Even before Covid-19, companies were on a digitizing binge. To deliver on all of these rich digital services, hundreds of billions of human-to-machine and machine-to-machine identities, each represented by an account, must be connected on the fly. And each new connection represents another access point that can potentially be maliciously manipulated by an unauthorized party.

In the chase for agility, companies have been provisioning account access and granting privileged access — to both human and machine identities — far too loosely, Mallempati told me.

For instance, a typical large organization might have something on the order of 40,000 permissions associated with the Amazon Web Services or Microsoft Azure systems it now uses. What’s more, upwards of 90 percent of these permissions are going mostly unused and are not at all closely monitored, he says.


Mallempati observes: “There’s been a massive increase in the number of human and machine identities accessing cloud infrastructure over the past 12 months. Almost every company has some form of a work from home initiative, and this has just accelerated adoption of these public cloud services . . . A second reason we’re seeing so many over-provisioned identities is just the fact that they are being introduced by AWS, by Azure and by Google Cloud Platform; pretty much every quarter you’ll see a couple of new services, and each new service has 50 to 100 more permissions associated with it.”

Granular visibility

Large enterprises are becoming more cognizant of this growing permissions gap. The ones with strong security postures are shoring up their SIEM systems with updated orchestration and automated response tools. SIEMs have been around for 15 years; they gather event log data from Internet traffic, corporate hardware, and software assets, and then generate meaningful security intelligence from masses of potential security events. And they are also turning to advanced identity and access management (IAM) technologies and adopting concepts like zero trust network access (ZTNA) to try to close this gap.

And now along comes CIEM, a complementary security framework defined and coined by Gartner in July 2020. CIEM tools complement IAM services by going to a deeper level of monitoring and policy enforcement, Mallempati told me. CloudKnox, for instance, helps companies gain granular visibility and control specifically over cloud infrastructure accounts, drilling down on any activity having to do with the issuing, maintaining and use of permissions and entitlements. This all happens at the level where permissions and connections are being conjured dynamically, on the fly.

CloudKnox’s platform takes stock of who has what permissions, and then builds a baseline of actual usage patterns of permissions. It then applies data analytics to continually cull permissions back closer to the baseline. For example, it will over time build a usage profile for an employee who has been granted 9,000 permissions, but really only needs to use 200 to do her job.

“Step one is giving visibility, but it’s not good enough to just give granular visibility,” Mallempati says. “So, there’s also an automated remediation component. Let’s go and make sure that we can fix these over-provisioned identities.”

Tightening down permissions for an IT staffer with straightforward duties is all fine and well. But what about software developers engaging in wide-open DevOps collaborations? Mallempati explained that developers can be assigned highly privileged permissions on an as-needed basis, and these access rights can be set to expire once they are no longer needed.

“Additional permission can be granted on-demand, based on some cool workflow, to get the job done,” he says. “Granular visibility allows you to remediate and right-size the over-provisioning of identities and also deliver permissions on demand. This is how you can manage entitlements in a cloud environment.”

Cybersecurity overlap

Streamlining permissions and optimizing the use of permissions makes a lot of sense from an operational perspective. But the benefits of CIEM tools don’t stop there. It turns out the proactive management of both the distribution and usage of permissions in a modern network overlaps the direction cybersecurity is heading.

Consider how businesses of all sizes and in all sectors are increasingly relying on AWS for cloud-supplied processing power and storage and Office 365 for cloud-issued productivity tools and email. CIEM systems can complement and supplement access policy enforcement getting done in advanced IAM systems. At the same time, CIEM systems also reinforce the core tenets of ZTNA, like least privilege access and micro-segmentation.

Meanwhile, by deriving and continually updating a clear, baseline view of the usage patterns of permissions, CIEM tools will also naturally flush out anomalous activity.

“Once you’ve right-sized permissions granted to an identity, then the next big business problem is to detect anomalous behavior that might be executed by an identity,” Mallempati says. “An algorithm can look at historical activity of any given identity and match patterns to normal, baseline behaviors, and if there is any deviation we can identify it, send out an alert and also stop the access.”
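The two steps described above (right-sizing an identity against its observed usage baseline, then treating a granted-but-never-exercised permission as an anomaly when it is suddenly used) can be sketched in a few dozen lines. This is an added illustration written for this article, not CloudKnox code; the identities, permission names and audit events are constructed and the `check_event` outcome labels are my own.

```python
"""Toy CIEM right-sizing and anomaly check (added example, not CloudKnox code).

Assumes a constructed inventory of granted permissions per identity and a
constructed activity log of (identity, action) events in the style of a cloud
audit trail. Permission names are illustrative, not a real provider's list.
"""
from collections import Counter, defaultdict

# Constructed inventory: what each identity is *allowed* to do.
GRANTED = {
    "alice": {"s3:GetObject", "s3:PutObject", "s3:DeleteBucket",
              "iam:CreateUser", "iam:AttachUserPolicy", "ec2:DescribeInstances"},
    "build-bot": {"s3:GetObject", "s3:PutObject", "ec2:RunInstances",
                  "ec2:TerminateInstances", "iam:PassRole"},
}

# Constructed baseline window: what each identity actually *did*.
BASELINE_LOG = [
    ("alice", "s3:GetObject"), ("alice", "s3:GetObject"),
    ("alice", "ec2:DescribeInstances"), ("alice", "s3:PutObject"),
    ("build-bot", "s3:GetObject"), ("build-bot", "s3:PutObject"),
    ("build-bot", "ec2:RunInstances"), ("build-bot", "ec2:RunInstances"),
]


def build_baseline(log):
    """Count how often each identity exercised each permission."""
    baseline = defaultdict(Counter)
    for identity, action in log:
        baseline[identity][action] += 1
    return baseline


def right_size(granted, baseline):
    """Per identity: permissions to keep (used in the window) and to revoke (never used)."""
    report = {}
    for identity, perms in granted.items():
        used = set(baseline.get(identity, Counter()))
        report[identity] = {"keep": perms & used, "revoke": perms - used}
    return report


def check_event(identity, action, granted, baseline):
    """Classify a new audit event against the identity's usage baseline."""
    if action not in granted.get(identity, set()):
        return "denied"   # never granted: the provider would refuse it anyway
    if action in baseline.get(identity, Counter()):
        return "normal"   # part of the established usage profile
    return "anomaly"      # granted but never exercised before: alert on it
```

Run over the constructed data, `right_size` flags alice's three never-used IAM and bucket-deletion permissions for revocation, and `check_event` marks a first-ever `iam:CreateUser` call by alice as an anomaly rather than normal use.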

CIEM systems essentially give companies that are caught up in cloud migration a proven methodology to more effectively – and securely – manage the deluge of permissions they’re granting day-to-day. I say ‘proven’ because this is very much how VISA and MasterCard are able to detect and deter fraudulent use of credit and debit cards, on a huge scale and in real time. Companies simply must narrow the permission gap. And borrowing transactional data analytics methodologies from the payment card industry is one way to do it. We’re on a good path. I’ll keep watch and keep reporting.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

(LW provides consulting services to the vendors we cover.)