Page 53 - Cyber Defense Magazine RSA Edition for 2021

CIEM? Looks a lot like SIEM.


CIEM may look like and even sound like SIEM (security information and event management), but the two security solutions are not the same. While there may be some overlapping capabilities for cloud-first and hybrid environments with cloud-native SIEM vendors, none of them have the ability to extend their platform to manage and enforce entitlements and permissions for the multi-cloud and hybrid cloud enterprises. This management and enforcement of entitlements and permissions is a core competency of a comprehensive CIEM platform, and it enables organizations to design and implement Zero Trust architectures in multi-cloud and hybrid cloud environments. As multi-cloud adoption continues to increase across the industry, the movement of workloads to such environments requires in-depth visibility and analysis of cloud infrastructure accounts, permissions, entitlements and activity, and granular controls.



            Why is CIEM vital for organizations? The Cloud Permissions Gap.


A new attack surface has emerged in response to mass digital transformation: the Cloud Permissions Gap. CloudKnox threat research has uncovered that more than 90% of privileged identities within organizations’ cloud infrastructures (both human and machine) are using less than 5% of their permissions granted. This delta is known as the Cloud Permissions Gap, and it is a contributing factor to the rise of both accidental and malicious insider threats impacting enterprises of all sizes, as attackers are able to exploit an identity with misconfigured permissions and access across the organization’s critical cloud infrastructure.
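As an added illustration (not code from the article or from CloudKnox), the script below measures the gap described above over a constructed permission inventory and audit trail: for each identity it compares the permissions granted with those actually exercised, flags identities using less than 5% of their grants, and also marks the inactive and wildcard (break-glass) identities that the risk list below describes. The identity names, permission strings, 90-day inactivity window and input shape are all assumptions made for the example.

```python
from dataclasses import dataclass, field
GAP_THRESHOLD = 0.05  # the article's figure: privileged identities using < 5% of their grants
INACTIVE_DAYS = 90    # assumption: 90 days without any activity marks an identity inactive

@dataclass
class GapReport:
    identity: str
    granted: int           # permissions attached to the identity
    used: int              # distinct granted permissions actually exercised
    usage_ratio: float     # used / granted; 0.0 for a wildcard ("*") grant
    flags: list = field(default_factory=list)

def analyze(granted, activity, today):
    """granted: {identity: set(permission)}; activity: [(identity, permission, day)]
    from constructed audit logs; today: current day number. Returns {identity: GapReport}."""
    used = {ident: set() for ident in granted}
    last_seen = {}
    for ident, perm, day in activity:
        if ident not in granted:
            continue  # activity from an identity outside the managed inventory
        used[ident].add(perm)
        last_seen[ident] = max(day, last_seen.get(ident, day))
    reports = {}
    for ident, perms in granted.items():
        flags = []
        if "*" in perms:               # break-glass / super identity
            flags.append("super-identity")
            n_used, ratio = len(used[ident]), 0.0   # grant is unbounded
        else:
            n_used = len(used[ident] & perms)
            ratio = n_used / len(perms) if perms else 0.0
        if ident not in last_seen or today - last_seen[ident] > INACTIVE_DAYS:
            flags.append("inactive")
        elif ratio < GAP_THRESHOLD:
            flags.append("over-permissioned")  # active, but inside the permissions gap
        reports[ident] = GapReport(ident, len(perms), n_used, ratio, flags)
    return reports

# Constructed sample inventory and audit trail; not real cloud data.
SAMPLE_GRANTED = {
    "ci-deploy": {f"svc:Action{i}" for i in range(40)},  # 40 grants, exercises one
    "alice": {"s3:GetObject", "s3:ListBucket"},
    "break-glass": {"*"},
    "former-contractor": {"ec2:DescribeInstances"},
}
SAMPLE_ACTIVITY = [
    ("ci-deploy", "svc:Action7", 198), ("unknown-bot", "s3:GetObject", 200),
    ("alice", "s3:GetObject", 199), ("alice", "s3:ListBucket", 200),
    ("former-contractor", "ec2:DescribeInstances", 10),  # last seen 190 days ago
]
```

Calling `analyze(SAMPLE_GRANTED, SAMPLE_ACTIVITY, today=200)` reports the CI identity as over-permissioned (1 of 40 grants used), the contractor as inactive, and the wildcard account as both a super identity and inactive.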



Specific risks and challenges associated with the Cloud Permissions Gap include:




● Inactive identities and super identities. Every company has at least a few inactive identities—former employees, testing, POCs, etc.—just hanging out there. Even more dire, there are other identities known as “break-glass accounts” or super identities that are floating around with unlimited permissions and unrestricted access to all cloud resources offered across the organization.
● Over-permissioned active identities. Continuously tracking and monitoring the proliferation of new services, roles and permissions in the cloud is almost impossible to do manually.
● Cross-account access. Organizations leverage cross-account roles to allow identities to access different environments—development, test, production, etc.—and allow third-party entities to access their accounts. This is both convenient and a potential vulnerability for the organization. The inherent danger is when an identity and access management (IAM) role in these instances is over-provisioned. Since these roles grant permissions to an entire account, the misconfigured permissions tied to the role can cause significant—and costly—ripple effects.
● Anomalous behavior among machine identities. Machine or non-human identities consist of scripts, bots, access keys and others, and they typically perform the same repetitive actions. If a