Best Practice: Enabling Visibility as Part of Cloud Infrastructure Entitlements Management (CIEM)

Today’s modern enterprises rely heavily on cloud infrastructure, and permissions are essentially the backbone of access to cloud based resources. To effectively manage entitlements – access to your organization’s resources such as sensitive data and mission critical assets – the core proficiencies you need are: access to an inventory of all your cloud identities and resources, and; the ability to maintain an up-to-date catalog of the permissions that any identity in your cloud infrastructure has to any resource.

Simply put: your strategic goal should be to list and constantly track ALL existing connections between identities, the actions they can perform and the resources on which they can perform them.

The task may sound simple yet reality makes it difficult. The dynamic nature of cloud environments and the complexity of the permissions structures makes the task hard and nearly impossible to execute without dedicated technology and/or expertise. Despite the difficulty, given their importance, managing access permissions properly can be an incredibly effective guide to managing your entire cloud security strategy – and, as such, well worth your while.

The purpose of the visibility best practice description we present here is to break down the components involved in achieving the ability to list and track all identity relationships. By looking at each component separately, you can ensure you are covering all the bases needed to gain full visibility.

Implement these steps; each is in increasing order of complexity and resolution:

1. Create a categorized list of inventory resources – Start by creating an up-to-date list of the resources in your environment. The inventory should categorize all the assets (included but not limited to computing, serverless, data and network resources) in your cloud infrastructure by type. This step is essential as different types of resources have different actions, with different sensitivity levels associated with them.

2. List human and service identities – Next, list the identities inventory in your environment – those used by humans and those used by machines, such as computing and serverless resources. Note that as part of this process you should also map identities federated from outside the cloud environment (e.g. from an identity provider) that have access to the cloud environment. When done in a multi cloud environment – an environment based on multiple cloud providers – be sure to standardize the identification of identities across providers. Doing so enables you to correlate between identities used with a given cloud provider (usually when they originate from an identity provider) so you can later have a clear way of viewing the access the identity has across the cloud providers (see step 5).

3. List third-party access – By nature, access granted to parties outside your organization is subject to fewer technical and legal controls. Therefore, to ensure proper access governance and delegation, be sure to identify which identities in your environment belong to a third party.

4. Classify privileged permissions – Next, define which permissions you determine to be sensitive so you know where to focus your efforts later. Permissions that should be considered as sensitive are:

  • Permissions that grant access to sensitive information
  • Permissions that could harm the information’s integrity or enable a malicious actor that gains access to them to manipulate or disrupt the activity of mission-critical resources
  • Permissions that can in some other way cause significant damage to your business operation (e.g. financial damage by spinning up their own instances)

Start by going over resource types; that is, you should have a manifest of the sensitive permissions for each kind of resource and then list the resources that are mission critical and/or hold sensitive data. You should also consider the potential of permissions to escalate privileges – that is, to grant more permissions to the identity that has access to the resource. It goes without saying that all permissions should be considered as sensitive as the total set of permissions that can be gained while using them.

Finally, you should also consider the cumulative impact of permissions. Some permissions might not be considered sensitive if they allow access to specific resources, however, the same permissions granted to a wide range of resources may then have a sensitive nature to them.

5. Create two-way full permissions mapping – Make a full mapping of the permissions in your environment. Do so per identity and per resource:

  • a. Per identity – Map the resources and permissions each identity has access to; for a multi cloud environment, the mapping should clearly indicate when an identity has access across cloud providers. Be sure to map at the permission level (i.e. specific allowed actions) and not just the policy level. This is important as cloud vendors often have built-in policies, intended for use with specific job functions, that are over-permissive by design. You may be tempted to limit your view granularity to just the access policy type attached to an identity, however, for true visibility, you must map at the permission level.
  • b. Per resource – Map all identities that can access each resource and what actions they can perform on it.

6. Discover admins – A key component of entitlements visibility is to keep tabs on all identities that have access to admin level privileges. Keep in mind that this may be for one of several reasons: they have the permissions directly; they can perform actions that will elevate their permissions to admin level; they can use a proxy identity that has such permissions or; they inherit the permissions due to membership in a group.

7. Discover privileged identities – Based on the permissions classification of privileged permissions (step 4) and the permissions map (step 5) that you have created, you now need to map the identities that have access to these permissions (keep in mind all the indirect ways that access can be granted to permissions as listed in step 6).

8. Monitor continuously – Finally, once you have solidified the data you query and how it’s organized, facilitate a mechanism that repeatedly, and at predetermined intervals, monitors the cloud environments for changes and updates your database.

Summary. One of the greatest challenges to reducing access risk in cloud infrastructure is having the visibility to know what is happening and what needs fixing. By implementing a visibility best practice as a strategic security goal, you will gain both the insight into the permissions that grant effective access and the control you seek to rein in unnecessary risk.

Please note that this best practice is part of a greater body of work being developed by IDSA’s CIEM technical working group. We plan on publishing additional best practices related to achieving proper CIEM, such as monitoring and analyzing identity behavior, and remediating over-privileged identities.

About the Author: The CIEM Technical Working Group subcommittee was formed in the summer of 2021. The team is led by Lior Zatlavi and Shawn Larsen, and includes Ravi ErukullaMorey HaberChristopher HillsJerry Chapman, Sri Palle and Saravanan Thiyagarajan.



Let's work together to help everyone become more secure.