CIEM – An Introduction to Cloud Infrastructure Entitlements Management


Public cloud infrastructure is the new data center. It’s also become a lucrative hunting ground for cyber attacks. To protect your cloud environment, the attack surface and impact zone must be reduced. Doing so requires knowing exactly who can access the data. And, as companies are rapidly moving to cloud and multi-cloud, the thousands of services, configurations, identities and policies determining access make it difficult to see everything, let alone control it.

In this blog post, we'll introduce you to the world of CIEM - Cloud Infrastructure Entitlement Management (don't confuse it with SIEM, they’re very different). 

Learn why CIEM is so important for modern cloud-heavy infrastructures, and how we can help you improve your security setup with the help of a mature CIEM solution.

What exactly is CIEM and why would you need it?

Simply put, CIEM mitigates cloud access risk by monitoring and administering cloud identities and their entitlements.

Here's how Gartner explains it: "CIEM offerings are specialised identity-centric SaaS solutions focused on managing cloud risk via administration-time controls for the governance of entitlements in hybrid and multi-cloud IaaS." 

Contrary to what Gartner predicts, we believe that instead of 5 to 10 years, CIEM products will reach the plateau much sooner as the products have evolved rapidly and rely directly on the APIs from cloud providers.


The goal of CIEM is to provide solutions that answer the basic questions surrounding identity: what my identities are, what their entitlements are, and what their end-to-end effective permissions are.

But here's the real catch: an identity's permissions are often much broader than what was originally intended. This happens because, in the cloud, an identity's permissions are constructed from the groups it belongs to, the policies attached to it and any roles it can assume. And, to make things worse, there are often things like service policies, organisation policies and even third-party service access controls thrown into the mix.
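To make the point concrete, here is an added example (not code from this post, from Ermetic or from any CIEM product) that assembles one identity's effective permissions from exactly the sources listed above: the identity's own policies, group policies, an assumable role, and an organisation-level boundary. All policies, identity names and the action catalog are constructed for the example, and the evaluation order (explicit deny wins, then the organisation boundary must allow, then some attached policy must allow) is a deliberate simplification of how real providers evaluate access; resource constraints and conditions are ignored.

```python
"""Simplified effective-permission evaluation across several policy sources.

Constructed example, not CIEM product code. Shows how a single identity's
effective permissions are assembled from its own policies, the policies of
its groups, a role it may assume, and an organisation boundary, and why the
result is often broader than anyone intended.
"""
from fnmatch import fnmatchcase
from typing import Iterable, List

# ---- constructed sample policies; "*" is the only wildcard, as in IAM ----
IDENTITY_POLICIES = {
    "alice": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"]},
    ],
}
GROUP_MEMBERSHIP = {"alice": ["developers"]}
GROUP_POLICIES = {
    "developers": [
        {"Effect": "Allow", "Action": ["ec2:Describe*", "logs:*"]},
        {"Effect": "Deny", "Action": ["logs:DeleteLogGroup"]},
    ],
}
# Roles the identity is trusted to assume; their policies widen the picture.
ASSUMABLE_ROLES = {"alice": ["DeployRole"]}
ROLE_POLICIES = {
    "DeployRole": [
        {"Effect": "Allow", "Action": ["iam:PassRole", "s3:*"]},
    ],
}
# Organisation boundary (SCP-style): it can only restrict, never grant.
ORG_BOUNDARY = [
    {"Effect": "Allow", "Action": ["*"]},
    {"Effect": "Deny", "Action": ["iam:*"]},  # the org forbids IAM changes
]
# Constructed catalog of actions we want a yes/no answer for.
ACTION_CATALOG = [
    "s3:GetObject", "s3:ListBucket", "s3:DeleteBucket",
    "ec2:DescribeInstances", "ec2:TerminateInstances",
    "logs:CreateLogGroup", "logs:DeleteLogGroup",
    "iam:PassRole", "iam:CreateUser",
]


def _matches(pattern: str, action: str) -> bool:
    # IAM action matching is case-insensitive; "*" matches any run of characters.
    return fnmatchcase(action.lower(), pattern.lower())


def _decide(statements: Iterable[dict], action: str) -> str:
    """Return 'deny', 'allow' or 'none' for one set of statements."""
    decision = "none"
    for stmt in statements:
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if any(_matches(p, action) for p in actions):
            if stmt["Effect"] == "Deny":
                return "deny"  # an explicit deny is final for this set
            decision = "allow"
    return decision


def gather_policies(identity: str, include_roles: bool = True) -> list:
    """Collect every statement that contributes to the identity's permissions."""
    stmts = list(IDENTITY_POLICIES.get(identity, []))
    for group in GROUP_MEMBERSHIP.get(identity, []):
        stmts += GROUP_POLICIES.get(group, [])
    if include_roles:
        for role in ASSUMABLE_ROLES.get(identity, []):
            stmts += ROLE_POLICIES.get(role, [])
    return stmts


def is_allowed(identity: str, action: str, include_roles: bool = True) -> bool:
    """Effective decision for one action: boundary must allow, then deny wins."""
    if _decide(ORG_BOUNDARY, action) != "allow":
        return False
    return _decide(gather_policies(identity, include_roles), action) == "allow"


def effective_permissions(identity: str, catalog: Iterable[str],
                          include_roles: bool = True) -> List[str]:
    """Sorted list of catalogued actions the identity can effectively perform."""
    return sorted(a for a in catalog if is_allowed(identity, a, include_roles))


if __name__ == "__main__":
    direct = effective_permissions("alice", ACTION_CATALOG, include_roles=False)
    with_roles = effective_permissions("alice", ACTION_CATALOG)
    print("direct + group permissions:", direct)
    print("after counting assumable roles:", with_roles)
    print("gained only via role assumption:", sorted(set(with_roles) - set(direct)))
```

Running it shows the effect the paragraph describes: alice was granted two read-only S3 actions directly, but through the DeployRole she can also delete buckets, while the organisation boundary silently removes the `iam:PassRole` the role tried to grant. A CIEM tool's job is to compute this end-to-end answer for every identity, not just the policies someone remembers attaching.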

Who needs it most?

This especially affects big companies that use multiple hyperscalers or make heavy use of Azure. Sooner or later these companies will struggle to manage an expanding sea of permissions, and it is these that would benefit most from a CIEM solution.

To further emphasise the need for a clear view of identities and their entitlements, cloud service providers use the Shared Responsibility Model to define the responsibilities of each party. These models vary by provider, but identity management is mainly the customer's responsibility. In IaaS, customers are always responsible for managing identity. A CIEM solution will ease the burden of this responsibility significantly.

So, without the proper tools, it's impossible to monitor a complex environment with thousands of entitlements. This is where CIEM comes to the rescue and provides value. As identity and entitlements are at the heart of security in today's cloud-first world, having a CIEM solution in place is absolutely crucial.

How does a CIEM solution work?

To solve the permission overload problem, CIEM platforms provide a holistic solution from asset management through anomaly detection and compliance. It’s an effective way to understand and smartly secure AWS, Azure and GCP environments. 

It also enables security and DevOps teams to work together seamlessly. Toxic scenarios that put your data at risk can be clearly seen and mitigated to enforce least privilege - vastly improving cloud security.

With a CIEM solution you can easily address the biggest risk in any cloud infrastructure - identities - by detecting, prioritising and remediating risky entitlements and misconfigurations at scale. CIEM continuously monitors your entire multi-cloud asset inventory and applies full-stack analytics to identify risk accurately and in context.

To actually be able to understand and react to what's going on in your cloud, a simple and clear visualisation of the threats is needed. We’ve partnered with Ermetic as the CIEM platform of choice. Along with its mature CIEM engine, Ermetic provides an easy-to-use UI with clear visualisations of the security issues for investigation and response.

[Figure: Ermetic's dashboard offers a clear, holistic view of current issues.]
[Figure: Excessive permissions are clearly visualised in Ermetic's GUI.]

Find out more about Ermetic by watching a short introduction video here!

How can we help with CIEM?

We’ll help you with configuring, deploying and using the CIEM platform to analyse end results. Managed services are also part of our offering for CIEM solutions. 

To help the decision of whether or not to purchase a CIEM solution, we offer the option of a unique proof-of-concept (PoC). The PoC allows hands-on testing and evaluating a limited deployment of the CIEM platform, while leveraging the platform to assess your public cloud’s deployment exposure to cloud security risks. 

And, when it comes to the cost of using a CIEM platform, it’s quite affordable when considering the pros that a mature CIEM platform brings, and the risks of not having this kind of solution in place.

Here’s how it works:

  • We help you identify relevant use cases and support your security approach
  • You’ll easily connect the CIEM platform to your select cloud account(s)
  • These accounts are evaluated to address key cloud security use cases, according to the prioritisation provided by your team
  • Security findings will be created allowing you to easily understand your security risks

If you’re interested in a PoC or just want to know more about the CIEM solutions we offer, feel free to contact us. As a reseller and managed service provider of CIEM solutions we can - and will - find the right solution for you. And with our group of cloud native security ninjas we’ll deliver you the strongest security in cloud.

For Sales, please contact:
Janne Kuparinen, Digital Identity Lead @ Nordcloud

Lasse Nordgren, Digital Identity Architect
Jarkko Vesalainen, Digital Identity Architect
Janne Kuparinen, Digital Identity Lead


Ilja Summala
Ilja's passion and tech knowledge help customers transform how they manage infrastructure and develop apps in the cloud.