Understanding CIEM: Managing Cloud Entitlements and Infrastructure
Jeff Carpenter explains the importance of Cloud Infrastructure Entitlement Management (CIEM) in managing access and privileges within multi-cloud environments. This ensures security and proper administration of critical infrastructure components such as virtual servers, containers, and databases.
Hello, I'm Jeff Carpenter with Delinea, and today I'm going to be talking about something called C.I.E.M., or Cloud Infrastructure Entitlement Management. Let's go ahead and get started. Now, the term C.I.E.M. is sometimes referred to as CIEM by those in the identity space that are very close to this, but whether you call it C.I.E.M. or CIEM, it has a very important function.
And that is, many organizations are building in the cloud, aggressively building their development platforms. Some organizations are actually starting, or born, in the cloud. And when they do that, they don't follow the traditional rules of identity management, in terms of having a centralized single source of truth for their identities.
And many times, what happens in cloud environments is you have not just one cloud, but many clouds. In fact, 62 percent of organizations are now running more than one cloud. So, all the rules, the traditional rules, are out the window. But yet, the security situation of having some of your most critical assets and infrastructure in your cloud and really not knowing what they are, or who they are, or what users have access to what, is kind of a gap.
So, CIEM has been around for about two years. And it seeks to help you understand what you have in the cloud and help to manage that. So, let's go ahead and dive right in and understand what these are. So, the first thing to note about CIEM is it's cloud, right? And when we say cloud, we mean your GCP, your Google Cloud, your AWS, your Azure, and it could be many others.
Maybe you have an Oracle Cloud or Alibaba, whatever. You know, but it's the cloud that you're building your infrastructure in. You're putting your company into it. You're running your applications off of it, the ones that are customer facing. So, it's very critical to understand what's going on in these clouds. And as we mentioned, many organizations have multiple clouds, which means they have somebody who's responsible in their organization for being the admin for GCP, AWS, and Azure, and many applications and responsibilities cross over between clouds. So, understanding the cloud, your public cloud infrastructure, is very important here. And that's what we mean by cloud. So, we're not talking about SaaS apps. In other words, we're talking about the cloud that you have in your organization, the one you're putting your development platform into.
Next up here is infrastructure. And within these clouds now, you're putting things like virtual servers, containers, your development platform, your DevOps, and that is the infrastructure. So, it mirrors what you have in your physical infrastructure in terms of your servers and your databases and things like that.
All of this is going into your cloud, and all of this, your database, your servers, your containers, they have administrators, and many times they have multiple administrators that are accessing this. So, what is meant by infrastructure in CIEM is the access to these really critical things that, if they were compromised, if somebody were able to hack your database, for example, they would get access, potentially read/write access, to some very sensitive information.
Or if they were able to compromise a virtual server and get access to your DevOps environment, your development platform, that's a really bad situation. So, that's what we mean by infrastructure here in CIEM. And next up is where it starts to get fun: entitlement. Now what we mean by entitlement is the situation where you're now looking in your cloud at this infrastructure here, and you're asking yourself, who has access to what?
Now in cloud environments, by the way, the number of machines now outnumbers users, the actual number of humans, sometimes at a ratio of 10 to one. So that means you're not only looking for humans with the title of admin, humans that are running this infrastructure, who have access to it, can create new accounts, can escalate privileges on these things in your cloud environment, but you're actually looking for machines as well.
So, you can have virtual machines that can create other virtual machines and propagate themselves in this environment. So, you need to know both humans and machines in this environment here, machine identities, and understand what they have access to and be able to properly scope them. And finally, the M stands for management, and again, following on with entitlement, is finding those users, discovering them, human and non-human, and then managing them.
And what do we mean by management? Well, we mean, first of all, that you're able to find these users and make sure that they have the right amount of entitlement. So, in other words, maybe somebody needed access to a virtual server farm six months ago, but now they no longer need it. You find that administrator and you're able to take those rights away because they no longer need them.
And at the same time, you're able to find misconfigurations. Misconfigurations are, hey, does this user have multi-factor authentication? Have the keys on this server been rotated recently? Are they properly vaulted, you know, and secured? So, you're able to find those misconfigurations and lower the attack surface that you have in your cloud.
And then finally, you know, the ability to continuously discover in this environment. The cloud is a place of great change. Entitlements are thrown up. Virtual servers are thrown up. Containers are born and then used and torn down. It's a very ephemeral environment. And you need to be able to, on a constant basis, understand what's going on in that cloud, so that you can find those within your infrastructure, so you can find those administrators and do the proper management.
And one continuous cycle. That means you're able to do this on a constant basis to lower the security threat in your organization, properly discover your administrators, and make sure that you're managing them. That is the essence of CIEM. I hope you enjoyed this presentation. For more information, go out to Delinea.com.
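As an added illustration of the management cycle described above (stale entitlements, missing MFA, unrotated keys, and machine identities that can create accounts or grant rights), here is a small Python audit over a constructed identity inventory. This is example code written for this page, not Delinea's product or any cloud provider's API; the `Identity` fields, the role names, the `ESCALATION_ROLES` set, and the sample dates are all assumptions.

```python
from dataclasses import dataclass
from datetime import date


@dataclass
class Identity:
    name: str
    kind: str            # "human" or "machine" (assumed classification)
    entitlements: dict   # role name -> date the role was last exercised (None = never)
    mfa_enabled: bool    # only meaningful for humans
    key_age_days: int    # age in days of the oldest active access key


# Constructed inventory, as a discovery pass over one cloud might return it.
TODAY = date(2024, 6, 1)
ESCALATION_ROLES = {"account-admin", "iam-admin"}  # constructed names for roles that create accounts or grant rights

INVENTORY = [
    Identity("alice", "human", {"db-admin": date(2024, 5, 20)}, True, 30),
    Identity("bob", "human", {"vm-farm-admin": date(2023, 11, 1)}, False, 400),
    Identity("ci-runner", "machine", {"container-deploy": date(2024, 5, 31), "iam-admin": None}, False, 120),
    Identity("backup-svc", "machine", {"db-reader": date(2024, 5, 30)}, False, 10),
]


def audit(inventory, today=TODAY, stale_days=90, max_key_age=90):
    """Return (identity, finding, detail) tuples for rights to revoke and misconfigurations to fix."""
    findings = []
    for ident in inventory:
        for role, last_used in ident.entitlements.items():
            idle = None if last_used is None else (today - last_used).days
            if idle is None or idle > stale_days:          # right not exercised recently: candidate for removal
                findings.append((ident.name, "stale-entitlement", role))
            if role in ESCALATION_ROLES:                   # can mint accounts or privileges: review regardless of use
                findings.append((ident.name, "escalation-capable", role))
        if ident.kind == "human" and not ident.mfa_enabled:
            findings.append((ident.name, "no-mfa", ""))
        if ident.key_age_days > max_key_age:
            findings.append((ident.name, "key-not-rotated", f"{ident.key_age_days}d"))
    return findings


def machine_to_human_ratio(inventory):
    """How far non-human identities outnumber people in this inventory."""
    humans = sum(1 for i in inventory if i.kind == "human")
    machines = sum(1 for i in inventory if i.kind == "machine")
    return machines / humans if humans else float("inf")


if __name__ == "__main__":
    for finding in audit(INVENTORY):
        print(finding)
    print("machine:human =", machine_to_human_ratio(INVENTORY))
```

Re-running `audit` on each fresh inventory is the continuous-discovery loop; thresholds such as `stale_days` are policy choices, not fixed values.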