What to Know About Cloud Infrastructure Entitlement Management (CIEM)

Oct 22, 2020
3 minutes

Effective cloud native security relies on properly administering identity and access management (IAM) policies to users, workloads and data (also called entitlements). As cloud adoption continues to grow rapidly (Gartner forecasts that worldwide public cloud revenue will grow 17% in 2020), and given that resources are often created and spun down in a matter of hours or even minutes, a challenging reality has emerged for security teams – cloud infrastructure entitlement management (CIEM) is complicated and difficult to get right. 

Further complicating effective entitlement management is the fact that most organizations utilize multiple cloud service providers, each with its own definitions and rules for entitlements. According to Gartner, "by 2023, 75% of security failures will result from inadequate management of identities, access, and privileges, up from 50% in 2020."

To address these challenges and continue our commitment to bring our customers the most comprehensive cloud native security platform, Prisma Cloud supports a number of identity-focused capabilities for stronger entitlement management.


What is Cloud Infrastructure Entitlement Management?

CIEM addresses cloud native security challenges of managing IAM in cloud environments. These challenges are often too complex and dynamic to be managed effectively by the native tools provided by cloud service providers (CSPs). The emerging CIEM category defines technologies that provide identity lifecycle and access governance controls, which ultimately reduce excessive cloud infrastructure entitlements and streamline least-privilege access controls across dynamic, distributed cloud environments (the principle of least privilege refers to limiting permissions for users to the bare minimum they need).


Challenges to Entitlement Management

In addition to dealing with the complex and dynamic environment in which cloud native technologies operate, a CIEM solution should also address privileged access management and identity governance and administration

Key Challenges in Cloud Infrastructure Entitlement Management, marked dark blue for Privileged Access Management and light blue for Identity Governance and Administration.
The challenges addressed by a CIEM solution. 
Source: Gartner: “Managing Privileged Access in Cloud Infrastructure” June 9, 2020.


For privileged access management, a CIEM should:

  • Monitor and prevent entitlement misuse.
  • Assess the necessary duration of entitlements.
  • Address the prolific nature of cloud entitlements.

For identity governance and administration, a solution should cover:

  • Visibility, governance and compliance oversight.
  • Monitoring excessive and risky entitlements.
  • Rightsizing automation.


CIEM and the Cloud Native Security Platform

CIEM represents an essential pillar of the Cloud Native Security Platform (CNSP), one which specifically addresses organizations’ need to ensure that privileged accounts and entitlements across their cloud infrastructure are consistently managed and assigned following the principle of least  privilege. Because the CNSP combines CIEM with the functionality of cloud security posture management (CSPM), Prisma Cloud can correlate identity information with configuration data. 

This powerful depth of visibility and control enables unparalleled protection. Take, for example, the AWS S3 storage service – the Prisma Cloud Data Security module can discover and identify sensitive data, the CSPM capability can calculate true internet exposure, and the CIEM capability can provide granular insights into exactly who has access to the data and make appropriate recommendations to enforce least-privilege access.  

The four pillars of the Cloud Native Security Platform include Cloud Security Posture Management, Cloud Workload Protection, Cloud Network Security and Cloud Infrastructure Entitlement Management
The four pillars of the Cloud Native Security Platform


How to Implement CIEM Functionality

The Identity and Access Management (IAM) module for Prisma Cloud will become generally available (GA) toward the end of 2020. This new feature set helps customers build a more identity-centric view of their cloud infrastructure entitlements, understand appropriate access and efficiently remove and adjust unneeded entitlements in line with CIEM challenges. 

To learn more about the capabilities in the upcoming Prisma Cloud IAM module, read “IAM Security Controls to Protect Cloud Entitlements.”

Subscribe to the Newsletter!

Sign up to receive must-read articles, Playbooks of the Week, new feature announcements, and more.