Cloud Infrastructure Entitlement Management

What is CIEM and do I need it?

By now, you’ve probably heard of “CIEM” and have been told your team needs “it”. But instead of starting by telling you what CIEM is, I want to take a moment to dispel a myth and tell you what CIEM is not:

  1. CIEM is not merely a product nor a ‘software solution’
  2. It’s definitely not ‘the’ solution that will magically fix all of your IAM security problems

So… what is CIEM?

Cloud Infrastructure Entitlement Management (CIEM) is the process for managing the identities of people and applications and those identities’ permissions to access cloud APIs and data. CIEM is used to enable secure application operations and manage information security risks.

And your access management process will only succeed if the process scales – no matter which products you use.

In today’s cloud environments, security, application, and infrastructure engineers often don’t have the context to make crucial IAM decisions. Many times, security people aren’t even integrated into the delivery process for applications and infrastructure. Or they are busy with higher priorities. In reality, security decisions are more often in the hands of the engineers working directly with the applications and data.

For teams using continuous delivery, there are far too many resources and changes for one centralized security team to get up to speed on and review, and filing tickets after the fact doesn’t actually improve policies.


But don’t worry, the point of this article is not to highlight all of the ways CIEM can fall short in your organization without providing relevant solutions. That would be unhelpful. Rather, let’s look at exactly how your cloud team can scale access entitlement management using something called a cloud access management toolkit (CAMT). We’ll use that toolkit to integrate security into the delivery process and scale a simple security program. So security can be everyone’s job and cloud entitlements can be managed at the speed of continuous delivery. Really! In fact, k9 has already helped cloud teams fix IAM in their AWS accounts and scale security across their organizations by enabling better security decisions and outcomes by the engineers working directly with the applications and data.  

If we want to make security everyone’s job, then security needs to be integrated into everyone’s primary workflows and tools. And it’s much easier to compose security into people’s existing workflows than force everyone to change their workflows to use a security-specific tool.

The idea is that if you like your operational dashboard, you can keep it and compose cloud access management into it.

A cloud access management toolkit makes this possible by giving you everything your team needs to start scaling entitlement management today by integrating with the infrastructure code, dashboards, and monitoring systems you already use.

Remember, CIEM is more than just software, it’s a process. There is a reason that ‘management’ is in the name! Software doesn’t know who should have access to APIs and data. Only your people know that and those people are often not on your security team.

The cloud access management toolkit is an integrated set of concepts, tools, and processes you can adopt to simplify AWS security and scale access management out to all application teams.

Instead of overloading one or two security experts, purposefully integrating security into everyone’s job makes it a regular activity like adding features or improving reliability.

Let’s look at three secrets about the concepts, tools, and processes that make up the cloud access management toolkit and how you can use it to secure AWS and lower your risks — all without hiring more experts.

We’ll give you free access to the k9 Security cloud access management toolkit so you can see firsthand how it works in your organization.

And I know what you’re probably thinking: we’ve tried integrating security into our delivery process before and failed.

But again, I’m going to show you a great way you can simplify AWS security so you can scale it across your organization and stop needing so many experts.

k9’s goal is to help you see that simplifying IAM is the key to unlock scalable security by making it self-service, standardized, and repeatable so your whole team can play – and win.

Secret #1 – Simple scales

The first secret is that simple scales. The big idea here is that you need to productize and operationalize security the same way you already do for reliability: libraries, monitoring control loops, training, and support.

This is important because there’s no magic bullet. You’re never going to make everyone into AWS IAM experts, and that wouldn’t even work because experts get IAM wrong frequently. IAM is too hard at scale.

Instead, you need the whole organization to be able to operate at a higher level the vast majority of the time.

How?

First, simplify the tens of thousands of cloud IAM permissions into a set of access capabilities everyone can understand:

  • Control Plane: administer-resource, read-config
  • Data Plane: read-data, write-data, delete-data, use-resource

Then, enable engineers and analysts to read and write permissions in that higher level language. They can do that with a collection of trusted infrastructure libraries, observability components, and processes that make securing data, reviewing access, and executing access control loops quick and reliable.

You’ll need a component that simplifies access management at each software delivery and operations touchpoint, principally:


  • Where permissions are defined in infrastructure and application code
  • Where permissions are reviewed in dashboards and analysis workflows

When you simplify AWS IAM security into something everyone can use and many people can support, you unburden experts and unblock delivery pipelines. Your cloud access management toolkit is the key to scaling entitlement management across your organization.


Secret #2 – You can build a simple security program (with help)

The second secret is that you can build a simple security program with your cloud access management toolkit. Your CAMT provides a simple interface to strong cloud security so your whole organization can:


  • Declare the access they intend in terms of simple access capabilities
  • Review the actual access entitlements of identities and resources they own, reported in those same access capabilities using simple, repeatable processes

The main thing to understand here is that you can adopt prebuilt solutions and plug them into your program. You don’t have to build them all yourself.

k9 Security built the reusable components, dashboards, integrations, processes, and training you need. And we applied usability science to make them easy to use correctly.

Now app engineers can declare their intended access to application data directly in infrastructure code.

For example, application Team A might declare access to an S3 bucket like:

# Define which principals may access the bucket and what capabilities they should have
# k9 access capabilities are defined at https://www.k9security.io/docs/k9-access-capability-model/
# The bucket itself is created elsewhere by module.s3_bucket (not shown);
# 123456789012 is a placeholder account id (AWS account ids are 12 digits).

module "least_privilege_bucket_policy" {
  source        = "git@github.com:k9securityio/terraform-aws-s3-bucket.git//k9policy"
  s3_bucket_arn = module.s3_bucket.bucket_arn

  allow_administer_resource_arns = [
    "arn:aws:iam::123456789012:role/ci",
    "arn:aws:iam::123456789012:role/app-admin",
  ]

  allow_read_config_arns = [
    "arn:aws:iam::123456789012:role/ci",
    "arn:aws:iam::123456789012:role/app-admin",
    "arn:aws:iam::123456789012:role/auditor",
  ]

  allow_read_data_arns = [
    "arn:aws:iam::123456789012:role/app-admin",
    "arn:aws:iam::123456789012:role/appA",
  ]

  allow_write_data_arns = [
    "arn:aws:iam::123456789012:role/appA",
  ]
}

Then they should be able to verify that their intended access has been applied correctly by reviewing the effective access to the bucket, which also catches the case where someone changed the policy by hand outside of the infrastructure code:

Principal   Access Capabilities
app-admin   administer-resource, read-config, read-data
ci          administer-resource, read-config
auditor     read-config
appA        read-data, write-data
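The two halves of Secret #1 and #2, reading permissions back in the capability language and checking that the effective access matches what the team declared, can be automated. The following is an added example, not k9’s code or the output of the k9 module above: it maps a small, illustrative set of S3 actions to capability names (the mapping is an assumption for this example; the real model is at the k9 docs URL above), computes each principal’s effective capabilities from a bucket policy document, and reports drift against the declared intent. The policy document, the ‘contractor’ role, and the 123456789012 account id are constructed for the example. Policy conditions are ignored, so the result is an upper bound on access, not a precise simulation.

```python
"""Added example (not k9's code): derive each principal's effective access
capabilities from an S3 bucket policy and diff them against declared intent."""
import fnmatch

# Illustrative S3 action -> capability mapping; an assumption for this example.
# k9's published model: https://www.k9security.io/docs/k9-access-capability-model/
ACTION_CAPABILITY = {
    "s3:PutBucketPolicy": "administer-resource",
    "s3:DeleteBucketPolicy": "administer-resource",
    "s3:PutBucketAcl": "administer-resource",
    "s3:PutEncryptionConfiguration": "administer-resource",
    "s3:GetBucketPolicy": "read-config",
    "s3:GetBucketAcl": "read-config",
    "s3:GetEncryptionConfiguration": "read-config",
    "s3:ListBucket": "read-data",
    "s3:GetObject": "read-data",
    "s3:PutObject": "write-data",
    "s3:DeleteObject": "delete-data",
}

ACCOUNT = "123456789012"  # placeholder account id, not a real account


def role(name):
    """ARN of an IAM role in the placeholder account."""
    return f"arn:aws:iam::{ACCOUNT}:role/{name}"


def actions_matching(patterns):
    """Expand policy Action values ('s3:GetObject', 's3:Get*', '*') to known actions."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return {a for a in ACTION_CAPABILITY for p in patterns if fnmatch.fnmatchcase(a, p)}


def principals_of(statement):
    """Principal ARNs a statement applies to; '*' means every principal."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return {"*"}
    aws = principal.get("AWS", [])
    return {aws} if isinstance(aws, str) else set(aws)


def effective_access(policy):
    """Return {principal_arn: set(capabilities)} for a bucket policy document.
    Allow statements grant actions, Deny statements (for the principal or for '*')
    remove them, and only the surviving actions are mapped to capabilities.
    Conditions are ignored, so this is an upper bound on what a principal can do."""
    allowed, denied = {}, {}
    for stmt in policy["Statement"]:
        actions = actions_matching(stmt.get("Action", []))
        target = allowed if stmt["Effect"] == "Allow" else denied
        for principal in principals_of(stmt):
            target.setdefault(principal, set()).update(actions)
    denied_for_all = denied.get("*", set())
    return {
        p: {ACTION_CAPABILITY[a] for a in acts - denied.get(p, set()) - denied_for_all}
        for p, acts in allowed.items()
    }


def access_drift(intended, actual):
    """Return (unexpected, missing): capabilities granted but never declared,
    and declared capabilities that are not actually granted."""
    unexpected, missing = {}, {}
    for p in set(intended) | set(actual):
        extra = actual.get(p, set()) - intended.get(p, set())
        lacking = intended.get(p, set()) - actual.get(p, set())
        if extra:
            unexpected[p] = extra
        if lacking:
            missing[p] = lacking
    return unexpected, missing


# What Team A declared in infrastructure code, keyed by role ARN.
INTENDED = {
    role("app-admin"): {"administer-resource", "read-config", "read-data"},
    role("ci"): {"administer-resource", "read-config"},
    role("auditor"): {"read-config"},
    role("appA"): {"read-data", "write-data"},
}

# Constructed policy document (shape of json.load output): the declared access plus
# a hand edit that gave a 'contractor' role object read and delete. The Deny on
# DeleteObject applies to everyone, so only the read survives.
BUCKET = "arn:aws:s3:::example-bucket"
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": [role("ci"), role("app-admin")]},
         "Action": ["s3:PutBucketPolicy", "s3:DeleteBucketPolicy", "s3:PutBucketAcl",
                    "s3:PutEncryptionConfiguration"], "Resource": BUCKET},
        {"Effect": "Allow", "Principal": {"AWS": [role("ci"), role("app-admin"), role("auditor")]},
         "Action": ["s3:GetBucket*", "s3:GetEncryptionConfiguration"], "Resource": BUCKET},
        {"Effect": "Allow", "Principal": {"AWS": [role("app-admin"), role("appA"), role("contractor")]},
         "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": [BUCKET, BUCKET + "/*"]},
        {"Effect": "Allow", "Principal": {"AWS": role("contractor")},
         "Action": "s3:DeleteObject", "Resource": BUCKET + "/*"},
        {"Effect": "Allow", "Principal": {"AWS": role("appA")},
         "Action": "s3:PutObject", "Resource": BUCKET + "/*"},
        {"Effect": "Deny", "Principal": "*", "Action": "s3:DeleteObject", "Resource": BUCKET + "/*"},
    ],
}


def review(policy=BUCKET_POLICY, intended=INTENDED):
    """Print the Principal / Access Capabilities table and return the drift."""
    actual = effective_access(policy)
    print(f"{'Principal':<12}Access Capabilities")
    for arn, caps in sorted(actual.items()):
        print(f"{arn.rsplit('/', 1)[-1]:<12}{', '.join(sorted(caps))}")
    return access_drift(intended, actual)
```

Running review() prints the same table as above with one extra row, contractor: read-data, and returns that row as unexpected access with nothing missing. Wiring the returned drift into a pipeline step (fail the build when unexpected is non-empty) is what turns the weekly review into a control loop; the Deny handling matters because a manual Deny can silently remove access the team declared, which shows up as missing.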

Engineers and analysts should be able to perform this access review in a tool they’re already using: Datadog, Splunk, or even internal monitoring tools. Take security operations data to the places app and cloud teams already perform operations. If security is really everyone’s job, then security belongs in the tools people are already using, just like availability and performance.

Now you can standardize access review with simple review processes like the k9 Security Katas, and quickly & reliably answer questions like:

  • Who are the privileged users that can administer IAM?
  • Who has (excessive) access to APIs and data?
  • Who has access to our critical data sources?

Since these are simple questions to answer if you have the context, you can scale security review out to the app teams. Application teams can verify access to critical application data is correct weekly or whatever frequency makes sense for your organization. Now security specialists can govern and support the execution of that scalable access management process rather than trying to do all the work.

That’s how you enable a simple security program for the modern SDLC. Now let’s add motivation to your toolkit.

Secret #3 – You can scale security culture

The third secret is that you can scale security culture.

The main thing to understand here is that now that you’ve enabled your organization to do security with simplified and standardized workflows, you can motivate them to apply that knowledge by expecting security to be done in their daily work, providing encouragement, and changing your internal economy to value security.

Motivation is key because motivation techniques provide the energy that powers culture change to integrate security into your organization’s daily work.

First, motivate delivery teams to integrate security work by helping them love security. Give delivery teams the autonomy to prioritize security work in their backlog according to clear rules and let them manage execution. You can also run Game Days to build empathy for what happens when security isn’t addressed.

Second, use blameless postmortems to encourage learning and continuous improvement within the organization for security issues.

Finally, reward teams for doing the right thing and operating safely in their daily work. But don’t over-justify security work with special bonuses. Instead, use your CAMT to integrate security metrics into your organization’s ‘Ops Reviews’ alongside other key metrics and recognize achievement and gaps. This creates accountability for managers and leadership. Consider gamifying least privilege at the team or application level.

That’s how you motivate adoption of your simple security program.

Adopt a Scalable CIEM process

Now, I know what you’re thinking. That all sounds right, but there are a lot of details to plan for a simple security program.

It’s true you have a lot of options in how to put together a simple security program. But we’ve identified the four tactics most organizations should start with to succeed with scaling security.

And so we’ve created this roadmap for you to simplify cloud security throughout your organization:


Each row is a source of influence; each has an Ability side and a Motivation side. The ✅ marks the four tactics to start with.

  • Personal
      Ability ✅: Help them do what they can’t, with usable infra code and access reporting
      Motivation ✅: Help them love what they hate, with authority to prioritize security in the backlog and empathy from Game Day events
  • Social
      Ability ✅: Provide assistance with a guild
      Motivation: Provide encouragement with blameless post mortems
  • Structure
      Ability ✅: Change their space by integrating security into their delivery & operations tools
      Motivation: Change their economy with accountability in Operations Reviews

You can learn the details of how to apply these influence methods in Effective IAM for AWS, Ch7 Secure AWS IAM Continuously (free, on the web).

And if you want help implementing your simple security program, we’re happy to do that.

We created the free Starter plan so you can start simplifying security, find and fix critical IAM issues, and (most importantly) experience what scaling security really feels like. We will also give you the Effective IAM for AWS book and expert advice on how to build a scalable security program. Then we’ll build your action plan with you, if you want.

  • Operationalize IAM access review in one AWS account with the k9 Security Katas
  • Scale IAM access monitoring with daily reports your whole team understands
  • Support using k9 security infrastructure code libraries
  • Access management review dashboards for Splunk and Datadog
  • Single-session Master IAM class that shows the whole team how to secure IAM continuously

And of course if this approach makes sense for you, we’ll help you scale it out to the whole organization.

Start by signing up for the k9 Starter Plan and we’ll email you the steps to monitor your AWS account and the Effective IAM for AWS eBook.

Let’s go fast, safely.

Stephen Kuenzli
Founder, k9 Security
