PAM vs. CIEM: Cloud Shift Offers an Opportunity to Rethink Access Management

Managing privileged accounts and entitlements in cloud infrastructures is even more challenging than before. Arick Goomanovsky, co-founder of Ermetic, details how traditional privileged account management (PAM) technologies were designed for human administrators, not machine identities. With IT teams working in distributed work environments, he outlines the near-term opportunities for Cloud Infrastructure Entitlements Management (CIEM) — a new cloud-native approach that is finding an edge in the growing cloud ecosystem.

January 27, 2021

Privileged Account Management (PAM) tools were designed to manage operating system, database and application accounts, and their entitlements, within data center infrastructures. Here is a sample of PAM capabilities, not all of which are currently available together in one encompassing technology platform:

  • Discover, manage and govern privileged accounts, i.e., those with superuser/administrator rights on multiple systems and applications.
  • Control access to privileged accounts, including shared and emergency access.
  • Randomize, manage and vault credentials such as passwords, keys, etc. for administrative, service, and application accounts.
  • Provide single sign-on (SSO) for privileged access to prevent credentials from being exposed.
  • Control, filter, and orchestrate privileged commands, actions, and tasks.
  • Manage and broker credentials to applications, services, and devices to avoid exposure.
  • Monitor, record, audit and analyze privileged access, sessions, and actions.

Where PAM Fails

Although some of these legacy solutions have been modernized to manage cloud identities and coarse-grained access entitlements through groups and roles, they have no insight into the complex, granular entitlements that are commonplace in cloud infrastructure. PAM lacks the ability to understand and analyze the large number of policies and configurations that interact with each other in the cloud and to assess “effective access,” the permissions an identity actually ends up with once all of those policies are combined.

Further, PAM solutions are typically limited to managing privileged identities. However, in cloud infrastructure, privileged entitlements are frequently assigned to regular identities, and those often belong to services rather than people.

PAM cannot provide the capabilities needed to manage cloud infrastructure entitlements at scale and enforce least privilege. These include the ability to obtain an accurate inventory of all entities, policies, and identities; identify permission gaps; visualize and untangle the complex, overprivileged relationships between identities and roles; generate policy changes to eliminate cloud access risks; and detect privilege escalation, suspicious access, and data deletion associated with credential theft or abuse.


Enter Cloud Infrastructure Entitlements Management (CIEM) — Designed for the Cloud Era

In contrast to PAM, a category of cloud-native technologies for managing privileged access permissions and entitlements has emerged, which research firm Gartner has labeled Cloud Infrastructure Entitlements Management, or CIEM. Specifically, CIEM addresses the following areas, which are outside the purview of PAM:

  • Visibility, governance, compliance, and oversight of cloud entitlements both inside and outside privileged accounts.
  • Discovery and monitoring of excessive and broad-reaching access entitlements.
  • Detecting and preventing access/entitlements misuse.
  • Monitoring and enforcing consistent entitlements and access privileges across multiple cloud environments.
  • Managing ephemeral or short-lived entitlements.
  • Governance of third-party access to the cloud (e.g., SaaS applications).
  • Governance of machine identities and reduction of privileges to prevent lateral movement.
  • Protecting sensitive data resources by analyzing all potential access paths.
  • Automated mitigation through the deployment of new, least-privilege policies and integration with CI/CD pipelines through Infrastructure as Code.


Cloud Infrastructure Entitlement Management: Not Another Tech Buzzword

Meanwhile, in the cloud, developers and DevOps teams require and use elevated privileges every day. Their usage patterns differ from those of traditional IT administrators because of the dynamic nature of IaaS/PaaS: they are far more varied and change often. It can also be difficult for security teams to understand the access entitlements developers need and to evaluate their risk, since many application development concepts are foreign to them. Finally, the “effective,” or actual, entitlements available to an individual can be very hard to deduce: many policies and configurations can affect an individual’s entitlements, depending on where in the cloud they are controlled, and each cloud provider uses its own proprietary entitlement model.

Machine identities pose another unique challenge. PAM was developed with human administrators in mind, but in the cloud, every compute resource has a unique identity that can be assigned access entitlements. With tens of thousands of machine identities, it’s no simple task for a security team to know whether they are overprivileged and possess risky entitlements.

When developers spin up new infrastructure, they typically grant broad privileges to ensure that everything runs properly. Once these entitlements are released into production, they are very difficult to clean up. Using automation, CIEM can determine all of the access entitlements and how they interact to produce the “actual, effective access” available to any human or machine identity. It can also compare policy to actual usage, reveal excess permissions, and determine whether they pose a risk and need to be remediated.
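The two ideas above, deducing “effective access” from policies that interact (allows, explicit denies, a permission boundary) and then comparing that effective access against what an identity actually used, are shown below in an added Python example. It is not Ermetic’s product code or any cloud provider’s API: the policy grammar is a simplified, AWS-style model, and every identity, ARN, account number and usage event is constructed sample data for a single machine identity, the role a build-runner instance assumes.

```python
"""Effective-access and excess-permission analysis over a constructed, AWS-style
policy set. Added illustration, not Ermetic's product or a cloud provider's API.
Model: Effect/Action/Resource statements with '*' wildcards, explicit Deny wins,
and an optional permission boundary that caps the identity. All IDs constructed."""
from fnmatch import fnmatchcase
import json

# Constructed: policies attached to one machine identity (the build-runner role).
# "customer-data-read" and "pass-any-role" are the broad grants a developer added
# so that "everything runs"; "deny-delete-guardrail" is an explicit deny.
POLICIES = [
    {"Sid": "app-logs-rw", "Effect": "Allow", "Action": ["s3:*"],
     "Resource": ["arn:aws:s3:::app-logs/*"]},
    {"Sid": "customer-data-read", "Effect": "Allow", "Action": ["s3:GetObject"],
     "Resource": ["arn:aws:s3:::customer-data/*"]},
    {"Sid": "pass-any-role", "Effect": "Allow", "Action": ["iam:PassRole"],
     "Resource": ["*"]},
    {"Sid": "deny-delete-guardrail", "Effect": "Deny", "Action": ["s3:DeleteObject"],
     "Resource": ["*"]},
]
# Constructed permission boundary: the role can never exceed s3:* regardless of grants.
BOUNDARY = [{"Sid": "boundary", "Effect": "Allow", "Action": ["s3:*"], "Resource": ["*"]}]

# Constructed inventory the analysis enumerates over (account number is a sample value).
ACTIONS = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject", "iam:PassRole"]
RESOURCES = [
    "arn:aws:s3:::app-logs/report.csv",
    "arn:aws:s3:::customer-data/pii.csv",
    "arn:aws:iam::111122223333:role/admin-role",
]

# Constructed, CloudTrail-like usage events for the same role. A denied call is
# logged but must not be counted as usage of a permission.
USAGE_EVENTS = [
    {"action": "s3:GetObject", "resource": "arn:aws:s3:::app-logs/report.csv", "error": None},
    {"action": "s3:PutObject", "resource": "arn:aws:s3:::app-logs/report.csv", "error": None},
    {"action": "s3:GetObject", "resource": "arn:aws:s3:::app-logs/report.csv", "error": None},
    {"action": "iam:PassRole", "resource": "arn:aws:iam::111122223333:role/admin-role",
     "error": "AccessDenied"},
]


def _statement_matches(stmt, action, resource):
    """A statement applies when both an Action and a Resource pattern match."""
    return (any(fnmatchcase(action, p) for p in stmt["Action"])
            and any(fnmatchcase(resource, p) for p in stmt["Resource"]))


def decide(policies, action, resource, boundary=None):
    """Return (allowed, reason) for one action/resource pair.

    Order mirrors the common cloud model: an explicit Deny anywhere wins; otherwise
    some Allow must match; and a permission boundary, if present, must allow it too."""
    for stmt in policies:
        if stmt["Effect"] == "Deny" and _statement_matches(stmt, action, resource):
            return False, f"explicit deny by {stmt['Sid']}"
    allows = [s["Sid"] for s in policies
              if s["Effect"] == "Allow" and _statement_matches(s, action, resource)]
    if not allows:
        return False, "no matching allow"
    if boundary is not None and not decide(boundary, action, resource)[0]:
        return False, f"allowed by {allows[0]} but outside permission boundary"
    return True, f"allowed by {allows[0]}"


def effective_access(policies, actions, resources, boundary=None):
    """The concrete (action, resource) pairs the identity can really exercise."""
    return {(a, r) for a in actions for r in resources
            if decide(policies, a, r, boundary)[0]}


def used_permissions(events):
    """Permissions exercised successfully; denied calls are not usage."""
    return {(e["action"], e["resource"]) for e in events if e["error"] is None}


def excess_permissions(policies, actions, resources, events, boundary=None):
    """Effective access that was never used: the least-privilege gap to remediate."""
    return effective_access(policies, actions, resources, boundary) - used_permissions(events)


def least_privilege_policy(events):
    """Replacement policy granting only what was used, one statement per resource.
    A real tool would generalize resources to prefixes and apply a review window;
    here observed usage is taken literally."""
    by_resource = {}
    for action, resource in sorted(used_permissions(events)):
        by_resource.setdefault(resource, []).append(action)
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": acts, "Resource": res}
                          for res, acts in by_resource.items()]}


if __name__ == "__main__":
    for a in ACTIONS:
        for r in RESOURCES:
            print(f"{a:16} {r:44} {decide(POLICIES, a, r, BOUNDARY)[1]}")
    print("excess:", excess_permissions(POLICIES, ACTIONS, RESOURCES, USAGE_EVENTS, BOUNDARY))
    print(json.dumps(least_privilege_policy(USAGE_EVENTS), indent=2))
```

Running it shows why neither the policy documents nor the boundary alone tell the story: `iam:PassRole` on the admin role is granted by a policy yet is not effective because the boundary caps it, `s3:DeleteObject` is granted and then removed by the explicit deny, and the one effective permission the role never used, reading `customer-data/pii.csv`, is exactly the excess entitlement on a sensitive resource that a CIEM tool would flag and propose removing.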

According to a Gartner report, organizations already using PAM to support their cloud deployments should continue to use it while supplementing it with CIEM to address excessive entitlement risks and manage machine identities.
