Identity and access governance in the CIEM era


“Do you mean SIEM?” This may well be the first reaction to this article, because the subject is still relatively new. And yet no: CIEM stands for “Cloud Infrastructure Entitlement Management”. As its name suggests, it is an approach to managing access in the cloud, and especially privileged access to cloud infrastructure.

Why does access management in the cloud need its own approach?

Companies are increasingly deploying their business applications in the cloud. To deploy these applications, keep them running and maintain them, multiple privileged accesses are created for the following people and purposes:

  • Administrators who build the environments
  • DevOps engineers who script automated deployment routines
  • Service or application accounts (an Azure “app registration”, for example) that are granted access to the resources the business application needs in order to operate.

Access is very fine-grained. The most sensitive privileges can be granted through custom roles. In addition, most organizations have adopted a “multi-cloud” approach, which means permissions have to be managed on several cloud platforms, the main ones being Azure, AWS and GCP.

Some figures that illustrate the growing complexity of managing cloud resources:

  • AWS features and resources grew from 1,400 in 2017 to 2,400 in 2019
  • Individual permissions at AWS increased from 2,500 to 7,100 over the same period
  • On Azure, there are more than 5,000 individual permissions
  • And on GCP, there are over 3,200 permissions.

Given this multiplicity of resources, features and permissions on which access is granted, it becomes impossible to get a good overview of the most sensitive accesses, or to analyze the risk they carry, without adequate tooling.

Best Practices 

One of the goals of IAM in the cloud is to grant the narrowest rights possible, so that users can carry out their tasks without holding superfluous rights. This is the principle of least privilege.

To live up to this principle, here are some good practices to follow:

  • Monitor activity on groups, profiles, permissions and rights.
  • Remove profiles or rights that have not been used for more than 90 days.
  • Remove users from groups that grant rights they do not use.
  • Encourage administrators to create custom profiles that contain only the required rights (built-in profiles are often too permissive).
  • Protect administrator and “Shadow Admin” accounts with a strong authentication method (MFA).
  • Protect administrator and “Shadow Admin” accounts with a PAM (Privileged Access Management) solution.

“Shadow Admins” are users whose permissions allow them to elevate the privileges of their own account and thus grant themselves administrator rights, without being listed as administrators anywhere.
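The good practices above (wildcard-free custom profiles, removing rights unused for more than 90 days) and the “Shadow Admin” definition can both be checked mechanically from policy documents and last-used data. The script below is an added example written for this article, not Kleverware code or a product feature: it audits AWS IAM-style policy documents offline. The principals, policies and last-used dates are constructed sample data, and SHADOW_ADMIN_ACTIONS is a hypothetical, non-exhaustive subset of escalation-capable IAM actions chosen for illustration.

```python
"""Offline audit of IAM-style policy documents against the practices above.

Added example for this article, not Kleverware code. For each principal it
reports wildcard actions in a custom role, "shadow admin" permissions
(actions that let a principal widen its own rights) and entitlements unused
for more than 90 days. All sample data below is constructed.
"""
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatchcase

# Hypothetical, non-exhaustive subset of IAM actions that on their own let a
# principal grant itself more rights (the "shadow admin" case).
SHADOW_ADMIN_ACTIONS = {
    "iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion",
    "iam:AttachUserPolicy", "iam:AttachGroupPolicy", "iam:AttachRolePolicy",
    "iam:PutUserPolicy", "iam:PutGroupPolicy", "iam:PutRolePolicy",
    "iam:CreateAccessKey", "iam:UpdateAssumeRolePolicy", "iam:AddUserToGroup",
}
UNUSED_THRESHOLD = timedelta(days=90)   # the 90-day rule from the list above


def _as_list(value):
    """IAM accepts a string or a list in 'Statement' and 'Action'; normalise."""
    return value if isinstance(value, list) else [value]


def allowed_actions(policy):
    """Action patterns granted by Allow statements.

    Simplification: Deny, NotAction and Condition are ignored, so the result
    is an upper bound on what the policy grants.
    """
    actions = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") == "Allow":
            actions.update(_as_list(stmt.get("Action", [])))
    return actions


def wildcard_actions(policy):
    """Actions using '*' (e.g. 'iam:*'): a custom role should not need them."""
    return sorted(a for a in allowed_actions(policy) if "*" in a)


def shadow_admin_actions(policy):
    """Escalation-capable actions the policy grants, expanding globs.

    IAM matches action names case-insensitively, hence the lower() calls.
    """
    found = set()
    for pattern in allowed_actions(policy):
        for action in SHADOW_ADMIN_ACTIONS:
            if fnmatchcase(action.lower(), pattern.lower()):
                found.add(action)
    return sorted(found)


def stale_entitlements(last_accessed, now, threshold=UNUSED_THRESHOLD):
    """Services not used within `threshold`; None means never used."""
    return sorted(svc for svc, last in last_accessed.items()
                  if last is None or now - last > threshold)


NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # constructed reference date

# Constructed sample principals: an inline policy plus per-service last-used
# dates (the shape of data an access-advisor style report gives you).
SAMPLE_PRINCIPALS = [
    {"name": "devops-deployer",
     "policy": {"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
          "Resource": "arn:aws:s3:::app-artifacts/*"},
         {"Effect": "Allow", "Action": "iam:*", "Resource": "*"}]},
     "last_accessed": {"s3": NOW - timedelta(days=3),
                       "iam": NOW - timedelta(days=200)}},
    {"name": "support-analyst",
     "policy": {"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Action": ["iam:ListUsers", "iam:AttachUserPolicy"],
          "Resource": "*"}]},
     "last_accessed": {"iam": NOW - timedelta(days=1)}},
    {"name": "app-reader",
     "policy": {"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Action": "s3:GetObject",
          "Resource": "arn:aws:s3:::app-config/*"},
         {"Effect": "Allow", "Action": "dynamodb:GetItem", "Resource": "*"}]},
     "last_accessed": {"s3": NOW - timedelta(days=10), "dynamodb": None}},
]


def audit_principal(principal, now=NOW):
    """Findings for one principal: wildcards, shadow-admin actions, stale use."""
    policy = principal["policy"]
    return {"name": principal["name"],
            "wildcards": wildcard_actions(policy),
            "shadow_admin": shadow_admin_actions(policy),
            "stale": stale_entitlements(principal["last_accessed"], now)}


def audit_all(principals=SAMPLE_PRINCIPALS, now=NOW):
    return [audit_principal(p, now) for p in principals]


if __name__ == "__main__":
    for report in audit_all():
        print(report)
```

Run as-is, the report flags devops-deployer for the `iam:*` wildcard (which expands to every escalation-capable action) and for an IAM entitlement last used 200 days ago; support-analyst has no wildcard and uses IAM daily, yet `iam:AttachUserPolicy` alone makes the account a shadow admin; app-reader is clean except for a `dynamodb` right that has never been used. In a real account the policy documents and last-used dates would come from the cloud provider's IAM API rather than the inline sample data.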


Implementing good privileged access management in a multi-cloud environment involves combining PAM and IAG solutions:

Kleverware - CIEM Schema

IAG (Identity and Access Governance) makes it possible to mitigate risk with an identity-centred approach: mapping access rights, detecting risky or suspicious permissions, and assessing each right against the least privilege principle.

PAM (Privileged Access Management) completes this approach by managing privileged access to company resources. Combined with identity and access governance, it becomes possible to check that no backdoor exists and that the connections monitored by the PAM cannot be bypassed.

PAM and IAG help CISOs strengthen security based on robust identity and access governance.
