CIEM: Bridging the Gap Between IAM and Cloud Security

The cloud-first strategy is no longer in its infancy. This wave of change has impacted and continues to disrupt the entire traditional hosting paradigm, commonly referred to as on-premises IT services within the enterprise. There is no category in IT or networking systems that has escaped this seismic shift. In this article, we will focus on the impact of the cloud-first transformation strategy on the field of identity and access management (IAM).

Why CIEM Came into Existence

In the world of on-premises storage and computing, most accounts accessing enterprise systems are attached to human entities. Solutions have been developed to ensure good governance of these identities and their access privileges during their lifecycle in the enterprise. After a relatively short time, companies that have adopted IAM solutions have been able to control who has access to what and for what reason.

Then cloud hosting and computing arrived with promises of reducing the acquisition, operation, and maintenance costs of enterprise IT systems. Cloud hosting and computing also promised gains in operational agility and flexibility of IT tools. This promise, of course, is real and the gains are indeed achievable. However, the concepts of identity, entitlement, and privileges inherent in the cloud are no longer the same as they are for on-premises infrastructure.

In 2020, the term cloud infrastructure entitlement management (CIEM) appeared for the first time. CIEM, as a concept, emerged to address the new use cases specific to cloud computing. Some might consider CIEM the natural extension of IAM into the cloud. But CIEM helps organizations contend with the growing number of non-human identities, whether they are internet of things (IoT) objects, machines, or software acting in the cloud, as well as ephemeral identities that require rights and access only for short periods. Additionally, CIEM solutions help reconcile the actions of these different types of identities across the various cloud platforms of the enterprise, as each cloud service provider (CSP) has its own vision of IAM in its platform.

Who Provides CIEM Solutions

There are three main categories of CIEM solution providers:

  1. Vendors focused on CIEM: These are CIEM-native companies that develop a solution addressing the problems or blind spots of IAM in the cloud. Usually, they offer their CIEM solution as a component of a cloud-native application protection platform (CNAPP) or a cloud identity security platform.
  2. Vendors focused on cloud security platforms: These are usually companies that already offer a set of cloud security components, such as cloud security posture management (CSPM), cloud workload protection platform (CWPP), and/or infrastructure as code (IaC), and want to add CIEM to their platform.
  3. Vendors focused on IAM: Usually, these IAM solution providers are well-established in the on-premises market. Their entry into CIEM, an extension of IAM into cloud computing, should, to a certain extent, be a natural and expected move.

The market is still young in terms of both CIEM solution providers and CIEM functionalities themselves. Regarding CIEM solution providers, consolidations are underway, notably precipitated by the move of CIEM-centric companies into the realm of larger and more diversified IT players.

Purchase Considerations

When considering a CIEM solution, several important factors should be kept in mind:

  • Scope and coverage: Look for solutions that cover all relevant cloud services and platforms your organization uses or plans to use to ensure visibility into identities and their access in multicloud environments. Additionally, look for solutions that can detect gaps and anomalies in cloud access and remediate those gaps.
  • Integration: The solution should integrate seamlessly with your existing cloud infrastructure, identity management systems, and other relevant tools.
  • Security and compliance: Ensure the solution meets your organization’s security and compliance requirements, including data encryption, access controls, and audit capabilities.
  • Ease of use: Look for a solution that is user-friendly and easy to deploy, manage, and maintain.
  • Scalability: Choose a solution that can scale with your organization’s growth and changing needs.
  • Cost: Consider the total cost of ownership, including initial setup costs, licensing fees, and ongoing maintenance costs.
  • Vendor reputation and support: Select a vendor with a strong reputation for customer support and a track record of delivering reliable solutions.
  • Future proofing: Look for a solution that can adapt to evolving cloud technologies and security threats.
  • User feedback and reviews: Consider feedback from other users and industry experts to gauge the solution’s effectiveness and reliability.
  • Customization and flexibility: Ensure the solution can be customized to meet your organization’s specific needs and workflows.

Next Steps

To learn more, take a look at GigaOm’s CIEM Key Criteria and Radar reports. These reports provide a comprehensive overview of the market, outline the criteria you’ll want to consider in a purchase decision, and evaluate how a number of vendors perform against those decision criteria.

If you’re not yet a GigaOm subscriber, you can access the research using a free trial.
