When I talk to customers and partners, I often get questions about the plethora of point solutions related to identity security and how they differ from one another. The growing alphabet soup of industry acronyms has made it increasingly difficult for overloaded security practitioners to differentiate technologies. In this blog, we’ll take a close look at SaaS Software Posture Management (SSPM) and Cloud Infrastructure Entitlement Management (CIEM) and the actual identity security capabilities they provide.
Today, the “cloud” is a term that encompasses a wide variety of digital services provided by SaaS applications like Salesforce, infrastructure platforms like Amazon Web Services (AWS), and homegrown cloud-native applications.
As organizations adopt more cloud services, managing the security posture of these services has become critically important. Practitioners face a huge challenge trying to keep pace with the sheer scale of the cloud and volatility of cloud resources. When it comes to detecting misconfigured permissions and settings, and remediating vulnerabilities, the task is daunting.
As I look across the industry, there’s no dearth of security vendors plugging the virtues of their own agendas to security posture management. The market has become highly fragmented when it comes to new security approaches and product categories. If you are struggling to understand what SSPM, CIEM, CASB, CSPM, CWPP, DSPM, and ITDR solutions can do for you, you are not alone!
I find it helpful to take a step back to consider the fundamentals of security responsibilities in the cloud. The widely recognized shared responsibility model, defined by Amazon Web Services (AWS) serves as an excellent guide in thinking about what’s needed, how various solutions can add value to a cloud security practice, and which ones represent strategically sound directions.
It’s clear from the responsibility model that cloud service providers now share much of the overall security burden with cloud customers. However, the customer responsibilities raise interesting questions.
How do you combine technology, people, and processes to cover each customer responsibility and put together an effective and consistent cloud security practice? Which responsibility box in a row or column deserves its own security solution? When is it best to support an entire row with one solution? Do on-prem and cloud requirements justify independent solutions? Are IaaS and SaaS sufficiently different in each row to warrant their own solutions?
For example, SSPM focuses on:
- Managing SaaS app permissions for both users and SaaS-to-SaaS API integrations
- Managing SaaS app security configuration settings such as settings for authentication, authorization, and auditing.
While CIEM focuses on:
- Managing people and machine identities and permissions in key IaaS and PaaS platforms: AWS, Microsoft Azure, and Google Cloud.
- Resolving the complexity of IaaS and PaaS identity and resource policies to provide visibility into effective access.
Both SSPM and CIEM support customer responsibilities that relate to the Identity & Access Controls row in the matrix above and deliver valuable features. Both help manage identity and access risks and provide automated remediation. And yet, both deliver coverage silos. Neither has the broader context of employee and third-party identities and permissions.
There are also obvious gaps. Neither solution can help you rightsize permissions or even provide visibility into permissions across your DevOps stack. Additionally, neither solution can highlight all the service accounts or third-party privileged accounts and permissions across your DevOps stack. CIEM can integrate with and rightsize access to AWS, Azure, and GCP, but not to the SaaS apps in your DevOps stack like GitHub, Jira, Bitbucket, and Jenkins. SSPM can help you out with the SaaS apps but not with AWS, Azure, or GCP.
Moreover, neither solution can tell you what John in Finance or Jane in DevOps has access to across all the infrastructure and applications in your organization. Neither solution can automate an access review for your DevOps or Finance stack or tell you when John’s permissions in NetSuite were last reviewed by his supervisor or alert you when a group membership change in Azure AD suddenly results in a thousand additional employees getting access to sensitive data in Snowflake.
And when it comes to custom cloud-native apps, the gaps are even greater. For example, neither SSPM nor CEIM can help you manage permissions and security settings for the home-grown cloud applications you’ve built using AWS, Azure, and Google Cloud, applications that are mushrooming thanks to digital transformation trends.
Furthermore, I find that neither solution can help you proactively ensure that employees across the business get only job-appropriate access to your apps and infrastructure, no matter how or when they request permissions. There are no mechanisms to assign the “right” permissions to joiners and movers in a timely fashion and to automate and audit offboarding permissions. And if you still have on-prem applications, like most enterprises do, neither solution is of any help at all in that context.
So, while SSPM and CIEM provide valuable features, ask yourself if deploying point solutions for identity and access controls is a good long-term strategy. Does it make sense to solve the problem of overly scoped permissions and misconfigured security settings with separate silos for IaaS, PaaS, and SaaS and still end up with coverage gaps? Or is it better to take a single-solution approach? Since identity is the new perimeter in the cloud and the only common thread for human and machine interactions across the organization, why not address identity controls completely and holistically across the entire row in the responsibility model?
Note that, in contrast, solutions like CrowdStrike and SentinelOne are excellent at addressing the entire Endpoint Protection row in the responsibility matrix. Similarly, a combination of CSPM tools like Wiz and AppSec tools like Snyk can work well to tackle the Host Infrastructure, Network Controls, and Application Controls boxes across IaaS and PaaS. There is no reason for Infosec practitioners to deploy multiple solutions with partial coverage for the Identity and Access Controls row.
Next week, I will take a deep dive into CSPM and how a holistic approach to identity security complements CSPM solutions.
To learn more about how to combine an Identity and SSO provider, such as Okta or Azure AD, with an Identity Security solution that targets on-prem, IaaS, PaaS, and SaaS environments comprehensively (including SaaS apps that don’t support security APIs), contact Zilla Security.