What is CIEM?

Cloud Infrastructure Entitlements Management (CIEM - pronounced “Kim”) is the process of discovering and managing permissions and entitlements in the cloud. CIEM solutions are identity-centric, cloud security management offerings that aim to streamline management of entitlements and least privilege enforcement across Cloud Service Providers (CSP) and multicloud environments.

While CIEM solutions provide greater value when leveraged across multicloud environments. Otherwise, organizations would be forced to rely on a patchwork of native tool sets from the various different cloud providers they use.

This blog will provide an overview of CIEM, including why it is needed, its benefits, and the BeyondTrust Cloud Privilege Broker solution.

Why CIEM is needed

CIEM is needed for a variety of reasons. First, the cloud provides a dynamic infrastructure for resources to be constructed and deprovisioned based on demand and workload. Identities created for these dynamic use cases are particularly susceptible to being over-provisioned with privilege, creating inordinate risk.

Second, while cloud providers offer some native identity management tools, these tools are not portable to the platforms of other cloud service providers. When organizations use multiple providers, instrumenting policies and runtime to manage them all becomes a burden due to the inherent dissimilarities from terminology to identities and entitlements.

Finally, mismanagement of identities in the cloud can lead to excessive cloud security risk. Without a proactive approach to managing cloud identities and their associated entitlements, a damaging incident is bound to happen. This is especially true if an identity is over-entitled.

Implementing centralized management and the concept of least privilege for these identities can lower risk for the entire environment. However, absent standardized controls, the complexity of administering access entitlements across multiple clouds is a proven recipe for visibility blind spots, cloud security gaps, compliance anomalies, and a potential breach.

How CIEM works

CIEM is a new solution class built entirely in and for the cloud. It allows organizations to discover, manage, and monitor entitlements in real time and then model the behavior for every identity across multiple cloud infrastructures, including hybrid environments.

CIEM technology flags and alerts when risks or inappropriate behavior is identified and enforces least privilege policies for any cloud infrastructure. CIEM products leverage automation to change policies and entitlements. This makes it simple for a solution owner to apply the same policies across traditionally incompatible cloud resources.

Complementing CIEM with other foundational Privileged Access Management solutions (PAM) unifies the management of secrets, passwords, least privilege, and remote access to ensure that any entitlement and privilege gaps are addressed. This goes a long way toward addressing the cloud security risk surface.

Benefits of using CIEM


One of the core capabilities of privileged access management is enforcing the principle of least privilege (PoLP). Applying a least privilege security model entails assigning only the minimum necessary permissions to a user (or machine identity) to perform a specific task and use an ephemeral, just-in-time (JIT) access model for these privileges for the time to complete the task. In other words, only assign privileged access as-needed, when the proper contextual triggers are met. This practice will effectively reduce an enterprise’s attack surface—whether on-premises or across the cloud. The integration of CIEM within a traditional PAM platform helps ensure no instance of privileged access is overlooked.

The benefits of CIEM are crucial for any digital transformation project and multicloud environment:

  • Provides a consolidated and standardized view for cloud identity and entitlement management
  • Allows the granular monitoring and configuration of permissions and entitlements and applies the concept of principals to track privilege models between different cloud service providers
  • Applies an automated process to ensure that all identities are appropriate, and appropriately provisioned for each workload
  • Enumerates the differences between dissimilar cloud infrastructure platforms and provides a single view with actionable guidance for resolution.

What are the main features of a CIEM solution?

Today, CIEM solutions are required as part of a next-generation PAM solution to address the challenges of identities in across cloud and multicloud environments. Cloud infrastructure entitlements managers should implement the following security best practices:

  • Account and Entitlements Discovery – Inventory all identities and entitlements and appropriately classify them, in real-time. This adjusts for the dynamic nature of cloud environments and the ephemeral properties of cloud resources.
  • Multicloud Entitlements Reconciliation – Reconciles accounts and entitlements and identifies which ones are unique per cloud and which ones are shared, using a uniform model to simply management.
  • Entitlements Enumeration – Based on discovery information, entitlements can be reported, queried, audited, and managed by the type of entitlement, permissions, and by user. This allows for the pivoting of information to meet objectives and the management identities and entitlements-based classification.
  • Entitlements Optimization – Based on the real-time discovery and operational usage of entitlements, the solution classifies over-provisioning and identities. Identities can then be optimized for least privileged access.
  • Entitlements Monitoring – Real-time discovery also affords the ability to identify any changes in identities and entitlements, thus providing alerting and detection of inappropriate changes that could be a liability for the environment, processes, and data.
  • Entitlements Remediation – Based on all the available data, recommends, and, in most cases, fully automates the removal of identities and associated entitlements that violate established policies, or requires remediation to enforce least privilege principles.

Standard CIEM deployment architecture

The primary architecture components of a standard CIEM solution includes:

  • API-based connectors to enumerate identities and entitlements per cloud provider and instance
  • Storage for modeling and analysis of current and historical identities, entitlements, and remediation policies
  • Policy engine for identifying threats, changes, and inappropriate identity and entitlement creation and assignments
  • User interface for managing the solution and aggregating multicloud information into a single view
Figure: Example of a standard CIEM architecture

The primary benefit of this security architecture over on-premise PAM and IAM solutions is predicated on the API-based connectors operating and discovering identities in real-time. With this architecture, the policy engine and automation are tailored to identify risks in cloud environments. The state of identities and entitlements can be continuously assessed. In addition, the user interface is attribute-based to display all relevant information regardless of cloud provider.

On-premise technology generally relies on batch-driven discovery over the network using agents, IP addresses, or asset lists that can be resolved using DNS. Conversely, cloud discovery provides nearly perfect results compared to the error-filled results of network scanning.

Cloud Privilege Broker – A CIEM Solution from a PAM Leader

BeyondTrust Cloud Privilege Broker is a CIEM solution that provides customers with a centralized view of permissions and entitlements across their multicloud footprint. Cloud Privilege Broker is a natural extension of what we have done for many years: apply the principle of least privilege across our customers’ infrastructure.

With organizations accelerating digital transformation projects and migrating resources and workloads to the cloud, BeyondTrust can help you mitigate cloud risk related to overly permissioned users and work towards a zero trust model through the implementation of least privilege policies. Cloud Privilege Broker helps our customers accomplish this with granular recommendations for right-sizing entitlements and guided remediation.

Cloud Privilege Broker’s dashboard makes it simple to view your overall risk score and risk-over-time related to entitlements. The dashboard also displays a summary of high-privilege items to address.

Figure: Cloud Privilege Broker Admin Console highlights risk score, risk-over-time, top 10 recommendations, high-privilege summary, and more.

Cloud Privilege Broker makes it much easier to understand and manage multicloud entitlements and permissions than the native IAM tools embedded in each separate cloud platform. Our solution helps you harmonize this view, manage policies across the multicloud estate, and enhance overall productivity.

Here are 7 benefits Cloud Privilege Broker provides to our customers:

  1. Gain immediate visibility over permissions and entitlements across multicloud infrastructure
  2. Rapidly identify over-privileged users
  3. Simplify management of entitlements by providing granular recommendations for implementing policies across cloud platforms
  4. Mitigate privilege creep by continually illuminating and right-sizing excessive permissions
  5. Understand the risk associated with over-provisioned identities and entitlements, with a single risk score
  6. Track mitigation efforts with a view of risk-over-time
  7. Help security and audit teams meet and prove compliance with a view of completed recommendations and an audit trail.

CIEM solutions address a gap in multicloud entitlement management and provide much needed visibility and control over permissions that could expose organizations to dangerous threat vectors and make them susceptible to a breach. These cloud security management solutions are evolving and integrating seamlessly with PAM to ensure that on-prem, cloud, and hybrid environments are harmoniously represented and equally secured.

BeyondTrust Cloud Privilege Broker offers customers centralized, efficient, and granular management of thousands of cloud permissions and entitlements that put teams back in control of their critical infrastructure, significantly reducing the risk of a cloud breach.

Learn more about Cloud Privilege Broker.


Photograph of Morey J. Haber

Morey J. Haber, Chief Security Officer, BeyondTrust

Morey J. Haber is the Chief Security Officer at BeyondTrust. He has more than 25 years of IT industry experience and has authored four books: Privileged Attack Vectors, Asset Attack Vectors, Identity Attack Vectors, and Cloud Attack Vectors. He is a founding member of the industry group Transparency in Cyber, and in 2020 was elected to the Identity Defined Security Alliance (IDSA) Executive Advisory Board. Morey currently oversees BeyondTrust security and governance for corporate and cloud based solutions and regularly consults for global periodicals and media. He originally joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition where he served as a Product Owner and Solutions Engineer since 2004. Prior to eEye, he was Beta Development Manager for Computer Associates, Inc. He began his career as Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.

Stay Up To Date

Get the latest news, ideas, and tactics from BeyondTrust. You may unsubscribe at any time.

I agree to receive product related communications from BeyondTrust as detailed in the Privacy Policy, and I may manage my preferences or withdraw my consent at any time.

Up next

You May Also Be Interested In:

Prefers reduced motion setting detected. Animations will now be reduced as a result.