Connect with us

Expert Speak

Why CIEM Will Become an Indispensable Part of the Region’s Future Technology Environments



Written by Michael Byrnes, Director – Solutions Engineering, iMEA, BeyondTrust

The GCC is humming with cloud activity, and understandably so. The cost-benefit analysis of cloud services had already proved favorable before the pandemic. Governments looking to deliver on economic visions were using it. Businesses looking to align with those visions and be part of their success story were using it. And consumers looking for streaming entertainment and cheap storage for self-made media were using it.

When COVID reared its head, those organizations that were still evaluating cloud had to get down from the fence and run to the barn. The cloud was the only way to deliver safety to employees (through remote work) and business continuity (through several other services). Right now, the list of hyperscale cloud providers that have regions in the GCC or are building them includes Google, Oracle, Microsoft, AWS, and IBM. Many of these launches were before the pandemic, so these companies definitely believe in the future of cloud in the region.

But the downside of cloud is the complexity of the technology environment, especially as it relates to security and identity management. Multiple clouds, personal devices and overworked IT and security staff — these factors combine to impose severe risk burdens on regional organizations.

Say ‘Hello’ to Kim
CIEM, pronounced “Kim”, stands for Cloud Infrastructure Entitlements Management, and it is designed for precisely the kinds of environment that we see more commonly today. Not only does it manage permissions and entitlements, it discovers them. And most importantly it enforces least-privilege standards throughout cloud ecosystems. CIEM is the ultimate multi-cloud watchdog.

Good for both public and private single-cloud setups, CIEM’s value is unlocked to a greater degree in multi-cloud. It is of immediate benefit to security teams that currently rely on a disparate bunch of tools, each native to a different cloud. The cloud’s flexibility adds a layer of complexity in multi-cloud arenas where different identities weave in and out of sensitive areas. These identities, whether for employees or third parties, tend to be over-provisioned. They therefore present a risk because if they are hijacked, they can offer widespread access to a malicious party.

Another tendency that exacerbates risk is the lack of portability of native identity-management tools. They cannot be used to manage identities in other clouds. This issue is at the center of the risk factors associated with multi-cloud.

The need for CIEM
Managing cloud identities and their entitlements through just-in-time (JIT) provisioning and least privilege may be Cloud Security 101 but finding the right solution to cover multi-cloud environments can be tricky. Such a system requires standardized controls, full visibility of the environment, and the ability to plug cloud security gaps and uncover compliance anomalies. Only then can security teams be assured of being able to chase down and prevent breaches.

CIEM enables the discovery, management, and monitoring of entitlements in real time. It can build comprehensive behavior models for each identity across multiple cloud infrastructures, including hybrid environments. Anomalies are flagged. Least-privilege is enforced. The changing of policies and entitlements is automated and capable of extending to traditionally incompatible cloud resources.

CIEM integrates with Privileged Access Management (PAM) solutions to homogenize the management of secrets, passwords, least privilege, and remote access. Least-privilege security models mean that each session, machine, employee, contractor, process — anything that uses a digital identity — will only receive enough permissions to perform a specific task. Additionally, the JIT access model ensures that those permissions expire when the task is completed. These practices greatly reduce the risk of compromised credentials, so the integration of CIEM with PAM is an excellent way to plug gaps.

The benefits of CIEM
By now, the benefits of CIEM should be clear. It is able to reach into every corner of the environment (from premises to multi-cloud) and provide a rich view of cloud identities and their entitlements. It enables the granular monitoring and configuration of permissions and tracks privilege models across the different cloud service providers they visit. And it automates a range of processes to maintain the integrity and relevance of each active identity and ensure it has access to every resource it needs for its owner (human or otherwise) to be productive, but no more than necessary.

CIEM is also capable of comparing cloud environments, discovering their differences, and issuing actionable insights on how to address the risks these dissimilarities may pose to the organization.

The ideal CIEM solution
CIEM has become a prerequisite of robust cloud-identity security and should be sought as part of an advanced PAM platform if security teams are going to receive the tools they need to address all the challenges they face regarding identities in cloud and multi-cloud environments.

The ideal CIEM solution will be able to automatically discover accounts and assess their entitlements, create an inventory of identities, and classify them by permissions sets, all in real time. This capability alone is a boon to organizations that are trying to align their security posture with the dynamic nature of cloud environments and the fleeting existences of their native resources.

Part of the discovery and inventory will be the determination of which identities are unique to a cloud and which are shared. The result will be a searchable repository that can be readily audited, and managed. Based on the information gathered, CIEM solutions can flag over-provisioning and enforce least privilege automatically. Real-time discovery also enables the identification of changes in account privileges, and the judgement of their necessity or appropriateness. Anomalies can be flagged for assessment as potential liabilities. And identities can be deleted or blocked if they violate any policy.

The future
CIEM will be an indispensable part of the region’s future technology environments. Its uncompromising policing of identities across multi-cloud environments is a perfect fit for current technology trends. Only with CIEM can organizations hope to conquer the unavoidable complexities with which they wrangle daily.


Preparing a Secure Cloud Environment in the Digital New Norm



Written by Daniel Jiang, General Manager of the Middle East and Africa, Alibaba Cloud Intelligence

As hybrid or remote working is being adopted by many companies globally and becoming the ‘new norm’ for millions of workers, cyberattacks meanwhile continue unabated. Building a secure and reliable IT environment has therefore become an increasingly important priority for many businesses who are exploring opportunities in the global digital economy. While moving to the cloud and using cloud-based security features is a good way to challenge cyber risks, it’s important to delve deeper into how best to construct a secure and reliable cloud environment that can fend off even the most determined attacker.

In today’s digital environment, discussions about cyber security’s best practices have never been more important. The UAE in particular established the Cybersecurity Council to develop a cybersecurity strategy and build a secure cyber infrastructure by creating related regulations. Following this move, the nation ranked 5th place on the International Telecommunications Union’s Global Cybersecurity Index 2020, jumping 33 places and it continues to prioritize cyber security and awareness. Creating a secure cloud environment – from building the architecture to adopting cutting-edge security technologies and putting in place important security management practices – will inspire more thorough conversations on this subject.

A resilient and robust security architecture is essential for creating a cloud environment capable of assuring an organisation about the availability, confidentiality and integrity of its systems and data. From the bottom up, the architecture should include security modules of different layers, so that companies can build trustworthy data security solutions on the cloud layer by layer – from the infrastructure security, data security, and application security to business security layers.

In addition to the security modules of all of the layers, there are a variety of automated data protection tools that enable companies to perform data encryption, visualisation, leakage prevention, operation log management and access control in a secure computing environment. Enterprises can also leverage cloud-based IT governance solutions for custom designs of cloud security systems to meet compliance requirements from network security and data security to operation auditing and configuration auditing. This ensures full-lifecycle data security on the cloud, with controllable and compliant data security solutions in place.

Another consideration is to build a multi-tenant environment, abiding by the principle of least privilege and adopting consistent management and control standards to protect user data from unauthorised access. In addition, establishing strict rules for data ownership and operations on data, such as data access, retention and deletion, is also pivotal in creating a safe environment.

Moreover, enterprises can embrace the zero-trust security architecture and build a zero-trust practice by design to protect the most sensitive systems. The architecture requires everything (including users, devices and nodes) requesting access to internal systems to be authenticated and authorised using identity access protocols. As such, the zero-trust security architecture cuts down on automatic trust, or trust without continuous verification, addressing modern challenges in securing remote working environments, hybrid cloud settings and increasingly aggressive cyber threats.

Cutting-edge security technologies such as comprehensive data encryption, confidential computing and many more emerging tech solutions, can be leveraged to ensure we stay on top of the trends in cybersecurity. Comprehensive data encryption provides advanced data encryption capabilities on transmission links (such as data-in-motion), compute nodes (such as data-in-use), and storage nodes (such as data-at-rest). Key Management Service and Data Encryption Service help users securely manage their keys and use a variety of encryption algorithms to perform encryption operations.

Another emerging technology to safeguard the cloud environment is confidential computing. Confidential computing is dedicated to securing data in use while it is being processed, protecting users’ most sensitive workloads. Confidential computing based on trusted execution environments (TEEs), ensures data security, integrity and confidentiality while simplifying the development and delivery of trusted or confidential applications at lower costs.

It is equally important to adopt proper security management practices and mechanisms to maximise the security protection of one’s critical system and important data. One essential mechanism to protect the cloud environment is to develop a comprehensive disaster recovery system, which enables businesses to configure emergency plans for data centres based on factors such as power, temperature and disasters, and establish redundant systems for basic services such as cloud computing, network and storage. It helps companies to deploy their business across regions and zones and build disaster recovery systems that support multiple recovery models.

Setting the effective reviewing and response mechanism for your cloud security issues is imperative. First, having vulnerability scanning and testing in place is important to assess the security status of systems; second, it is vital to use cloud-native monitoring tools to detect any anomalous behaviour or insider threats; furthermore, establishing proper procedures and responsibility models to quickly and accurately assess where vulnerabilities exist and their severity, will help ensure that quick remedy actions can be taken when security problems emerge.

In the future, developing the security architecture, technologies, management and response mechanism will no longer be perceived as a cost-centre burden for companies, but rather, as critical capabilities to safeguard the performance and security of daily business operations. Crafting a comprehensive cloud security plan, adopting the best industrial practices, and choosing a professional cloud service provider with strong security credentials to work with, should be an imperative subjects in a CXO’s agenda.

Continue Reading

Expert Speak

Why You Should Use a VPN While Traveling



According to a survey conducted by NordVPN, 50% of travellers use public Wi-Fi while on the road. However, only 20% of them use a VPN (a virtual private network) to protect themselves while being connected to a public network. “Travelers connect to public Wi-Fi in airports, cafes, parks, and trains. Some even use public computers to print their visa information or flight tickets. A VPN in those cases is crucial if you want to make sure that your vacation will not be ruined by cyber criminals. Nobody wants to lose access to their device or their bank account during a trip to a foreign country,” says Daniel Markuson, a cybersecurity expert at NordVPN.

As International VPN day (August 19th) is just around the corner, Markuson lists all the benefits offered by the service.

Enhanced online security
The main purpose of a VPN is to keep its user’s online connection secure even when they are away from home. Hackers can set up fake hotspots or access unsecured public routers and this way monitor users’ online activity. Once a user is connected, criminals can intercept their internet traffic, infect the device with malware, and steal their victim’s personal information.

When authenticating themselves on public Wi-Fi, users often need to type in their email address or phone number. However, if a user has accidentally connected to a hacker’s hotspot, they could be exposing themselves to real danger.

A VPN hides users’ IP addresses and encrypts their online activity. That means that, even if a user is using a malicious hotspot, the hacker behind it won’t be able to monitor their activity. Therefore, getting a VPN for travelling abroad is essential if you want to stay secure and private online.

Grab the best deals
Depending on the country in which you’re located, the prices for airline tickets, car reservations, and hotels might vary. That’s because businesses know that people in different countries can and will pay higher amounts for certain products and services. If you use a VPN for travel, you can hop between servers in different countries and find the best deals available.

Make the best of additional VPN features
As the industry is evolving, many VPN providers add new features to make their users’ experience even more wholesome. NordVPN, for example, recently added the Meshnet feature that lets travellers connect to other devices directly no matter where in the world they are. This enables users to form a remote connection with their home or office PC from anywhere in the world to share files or for other uses.

However, having said that, please check local laws and regulations about using VPN services on your devices, before you do.

Continue Reading

Expert Speak

API Security Moves Mainstream



Written by Cameron Camp, Security Researcher at ESET

As swarms of IoT gear, seek richer data retrieval from their cloud mother ships, the more robust – and more potentially dangerously hackable – API interfaces get a fresh push toward center stage. With Google’s API security initiative Apigee, API security is growing up. And it’s not just IoT. Machine-to-machine data behind super-slick UX designs need seamless interfaces that help move masses of data with less friction, offering more responsive mashups of tech polled from locations far and wide.

But to make this all “just work”, those more robust interfaces bake in more robust attack possibilities to potentially slurp data wholesale to parts unknown and at record speed. Recently, we wrote about the spate of new startups at this year’s RSA Conference that tried to get attendees to wrap their heads around how to make sure an API doesn’t suddenly start misbehaving or does stuff no one knows about until it’s too late. It’s not just us: our friends at DarkReading purport to tally the mounting business losses associated with API hacks.

And now the heavyweights are moving into this space too, cementing API security as “A Thing”. Google’s Apigee Advanced API Security for Google Cloud aims to let organizations identify API misconfigurations and thwart malicious bots, the former being one of the main culprits of API security incidents. Luckily, there are tools from folks like the OWASP API Security Project where you can do a health check on your own APIs, or on those you interface with, which can serve as a baseline. They also have a drill-down about the most common misconfigurations and how to avoid them, so it’s a great place to start.

As we mentioned in our previous post, there was a bevvy of API security startups darkening the halls at RSA, so you may also have some commercial options, with more coming in the future. Expect to continue to see API hacks ramp up as companies wrestle with the prospect of securing yet another interface, this time an industrial one that sits at the heart of the cloud and big data, and – configured wrong – can allow vast troves of data to be siphoned off around the world to parts unknown. Just make sure it’s not your data.

Continue Reading

Follow Us


Copyright © 2021 Security Review Magazine. Rysha Media LLC. All Rights Reserved.