2023-04-03. By Microsoft Security

How many permissions exist within your current technology suite? If your organization is anything like the millions of other companies that deploy cloud services, that number could be in the tens of thousands.

There are more than 40,000 permissions across the key cloud platforms alone, and many of these permissions aren’t even utilized fully. The Microsoft Security 2023 State of Cloud Permissions Risks Report found that identities are using only 1% of the permissions for which they’re authorized. This has created a dangerous phenomenon known as the permissions gap. The bigger this gap between permissions granted and used gets, the larger the potential attack surface a company faces.

As security teams look to evolve their identity management and permissions coverage to more thoroughly encompass their many cloud deployments, they must also strike a balance between ensuring security and maintaining end-user productivity. A truly comprehensive identity and access management (IAM) model should include existing best practices like single sign-on (SSO) and multifactor authentication (MFA) alongside new identity governance and permissions solutions.

Here’s what that can look like in practice.

Assign people and workload identity profiles

Before companies can accurately audit their current IAM model, they must first understand how many permissions exist within their organizations. In today’s technology-driven workforce, this means that each unique user and non-human workload identity needs an individual usage profile.

Creating these profiles allows security teams to gain much-needed visibility into organizational risks by uncovering who is doing what, where, and when across their cloud infrastructure. And because permissions are constantly evolving, auditing permissions that were granted in the past allows you to see if they are still needed today.

After all, risks arise when circumstances change—whether it’s an employee who has taken on a new role, a contractor who has completed their engagement, or something else entirely. Such auditing is especially helpful when your identity infrastructure spans multiple cloud environments or you’re working with a hybrid of on-premises systems and cloud technologies.

Implement a CIEM strategy

The adoption of multicloud has led to a massive increase in identities, permissions, and resources across public cloud platforms. Without visibility across cloud providers, or tools that provide a consistent experience, it’s become incredibly challenging for identity and security teams to manage permissions and enforce the principle of least privilege across their entire digital estate.

In 2020, analyst firm Gartner created a new category of solutions to address the identity and permissions problem the cloud presents. These solutions, called cloud infrastructure entitlement management (CIEM), are described as “specialized identity-centric SaaS solutions focused on managing cloud access risk via administration-time controls for the governance of entitlements in hybrid and multicloud IaaS. They typically use analytics, machine learning (ML) and other methods to detect anomalies in account entitlements, like accumulation of privileges, dormant and unnecessary entitlements. CIEM ideally provides remediation and enforcement of least privilege approaches.”

According to Gartner, CIEM comprises seven core pillars: account and entitlements discovery, cross-cloud entitlements correlation, entitlements visualization, entitlements optimization, entitlements protection, entitlements detection, and entitlements remediation. And while this may sound like a lot, CIEM can be broken down into a lifecycle approach that allows security teams to continuously discover, remediate, and monitor the activity of every unique user and workload identity operating in the cloud.

CIEM is important because it provides visibility into all actions performed by all identities, enforces the principle of least privilege, and continuously monitors for permission risks across multiple clouds.
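The usage profiles described above (granted permissions compared against what each user and workload identity actually exercises) and the CIEM discover/remediate/monitor loop both reduce to the same computation: join the entitlement inventory with the activity log, measure the gap, and propose right-sized grants. The script below is an added example written for this page; it is not Microsoft's code, not the Microsoft Entra API, and not any cloud provider's real permission schema. The identity names, permission strings, the one-line log format, the 90-day lookback and the audit timestamp are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample inventory: permissions granted to each identity.
# Identity names and permission strings are assumptions for this example.
GRANTED = {
    "user:alice": {"storage:GetObject", "storage:PutObject", "storage:DeleteBucket",
                   "compute:StartInstance", "compute:StopInstance"},
    "user:bob": {"storage:GetObject", "iam:CreateRole", "iam:AttachRolePolicy"},
    "workload:build-runner": {"storage:GetObject", "storage:PutObject",
                              "secrets:GetSecret", "compute:StartInstance"},
    "workload:legacy-report": {"storage:GetObject", "db:Query"},
}

# Constructed activity log, one "ISO-timestamp identity action" record per line.
ACTIVITY_LOG = """\
2023-03-30T08:12:00Z user:alice storage:GetObject
2023-03-30T08:13:00Z user:alice storage:PutObject
2023-03-31T10:00:00Z user:bob storage:GetObject
2023-04-01T02:00:00Z workload:build-runner storage:GetObject
2023-04-01T02:00:05Z workload:build-runner secrets:GetSecret
2023-04-01T02:01:00Z workload:build-runner storage:PutObject
2022-12-20T00:00:00Z workload:legacy-report db:Query
"""

# Constructed audit time; real tooling would use datetime.now(timezone.utc).
AUDIT_TIME = datetime(2023, 4, 3, tzinfo=timezone.utc)


def parse_log(text):
    """Discover step: return {identity: {action: last_used_datetime}}."""
    last_used = defaultdict(dict)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, identity, action = line.split()
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        prev = last_used[identity].get(action)
        if prev is None or when > prev:
            last_used[identity][action] = when
    return last_used


def build_profiles(granted, last_used, now, lookback_days=90):
    """Build a usage profile per identity: granted vs. used inside the window.

    Returns {identity: {"used": set, "unused": set, "dormant": bool}}.
    """
    cutoff = now - timedelta(days=lookback_days)
    profiles = {}
    for identity, perms in granted.items():
        recent = {a for a, t in last_used.get(identity, {}).items() if t >= cutoff}
        used = perms & recent
        profiles[identity] = {
            "used": used,
            "unused": perms - used,
            # An identity that holds rights but showed no activity in the
            # window is dormant and a candidate for removal, not just trimming.
            "dormant": not recent,
        }
    return profiles


def permissions_gap(profiles):
    """Monitor step: fraction of granted permissions unused in the window."""
    granted_total = sum(len(p["used"]) + len(p["unused"]) for p in profiles.values())
    unused_total = sum(len(p["unused"]) for p in profiles.values())
    return unused_total / granted_total if granted_total else 0.0


def least_privilege_policy(profiles):
    """Remediate step: keep only the permissions each identity actually used."""
    return {identity: sorted(p["used"]) for identity, p in profiles.items()}


def analyse(now=AUDIT_TIME, lookback_days=90):
    """Run the full loop on the constructed data; returns (profiles, gap)."""
    profiles = build_profiles(GRANTED, parse_log(ACTIVITY_LOG), now, lookback_days)
    return profiles, permissions_gap(profiles)


if __name__ == "__main__":
    profiles, gap = analyse()
    print(f"permissions gap: {gap:.0%} of granted permissions unused in 90 days")
    for identity, p in sorted(profiles.items()):
        flag = " DORMANT" if p["dormant"] else ""
        print(f"{identity}{flag}: used {len(p['used'])}, unused {sorted(p['unused'])}")
    print("proposed least-privilege grants:", least_privilege_policy(profiles))
```

Two design points carry over to real tooling. First, the gap is measured per identity before it is aggregated, because a single over-provisioned service account with unused IAM or delete permissions matters more than the fleet-wide percentage. Second, an identity with no activity at all in the window is reported as dormant rather than merely trimmed to an empty grant, since the right remediation there is usually to disable or delete the identity and the decision should go to a human reviewer.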

Unify identity management

Finally, simplicity can be just as important as a sophisticated cyber defense. Identity management isn’t effective if it interferes with users’ productivity, overall experience, or if it creates an undue cost or workload burden. Organizations need access decisions to be as granular as possible and to automatically adapt based on real-time assessment of risk. And they need this everywhere—whether on-premises; across multiple clouds; or within their multi-layered network of third-party apps, websites, and devices.

That’s why we recommend unifying your identity management procedures in a centralized solution that provides comprehensive visibility and control over permissions for any identity and resource. Deploying a unified identity management solution enables companies to take advantage of the most promising technological innovations without the fear of being compromised. This, in turn, instills trust—not only in their digital experiences and services, but in every digital interaction that powers their services.

To learn how you can confidently enable smarter, real-time access decisions for all identities across hybrid, multicloud, and beyond, check out our family of multicloud IAM solutions: Microsoft Entra. And explore Microsoft Security for the latest news on emerging threats and helpful tips on improving your cybersecurity.