Cloud Infrastructure Entitlement Management (CIEM) is a cloud security solution used to manage identities and cloud permissions through the principle of least privilege (POLP). 

CIEM uses machine learning and analytics to detect anomalies in account permissions within multi-cloud environments. This visibility enables organizations to apply consistent identity access management (IAM) across their cloud services to mitigate cyber threats, such as data breaches and data exfiltration

CIEM solutions are delivered through a software-as-a-service (SaaS) model, alongside other cloud security solutions, such as Cloud Security Posture Management (CSPM) and Cloud Access Service Brokers (CASBs).

What is a Cloud Identity?

A cloud identity is any entity with access to cloud services/cloud resources. There are two types of cloud identities: 

  • Human identity - Any person accessing the cloud, e.g., users, admins, developers.
  • Non-human (service) identity - Any non-human entity that accesses the cloud on behalf of a human, e.g., connected devices, IT admin, software-defined infrastructure (SDI), artificial intelligence (AI).

An organization can grant both of these cloud identity types with cloud entitlements.

What is a Cloud Entitlement?

Cloud entitlements determine which tasks an identity can perform and which resources it can access across an organization’s cloud infrastructure. 

The main types of entitlements are cloud resources and cloud services.

  • Cloud resources, e.g., files, Virtual Machines (VMs) and servers, serverless containers.
  • Cloud services, e.g., databases, buckets and storage, applications, networking services.

How CIEM Works

CIEM operates using the principle of least privilege (POLP) to manage users' private and public cloud permissions, minimizing the risk of granting excessive entitlements.

Effective CIEM solutions follow a five-stage lifecycle to cloud IAM capabilities.

What is the Principle of Least Privilege (POLP)?

The principle of least privilege (POLP) is a cybersecurity concept that limits the access rights of user accounts to only those necessary to complete their job requirements.

Applying such strict access control through privileged access helps organizations minimize their attack surface and exposure to cloud leaks, data breaches, insider threats, and other cyber threats.

POLP is a crucial element of the zero-trust network architecture (ZTNA).

The CIEM Lifecycle

The CIEM lifecycle is a framework that all effective CIEM solutions should follow to provide the scalable enforcement of least privilege across cloud deployments. 

The framework allows organizations to easily manage and monitor the entitlements of all identities across multi-cloud environments.

  • Account and Entitlement Discovery: Provides granular visibility of cloud identities and their entitlements, in line with cloud-based activity. 
  • Entitlement Optimization: Enforces strict access control via POLP.
  • Cross-Cloud Entitlement Correlation: Enables consistency of entitlement policies across cloud deployments.
  • Entitlement Visualization: Centralizes datapoints into concise, actionable insights, enabling security and DevOps teams to effectively monitor cloud security posture and user access to cloud resources.
  • Remediation: Identifies risks related to access rights, such as excessive permissions, and provides alerts and automated responses to security and DevOps teams when threats are detected.
CIEM Lifecycle

The Importance of Identity Management in the Cloud

Digital transformation has driven the adoption of cloud computing, propelled further by the recent demand for remote access brought on by COVID-19 and flexible working arrangements. 

Gartner predicts that by 2025, 85% of organizations will implement a cloud-first strategy, with 95% of new digital workloads being deployed on cloud-native platforms – a 35% increase from 2021.

Unlike traditional, on-premise networking, the cloud can’t rely on physical network security perimeters and firewalls for security.

The absence of a firm perimeter means the role of identity as a security mechanism is much more critical in a cloud environment.

Existing identity and access management (IAM) solutions, such as identity governance administration (IGA) and privileged access management (PAM), do not provide the granular visibility necessary to secure cloud resources at scale.

Gartner also expects that, by 2025, 99% of cloud security failures will be the customer’s fault, further increasing the pressure on organizations to invest generously in cloud data security.

CIEM solutions address the capability gap of these traditional solutions, enabling organizations to manage and monitor cloud permissions across multi-cloud deployments.

Addressing Cloud IAM Challenges

Managing cloud identities is challenging for several reasons. 

Below are some of the main challenges organizations face with IAM in cloud deployments and how CIEM solutions can help address them.

Lack of Visibility

Cloud infrastructure’s on-demand scalability is one of its major benefits but also downfalls. The ever-growing nature of cloud environments complicates the ability to monitor and manage identities and their access privileges effectively as security teams lose visibility of all identities on the network.  

CIEM solutions provide granular visibility into the permissions and activity of all identities in a cloud environment. With CIEM, admins can quickly identify who is accessing specific cloud resources/services and the exact time they access them.

Inconsistent Security Mechanisms

Organizations likely use many different cloud services to perform various business operations. Each cloud provider has unique security policies and IAM capabilities, creating security inconsistencies across the cloud environment. 

Identifying and remediating each platform’s security gaps and vulnerabilities drains significant time and resources from security teams. 

CIEM is a centralized platform for implementing IAM in cloud deployments. CIEM solutions can apply consistent security policies across all cloud platforms by enforcing least privilege access.

Permissions Gap

Shifting workloads to the cloud is a time-consuming process for admins. To save time, Organizations often assign excessive permissions to users rather than using individual discretion, creating a cloud permissions gap. 

These unnecessary entitlements expose organizations to unnecessary cyber risks

Another common contributor to the permissions gap is the presence of inactive identities – users with access to cloud resources and services they don’t use.

CIEM tools can identify the over-provisioning of entitlements and alert security teams of users with unsuitable permissions. 

CIEM Permissions Gap

Top CIEM Vendors

The following vendors provide organizations with effective CIEM solutions.

1. Authomize

Authomize’s platform integrates SaaS, Platform-as-a-Service (PaaS), Data, IT Service Management (ITSM), and (Identity Providers) IdPs Identity Providers to normalize and correlate an organization’s identity and account entitlements, generating a unified access and authorization model. 

Authomize is compatible with all major cloud service providers (CSPs), including Azure, AWS, and GCP.

Main features:

  • Crown jewel protection
  • Least privilege enforcement
  • Cloud guardrail enforcement
  • Suspicious behavior detection

2. Britive

Britive is a cloud-native solution that delivers unified access cross-cloud.

Main features:

  • Just-in-time provisioning
  • Secrets governance
  • Cross-cloud discovery
  • Proactive threat monitoring
  • Least privilege enforcement

Britive is compatible with Azure, AWS, GCP, Oracle Cloud, and Service Now.

3. Zscaler

Zscaler’s Cloud Protection solution ensures least-privilege access to cloud resources, for users, applications and machines, with access policies recommended by machine learning.

Zscaler Cloud Protection is compatible with all major cloud service providers (CSPs), including Azure, AWS, and GCP.

Main features:

  • “Safe to Remove” permissions policies
  • Permissions mapping
  • Risk-based prioritization
  • Part of a larger data protection platform

4. CloudKnox Security

CloudKnox Security’s CloudKnox Permissions Management platform is a cloud infrastructure entitlement management (CIEM) solution, currently in preview that provides visibility and control over permissions for cloud identities. 

CloudKnox is compatible with Microsoft Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP).


  • Full visibility
  • Automatic least privilege access
  • Unified cloud access policies

5. Ermetic

Ermetic automates entitlements management and risk remediation.

The platform is compatible with all major cloud service providers, including Azure, AWS, and GCP.

Main features:

  • Multi-cloud visibility and asset management
  • Risk assessment across identities, network and data
  • Automatic remediation
  • Proactive policy enforcement and shift left
  • Anamoly and threat detection
  • Compliance and access governance

6. Obsidian Security

Obsidian helps security teams make informed decisions around privileged access to mitigate risk, cut unnecessary costs, and protect organizations’ most critical business applications.

Obsidian Security is compatible with all major cloud service providers, including Microsoft Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP).


  • Machine learning models to identify privilege creep
  • User access and activity monitoring
  • Data analytics

6. SailPoint

SailPoint’s Cloud Governance platform discovers and protects cloud platforms and resources using AI and machine learning.


  • Full visibility
  • Automated access provisioning and monitoring
  • Policy modeling and management
  • Automated access reviews and report creation

7. Saviynt

Saviynt’s platform establishes and enforces risk-based access policies over machine identities so organizations can extend governance, secure data, and meet compliance mandates.

Saviynt is compatible with all major cloud service providers, including Microsoft Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP).


  • Identity and access lifecycle management
  • Automated real-time provisioning
  • Control exchange
  • Cross-application Separation of duties (SoD)
  • Fine-Grained Entitlement Visibility
  • Risk-Based Data Access Governance

The Future of Identity Management in the Cloud

Organizations are increasing their investment in infrastructure-as-a-service (IaaS) providers like Microsoft Azure, Amazon Web Services (AWS), and Google Cloud Computing (GCP). As the number of cloud identities across these infrastructures multiplies, internal and third-party attack surfaces expand. 

CIEM streamlines IAM across the cloud environment, helping organizations improve their cloud security posture.  By providing security teams with centralized visibility and control over user permissions, organizations can mitigate common cloud security risks, such as data leaks, data breaches, and other cyber attacks undertaken by insider threats. CIEM solutions work well with other cloud security technologies like Cloud Access Service Brokers (CASBs) and Cloud Security Posture Management (CSPM) tools to provide more effective cyber threat protection. 

For comprehensive cloud security, organizations must identify such cyber threats in real time to remediate them before a serious security incident occurs. Organizations can further strengthen their cloud protection strategies by combining the functionality of a CIEM solution with an attack surface management solution, such as UpGuard BreachSight.

Ready to see
UpGuard in action?

Ready to save time and streamline your trust management process?