Identify Identity Risks

Securing cloud environments is of paramount importance for organizations leveraging cloud services. Identity risks pose a significant threat to the confidentiality and integrity of sensitive data and resources. Unauthorized access and data breaches can have severe consequences, leading to reputational damage and regulatory non-compliance.

To address these critical security and compliance challenges, Prisma Cloud's Cloud Infrastructure Entitlement Management (CIEM) module provides invaluable security and compliance benefits to organizations using cloud services. CIEM continuously monitors and analyzes permissions and entitlements across cloud environments, and helps ensure that your users have appropriate access levels and privileges based on their actual needs.

By focusing on identity risks, CIEM empowers organizations to maintain a strong security posture. It provides real-time visibility into cloud permissions, allowing you to promptly identify and remediate potential security gaps. Through this proactive approach, CIEM significantly minimizes the risk of data breaches and unauthorized access attempts.

1. Subscribe to CIEM

Begin your journey by onboarding your cloud accounts and subscribing to CIEM on Prisma Cloud. This will allow you to manage and monitor your identity-related risks effectively.

2. Onboard your cloud accounts

Make sure to onboard your AWS, Azure, or GCP accounts where you manage IAM (Identity and Access Management) to allow Prisma Cloud to access your IAM data.

Confirm that there are no errors for the additional permissions that CIEM requires.

An example from Azure:

3. Connect your IDP for enhanced visibility

Integrate Prisma Cloud CIEM with IdP services such as Okta and Azure AD to gain extensive visibility into your identity ecosystem. This integration is a recommended best practice that gives you more valuable insights and monitoring capabilities.

When you connect an IdP, Prisma Cloud can use the user identity information from these sources, together with the SSO data obtained from the integrated IdPs, to calculate and manage effective permissions for users within the cloud environment. This is crucial in cloud environments, where access control can quickly become complex due to multiple resources, services, and user roles.

4. Explore high-priority identity risks

Identify and understand the most critical identity risks facing your organization. The out-of-the-box IAM policies will help you prioritize and address these risks efficiently.

  1. Select Alerts.
  2. Select the Policy Type and set it to IAM to filter for IAM alerts.
    Now, you can explore the different alerts that have been generated related to IAM policies.
  3. View the generated alerts.
    For easier analysis, sort the alerts by severity to prioritize critical and high-impact issues.
  4. Select a specific alert.
    For example, from the list of alerts, locate the policy titled "AWS IAM effective permissions are over-privileged (7 days)" or choose any other relevant policy based on your needs. To investigate the details of a specific alert, click on the one you want to examine further.
  5. Perform a detailed investigation.
    Within the alert details, you'll find the option to Investigate. Click on it to access more information about the permissions that were not used in the last 7 days.
  6. Remediate the issue.
    After understanding the unused permissions, you can proceed to remediate the issue.

When you click Remediate, Prisma Cloud shows you the minimal set of permissions required for the identity, so you can easily address the over-privileged access permissions.

5. Investigate top identity concerns

You can dive deep into your top identity issues and resolve these concerns to strengthen your overall security posture.

  1. Enter an RQL query for IAM issues.
    1. Log in to the Prisma Cloud Console, and select Investigate.
      The Investigate page is where you can perform queries to find answers about your cloud resources and access privileges.
    2. Enter an RQL query to search for IAM access.
      For example: config from iam where source.public = true AND dest.cloud.service.name = 'S3' AND dest.cloud.resource.type = 'bucket'
      This query finds S3 buckets in your account that are accessible from the Internet.
      If you have connected your IdP, you can also retrieve IdP-related information.
      For example: config from iam where source.idp.service = 'okta'
      Replace 'okta' with the IdP service you integrated above; the query then lists all IdP users with access to the cloud.
    3. Save the query, if you would like to reuse it.

  2. View IAM Access Details.
    The Prisma Cloud Console gives you the ability to investigate IAM access using RQL queries and visualize the results in a graph or table view. The graph provides a visual representation of IAM access relationships, making it easier to analyze complex access patterns.
    1. Select the table view to see the details presented in columns.
    2. Review the details.
      • Source: Represents the resource with permissions, such as IAM user, IDP user, EC2 instance, Microsoft Compute Virtual Machine, and Lambda function.
      • Granted By: Indicates the group, role, or policy that grants permissions to the source to interact with the destination.
      • Cloud Account(s): Displays the cloud account and region associated with the IAM entity.
      • Action: Shows the operations that the entity can perform based on the permissions granted.
      • Destination: Lists the cloud resources that had an action occur on them or are the targets of the action.

6. Customize your policies

Tailor your CIEM experience to your specific needs by creating custom policies. These policies will align with your organization's unique security requirements. As a best practice, review and test the modified policy thoroughly before applying it in a production environment to ensure it meets your requirements.

  1. Select Alerts.
  2. Select the Policy Type and set it to IAM to filter for IAM alerts.
    Make sure that the results are grouped by policy name (Group By: Policy Name).
  3. Select the policy to modify. For example, AWS IAM effective permissions are over-privileged (7 days).
  4. Click on the pen icon next to the policy's name to start editing the policy.
  5. Rename to create a new policy.
    1. Change the name to something descriptive, for example, "AWS EC2 instances with effective permissions that are over-privileged (7 days)."
    2. Select Create a Query to modify the RQL query.
      This section allows you to modify the RQL query that defines the policy match criteria. Replace the existing query with the following one, which covers only EC2 instances with over-privileged permissions:
      config from iam where dest.cloud.type = 'AWS' and action.lastaccess.days > 7 and source.cloud.service.name = 'EC2'
  6. Save the updated policy.
    Your policy is now customized with the new RQL query, focusing on over-privileged permissions for EC2 instances.
Alternatively, you can turn an Investigate query directly into a policy:

  1. Select Investigate.
  2. Select a saved query in the Query Library or enter a new query.
  3. Save as Policy.

7. Mitigate identity risks

With the insights you’ve gained from the CIEM module, take proactive measures to mitigate the identified identity risks. Implement the necessary changes and improvements to enhance the overall security of your cloud environment.

There are two main ways to mitigate identity risks. The first is to remediate an alert, and the second is to generate the least privileged role/group.

To remediate an alert:

  1. On the Prisma Cloud console, select Alerts.
  2. Find the policy associated with the alert you want to remediate, for example, "AWS IAM effective permissions are over-privileged (7 days)."
  3. Select the policy, and click the Remediate button at the top of the table.
    A pop-up will be displayed with the CLI command to run for the risk mitigation.
    For more information, see Remediate Alerts for IAM Security.
To generate the least privileged role or group:

  1. Filter the identity assets.
    1. On the Prisma Cloud console, select Inventory.
    2. Add the Asset Type filter, and select any Identity (for example, EC2 instances).
  2. Generate the least privileged role.
    1. Select the identity for which you would like to generate the least privileged role.
    2. In the side panel, select the IAM Details section and Generate Least Privilege Role.
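The over-privileged (7 days) check from step 4 and the least-privilege role generation above rest on the same idea: compare what a policy allows with what the identity actually used within the window, and keep only the latter. The following Python script is an added illustration of that logic, not Prisma Cloud's own implementation; the IAM policy document and the per-action last-access dates are constructed sample input, and the LAST_ACCESS dictionary is a hypothetical shape rather than any real Prisma Cloud or AWS output format.

```python
from datetime import datetime, timedelta

# Constructed sample: an IAM policy on an EC2 instance role plus per-action
# last-access dates (hypothetical shape, not Prisma Cloud or AWS output).
# None means the action has never been used.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "arn:aws:s3:::example-bucket/*",
         "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteBucket"]},
        {"Effect": "Allow", "Resource": "*", "Action": "ec2:DescribeInstances"},
    ],
}
LAST_ACCESS = {"s3:GetObject": "2024-05-30", "s3:PutObject": "2024-04-01",
               "s3:DeleteBucket": None, "ec2:DescribeInstances": "2024-05-29"}
NOW = datetime(2024, 6, 1)

def _actions(stmt):
    """Normalize Action, which IAM allows as either a string or a list."""
    actions = stmt.get("Action", [])
    return [actions] if isinstance(actions, str) else list(actions)

def unused_actions(policy, last_access, now, days=7):
    """Allowed actions not used within `days` days (never-used ones included).
    Wildcards such as s3:* have no single last-access record, so they are
    skipped here and left for manual review instead of being flagged."""
    cutoff = now - timedelta(days=days)
    unused = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for action in _actions(stmt):
            last = last_access.get(action)
            if "*" not in action and (last is None or datetime.fromisoformat(last) < cutoff):
                unused.append(action)
    return unused

def least_privilege_policy(policy, unused):
    """Copy of the policy with unused actions removed from Allow statements;
    a statement left with no actions is dropped, Deny statements are kept as-is."""
    remove, statements = set(unused), []
    for stmt in policy["Statement"]:
        kept = [a for a in _actions(stmt) if a not in remove]
        if stmt.get("Effect") != "Allow":
            statements.append(stmt)
        elif kept:
            statements.append({**stmt, "Action": kept})
    return {"Version": policy["Version"], "Statement": statements}
```

Widen `days` to match whatever window your customized policy uses; the trimmed document is a starting point for review, not something to apply blindly.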