Multicloud Threats Prompt Higher Education IT to Consider CIEM

For instance, what can you do to harden the security at your network endpoints at a time when more applications and systems are moving off-premises to public clouds and Software as a Service providers where you have less control?

What about faculty and staff turnover? Do you really know if you’ve removed all the security accesses and permissions for every instructor who has left the system or taken a leave of absence?

In both cases, IT leaders are likely to acknowledge that their colleges face potential security holes. Unfortunately, security breach perpetrators know this too.

CIEM: A Revised Approach to Higher Education Cybersecurity

Historically, universities have used identity and access management to manage and control user access, whether that access is to internal network resources or to the cloud. The beauty of IAM is that security managers obtain a single pane of glass view of all user access and permissions, whether they occur internally or on the cloud.

Cloud infrastructure entitlement management is a security management technology that is specifically dedicated to cloud user access and permission management. It does not manage internal network access. The disadvantage of CIEM is that it is unable to provide security management with a universal view of total user access and permissions activity; it manages the cloud only.

RELATED: How to approach higher education’s hybrid cloud migration.

That being said, there are good reasons colleges should consider bringing on CIEM to complement their existing security tools, including IAM.

First, by continuing with IAM, IT workers should be able to maintain their universal view of everything that happens within their environment, whether user access is occurring on internal networks or in the cloud.

Second, by adding CIEM, staffers gain security management capabilities in the cloud that IAM doesn’t have. This is especially important as more core IT is moving to the cloud. In a CIEM environment, IT security teams are delivered more granular views of cloud security, which helps to ensure that users only have access to the cloud-based resources they are authorized to access.

For example, if Joe Smith is a mathematics instructor who subscribes to cloud-based resources that enable him to enter grades and access cloud-based mathematics courseware for his courses, based upon his role as a mathematics faculty member Joe could gain access to these resources — but he more than likely wouldn’t be authorized to look at the university’s budgets. Conversely, Mary Whitcomb, a dean at Joe’s institution, would have cloud access and permissions based upon her role as a dean. Mary would be able to see summaries of university demographics, student performance and institutional budgets, but she wouldn’t have access to the grading and mathematics courseware cloud resources that Joe uses.

To ensure that all the security rules IT has assigned are adhered to in the cloud, CIEM uses automation that continuously scans user access control policies, rules and configurations to determine which users can access which resources in a cloud environment. It backs this up with AI and machine learning that evaluate use patterns and can instantly detect access anomalies or behavior deviations, and then issue an alert to IT staff about any abnormal access that is occurring in the cloud.

Why does this matter?

According to the 2024 CDW Cloud Computing Research Report, 88% of higher education institutions have already moved at least a quarter of their applications to the cloud. It’s also the case that many CIOs and IT leaders don’t always know how many clouds are being used in their organizations. An instructor might go rogue and subscribe to a cloud-based service on their own, and IT may or may not be aware of it. However, if there is a CIEM policy in place, it could require all university personnel to go through IT to register any user authorizations and privileges they are requesting for the cloud.

Click the banner for more higher ed insights in the CDW Cloud Computing Research Report.

How to Use CIEM Tools in Higher Education 

For organizations moving to CIEM, new tools are needed and must be mastered.

This begins with single pane of glass software for administering and managing multicloud security. There are CIEM offerings that have this overarching software for one-stop multicloud observability, but it’s not affordable for every organization. To use this software, IT departments will need training because it’s not the same as the single pane of glass observability software that they’re used to running on their internal networks.

This type of CIEM management software is integrated with tools that audit and automate the monitoring and detection of security access, and access anomalies across multiple clouds, whether the access relates to humans, bots, scripts, AI machine access or individual server and endpoint hardware identities. The tools embed an AI engine that can detect abnormalities and anomalies, but it is up to IT to train the AI with the appropriate security and governance rules for user, machine and process access. Over time, the AI will use machine learning to observe access patterns so it can improve its overall ability to detect and report on unusual activities.

There are also tools that enable you to input your governance and security policies for vulnerability and misconfiguration detection, and to assist you in only provisioning the minimum amount of access per user, process or device that is needed.

These CIEM tools can be added to a cloud workbench in a one-off fashion, for those who don’t wish to make the leap to a full CIEM system.

Challenges of CIEM Implementation in Higher Education

CIEM sharpens the ability to control and patrol cloud access, but it also presents its share of challenges. These include:

1. The need to manage a much larger multicloud security surface. IT will need to develop more all-encompassing oversight and control strategies, and this will force revisions to security operations. Process revisions that incorporate new types of automation for security monitoring, reporting and remediation will also be needed.
2. IT staff training will be required. CIEM tools differ from IAM tools, and IT training will be needed to use the tools.
3. Security access tools will need to be continuously monitored and fine-tuned as needed. CIEM is new to most organizations, as is security access control in a multicloud environment. There will surely be a need to refine security operations and insert more automation as experience is gained.
4. Users might not like CIEM. A primary goal of CIEM in the cloud is to tamp down access privileges per user to only the bare minimum of what a user needs to do their job. The net result for a user is that they will likely have reduced access to cloud resources. It will be important for IT and administrators to educate staff on why this degree of cloud security is needed.
5. CIEM has its limits. CIEM can be useful for universities because so much IT is moving to the cloud — but that doesn’t mean that internal networks and on-premises IT will disappear. What current IAM systems give IT departments is a 360-degree view of both on-premises and cloud-based security; CIEM is cloud-only.

Benefits of CIEM Implementation in Higher Education

 CIEM offers greater security in higher education cloud environments, and with ransomware and other types of cyberattacks presenting a persistent threat, there are certainly reasons colleges and universities should consider taking the plunge. Here are some of the ways higher education institutions can benefit from CIEM:

1. More granular visibility of cloud security access points and operations.
2. Reductions in security risks, because the cloud environment is fully observable and actionable with CIEM.
3. Advanced tooling from CIEM that enables IT to remove unused and under-utilized machine, process and human access points, which can occur when an obsolete server that no longer needs cloud access still has it, or when a retired faculty or staff member still has access privileges that haven’t been removed.
4. Built-in AI and automation that aim for “basic needs” access per user, thus reducing the cloud attack surface because users get only what they need to do their jobs.

KEEP READING: What are all these AI tools going to do to IT infrastructure? 

How Seriously Should Higher Education Institutions Consider CIEM?

At colleges and universities, and in general across other industries, CIEM is in early stages of adoption. Of the CIEM solutions that are available commercially, some are fully integrated toolsets but there are also many that are more stand-alone and piecemeal in nature, and that function more as cloud security “hole-fillers” than as fully integrated and mature systems.

CIEM is experiencing growing pains, but organizations increasingly recognize that stronger security and administration are required for multicloud environments — and the market reflects this.

By 2028, the CIEM market is projected to grow by a compound annual growth rate (CAGR) of 44%. Despite CIEM’s complexity, expense and growing pains, organizations recognize that IT is moving to the cloud and that newer, more robust cloud security tools like CIEM are going to be needed to control and patrol access.