# What to Know About Cloud Infrastructure Entitlement Management (CIEM)

By [Jonathan Bregman](https://www.paloaltonetworks.com/blog/author/jonathan-bregman/?ts=markdown "Posts by Jonathan Bregman"), Oct 22, 2020

Effective cloud native security relies on [properly administering identity and access management (IAM) policies](https://www.paloaltonetworks.com/blog/2020/10/cloud-iam-misconfiguration-risks/) to users, workloads and data (also called entitlements). As cloud adoption continues to grow rapidly (Gartner forecasts that worldwide public cloud revenue will [grow 17% in 2020](https://www.gartner.com/en/newsroom/press-releases/2019-11-13-gartner-forecasts-worldwide-public-cloud-revenue-to-grow-17-percent-in-2020)), and given that resources are often created and spun down in a matter of hours or even minutes, a challenging reality has emerged for security teams -- cloud infrastructure entitlement management (CIEM) is complicated and difficult to get right.

Further complicating effective entitlement management is the fact that most organizations utilize multiple cloud service providers, each with its own definitions and rules for entitlements. [According to Gartner](https://www.gartner.com/en/documents/3986121/managing-privileged-access-in-cloud-infrastructure), "*by 2023, 75% of security failures will result from inadequate management of identities, access, and privileges, up from 50% in 2020.*"

To address these challenges and continue our commitment to bring our customers the most [comprehensive cloud native security platform](https://www.paloaltonetworks.com/blog/2020/10/cloud-evolution-comprehensive-cnsp/), Prisma Cloud supports a number of identity-focused capabilities for stronger entitlement management.

## What is Cloud Infrastructure Entitlement Management?

CIEM addresses cloud native security challenges of [managing IAM in cloud environments](https://www.paloaltonetworks.com/blog/prisma-cloud/iam-security-controls/). These challenges are often too complex and dynamic to be managed effectively by the native tools provided by cloud service providers (CSPs).
The emerging CIEM category defines technologies that provide identity lifecycle and access governance controls, which ultimately reduce excessive cloud infrastructure entitlements and streamline least-privilege access controls across dynamic, distributed cloud environments (the principle of least privilege refers to limiting permissions for users to the bare minimum they need).

##### **Challenges to Entitlement Management**

In addition to dealing with the complex and dynamic environment in which cloud native technologies operate, a CIEM solution should also address **privileged access management** and **identity governance and administration**.

![Key Challenges in Cloud Infrastructure Entitlement Management, marked dark blue for Privileged Access Management and light blue for Identity Governance and Administration.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2020/10/challenges.png)

The challenges addressed by a CIEM solution. Source: Gartner: "Managing Privileged Access in Cloud Infrastructure" June 9, 2020.

For privileged access management, a CIEM should:

* Monitor and prevent entitlement misuse.
* Assess the necessary duration of entitlements.
* Address the prolific nature of cloud entitlements.

For identity governance and administration, a solution should cover:

* Visibility, governance and compliance oversight.
* Monitoring excessive and risky entitlements.
* Rightsizing automation.

## CIEM and the Cloud Native Security Platform

CIEM represents an essential pillar of the [Cloud Native Security Platform](https://www.paloaltonetworks.com/prisma/cloud) (CNSP), one which specifically addresses organizations' need to ensure that privileged accounts and entitlements across their cloud infrastructure are consistently managed and assigned following the principle of least privilege.
Because the CNSP combines CIEM with the functionality of [cloud security posture management (CSPM)](https://www.paloaltonetworks.com/blog/2020/05/cloud-secure-cloud-native-applications/), Prisma Cloud can correlate identity information with configuration data. This powerful depth of visibility and control enables unparalleled protection. Take, for example, the AWS S3 storage service -- the Prisma Cloud Data Security module can discover and identify sensitive data, the CSPM capability can calculate true internet exposure, and the CIEM capability can provide granular insights into exactly who has access to the data and make appropriate recommendations to enforce least-privilege access.

![The four pillars of the Cloud Native Security Platform include Cloud Security Posture Management, Cloud Workload Protection, Cloud Network Security and Cloud Infrastructure Entitlement Management](https://www.paloaltonetworks.com/blog/wp-content/uploads/2020/10/pillars.png)

The four pillars of the Cloud Native Security Platform

##### **How to Implement CIEM Functionality**

The [Identity and Access Management (IAM)](https://www.paloaltonetworks.com/prisma/cloud/identity-access-management-security) module for Prisma Cloud will become generally available (GA) toward the end of 2020. This new feature set helps customers build a more identity-centric view of their cloud infrastructure entitlements, understand appropriate access and efficiently remove and adjust unneeded entitlements in line with CIEM challenges.

To learn more about the capabilities in the upcoming Prisma Cloud IAM module, read "[IAM Security Controls to Protect Cloud Entitlements](https://www.paloaltonetworks.com/blog/prisma-cloud/IAM-security-controls/)."