The cloud-first strategy adopted by many organizations has led them to create new infrastructure within cloud-computing platforms and progressively migrate as many existing infrastructures as possible to the cloud.

As a result, many organizations have extended their existing infrastructure with Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS), resulting in multiple cloud computing services from multiple cloud service providers on top of existing legacy, on-prem infrastructure. 

Adding to the complexity, many organizations are using Edge computing systems to process data at the periphery of the network and running workloads in virtual machines (VMs), resulting in multiple IT architectures.

This multi-hybrid, multi-cloud infrastructure is becoming increasingly common, but this change in IT infrastructure and increasing use of agile development and DevOps tools means that there is an urgent need to adapt the management of infrastructure to keep pace with the proliferation of entitlements across these complex and dynamic infrastructures.

The market has attempted to address this need by introducing a new class of products and services that has been dubbed Cloud Infrastructure Entitlement Management (CIEM). These products, which include many existing capabilities, are aimed at helping organizations to manage identities and access across multiple clouds and even VMs.

From a tactical perspective, starting with CIEM might be reasonable, but it has a fairly narrow focus on Infrastructure as a Service (IaaS), and therefore does not address the real need of organizations, which is to gain control of identities and access across all of IT infrastructure, including legacy on-prem; virtual infrastructure; IaaS, PaaS, and SaaS on multiple clouds; and Edge computing systems.

To deal with the real complexity of managing volatile and highly dynamic infrastructures in a hybrid world, organizations need to look beyond CIEM for a paradigm that will enable them to manage access of everyone and everything to all resources consistently in a multi-cloud, multi-hybrid environment.

To help organizations meet this challenge now and in the future, KuppingerCole has defined a model for this new paradigm of Dynamic Resource Entitlement and Access Management (DREAM), which was introduced recently at the European Identity and Cloud conference.

The DREAM model envisages common service development, delivery, and operations; infrastructure management and operations; and security and identity across on-prem, Edge, and private and public cloud, including managed service providers.

Successful implementation will enable enterprises to run policy-based security automation for all IT and governance and security operations for the entire IT stack.

But ultimately, KuppingerCole believes that organizations need to move towards an “identity first” approach, which is encapsulated in the concept of an “identify fabric” or an interconnected layer of identity functionalities and capabilities, which includes the set of services provided by DREAM.

The identity fabric concept is key to moving to a strategic future-proof vision by maintaining a blueprint for a unified identity, access, and cloud security eco-system, and by defining a general strategy for multi-cloud, multi-hybrid IT.

CIEM addresses important challenges and provides valuable services - so these capabilities are essential, but CIEM addresses a limited scope. It focuses on IaaS and sometimes PaaS, but SaaS is usually out of scope, so we need to think bigger.

— Matthias Reinwarth, Lead Advisor & Senior Analyst at KuppingerCole.

Because we understand how important­­­­­­­­ it is for organizations to gain control of identity and access across their whole IT environment, and because we are committed to helping your business succeed, KuppingerCole is building up a library of content on this topic in a variety of formats.

This includes events such as our hybrid Cybersecurity Leadership Summit 2021 in Berlin, Germany and online from 9 – 11 November. Register today to attend sessions on Managing security in dynamic environments: CIEM & beyond and Mastering Complexity in Your Multi-Cloud & Multi-Hybrid IT, plus many more topics designed especially for cybersecurity leaders. 


For a short introduction to and overview of the topic of CIEM, listen to this analyst chat that addresses the question: Do we really need Cloud Infrastructure Entitlement Management (CIEM).

Following on from that, have a look at this panel discussion between representatives of the business world, identity vendors, and KuppingerCole on What CISOs need to know about CIEM.

For a detailed explanation of why the management of infrastructure needs to change, the actual role that CIEM can play, and the need to look beyond CIEM to a more strategic approach to security and identity for multi-cloud and multi-hybrid IT, have a look at this presentation entitled: Cloud Infrastructure Entitlement Management (CIEM): Advancing from Cloud First to Identity First.

And then, for a detailed explanation of some of the new paradigms and models referenced in that presentation, have a look at the presentation entitled: Multi-Cloud Multi-Hybrid IT: How to Make your Digital Business Fly, which presents KuppingerCole’s newly-defined paradigms of BASIS, SODAS, and DREAM for the future of core IT.

For a perspective on the risks and challenges related to entitlement management across the modern IT landscape, have a look at this presentation on Entitlement Management across Hybrid Cloud for Security & Compliance.


If you would prefer to read about the DREAM paradigm, have a look at this blog post on Managing Access and Entitlements in Multi-Cloud Multi-Hybrid IT.

And for a written perspective on the nature and future of hybrid architectures, have a look at this blog post on The need for an "integrated identity" within hybrid cloud infrastructures

For a perspective on Microsoft’s acquisition earlier this year of CIEM vendor, CloudKnox Security, read this blog about how Microsoft further strengthens Identity and Security offerings by CloudKnox Security acquisition.


Some of the content mentioned above includes references to the concept of “Identity Fabrics”. To learn more about this concept, which is key to achieving the ultimate goal of enabling a unified identity, access, and cloud security eco-system, choose from this Leadership Compass on Identity Fabrics, this blog entitled Creating an Innovative Identity Fabric Structure, these Leadership Briefs on Identity Fabrics - Connecting Anyone to Every Service and Leveraging Identity Fabrics on Your Way Towards Cloud Based IAM, this webinar on Delivering on the Promise of an Identity Fabric in a Modern Enterprise, and this whitepaper on Modern Identity Fabrics: A Cornerstone of your Digital Strategy.