There is no denying that modern IT environments are complex and are becoming even more so every day. Most organizations have a mix of on-prem and cloud-based applications in multiple clouds, as well as Edge computing systems.

The challenge of managing infrastructure to keep pace with proliferation of entitlements across these complex and dynamic infrastructure is exacerbated by the increasing use of agile development and DevOps tools.

Traditional access management platforms such as IGA, IAM and PAM are not able to meet the demands of modern enterprises because of the dynamic, agile, and volatile nature of needs to be managed in an environment where workloads are constantly changing.

There is an urgent need for a new model for managing access and entitlements in today’s complex and volatile hybrid IT environments, that can operate at the speed of the cloud and grant access dynamically, based on tasks, toolchains, and workloads.

To help organizations meet this challenge now and in the future, KuppingerCole has defined a model for this new paradigm of Dynamic Resource Entitlement and Access Management (DREAM). The DREAM model envisages common service development, delivery, and operations; infrastructure management and operations; and security and identity across on-prem, Edge, and private and public cloud, including managed service providers.

Platforms that conform to this model include things like Cloud Infrastructure Entitlement Management (CIEM) platforms that offer rapid access to cloud infrastructure itself and in some more advanced examples, offer granular control of cloud-based resources. Also included within DREAM are the newer PAM for DevOps tools that extend the traditional functionality of PAM for toolchain-focused access for DevOps teams.

Successful implementation of the DREAM model will enable enterprises to run policy-based security automation for all IT and governance and security operations for the entire IT stack. But ultimately, organizations need to move towards an “identity first” approach, which is encapsulated in the concept of an “identify fabric” or an interconnected layer of identity functionalities and capabilities, which includes the set of services provided by DREAM.

The identity fabric concept is key to moving to a strategic future-proof vision by maintaining a blueprint for a unified identity, access, and cloud security eco-system, and by defining a general strategy for multi-cloud, multi-hybrid IT.

Given the importance of managing access and entitlement in a consistent way across an increasingly complex modern IT environment, organizations need to understand the true nature of the risks and challenges, and familiarize themselves with the products and services that support the DREAM model, which will help address those risks and challenges.

Dynamic cloud environments require dynamic access. Dynamic cloud architecture is coming to dominate enterprise networks and operations, as business leaders and IT vendors understand a paradigm shift is necessary for organizations to compete as fully digital enterprises.

— Paul Fisher, Lead Analyst, KuppingerCole.

Because we understand the importance of ­­­­­­­­managing access consistently in a multi-cloud, multi-hybrid IT environment, and because we are committed to helping your business succeed, KuppingerCole has a great deal of content available in a variety of formats.


CIEM and DREAM are relevant to every modern enterprise seeking to improve security through effective management of entitlements across today’s hybrid, multi-cloud IT environments. A good place to start in understanding these concepts, their business benefits, the technologies that support them, and how to find which are best suited to your organization’s needs, have a look at this newly published Leadership Compass on CIEM and Dynamic Resource Entitlement & Access Management (DREAM) platforms.

The concept of “Identity Fabrics” is key to achieving the goal of enabling a unified identity, access, and cloud security ecosystem. To learn more about this concept, have a look at this Leadership Compass on Identity Fabrics.

To find out more about other key identity and access control technologies and how to identify the right ones for your organization, choose from the following list of Leadership Compass reports:


CIEM and DREAM have a role to play within IAM, and to find out exactly how they fit into this context by reading this Advisory Note on the KuppingerCole IAM Reference Architecture.

Get a broader perspective on why traditional approaches to Access Governance are no longer fit for purpose, and why instead, organizations should be considering a risk-based and policy-based approach to reduce the cost, effort and complexity of overseeing and enforcing access entitlements, by reading this Advisory Note on Redefining Access Governance.


For a short introduction to and overview of the topic of CIEM, listen to this Analyst Chat that addresses the question: Do we really need Cloud Infrastructure Entitlement Management (CIEM), and for a high-level perspective, have a look at this presentation on Cloud Security 2025 – Perspective & Roadmap.

Discover how the CIEM market is evolving and how it complements CSPM (Cloud Security Posture Management) and CWP (Cloud Workload Protection) tools to offer a comprehensive approach to cloud security by watching this presentation from this year’s EIC on Demystifying CIEM for an Effective Multi-Cloud Security Enablement.

Broaden your understanding of CIEM in the context of Zero Trust by having a look at this panel discussion entitled: Managing Your Cloud Scale Risk with an Identity Defined Security Approach.

Get a security leadership perspective by watching this panel discussion from EIC 2021 between representatives of the business world, identity vendors, and KuppingerCole on What CISOs need to know about CIEM.

For a detailed explanation of why the management of infrastructure needs to change, the actual role that CIEM can play, and the need to look beyond CIEM to a more strategic approach to security and identity for multi-cloud and multi-hybrid IT, have a look at this presentation entitled: Cloud Infrastructure Entitlement Management (CIEM): Advancing from Cloud First to Identity First.

And then, for a detailed explanation of some of the new paradigms and models referenced in that presentation, have a look at the presentation entitled: Multi-Cloud Multi-Hybrid IT: How to Make your Digital Business Fly, which presents KuppingerCole’s paradigms of BASIS, SODAS, and DREAM for the future of core IT.

For a overview of the topic of DREAM and how it fits into the context of managing entitlements across today’s complex IT environments, listen to this Analyst Chat entitled: DREAM - Policies and Automation for All of Today's IT, and this Analyst Chat that addresses the question: Can DREAM Help Me Manage My Multi-Hybrid Infrastructure?

For a more in-depth discussion of the DREAM paradigm, have a look at this presentation entitled: Mastering Complexity in Your Multi-Cloud & Multi-Hybrid IT.


Get a concise view of the DREAM paradigm by having a look at this Blog Post on Managing Access and Entitlements in Multi-Cloud Multi-Hybrid IT.

For a brief analysis of the need for organizations to manage complex multi-cloud IT environments in a consistent way, and the role of CIEM, have a look at this Blog Post entitled: Digital Transformation - Multi-Cloud and Multi-Complex.  

Have a look at this blogpost on Making DevSecOps a Reality and Going Beyond – Introducing SODAS (Secure Operations & Development of Agile Services), which integrates with the DREAM paradigm, and this blogpost on IT for the Digital Age: Introducing BASIS – Business-Driven Agile Secure IT as a Service, which also integrates with the DREAM paradigm.


Find out where CIEM and DREAM fit into the evolving IAM picture by watching this Webinar on Identity & Access Management Predictions 2022.

Get an overview about what Zero Trust Architectures must include, why policy-based access management is essential, and what this means for dynamic, policy-based authorizations, with refence to KuppingerCole’s DREAM model in this Webinar entitled: Zero Trust: Now Is the Time and PBAC Is Key.

Discover how enterprises should plant for a secure hybrid, multi-cloud environment in this Webinar on Security in the Age of the Hybrid Multi Cloud Environment.

Tech Investment

Organizations investing in technologies to manage permissions across hybrid infrastructure can have a look at some of the related technology solutions that we have evaluated: