Martin Kuppinger, Principal Analyst at KuppingerCole, will give a presentation entitled Cloud Security 2025 – Perspective & Roadmap on Thursday, November 11 from 11:00 am to 11:20 am at Cybersecurity Leadership Summit 2021.
To give you a sneak preview of what to expect, we asked Martin some questions about his presentation.
Are today's identity and access solutions such as IGA and PAM able to serve the needs of today's complex multi-cloud, multi-hybrid IT environments?
I think that's a good question. When we look at this and we look at a little bit of where do IGA and PAM solutions stem from, then these solutions were created to work with environments where you have a traditional server setup, where you focus on your workforce identities, but they were not built for agile IT environments, they were not built for environments that you have in a cloud environment or on your private cloud, on your Kubernetes environment, we have workloads going up and down where you have way more types of identities, where you have service identities and things and devices and other things. So, both IGA and PAM, as we know them, are focused on a very traditional problem. So how to give access to your workforce, to applications. To extend it a little to partners and other things, there's consumer identity management. But in fact, no, they weren't built for multi-cloud and multi-hybrid, which means there are use cases, there are challenges, there are requirements that can't be served well with these types of solutions.
So, you are saying that there's a need for additional solutions if we look at today’s agile IT workload. Would Cloud Infrastructure and Entitlements Management (CIEM) be a solution for that?
So, CIEM is an interesting thing and it popped up and emerged because there's a challenge, which is: How do you manage the access of resources to services and of resources to other resources in your dynamic environments, which you find in public cloud environments, which you find in your private cloud, which you find in other modern work environments. And so CIEM is something which solves a problem, which is, when you go to the core of CIEM, it's cloud and it's infrastructure. At the end, what we need is to look at how can we work with all the environments we have in a multi-cloud - which CIEM does - and the multi-hybrid. If you count private clouds, if you count your own, so to speak, de facto private cloud or your own data center as a hybrid part, then CIEM doesn't fully serve that.
It is part of the problem, it's super important to address that, but I believe we should do it better for everything, not just for cloud, or multi-cloud, but for the entire types of modern workloads. And also looking at how can we, from a management perspective, from a policy perspective, from a governance perspective, do that for every type of workload in a consistent manner, because having one solution for the cloud, the public cloud, one solution for your private cloud and for your UVM environments and for the traditional workloads and having other solutions, or workforces or resources and services, makes it, over time, rather complex. So, yes, it is a solution, we need to figure out solutions in that space, CIEM is a step in the right direction. But I don't believe that it's the final step in that evolution.
You say that CIEM will not be the last step to a full strategic approach. Could you maybe recommend to CISOs how they could approach this topic strategically?
Yeah, and I think there are two levels, there's tactical and there's strategic. For the strategic part, at our recent European Identity and Cloud Conference, we unveiled three concepts, three models we call BASIS, SODAS and DREAM. And DREAM is that perspective, the tension of CIEM towards dynamically managing all types of resources: Dynamic Resource and Entitlement and Access Management, and it covers all types of resources. So this, I think, gives a good target state from a strategic perspective for a unified management, for a unified delivery of applications in Europe. Today's IT to serve the needs of the digital business. Tactically, I think it's worth looking at CIEM and how these tools are evolving. Some of them are really making some interesting progress and we see other vendors coming in more from a policy management perspective.
So OPA, the Open Policy Agent, for instance, is a very interesting theme here, which all of them help you to get a better grip with the dynamic workloads by managing them through policies. Strategically seen, in any case, you need to put policies at the forefront. You can't manage dynamic workloads with static concepts such as roles or so, but you need dynamic concepts. That means you control via policies. This is in some way the common denominator of everything you're doing in the future. And this is, I think, a very central aspect in everything you do strategically. Tactically, look at the solutions out there today because you must address the challenge of managing entitlements in your cloud environments and beyond.