1 Introduction/Executive Summary
The complexity of cloud architectures and design (Kubernetes alone has enough mind-stretching concepts, permission models and building-block terms to sustain a cottage industry of self-help books) means that managing these environments, particularly development environments, is not just a matter of Privileged Access Management or CIEM. It is another level of cloud security in itself, one that the platforms covered here can assist with to differing degrees.
According to one vendor, cloud access is managed by developers who have little time for IAM and security, so a fork in the road is emerging: one path is to persevere with the top-down (PAM) method of controlling access centrally; the other is to open up identity and security to individual departments within organizations, i.e., developers, operations, HR, etc.
Dynamic cloud environments require dynamic access. Dynamic cloud architecture is coming to dominate enterprise networks and operations, as business leaders and IT vendors recognize that a paradigm shift is necessary for organizations to compete as fully digital enterprises.
This new architecture incorporates multiple instances of cloud services, including IaaS, PaaS and SaaS, as well as hybrid combinations of cloud and on-premises installations, and within it all, clusters of teams using and running these clouds.
This new IT architecture has become essential to organizations seeking the speed and dynamism needed to run the applications and tools demanded by fast-changing markets and challenging operating conditions. DevOps and other agile teams have come to rely on dynamic clouds to complete workloads on a Just In Time (JIT) basis, in response to demands from internal customers (lines of business, LoBs). All the while, networks are far more open to employees, third-party users, suppliers, and customers; what was once considered "privileged" is becoming the norm as collaboration and data sharing become ubiquitous. The emergence of non-human identities (service accounts, CI/CD pipelines, workloads) gaining access to cloud-based resources is also an important part of the new environment.
The speed at which these environments operate has put severe pressure on traditional access management platforms such as role-based IGA, IAM and PAM. Workloads have long run on servers and in private clouds, but these tended to be static and not time critical. What has changed is partly the breadth of access, but primarily the dynamic, agile, volatile nature of what needs to be managed. It is no longer about setting up a server on a physical machine that runs for years, but about constantly changing workloads.
Hence the need for our new Dynamic Resource Entitlement & Access Management (DREAM) classification for access management and entitlement platforms that can address the challenges of the computing environments described above. Fundamentally, DREAM-based platforms must operate at the speed of the cloud and grant access based on tasks, toolchains, and workloads rather than roles, instead of only permissioning access to static resources such as servers or vaults.
These platforms include those categorized as CIEM (Cloud Infrastructure Entitlement Management) platforms, which offer rapid access to cloud infrastructure itself and, in some more advanced examples, granular control of cloud-based resources. Also included within DREAM are the newer PAM for DevOps tools that extend traditional PAM functionality to toolchain-focused access for DevOps teams. It is an emerging market but one that is attracting significant attention, not least from some of the biggest names: Microsoft acquired CIEM vendor CloudKnox in 2021 and has since relaunched the technology as Microsoft Entra Permissions Management as part of a wider push into cloud security management. Unfortunately, the package arrived too late for this Leadership Compass, but there are more details in the Vendors to Watch section.
All included platforms must address the protection of the clouds themselves, the assets held in the cloud, and those on-premises assets that must connect to the cloud. We are addressing such common components as VMware, Linux/Windows servers, web servers, SaaS, IaaS, databases, containers, code, confidential data, secrets, credentials and privileged accounts. Finally, certain IGA products will contribute to a DREAM-based architecture for compliance purposes.
- The IT environment has become complex, and this will only increase as technologies such as Edge Computing take hold.
- New technologies, business practices, and cultures are arising that will further strain traditional Identity and Access Management (IAM) solutions in hybrid, multi-cloud environments.
- KuppingerCole has identified the Dynamic Resource Entitlement and Access Management (DREAM) classification to cover the increasing number of platforms that address cloud entitlement challenges.
- This Leadership Compass analyses platforms from established CIEM and PAM vendors that offer components to manage privileged access in the cloud.
- DevOps and developer environments are a key focus for DREAM, but increasingly other lines of business are creating and using cloud services.
- Reporting and discovery are key capabilities for CIEM and DREAM.
- While most CIEM and DREAM platforms support AWS, Azure and GCP as standard, the market is looking for wider cloud support, including Oracle, OVH, IBM, etc.
- Some vendors have designed fully cloud-native packages that also support open source and API customization by customers.
- The CIEM and DREAM sector is affecting classical PAM; its vaults and standing-privilege architectures are increasingly too slow for dynamic cloud workloads.
- Overlapping technologies may now have different buyers: DevOps security and access management is often bought by engineering departments, while infrastructure designers look to PAM.
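To make two of the points above concrete (the DREAM principle of granting access per task and workload with an expiry rather than as a standing privilege, and the discovery and reporting capability that CIEM tools provide over the resulting entitlements), here is an added illustration. It is constructed example code, not from this report or any vendor's product; the identities, action names and resource strings are made up (AWS-style syntax is assumed only for familiarity), and the broker is a toy model of the behaviour, not an implementation of any platform.

```python
"""Added illustration (not from the report or any vendor product): a tiny
entitlement broker that issues task-scoped, time-bounded (JIT) grants next
to classic standing privileges, plus a CIEM-style discovery report that
flags standing, expired and never-used entitlements.  All identities,
actions and resources below are constructed sample data."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatchcase
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Grant:
    principal: str                  # human or non-human identity (e.g. a CI job)
    actions: FrozenSet[str]         # action patterns, e.g. {"s3:PutObject"} or {"s3:*"}
    resource: str                   # resource pattern; "*" matches everything
    expires_at: Optional[datetime]  # None means a standing (never-expiring) privilege
    task: Optional[str] = None      # the workload or ticket the grant was issued for


class EntitlementBroker:
    def __init__(self, now: Callable[[], datetime]):
        self._now = now             # injectable clock so expiry can be exercised
        self.grants: List[Grant] = []
        self.usage: List[Tuple[str, str, str]] = []   # (principal, action, resource)

    def grant_standing(self, principal: str, actions, resource: str) -> Grant:
        """Classic PAM-style standing privilege: no expiry, no task binding."""
        g = Grant(principal, frozenset(actions), resource, None)
        self.grants.append(g)
        return g

    def grant_for_task(self, principal: str, actions, resource: str, task: str,
                       ttl: timedelta = timedelta(minutes=30)) -> Grant:
        """DREAM-style grant: scoped to one task and expiring after ttl."""
        g = Grant(principal, frozenset(actions), resource, self._now() + ttl, task)
        self.grants.append(g)
        return g

    def is_allowed(self, principal: str, action: str, resource: str) -> bool:
        """Authorization check; every allow is recorded for later discovery."""
        now = self._now()
        for g in self.grants:
            if g.principal != principal:
                continue
            if g.expires_at is not None and g.expires_at <= now:
                continue                                # expired JIT grant
            if (any(fnmatchcase(action, a) for a in g.actions)
                    and fnmatchcase(resource, g.resource)):
                self.usage.append((principal, action, resource))
                return True
        return False

    def report(self) -> Dict[str, Dict[str, list]]:
        """Discovery/reporting: per principal, which grants are standing, which
        JIT grants have expired but are still on the books, and which granted
        action patterns were never exercised (least-privilege leads)."""
        now = self._now()
        used: Dict[str, set] = {}
        for principal, action, _ in self.usage:
            used.setdefault(principal, set()).add(action)
        out: Dict[str, Dict[str, list]] = {}
        for g in self.grants:
            entry = out.setdefault(g.principal,
                                   {"standing": [], "expired": [], "never_used": []})
            if g.expires_at is None:
                entry["standing"].append(sorted(g.actions))
            elif g.expires_at <= now:
                entry["expired"].append(g.task)
            entry["never_used"].extend(
                a for a in sorted(g.actions)
                if not any(fnmatchcase(u, a) for u in used.get(g.principal, ())))
        return out


def demo():
    """Walk-through: a standing admin identity next to a JIT CI-job grant."""
    clock = {"t": datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)}   # constructed
    broker = EntitlementBroker(lambda: clock["t"])
    broker.grant_standing("svc-legacy-admin", {"s3:*", "iam:PassRole"}, "*")
    broker.grant_for_task("ci-job-4711", {"s3:PutObject"},
                          "arn:aws:s3:::release-artifacts/*",
                          task="build-4711", ttl=timedelta(minutes=15))
    artifact = "arn:aws:s3:::release-artifacts/app.tar.gz"
    in_scope = broker.is_allowed("ci-job-4711", "s3:PutObject", artifact)         # True
    out_of_scope = broker.is_allowed("ci-job-4711", "s3:DeleteObject", artifact)  # False
    clock["t"] += timedelta(minutes=16)                                           # grant lapses
    after_expiry = broker.is_allowed("ci-job-4711", "s3:PutObject", artifact)     # False
    standing = broker.is_allowed("svc-legacy-admin", "s3:GetObject",
                                 "arn:aws:s3:::any")                              # True
    return in_scope, out_of_scope, after_expiry, standing, broker.report()


if __name__ == "__main__":
    *decisions, findings = demo()
    print(decisions)
    for principal, entry in findings.items():
        print(principal, entry)
```

The report is where the CIEM value sits: the standing admin identity shows up with a wildcard `s3:*` grant and an `iam:PassRole` permission that was never used, which is exactly the kind of finding a discovery tool turns into a right-sizing recommendation, while the CI job's expired task grant is listed for clean-up rather than lingering as a dormant credential.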