Good afternoon, everyone, and welcome to this latest webinar today, supported by Microsoft. We're gonna be talking about multi-cloud permissions management, a hot topic if ever there was one. We'll be talking about cloud infrastructure and entitlements management, and to do that I'm delighted to be joined by Balaji Parimi, who is the general manager of multi-cloud security at Microsoft. Before we start, just to let you know that you don't have to do anything, you just sit back and relax. You're muted centrally.
We are gonna run a couple of polls during the webinar, and then we'll discuss the results during the Q&A. And if you are watching this and you think that one of your colleagues would benefit from seeing it also, then the recorded version will be available on our website, and also the slide decks of both of us will be available to download.
So, quickly then, I'm gonna just talk briefly about some of the issues around cloud entitlement management, and then Balaji, in his session, will talk a little bit more about what Microsoft is able to do now with its new CIEM solution.
And then we'll have that Q&A session, as I mentioned, and then we'll wrap it up. So the whole thing should take well less than an hour, so let's get started. I'm gonna talk a little bit about culture, but before we do that, here is the first of our polls. So what worries you most about access management in the cloud? And the options are: not knowing who has access; too many standing entitlements, sometimes known as standing privilege; new cloud resources being spun up without permission; DevOps in particular reporting to non-IT lines of management,
so they're using and creating new clouds without IT knowing about it; or too many different CSPs in use. So I'll just give you a few minutes to answer that: not knowing who has access, too many standing entitlements, new cloud resources being spun up without permission, DevOps reporting to non-IT lines of management, or too many different CSPs in use.
So before we get into talking about the actual nuts and bolts of cloud infrastructure entitlement management, I always like to think a little bit more about what the business side of things actually wants from the new cloud infrastructures that they're paying for. And generally speaking, it is sort of these six things here. Business, as we're all told, and as we all know, needs to be much more agile, and the belief is that cloud infrastructure does provide that agility.
It does provide the agility for all departments to create new products, create new services, to get better feedback on what their customers want, et cetera. And so that should enable them to get a rapid rollout of the services and products.
If cloud is for anything, it is for actually helping the business run more effectively, to increase productivity and eventually to improve profitability.
Otherwise there is no point investing all this money into the cloud infrastructure.
So the business knows the positives of digital transformation and the cloud transformation that's going on, and they believe that they should be able to get all these things, including cost reduction and better productivity. And added to that is that they want to get better feedback on what's happening in the business, so they're looking for greater data opportunities from all of this.
They're looking, as I said, for better analytics, for better evaluation of how the business is performing, what isn't working, where the bottlenecks are, et cetera, and this actually feeds into the security element as well, and we're talking about that later. So if we have better cloud management, we can actually better secure these clouds, and the two work for each other. So if we have better security, better management, then the business is much more likely to get the things that they want from the cloud.
And increasingly it's what we're seeing.
I think now, in some organizations, there is a kind of blurring of traditional lines of business. So we are seeing that, perhaps in departments like DevOps or just in the development department, some responsibility for that security has now been given closer to those lines of business. And this is just because of the nature of these departments who are spinning up and using new clouds: they tend to understand better than perhaps a centrally run IT security department what it is they want from those clouds.
And so with better cloud management, we're seeing better tools emerge that allow closer management and closer control of clouds. And it's also giving some responsibility to people that actually work on those clouds rather than being told what to do, essentially. So we're seeing some changes in what's driving the cloud, but also we're seeing that this culture means that we are reshaping, in effect, how we manage our cloud, how we manage security, how we manage identity in the cloud. So there's a lot going on.
So one area I wanna talk about is, as I keep saying, development and coding, and I'm particularly interested in this part of what's happening, because I think that these programmers, coders, developers, whatever you want to call them, are kind of a special breed of people that work within our organizations. They're increasingly looked upon to deliver application services and code, et cetera. They're increasingly looked upon to deliver, you know, the future of the business.
And there's a very good book that you may be interested in reading, simply called Coders, written by a journalist called Clive Thompson. And this quote comes directly from that, and I think it's very, very interesting.
So, he said, programmers are obsessed with efficiency. Nearly everyone found deep, almost soulful pleasure in taking something inefficient and ratcheting it up a notch. Removing friction is an aesthetic joy; their eyes blaze
when they talk about making something run faster or how they eliminated some bothersome human effort from a process. So in a nutshell there, what Clive Thompson is saying is that coders are actually doing the things that the business would like other parts of the business to do, that is, to become more efficient and to see how they can make processes run better.
So taking that a bit further, what else do we know about developers and how they contribute to the improvement of our organizations? Particularly in the commercial world, they are highly focused on meeting targets.
They're polyglot. So they set the standard, really, for being able to work across cloud environments.
They can understand the different parameters, the different needs of different clouds, and they love automation and they love speed. And those two things are also what the business wants. The more that can be automated in business, the better; the more that business processes can be speeded up, the better.
And another key thing that's happened in parallel with the COVID-19 period that we lived through recently is that developers are increasingly remote workers, which means that we have another level, or another responsibility, towards them to make sure that they can work from any location, and that we actually give them access to the clouds that they need to do their job, but at the same time protecting our infrastructure from attack via an endpoint. They're obviously a big fan of open source.
They love to collaborate and they love to have feedback.
And that sometimes sets alarm bells ringing amongst security people or identity management people, because the very word open means, oh, we can't control it. But what we need to get to, and I think Microsoft and others are trying to get to, is a paradigm where we can actually support open platforms such as Slack and GitHub, et cetera, but also make sure that they are secure, so that we don't put a brake on what our coders are best at. And finally, they're problem solvers.
And again, that's something that we probably overlook a bit. At the moment they tend to be solving problems within their own sort of world, but we should be looking more towards developers, how they use the cloud, et cetera, and how they solve the problems, to help us manage the cloud better in other parts of our organization.
So that's what coders need. And just developing that a bit further: if we allow developers, you know, if we unleash developers, if we say that we embrace the cult of efficiency, because it is a cult of efficiency and a culture of delivery,
the one thing that developers always want to do is to make things more efficient, but they're also focused on delivery. But we need to work out maybe who's in charge of that and how we can protect developers. When I say who's in charge of that, I'm not talking in the old way of putting a hierarchical layer of control over developers, but somehow embracing all the good stuff I've been talking about, while making sure that we have new tools that can manage the environments
they mostly work in, which is mostly in the cloud, mostly in things like containers, et cetera, microservices, in transferring code from one place to another.
And we need to make that easy for them, and we need to make sure that we still protect them. And more importantly, perhaps, no, not more importantly, actually it's equally important, that we protect the business. So what can we learn from them? And as I said, we should, and it's a good exercise, see perhaps what they do already.
You might find that some of their practices might cause the hairs on the back of your neck to stand up, for example, but you might also find that they're actually creating efficiency and they're actually creating some ideas that we can adapt.
So let's look at some issues around clouds and identity and developers. But before that, let's do another poll, which is a very simple one, and one that I would like to find out: how many cloud service providers do you use currently? Is it just the one?
Is it AWS, Azure and GCP? More than three, not including AWS, Azure and GCP? Or more than three, including those? Or simply no idea. So just waiting for you to vote, and as I said, we'll look at the results during the Q&A session later. So: just one; AWS, Azure, GCP; more than three, not including those three; or more than three, including AWS, Azure, GCP; or simply no idea. So let's move on to the next part of this. Here I've taken a simplified identity flow in the business, as it's kind of typical right now, with developers.
So we have on the left basically the core business infrastructure, which obviously now will include endpoints, include people working in different locations, as well as the core infrastructure that might be sitting in physical buildings. So I've highlighted developers here amongst the identities that are all trying to access stuff, and of course that would also normally include admins, end users, machines, third parties and endpoints themselves.
But specifically for developers, now we are seeing the emergence of applications or platforms that seem to specifically assist them with the work that they do. Privileged access management and identity and access management do have some tools or some capabilities, particularly some PAM platforms are good enough for DevOps, et cetera, but cloud infrastructure entitlement management seems now to be something that is emerging, and it's developing quickly, and it's giving developers the kind of speed and security
they need to access cloud services, such as platform as a service, SaaS, infrastructure as a service or even private clouds. And then that allows them to access the stuff they need, which includes files, servers, workloads and containers. Those four are probably of most interest to developers, but they may still also need access to privileged accounts, credentials, databases and pieces of code. So that is a simplified look at how I see CIEM fitting in with privileged access management and identity and access management, and how particularly CIEM will help developers.
And I think in the second half of this webcast we'll hear a lot more about how CIEM is being developed, especially by Microsoft. So this slide is perhaps a little controversial.
People have often said, or like to say, within organizations that security is everyone's responsibility. I think that actually is not quite true. I think in reality we need to get to a situation where end users, developers, third parties are able to access what they need and do the job,
and then the security, the access management, identity management should be such that it takes care of their access, their security and the security of the business without them needing to think about it. If you go back to developers, one of the criticisms of developers, which again is a bit unfair, has always been that they don't care about security. I think actually they do care about security, and they care very much about writing clean code, et cetera, but they don't physically want to get involved in security.
So they don't want things that get put in their way. So some of the, you know, more traditional privileged access management platforms, where you have to check in, check out, you have to find credentials, et cetera: they don't wish to be involved in that. So they want it invisible.
They want, they need, a more seamless approach to access management, and I believe that traditional centralized platforms are not suited to the cloud.
And some of our lines of business are actually starting to move outside the CIO, the CISO zone of influence, and don't get me wrong,
when I talk about the CISO and the CIO, I'm not saying that they are redundant, but what I think is that while we're seeing a decentralization of IT management technologically, we're also seeing a decentralization of the management of identity management, if you wanna put it that way, in that the CISO and the CIO will feel confident that they can shift a lot more security left, closer to where it's needed, closer to the access point, allowing developers and others to get on with their job.
So to bring in a little bit of the zero trust theory, then what we need to do, in the most efficient way possible, is verify, entitle and secure. Or you could say secure, verify, entitle. Those three words are key to how we deal with identity and access management and entitlement in the multi-cloud environments we are now seeing mushrooming everywhere. So before I hand over, just a couple of things to think about. Think about everything I've said about empowerment and what's happening with developers.
And start to think about new centers of control, what I call zero distance identity and access management. So the identity and access management piece, or the entitlement management piece, is actually much closer to the action. So it's much closer to those clouds and the things that are happening inside them. And embrace cloud, embrace infrastructure as a service, and start looking and thinking about automation.
There's an awful lot of traditional parts of workflow that can be automated, which would take away the heavy lifting from some of the security processes that we do right now. And start looking at what we call dynamic resource entitlement and access management platforms, and of course, within those, cloud infrastructure entitlement management solutions. Start looking at that, and start thinking about how we can start shifting our whole approach, not just to security in the cloud but to positive entitlement management in the cloud. So that's the end of my piece.
I'll now hand over to Balaji. Hi.
Yeah. Hi Paul. Thank you. Okay.
All right. I shall now disappear and let you carry on
Morning, everybody. So the agenda that we wanna just go through today is: what are the challenges in a multi-cloud environment, why is a new approach needed in order to address those challenges, and how can Microsoft's Permissions Management help. Before we jump in, let's just see what a permission is. It is simply an identity having the ability to perform an action on a resource. So there are basically three dimensions in that: identity, action and resource.
Why is it that there are so many challenges in a multi-cloud environment to manage these permissions today? Because the level of automation within cloud platforms is tremendous. All it takes is a few lines of scripting in order to do pretty much anything, like export the entire data set, or create an entire data center, or destroy an entire data center, and change security posture at a massive scale, and all these kinds of things.
So that level of automation that is enabled within the cloud infrastructure has led to an identity becoming a superpower, cuz the identity has the ability to perform any of those actions. Then that identity has those superpowers, and combine that with the DevOps evolution: there are literally hundreds and thousands of identities that are operating in this environment. This enormous power and the exponential growth in the number of identities that are operating in the environment, while it is great for efficiency, creates a huge risk if not managed properly.
And these identities are not just limited to human beings. There are serverless functions, machines, bots, access keys and all kinds of things that exist, and these make up a vast majority of the identities that are operating in the environment, and all these identities need permissions in order to perform their functions.
But unfortunately, using the old methods of provisioning permissions, all of these identities are given certain permissions, but none of them use more than 5% of the permissions that are granted. And just across VMware, AWS, Azure and GCP, these four cloud platforms, there are 40,000 plus actions that can be performed by these identities, and more than 50% of them can severely disrupt the business. When I say disrupt the business, if used in the wrong sense, be it data exfiltration, or service degradation or disruption, or security posture changes, and all these kinds of things.
And all these challenges are exacerbated in a multi-cloud environment because of a lack of consistency and visibility. Like, if some administrator wants to look at all the identities that are operating in my cloud accounts or subscriptions or projects, and what they are entitled to do, and what they are actually doing on a day-to-day basis, there's no single place that you can go and get that kind of visibility. And the permission models across all these clouds are vastly different. That makes it even more complicated, to the point where even the taxonomy is different.
So if you say "role", the meaning of role in AWS is completely different from the meaning of the same thing in Azure. So that adds a lot of complexity for both the IAM teams and the security teams to manage these permissions across these different cloud platforms.
And there is, as I mentioned in the previous slide, a huge gap in what is provisioned versus what is being used, to the point where only, I mean, less than 5% of the permissions are used, meaning the more than 95% of the permissions that are unused are not necessary for the identity's day-to-day operations, and having those permissions outstanding creates a huge risk if those permissions are misused. So first of all, how did we get into this kind of predicament? Today's approach is based on a 30-year-old technology that was created in the early days of LDAP. That was, okay,
let's just use a static approach where we assign a role to an identity based on job responsibilities and all that kind of stuff, and that role maps to thousands and thousands of actions in the cloud infrastructure.
I mean, this approach worked in the past really well, because let's say you take the example of an administrator before cloud infrastructure came in. So you had an administrator for endpoints, you had an administrator for your storage, you had an administrator for your network and data. So all these things were completely distributed systems.
And if you are an admin in one, it doesn't mean that you have control over everything else. And the automation wasn't at the level that it is today.
So if somebody is an admin on an endpoint, that identity's reach is confined to that. But you extend the same concept to an admin in a cloud account or a subscription or a project, whether it is AWS, Azure or GCP: that admin has complete control over compute, storage, network, data and everything. You see the same approach being taken in one system or the other, where the power of an admin has become enormous.
So that one admin has the power to bring an enterprise to its knees.
So this static approach of, oh, I'm gonna use a static role based on the job responsibilities, and all these provisionings are happening manually. And even with governance and administration, all the access reviews happen manually, and somebody has to go in and manually clean up all these kinds of things, and doing this at cloud scale is almost impossible, because even in one cloud account you are looking at hundreds and thousands of these identities when you combine non-human identities as well.
And this is where we need a new approach. Instead of using a static, assumptions-based approach, we need to go to a dynamic, data-driven approach. You look at the historical activity, you figure out what an identity needs for its day-to-day operations and grant those permissions based on that. Since it is based on the actual usage of what that identity needs, any obstructions to productivity are gonna be minimal, to the point where all the permissions that are needed for the identity for its day-to-day operations are actually provisioned.
If there is anything that is needed for a one-off job or a break-glass type of scenario, allow the identity to get those permissions on demand, whether it is on a temporary basis or a permanent basis or anything. Like, if the identity is starting off with the least privileges that it needs in order to perform its job, and when there are additional requirements it can get those permissions on demand, it's the best of both worlds. And as part of this historical usage and activity, track that activity on a continuous basis. It's not like a one-time snapshot.
And then, as identities come and go, as resources come and go, continuously track all the activity and attribute information within the cloud infrastructure, so that you can provide the right set of permissions for all identities that are operating in the environment and you can prevent further permission creep.
And this is where Permissions Management, this is the approach that Permissions Management will help you to adopt. So we invented this activity-based authorization technology. With this technology,
we're looking at all the attribute information from your identity providers and also from your cloud security, I mean cloud service providers. With all that activity, we create profiles across the three dimensions of a permission, which is identity, action and resource. So that gives you the ability to get the comprehensive view of every action performed by every identity on any resource within your cloud infrastructure, whether it is AWS, Azure or GCP.
The operating model is exactly the same, because, like I said at the beginning, when you up-level what a permission is, to the extent where a permission is simply an identity having the ability to perform an action on a resource, it doesn't matter whether the underlying cloud that you're using is AWS, Azure, GCP, VMware, or something else like Oracle Cloud. It doesn't matter.
You're always operating in that sense: which identity, what actions, on what resources. And our platform gives you the ability to get that kind of visibility for every identity that is operating in the environment, irrespective of the identity type and where the identity is coming from. And once you see that visibility, you see that huge gap in terms of what are the permissions provisioned versus what are the permissions that are being used. We also created a metric to measure that; I'll get into the details as we go into the next slide.
Once you see that huge gap, obviously you wanna eliminate that gap, you wanna minimize that gap. That's where the remediation will come in, and you have the ability to rightsize those permissions. Since you are rightsizing these permissions based on actual usage, because the profile is created based on the actual activity, you can minimize, you can eliminate, that gap. And for any one-off scenarios there is permissions on demand, with a self-service workflow built in that gives the ability for identities to just request anything that is needed at the right time.
And the system is continuously looking at all the activity and attribute information, and we keep on creating these usage profiles, updating these profiles, so you can see any anomalous behavior, or any inactive permissions, or identities that have excessive permissions, and you can get all kinds of these forensic reports and all these kinds of things.
So as part of the discovery, if you have, let's say, thousands of AWS accounts or Azure subscriptions or GCP projects,
the system will look at every identity. It creates that usage profile, and for every identity it sees what are the permissions that are granted versus what are the permissions that are being used, and you can see that gap in terms of provisioned versus used. And we created this metric called permission creep index to measure that gap, meaning the higher the unused permissions that exist for an identity, the higher the permission creep index is. It's a number ranging from zero to a hundred, a hundred being the worst. The more unused high-risk permissions exist, the higher the permission creep index.
And this is computed for every identity, whether it is human or machine or access key or bot or a script. It doesn't matter: if an identity can establish a session and do something within your cloud infrastructure,
the index is computed for that identity. And we also create an aggregated number, so that when you are looking at thousands of accounts, subscriptions and projects, the heat map gives you an idea about, okay, which accounts, which subscriptions, which projects have the highest number of identities with a high permission creep index. So that gives you a way to prioritize. Okay,
these are the accounts that I wanna just focus on to start off with, because these accounts have a higher number of identities with excess permissions. So this gives you the visibility into which accounts to start from and where to go. And then when you dig into each and every one of those accounts or subscriptions or projects,
again, for every identity, you can see the detailed analytics in terms of, okay, what is the permission creep index, how did that identity get that permission creep index within each cloud infrastructure.
We group it based on the services within that. For example, in AWS there are close to 250 services; in Azure there are again hundreds of services; in GCP also. So you can see: here are all the services within my cloud environment, here are all the permissions that this identity is entitled to do,
here are the things that this identity has actually done in the past 90 days. And this profile is updated on an hourly basis, on a sliding window method, so that at any point in time when you log into the system, you can see, for any identity across your cloud infrastructure, whether it is AWS, Azure or GCP, what are the permissions that are granted, what are the permissions that are being used, and then the permission creep index is based on the actual usage. So you get that complete picture.
As I said, the identity type can be anything.
When I say type, it is human or non-human, where non-human means machines, serverless functions, access keys, bots, scripts. It doesn't matter. And the identity origin can be anything. The origin could be the local IAM provided by the cloud provider, or it can be from the enterprise directory, or it could be coming from an identity federation system using SAML or some other means to log into the cloud infrastructure. So this visibility gives you that complete picture, and the next step is remediation. Okay.
So now, since the profile is created based on the actual usage, you can rightsize the permissions of any of these identities based on the actual usage. When you're doing rightsizing, all you're doing is you are creating the necessary policies and roles by looking at, okay,
based on the activity of these three users, I wanna see what are the permissions, what is the policy in AWS that I need to create for these three identities.
Since that information is already in there as far as visibility, bring it in, and you can see, okay, here are all the permissions that are being used by all these three identities, and click, click, click,
we can create that policy in your AWS account and assign that policy to the identities, so that you rightsize these permissions. Since the rightsizing is done based on the historical activity, you're not hampering any productivity, because whatever that identity has been using in the past days, you've given exactly those permissions. And this works really well especially for non-human identities, because most of the time, almost a hundred percent of the time, non-human identities' usage patterns are fixed.
So if you observe the usage patterns for a couple of weeks or a month, you know exactly what it does. Unless the script or application that is running within that environment changes, nothing changes. But for any changes there is an on-demand component, with a self-service workflow built in, or you can use any ITSM tools as well,
or you can use your own workflow systems, where an identity can request, okay, I want to do these actions on these resources. But every one of these requests is required to have a time to live, a timer associated with it. So that gives the ability for identities to request permissions on their own behalf, and also on behalf of other identities. I mean, you can configure all these kinds of things, and you can get these permissions ASAP, on demand, or you can schedule them to be on a daily basis or weekly basis or monthly or whatever the time period.
So the goal of this is: I don't have permissions to do certain things and I need to get those permissions right now, or I want those permissions every week on Friday from 9 AM to 11 AM, type of thing.
Once these permission requests are approved, the permissions are given automatically. I mean, the permission provisioning happens automatically behind the scenes, by the system. And since every one of these requests has a timer associated with it, the revocation of those permissions is completely automatic as the timer expires.
I mean, there are options to extend the timer and all these kinds of things, but at least you are taking away a lot of the manual things that exist within the system with this kind of automation. And the environment, especially the IaaS environments, are completely dynamic, so there are a ton of identities and resources that come and go all the time. So that's where this continuous monitoring of the activity and attributes, and updating these permission usage profiles and all these things, will keep an eye on what is going on.
And the system will give you the ability to generate detailed reports and perform cyber kill chain analysis and all these kinds of things, in order to do any investigations or remediations. Now, at the same time, since the system is continuously looking at the activity, you can create all kinds of alerts in order to strengthen your security posture. Based on, let's say, if you want to look at, okay, I have this sensitive data source,
and if there's anybody that downloads data from that sensitive data source, I wanna know about it, you can create those activity-based alerts. Or we can look at any anomaly or outlier-based alerts, or rule-based alerts. You can create all these kinds of things here. So the system is continuously being monitored. And you can try Permissions Management today; it is GA, and it's a 90-day free trial. And with this, I am ready for any questions.
LA, thank you so much for the explanation and overview of Entra. We've spoken before,
and it is a pretty exciting move into this market. Before we delve into the questions, let's just have a quick look at the results of the first poll, which was: what worries you most about access management in the cloud? So the results there are very evenly spread: 33% not knowing who has access, 33% too many standing entitlements, and 33% new cloud resources being spun up without permission. And no one is worried about DevOps, which is fantastic.
And no one is worried about too many ISPs being in use, which is actually quite interesting, because I think that's the whole key, or the point, of CIEM: that we shouldn't have to worry about how many cloud services we have. Would you agree, Ji?
Yeah. So that's the whole point.
Yeah. Okay. And the second poll was: how many different cloud providers do you use?
And again, the results are probably what you'd expect. So 13% use just one, 38% are using the big three, 13% are using more than that. And interestingly, 33% are using clouds which are not from Microsoft, Google or Amazon, and 4% have no idea, which I think is a very honest answer, which again is possibly not untypical given the way that cloud is spreading and the way that people are spinning up resources, et cetera. So those are the results of those two polls. But we do have some questions for you. The first one is: how will adopting a CIEM solution help organizations with zero trust?
And I appreciate that is potentially a very long answer, but if you could just give us an outline.
Yeah. One of the core pillars of zero trust security is implementing least privilege. And if you look at implementing the principle of least privilege, especially at the cloud infrastructure layer level,
the level of granularity that is needed in terms of visibility and remediation is quite complex, because, like I said, and as you mentioned in your slides, the permissions and models and everything within the cloud infrastructure sit closer to the cloud infrastructure, but the identities are coming from a central location, especially at the enterprise level, either through Active Directory or through a federation system.
So combining these two and implementing the principle of least privilege, you're looking at two major systems that have traditionally been in two different departments within the IT industry, and bringing them into one place where both of them will have the visibility and implement at that level of granularity. So that's why CIEM, especially permissions management, especially for multi-cloud, is critical in implementing that principle of least privilege, which is one of the foundational pillars for zero trust security.
Okay. Thanks.
I touched on this a bit in my presentation, but you could maybe enlarge on it. How is CIEM different from privileged access management and identity and access management?
Yeah, I mean, so if you look at, let's say you have a big compound, within that compound you have several buildings, and within each building there are certain things that can be done. So when you look at privileged access management, you are letting somebody into the compound, let's say through MFA or some authentication mechanism. So once they're in, if they want to be a privileged identity, they need to go to some building X where all the money, diamonds and everything is there.
So they need to go through a password vault, or they need to have higher levels, I mean, a secondary level of authentication or access, to prove that they are indeed allowed to go to that building. So from a privileged access management perspective or an access management perspective, today's systems are all in place. Okay, once you are in the compound, you need to do other additional steps in order to go to that building. But once you are in that building, what you can do is completely on the CIEM, the permissions management, side of things.
So that's from an analogy perspective. I think that analogy kind of explains it better in terms of what is the difference between access management and permissions management.
Yeah. Maybe a quick question: does this
It's different. This does not require E5. This product is sold as a separate license on its own.
Okay, a nice, easy, precise answer. This question seems to be not fully formed, but anyway. This is from Martin Reader. He said: a basic improvement is providing transparency of access for identities in the IAM stroke RTA solution, and it is needed to request, to approve and to audit access. So how is it possible to integrate CIEM, IGA and IAM? Do you understand that question?
Yeah. Yes.
I mean, if you look at the existing IGA, predominantly the IGA use cases are access reviews and recertifications, I mean, lifecycle management, joiner/mover, separation of duties, and the traditional IGAs have always done a great job in terms of addressing these use cases with your SaaS applications and your on-prem systems and all these kinds of things. Now, by integrating into IGA the level of detail that we're providing into the cloud infrastructure as well, you can perform the same level of governance and administration functions.
Now you're extending it to your cloud infrastructure as well. Let's say you are doing access reviews every quarter. So imagine that the system integrated with CIEM will automatically populate: here are all the access reviews that need to be done. But in the cloud infrastructure, these access reviews are not limited to the entities within your enterprise directory.
There'll be a lot more, literally orders of magnitude higher. So you'll get that visibility. And at the same time, some identity joins the organization,
and if you want to provision that identity some admin role in AWS and a contributor role in Azure and some other role in GCP, the CIEM integration is the one that makes these kinds of things happen. Just like the connectors that these IGA providers have built for all these SaaS applications, the CIEM will act as an uber connector for all these kinds of clouds, so that the IGA does not need to integrate with all these kinds of things.
Fantastic. This is an interesting one from Ash Alexander.
He says: what is the model behind permission management? Is it peer-to-peer data modeling?
When you say peer-to-peer data modeling, I'm assuming that you're talking about, okay, you get all the data from different companies and enterprises, and then you combine it into one uber model.
No, that's not the case, because every identity's functional requirements, even within an enterprise, are completely different depending on the type of work. So when the activity is collected, the activity is isolated.
Let's say if an enterprise has a thousand cloud accounts across AWS, Azure and GCP, these thousand accounts may have a hundred entities that are common across all those thousand, but the activity in each and every one of these accounts is created as a separate profile, just for that specific account, so that you can truly implement that principle of least privilege specific to that account, because in account A identity X can do something, but in account B the same identity may be doing something else.
So it's completely tailored to each and every one of these enterprise accounts in the clouds.
Okay. Thanks. I hope, Ash, that answered your question. Obviously you can send more questions to Microsoft directly to find out more. So finally then, a very important question. How is this priced? Is it priced per user?
It's priced per resource, because in the cloud infrastructure it's all about the resources, and so we're protecting all those from the permission perspective. So it's priced per resource.
When I say resource, anything that uses CPU or memory, you can treat that as a resource, like a VM or a function or a database service or something like that.
Okay.
Well, as I think you said in your deck, you can find everything about Entra on the Microsoft website to get those details. Well, we don't have any more questions coming in, but I thank you for some great questions there from our audience. I think I've got nothing left to do.
I haven't pushed these forward, so I'll do that now: some related research there for you. But actually, thank you so much for being with us this afternoon. There is obviously a lot of interest in this area. There's a lot of interest in Microsoft's move into CIEM, so I'm sure we'll be revisiting this very shortly. So thank you for joining us, Bella, and thank you for your deck. I should also thank all of you for listening in today. And as I said, don't forget that the deck will be available to download so that you can pass it on to any of your colleagues.
And the whole thing is recorded as well. So with that, I'll say goodbye.
Thank you, Bob. Goodbye.