1 Introduction
A dynamic multi-cloud, multi-hybrid IT architecture is coming to dominate enterprise networks, as business leaders and IT vendors understand that a paradigm shift is necessary for organizations to become fully digital and deliver improved business value.
The speed and dynamic nature of this architecture is essential for organizations to create the applications and tools needed for fast-changing markets and operating conditions. Developers and other agile teams within organizations have come to rely on dynamic clouds to complete workloads on a Just-In-Time (JIT) basis, in response to demands from internal customers. All the while, networks are much more open to employees, third-party users, suppliers, and customers; what was once considered "privileged" is becoming the norm as collaboration and data sharing become ubiquitous.
A greater number of workload identities such as applications, containers and scripts are gaining access to cloud-based resources and becoming increasingly important components of the new environment as process automation takes hold. The downside is the difficulty of keeping track of permissions in expanding cloud architectures: industry figures suggest that 90% of identities use less than 5% of the permissions granted to them, and too many undocumented permissions and activities sit outside traditional IAM tools.
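Measuring the gap those figures describe is the core check a CIEM or DREAM platform performs: for each identity, compare the permissions granted with the permissions actually exercised, and flag both the unused surplus and any activity that the IAM inventory does not account for. The following is an added example and is not code from the report or from any vendor product; the identities, permission names and audit-log lines are constructed sample data, and the 5% usage threshold is the figure quoted above.

```python
"""Permission-usage gap analysis: granted versus exercised permissions per identity.

Added illustration, not code from the report or from any vendor product. The
identities, permission names and log lines are constructed; real tooling would
read an IAM policy export and cloud audit logs instead of these literals.
"""
from collections import defaultdict

# Constructed: effective permissions per identity, as exported from IAM.
# Names follow the "service:Action" convention used by AWS IAM.
GRANTED = {
    "svc-build-pipeline": {
        "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket",
        "ec2:RunInstances", "ec2:TerminateInstances", "ec2:DescribeInstances",
        "iam:PassRole", "iam:CreateRole", "iam:AttachRolePolicy",
        "kms:Decrypt", "kms:Encrypt", "kms:CreateKey",
        "lambda:InvokeFunction", "lambda:CreateFunction", "lambda:DeleteFunction",
        "dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:DeleteTable",
        "secretsmanager:GetSecretValue", "secretsmanager:DeleteSecret",
    },
    "alice@example.com": {"s3:GetObject", "s3:ListBucket", "ec2:DescribeInstances"},
    "svc-report-generator": {"s3:GetObject", "dynamodb:GetItem", "dynamodb:Query"},
}

# Constructed audit-log excerpt: "<timestamp> <identity> <permission> <result>".
USAGE_LOG = """\
2024-03-01T09:12:03Z svc-build-pipeline s3:GetObject ALLOW
2024-03-01T09:12:04Z svc-build-pipeline s3:GetObject ALLOW
2024-03-01T09:13:11Z alice@example.com s3:ListBucket ALLOW
2024-03-01T09:14:20Z alice@example.com ec2:DescribeInstances ALLOW
2024-03-01T09:14:21Z alice@example.com s3:GetObject ALLOW
2024-03-01T10:02:45Z svc-report-generator dynamodb:Query ALLOW
2024-03-01T10:02:46Z svc-report-generator sts:AssumeRole ALLOW
2024-03-01T10:30:00Z svc-build-pipeline ec2:TerminateInstances DENY
"""

USAGE_THRESHOLD = 0.05  # the "less than 5% of permissions granted" figure


def parse_usage(log_text):
    """Return {identity: set of permissions actually exercised} from ALLOW events.
    DENY events are skipped: a refused call is not an exercised permission."""
    used = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, identity, permission, result = line.split()
        if result == "ALLOW":
            used[identity].add(permission)
    return used


def analyse(granted, used, threshold=USAGE_THRESHOLD):
    """Per identity: share of the grant in use, permissions never used, and
    permissions exercised that the IAM export does not list at all."""
    report = {}
    for identity in set(granted) | set(used):
        g = granted.get(identity, set())
        u = used.get(identity, set())
        in_use = g & u
        ratio = len(in_use) / len(g) if g else 0.0
        report[identity] = {
            "granted": len(g),
            "used": len(in_use),
            "usage_ratio": ratio,
            "unused": sorted(g - u),            # candidates for removal
            "unaccounted": sorted(u - g),       # activity outside the IAM inventory
            "over_privileged": bool(g) and ratio < threshold,
        }
    return report


def over_privileged_identities(report):
    """Identities whose exercised share of the grant is below the threshold."""
    return sorted(i for i, r in report.items() if r["over_privileged"])


if __name__ == "__main__":
    result = analyse(GRANTED, parse_usage(USAGE_LOG))
    for identity, r in sorted(result.items()):
        print(f"{identity}: {r['used']}/{r['granted']} permissions used "
              f"({r['usage_ratio']:.1%}), unaccounted={r['unaccounted']}")
    print("over-privileged:", over_privileged_identities(result))
```

In the constructed data the pipeline identity exercises 1 of 21 grants, just under the 5% line, and the report generator shows the other half of the problem: a permission (sts:AssumeRole) exercised successfully that the IAM export never listed, which is exactly the kind of activity the report says sits outside traditional IAM tooling.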
The speed at which these environments operate has put severe pressure on the capabilities of traditional access management platforms such as role-based IGA, IAM and PAM. While workloads have long been present on servers and in private clouds, these tended to be static and not time critical. What has changed is partly the breadth of access, but primarily the dynamic/agile/volatile nature of what needs to be managed. It is no longer about setting up a server on a physical machine that runs for years, but about constantly changing workloads.
KuppingerCole has responded to this paradigm with its Dynamic Resource Entitlement & Access Management (DREAM) classification for access management and entitlement platforms that can manage the challenges of the computing environments described above. Fundamentally, DREAM platforms must operate at the speed of the cloud, with permissions based on tasks, toolchains and workloads rather than roles, and must ensure that the right identities receive the right access permissions.
DREAM also encompasses CIEM (Cloud Infrastructure Entitlement Management) platforms, which offer rapid access to cloud infrastructure itself and, in some more advanced examples, granular control of cloud-based resources. Also included within DREAM are the newer PAM for DevOps tools, which extend the traditional functionality of PAM to toolchain-focused access for DevOps teams.
All included platforms must address the protection of the clouds themselves, the assets held in the cloud, and include those assets which remain on-premises but are needed to connect to the cloud. We are addressing such common components as VMware, Linux/Windows Servers, Web Servers, SaaS, IaaS, databases, containers, code, confidential data, secrets, credentials and privileged accounts.
The IT environment has inevitably become complex just as the business environment has made it harder to be competitive and profitable with the shifts in consumer behaviour and new delivery models of goods and services. None of this will stop; more likely the speed of change will accelerate as new technology, such as the metaverse and Web 3.0, opens new markets and opportunities. New technology, business practices and cultures are arising that will further put a strain on traditional Identity and Access Management solutions for multi-hybrid environments.
Organizations understand the business and operational imperatives for these environments, but how to make them successful and secure is less well understood, and the tools for the enhanced access and identity requirements are only just emerging. It is within this new environment that Microsoft Entra Permissions Management must compete, as part of the software giant's wide-ranging effort to manage access and permissions in multi-cloud operating environments.