Welcome to the KuppingerCole Analyst Chat. I'm your host. My name is Matthias Reinwarth, I'm Lead Advisor and Senior Analyst with KuppingerCole Analysts. My guest today is Paul Fisher. He is a Lead Analyst with KuppingerCole and he's based in London. Hi, Paul. Good to see you.
Hi, Matthias. Good to see you, too. We haven't done one of these for a while, so good to catch up.
Exactly. Yeah, but I think you were busy. You had to do lots of work around the document that we're talking about right now. We want to talk about the Leadership Compass that has just recently been published with quite a long title.
Yeah. Yeah. Well, that title is spelt out for you, the Leadership Compass on DREAM and CIEM. So DREAM stands for Dynamic Resource Entitlement and Access Management. And CIEM stands for Cloud Infrastructure Entitlement Management. So people are saying probably, what the hell is that?
Exactly.
So DREAM is all kind of a new term for everything related to entitlement management, but for what we now term dynamic resources. And CIEM, which kind of precedes DREAM. It stands for cloud infrastructure entitlement management. But we, myself and Martin, and a few others here at KuppingerCole thought that we need a wider definition or wider paradigm, so it's not only just about cloud entitlements or cloud access but all sorts of dynamic entitlements, which could include stuff that still exists on-premise. Now, as it turns out, quite a lot of what we are talking about is on the cloud. So because that's really where dynamic resources tend to be now. And so what we did with the Leadership Compass is, we looked at some... well, I was going to say traditional CIEM vendors, but they're hardly traditional. They, you know, it's something that's only really evolved in the last few years, unlike, for example, privilege access management. So we took some of those and some of the emerging ones. And we also then included some privileged access management vendors that are now starting to dabble in cloud entitlement. But also where it becomes a little bit more specific are those PAM vendors that have developed individual solutions or platforms for DevOps. And DevOps, as you know, Matthias, is cloud-based, it's dynamic, it's very fast. And most organizations are now pretty much dependent on DevOps for their future and even if they don't know it. So that's a very long way of saying what the Leadership Compass is about. So to put it shortly, it is about those platforms or that software that we believe serve dynamic resource entitlement and access management. And that can be those resources on the cloud.
But not only limited to the cloud but also includes dynamic infrastructures that can be deployed on-premises as well. Think of Docker, Kubernetes, OpenShift, and so on infrastructures that can be created and destroyed on the fly with all their credentials in there. So this is what you mean by dynamic in that context, right?
Yeah. I mean, dynamic means stuff that's fast moving. So, for example, developers, not just developers, as we have seen other lines of business such as perhaps HR or even sales, even finance, for example, or research, whatever you might want to call it. Then they've become quite accustomed to spinning up resources on different cloud services and which needs or leads to a demand or a need for somehow managing these resources because they are certainly dynamic. What often happens is, though, that an instance, for example, on AWS will be spun up. So in other words, a server, but it will be used maybe once and then left up there because it's so easy to do that on AWS for example, is also quite inexpensive. And people will think, oh well you know, we might need that in the future. So you end up with all these unregistered and protected resources sitting on clouds and it could be AWS, it could be Google, it could be Azure, or it could be an OVH or any number of more specialized clouds. So we have created this, you know, the create, we created dynamic environments and they serve digital transformation very well. And they serve DevOps very well and they serve, like you said, projects that may be happening on-premise. So as far as a business is concerned, they see a good return on that. The problem is that the rest of the business or IT security or identity management hasn't got a real idea about who's doing what in the cloud or even on-premises with these dynamic environments. They don't know who's entitled to what and which identities have what we call zero standing privilege to certain resources.
So all of that. So while privilege access management platforms do a lot of that on a traditional privilege basis. So, you know, the traditional idea of a privileged account is to give it to an admin so that they can operate on someone else's computer, etc. But the idea of privilege is changing in as much that it's not just admins that are allowed to do stuff sensitively. It's increasingly other end users, it can be vendors or third parties or I should say, it could even, although it's not that common at the moment, it could potentially be a customer in the future that is given access to some resource. It's even people working in social media so, people have access to the corporate social media account. Those people should be pretty much vetted, who should be controlled so that we don't see the kind of embarrassing instance that often happened on social media where someone goes rogue and tweets something which is pretty unflattering to the business.
So we have all of this going on. So the definition of privilege changes. So is really anyone that has access to what I call high-value assets or has access to servers or resources, has access to sensitive databases, etc. So all of that is not necessarily covered by the traditional parts of privilege access management, which quite often have standing privileges that are connected to passwords, which are connected to a vault, etc. So what's happening in DevOps, or otherwise is that they're bypassing all that and they're even, for example, and this is, you know, from documentary evidence, having talked to people in the field, the people in DevOps are bringing in their own password managers or they're hiding privileges or passwords or sensitive code within containers and things and then they set up their own access to it and they give it to other people within that environment. And they don't think that they're doing anything wrong because they're there to get things done.
So but I think it's also important to say that DREAM is not just PAM in another name and it's not just CIEM in another name. So there are aspects of CIEM and there are aspects of privilege access management feeding into DREAM. But I think what we have found out is that there are vendors that can do parts of what we call the DREAM paradigm, but very few could say that they've got the whole area covered so that they, for example, would do a traditional PAM, they would do PAM for DevOps. They would also be able to manage cloud entitlement, et cetera. But what's interesting for me is the vendors that are coming up with very, very good tools but are perhaps platform-specific. So Salesforce, for example, lots and lots of businesses use Salesforce and that is a particular type of cloud so one vendor has, for example, specialized in managing access to that. So and I think, you know, there is a market for that. The same with things like ServiceNow, etc. So it's not a one size fits all. It's a changing and developing market and you know, the results are being kind of reflect that. So we've got what you might call mid-size vendors that have done very well in this because of their innovation and their ability to understand how cloud infrastructure works. And needless to say, the most nimble, the most advanced, or the most innovative are cloud-native themselves. So you know, they've developed their solution using dynamic and agile methods. So it's pretty exciting and we are right at the end of the sort of process now. So we're hoping to see this come published in the next few weeks. When the rest of the world can find out about the DREAM. That's what I call it.
Absolutely. I think when we publish this episode, it will be just published as well. So that will, this episode will go live in parallel. And when I think of it, we have been talking about the Leadership Compass PAM for DevOps in a much earlier episode, if I remember correctly. Now, we've added so much functionality to that when we look at DREAM, at CIEM, and these capabilities, I think that that has to lead to a large set of vendors to look at. Or how did you, how did you limit that and who qualified for such a Leadership Compass?
Well, exactly. So this has kind of replaced the PAM for DevOps Leadership Compass because we thought that was a bit limiting because as I said, DevOps aren't the only users of cloud environments. So we don't want people to think that as long as we control DevOps and everything is fine because this huge expansion of cloud usage is affecting all parts of the business, or a business. So yeah, we approached most of the PAM vendors that have been in the PAM for DevOps initially, I think we had a couple that had not been in that, but then of course we approached to see what people that call themselves CIEM vendors. And in all our Leadership Compasses we have a set of qualifications. So those qualifications were to be able to manage entitlements in cloud environments. But we also asked that they have some privilege access management capabilities, not the most advanced when asking, otherwise that would then just have been the PAM Leadership Compass with some stuff bolted on. So it's not meant to be a replacement for a PAM Leadership Compass because there is still a huge market for what we call traditional PAM. And that'll be coming up in the next Leadership Compass, which I've just started working on, where people, organizations that like to have vaults, that like to have passwords, etc., and who possibly still do an awful lot of privileged access management on-premises, et cetera. So there is that still going on. So yeah, so that's how we chose the participants. I can't remember how many we invited, but I think we have in the end 23 that accepted. And of course, we have some vendors to watch, like we always do, who are not in the full review, but we still think that they have something worth looking at for our readers, our clients. So that was the process. And then the usual process is that we talk to all these vendors. I must say it was nice to talk to some new people, like new vendors that I hadn't spoken to before, obviously, and some older acquaintances. 
So I think it's as I said, it's going to cause some conversations in the market but...
That's not only in the market because I see that in, I'm doing advisory as the main occupation of my day. So I'm talking to end user organizations who are using their identity and access management, their PAM solution, and are extending it to the cloud, to these dynamic infrastructures. And this is a hot topic. So this CIEM/DREAM market is something that is nothing for the future. It is there. It's real and it requires proper solutions. And I think that's the reason why this Leadership Compass will gain some traction and will gain some attention also with vendors, and end-user organizations. When you look at this market, you said there are more seasoned names, more names that are usual in the business. If you compare the share between startups and newcomers and the traditional organizations, which ones are more, or is it a fair share?
I think it's ended up almost like 50/50, I would say between traditional PAM vendors, but those PAM vendors that have extended capabilities into the cloud, et cetera. And then the newer, I bracketed them in CIEM, I mean, you know, they might not all consider themselves CIEM, but when we looked at what they do, they seem to, as we said, qualify as a dynamic resource management platform. So that's why we've got them in. But yeah, I hope it stimulates some conversation. I mean, as I said, it has already stimulated some, from the vendors and, you know, we'll see what the market makes of it. But I think long term, where are we going with privilege access management, is difficult to say, you know. I don't think some vendors are thinking that privilege access management might disappear altogether. And the idea that it'd be difficult to differentiate between traditional privileged accounts and any other kind of account because the type of work that people are doing is changing so much. Everybody in a workspace, well, not everybody, but a lot of people that wouldn't normally be considered privileged users may at some point in their type of work need access to something which is considered restricted, high value or sensitive, et cetera. And they all probably need that access on a dynamic basis. And that means without passwords, without standing privileges, but on a just-in-time or ephemeral basis. So I think we're increasing with those vendors that use based around certificates have already sort of started the groundwork for that, so that we will move to a passwordless exchange of identity so that people can get access quickly to something. So. It might still be lumped together as privilege access in some way because you could say, well, you know, I've got pretty access this afternoon to access this database, for example. So but I think what's going to happen is that privilege access management won't stay static like still much of it is. 
We will even if there's like actual what looks like passwords at the endpoint may not be passwords behind them if you see what I mean. That might just be because users like the comfort of typing in a password. But the market is definitely, I've been covering it for KuppingerCole for three years and it's already quite a lot in towards this just-in-time, ephemeral and dynamic nature.
Absolutely. And I think and this is also a volatile market, there's happening a lot at that market, if you just think of the, and you've covered that in the document already, this acquisition of just an example of CloudKnox by Microsoft and integrating that into their new platform for managing these types of entitlements, that is a volatile market. But it's also, yeah, an interesting market and a market worth watching.
Yeah, absolutely. And thanks for bringing that up because that's an important point. Unfortunately, that came too late for this version of the Leadership Compass. But, you know, Active Directory has two camps, those that don't like it and those that feel comfortable with it. And the fact that Microsoft has now acquired CloudKnox and has now developed into a multi-ranging platform, which I believe they call Entra, to do, among other things, cloud management. It's significant only because of how many people still use Microsoft, still use Active Directory, and still use, you know, everything that we understand around the Microsoft sort of stack. So I don't think that them or it moving into this market means that it's over for every other player. But I do think that they will pick up customers from those businesses that traditionally have used Microsoft like Active Directory for all its faults and strengths, et cetera. And I think they will do very well. I'm working on more research into that whole platform. So maybe we could when I know a bit more about it, because Microsoft has certainly done a lot to I think it's in my experience is one of the most rapid integrations of an acquisition I've seen quite often, as you know, acquisition is sort of left pretty much sort of in limbo a bit. The acquired company carries on a sort of independently for a bit, and it says, "now part of whatever company it was acquired by", this Microsoft rolled their sleeves up and decided, right, we're going to create all of our entry into this market. And here it is. So worth watching, indeed. But unfortunately, unfortunately, not in this Compass.
Yeah, but we'll follow up on that as well anyway. Nevertheless, for those who are interested in this volatile market, in this huge market, in this broad market, when it comes to capabilities, we did not even touch upon the required capabilities in this episode. And we're almost at the end of this episode already. Everyone interested in learning more about that can either reach out to you, Paul, or could go to the KuppingerCole website and download the Leadership Compass on CIEM / DREAM just like the dream. And it's the actual current information of your research covering as I see 21 vendors in the central part of the document and eight vendors to watch as far as I can see so this is an interesting document. I will read it and I'm interested in learning more about that because is the requirement for my daily advisory business for every organization that does business in the cloud and, in brackets, who does not should be interested in learning how to manage these entitlements, these accounts, these infrastructures more properly. Any final words from your side, Paul?
Well, I was going to say that, you know, traditional advice is that you should have a portfolio of products for your identity access management and IT security, et cetera. I could see that some businesses will say, OK, we'll risk not having a session recording or some kind of integration with SIEM, not CIEM, but SIEM, because this particular platform, we like what it does for this particular department. And we'll take the risk that if something happens, we have no record of who is doing what, but they might just want something that gives them a more secure management basis. So I think that that's a controversial thing to say that people would apply an application purely for one purpose in one department but I think some of these platforms, you may see that, especially as nearly all of them have APIs, nearly all of them have integrations. So they could be built upon.
OK. Thank you for these final thoughts. I'm looking forward to reading that. And I recommend for those who are interested in learning more about this market to come to our website. Thank you again, Paul, for joining me today. And I'm looking forward to continuing this Microsoft CloudKnox discussion, or Entra discussion but for now, I recommend the Leadership Compass CIEM / DREAM. Thank you very much, Paul.
Thanks, Matthias.
Bye bye.