Where Is Cloud Permissions Management Headed?
Cloud permissions management (CPM) is a branch of cloud security that has emerged over the last couple of years. Its objective is to rein in excess access rights to cloud assets, aka permissions or entitlements, held by people or systems within an infrastructure. In doing so, it seeks to enforce the principle of least privilege as a means of minimizing an organization’s attack surface.
This is a salutary approach to security generally, because permissions tend to sprawl:
- People gain access rights to certain assets just by joining a particular group within the organization, even if they don’t need to use all of them.
- Developers are allocated access rights during an application’s development process, but those rights may not be revoked once it goes into production.
- People leave a company, yet their permissions to access assets may not all be removed after they are gone, creating so-called “orphan” accounts.
- For machine-to-machine permissions and service accounts, it is hard for an organization to keep tabs on all the dependencies and attack paths that open up across its infrastructure as new systems are deployed and existing ones change the way they operate.
As such, CPM can be thought of as good hygiene: build a complete inventory of all the extant permissions within a company’s cloud environment, identify where they exceed requirements, then curtail the unnecessary ones.
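The inventory-then-curtail loop described above is straightforward to illustrate. The following is an added example (not code from the original article, from Omdia, or from any CPM vendor) that compares each identity’s granted entitlements against the actions it has actually exercised in a 90-day window, flags orphan accounts that still hold entitlements, and, for wildcard grants such as `s3:*`, proposes the narrower set of concrete actions that was really used. The identities, action names and usage events are constructed sample data; the cloud-provider naming is illustrative and the window length is an assumed policy choice.

```python
import fnmatch
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Identity:
    name: str
    kind: str             # "human" or "service" (assumed classification)
    active: bool          # False once the person has left or the workload is retired
    granted: frozenset    # entitlements held; "svc:*" style wildcards allowed


@dataclass(frozen=True)
class UsageEvent:
    identity: str
    action: str
    day: date


TODAY = date(2021, 9, 1)  # fixed "now" so the example is reproducible

# Constructed sample inventory and activity log (not from any real tenant).
IDENTITIES = [
    Identity("alice", "human", True,
             frozenset({"s3:GetObject", "s3:PutObject", "iam:CreateUser"})),
    Identity("bob", "human", False, frozenset({"ec2:*"})),   # left the company, grant never revoked
    Identity("build-bot", "service", True,
             frozenset({"s3:*", "ecr:GetAuthorizationToken"})),
]
EVENTS = [
    UsageEvent("alice", "s3:GetObject", TODAY - timedelta(days=3)),
    UsageEvent("alice", "iam:CreateUser", TODAY - timedelta(days=200)),  # outside the window
    UsageEvent("build-bot", "s3:GetObject", TODAY - timedelta(days=1)),
    UsageEvent("build-bot", "s3:PutObject", TODAY - timedelta(days=1)),
    UsageEvent("build-bot", "ecr:GetAuthorizationToken", TODAY - timedelta(days=1)),
]


def actions_used(events, today, window_days=90):
    """Map identity -> set of actions it exercised within the look-back window."""
    cutoff = today - timedelta(days=window_days)
    used = {}
    for ev in events:
        if ev.day >= cutoff:
            used.setdefault(ev.identity, set()).add(ev.action)
    return used


def review_identity(identity, used_actions):
    """Return (unused, narrow): grants with no matching use, and for each
    wildcard grant that was used, the concrete actions it can be narrowed to."""
    unused, narrow = set(), {}
    for grant in identity.granted:
        matched = {a for a in used_actions if fnmatch.fnmatchcase(a, grant)}
        if not matched:
            unused.add(grant)
        elif "*" in grant:
            narrow[grant] = matched
    return unused, narrow


def cpm_report(identities, events, today, window_days=90):
    """Inventory every identity and recommend what to revoke or narrow."""
    used = actions_used(events, today, window_days)
    report = {}
    for ident in identities:
        if not ident.active:
            # Orphan account: nothing it holds is justified any more.
            report[ident.name] = {"orphan": True, "revoke": set(ident.granted), "narrow": {}}
            continue
        unused, narrow = review_identity(ident, used.get(ident.name, set()))
        report[ident.name] = {"orphan": False, "revoke": unused, "narrow": narrow}
    return report


if __name__ == "__main__":
    for name, r in cpm_report(IDENTITIES, EVENTS, TODAY).items():
        tag = "ORPHAN" if r["orphan"] else "active"
        print(f"{name} ({tag}): revoke={sorted(r['revoke'])} narrow={r['narrow']}")
```

Run as-is, the report recommends revoking `s3:PutObject` and `iam:CreateUser` from alice (the latter was last used outside the window), revoking everything from the departed bob, and replacing build-bot’s `s3:*` with the two S3 actions it actually calls. A real implementation would source the inventory from the cloud provider’s IAM API and the activity from its audit log; the matching and recommendation logic stays the same.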
A Rose by Any Other Name
The sector is so new that Omdia had to come up with a name for it when we encountered our first CPM vendor back in early 2020. Since then, Gartner has come up with one of its own: cloud infrastructure entitlements management (CIEM), which Omdia dislikes for two reasons.
First, it is an unwieldy mouthful in its long form, and second, the acronym is confusingly close to two others in security: SIEM (security information and event management) and CIAM (customer identity and access management). With SIEM often pronounced “sim” in conversation and CIAM pronounced “cyam,” CIEM often ends up being pronounced “kim,” which is silly.
Meanwhile Forrester calls the technology cloud identity governance, which is acceptable, but less precise than CPM.
Build or Buy?
As is often the case in cybersecurity, the first wave of companies offering the capability were dedicated startups, and Omdia waited to see whether larger industry players would buy some of these minnows or develop the capability themselves. In the event, both things have happened.
Privileged access management (PAM) market leader CyberArk unveiled a CPM capability in November 2020, hotly pursued by customer relationship management (CRM) behemoth Salesforce, which launched its offering the same month. In 2021, cloud-based security-as-a-service vendor Zscaler acquired CPM startup Trustdome in April, then Microsoft acquired CloudKnox, arguably the pioneer and market leader in CPM, in July.
A Big Business, or a Feature?
So will CPM develop into a major sector of cyber technology in its own right, or will it be subsumed into broader offerings, becoming a feature on a list of cloud security capabilities? In other words, what’s next for this sector?
Some technologies, such as next-generation firewalls (NGFWs) and endpoint detection and response (EDR), have grown into major sectors within cybersecurity, a path that the more recent extended detection and response (XDR) looks set to follow. On the other hand, segments such as data loss prevention (DLP) and cloud access security brokers (CASBs) saw wholesale land grabs, as larger entities within cybersecurity acquired startup vendors to add their products to a broader portfolio, in many cases integrating the software into a broader platform rather than retaining it as a standalone product. The evidence so far suggests that this “disappearance into the fabric” is the fate that awaits CPM.
Aside from CyberArk, another of the broad-based security vendors to enter CPM was Attivo Networks, which after making its name in deception technology expanded into Active Directory and endpoint security. Thus when it launched its IDEntitleX product in July this year, it highlighted the fact that it can combine this CPM capability with its insight into events in AD or on corporate endpoints, not only to derive a fuller picture of what is happening in a customer’s infrastructure, but then also to take remedial action across those different domains.
Read the full article by Rik Turner on Dark Reading.