Attivo Networks Blogs

Where Is Cloud Permissions Management Headed?

Dark Reading

Cloud permissions management (CPM) is a branch of cloud security that has emerged over the last couple of years. Its objective is to rein in any excess access rights to cloud assets, aka permissions or entitlements, which may be enjoyed by people or systems within an infrastructure. In doing so, it seeks to enforce the principle of least privilege as a means of minimizing an organization’s attack surface.

This is a salutary approach to security generally, because permissions tend to suffer sprawl, in that:

  • People gain access rights to certain assets just by joining a particular group within the organization, even if they don’t need to use all of them.
  • Developers are allocated access rights during an application’s development process, but those rights may not be revoked once it goes into production.
  • People leave a company, yet their permissions to access assets may not all be removed after they are gone, creating so-called “orphan” accounts.
  • In terms of machine-to-machine permissions and service accounts, it is hard for an organization to keep tabs on all the dependencies and attack paths that become available through its infrastructure as new systems are deployed and existing ones change the way they operate.

As such, CPM can be thought of as good hygiene, gaining a complete inventory of all the extant permissions within a company’s cloud environment to identify areas where they exceed requirements, then curtailing the unnecessary ones.
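The hygiene loop described above (inventory the grants, compare them with what is actually required, revoke the excess) can be expressed as a small review script. The example below is added here for illustration and is not code from the article or from any CPM vendor; the principals, grants, permission names, the `dev-phase` source tag and the 90-day threshold are all constructed, and the `last_used` mapping stands in for the kind of last-accessed data cloud providers expose. It classifies each grant into one of the sprawl patterns from the list above (orphaned account, development-time grant that outlived its justification, permission never or no longer exercised) and returns the reduced grant set that survives the review.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Principal:
    name: str
    kind: str      # "user" or "service"
    active: bool   # False once the person has left or the workload is retired


@dataclass(frozen=True)
class Grant:
    principal: str
    permission: str
    source: str    # "direct", "group:<name>" or "dev-phase" (constructed tags)
    granted_on: date


# Review window: a policy choice made for this example, not a figure from the article.
UNUSED_AFTER = timedelta(days=90)


def review(principals, grants, last_used, today, unused_after=UNUSED_AFTER):
    """Classify every grant in the inventory.

    Returns (findings, retained): findings maps a sprawl category to the grants
    that should be revoked; retained is the least-privilege set that survives.
    last_used maps (principal, permission) -> date of the most recent use.
    """
    by_name = {p.name: p for p in principals}
    findings = {"orphan": [], "stale-dev": [], "unused": []}
    retained = []
    for g in grants:
        p = by_name.get(g.principal)
        used = last_used.get((g.principal, g.permission))
        if p is None or not p.active:
            # Grant belongs to an unknown or departed principal
            findings["orphan"].append(g)
        elif g.source == "dev-phase" and today - g.granted_on > unused_after:
            # Development-time grant whose justification has expired
            findings["stale-dev"].append(g)
        elif used is None or today - used > unused_after:
            # Never exercised, or not exercised within the review window
            findings["unused"].append(g)
        else:
            retained.append(g)
    return findings, retained


def revocations(findings):
    """Flatten findings into {principal: sorted permissions to remove}."""
    out = {}
    for grants in findings.values():
        for g in grants:
            out.setdefault(g.principal, set()).add(g.permission)
    return {p: sorted(perms) for p, perms in sorted(out.items())}


# Constructed inventory for the demonstration.
TODAY = date(2021, 9, 1)
PRINCIPALS = [
    Principal("alice", "user", True),
    Principal("bob", "user", False),          # left the company
    Principal("dave", "user", True),          # developer
    Principal("ci-deployer", "service", True),
]
GRANTS = [
    Grant("alice", "bucket:read", "group:analysts", date(2021, 1, 10)),
    Grant("alice", "bucket:delete", "group:analysts", date(2021, 1, 10)),
    Grant("bob", "bucket:read", "direct", date(2020, 5, 1)),
    Grant("dave", "vm:set-metadata", "dev-phase", date(2021, 2, 1)),
    Grant("ci-deployer", "vm:create", "direct", date(2021, 3, 1)),
    Grant("ci-deployer", "sa:impersonate", "direct", date(2021, 3, 1)),
]
LAST_USED = {
    ("alice", "bucket:read"): date(2021, 8, 30),
    ("bob", "bucket:read"): date(2021, 3, 15),
    ("dave", "vm:set-metadata"): date(2021, 8, 25),
    ("ci-deployer", "vm:create"): date(2021, 8, 31),
    ("ci-deployer", "sa:impersonate"): date(2021, 4, 1),   # 153 days ago
}

if __name__ == "__main__":
    found, kept = review(PRINCIPALS, GRANTS, LAST_USED, TODAY)
    for category, items in found.items():
        for g in items:
            print(f"{category:10} {g.principal:12} {g.permission} (via {g.source})")
    print("revoke:", revocations(found))
    print("retain:", [(g.principal, g.permission) for g in kept])
```

The ordering of the checks matters: an orphaned account is revoked outright regardless of usage, a development-phase grant is sent back for re-approval even if it is still being exercised, and only then is recency of use considered. Group-inherited grants such as Alice’s `bucket:delete` show up as unused rather than being excused because they arrived via a group, which is the sprawl case the first bullet describes.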

A Rose by Any Other Name
The sector is so new that Omdia had to come up with a name for it when we encountered our first CPM vendor back in early 2020. Since then, Gartner has come up with one of its own: cloud infrastructure entitlements management (CIEM), which Omdia dislikes for two reasons.

First, it is an unwieldy mouthful in its long form, but second, the acronym is confusingly close to two others in security: SIEM (security incident and event management) and CIAM (customer identity and access management). With SIEM often pronounced “sim” in conversations and CIAM pronounced “cyam,” CIEM often ends up being pronounced “kim,” which is silly.

Meanwhile Forrester calls the technology cloud identity governance, which is acceptable, but less precise than CPM.

Build or Buy?
As is often the case in cybersecurity, the first wave of companies offering the capability were dedicated startups, and Omdia waited to see whether larger industry players would buy some of these minnows or develop the capability themselves. In the event, both things have happened.

Privileged access management (PAM) market leader CyberArk unveiled a CPM capability in November last year, hotly pursued by customer relationship management (CRM) behemoth Salesforce, which launched its offering the same month. This year, cloud-based security-as-a-service vendor Zscaler acquired CPM startup Trustdome in April, then Microsoft acquired CloudKnox, arguably the pioneer and market leader in CPM, in July.

A Big Business, or a Feature?
So will CPM develop into a major sector of cyber technology in its own right, or will it be subsumed into broader offerings, becoming a feature on a list of cloud security capabilities? In other words, what’s next for this sector?

Some technologies such as next-generation firewalls (NGFWs) and endpoint detection and response (EDR) have grown into major sectors within cybersecurity, a path that the more recent extended detection and response (XDR) looks set to follow. On the other hand, segments such as data loss prevention (DLP) and cloud access security brokers (CASBs) saw wholesale landgrabs, as larger entities within cybersecurity acquired startup vendors to add their product to a broader portfolio, in many cases even integrating their software into a broader platform rather than retaining it as a standalone product. The evidence so far suggests that this “disappearance into the fabric” is the fate that awaits CPM.

Aside from CyberArk, another of the broad-based security vendors to enter CPM was Attivo Networks, which after making its name in deception technology expanded into Active Directory and endpoint security. Thus when it launched its IDEntitleX product in July this year, it highlighted the fact that it can combine this CPM capability with its insight into events in AD or on corporate endpoints, not only to derive a fuller picture of what is happening in a customer’s infrastructure, but then also to take remedial action across those different domains.

Read the full article by Rik Turner on Dark Reading.
