At the start of June 2022, just before RSAC 2022, Microsoft announced a new product family, Microsoft Entra, which encompasses all of Microsoft’s identity and access capabilities. Microsoft Entra products include:
- Azure Active Directory (Azure AD) as well as two new product categories:
- Microsoft Entra Permissions Management (a Cloud Permissions management (CPM) / Cloud Infrastructure Entitlement Management (CIEM) solution)
- Microsoft Entra Verified ID (a decentralized identity product offering)
According to Microsoft, Entra is part of the company’s expanded vision for identity and access. The plan is to verify all types of identities and secure, manage, and govern their access to any resource, by:
- Protecting access to any app or resource for any user;
- Securing and verifying every identity across hybrid and multicloud environments;
- Discovering and governing permissions in multicloud environments; and
- Simplifying the user experience with real-time intelligent access decisions.
Azure Active Directory (Azure AD)
Microsoft Azure AD is also part of the Microsoft Entra family, and all its capabilities, such as conditional access and passwordless authentication, remain unchanged. Azure AD External Identities continues to be the vendor’s identity solution for customers and partners under the Microsoft Entra family.
Identity Governance for employees and partners is another area of focus for Microsoft. It’s a significant challenge for IT and security teams to provision new users and guest accounts and manage their access rights manually. This can have a negative impact on both IT and individual productivity. New employees often experience a slow ramp-up to full effectiveness while they wait for the access required for their jobs. Similar delays in granting necessary access to guest users undermine a smoothly functioning supply chain. At the other end, without formal or automated processes for reprovisioning or deprovisioning people’s accounts, their access rights may remain in place when they change roles or exit the organization (the dangerous "orphan account" scenario that can be exploited by threat actors).
Microsoft believes that their Identity Governance (in Azure AD) offering addresses this with identity lifecycle management, which simplifies and speeds up the processes for onboarding and offboarding users. Lifecycle workflows automate assigning and managing access rights and monitoring and tracking access as user attributes change. Lifecycle workflows enhancements in Identity Governance are scheduled to enter public preview in July 2022.
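To make the joiner/mover/leaver problem concrete, the following is an added illustration (not Microsoft's or Omdia's code) of the reconciliation that a lifecycle workflow performs: entitlements are derived from the HR record's department and employment status, so a role change revises access, an exit revokes it, and any account that still holds access without an active HR record is reported as an orphan. The department-to-entitlement map, the users and the directory state are constructed sample data, not a real tenant.

```python
"""
Added example (not Microsoft's or Omdia's code): a minimal joiner/mover/leaver
reconciliation. Access is derived from HR attributes, so the directory is
brought in line with HR truth on every run, and orphan accounts surface as
the leaver failure mode. All names and entitlements below are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass

# Hypothetical department-to-entitlement map (assumption for the demo).
ROLE_ENTITLEMENTS: dict[str, set[str]] = {
    "engineering": {"github", "ci-pipeline", "vpn"},
    "finance": {"erp", "expense-tool", "vpn"},
    "guest-partner": {"partner-portal"},
}


@dataclass(frozen=True)
class HrRecord:
    user: str
    department: str
    active: bool  # False once HR marks the person as having left


def desired_access(record: HrRecord | None) -> set[str]:
    """Entitlements a user should hold; nothing if unknown to HR or inactive."""
    if record is None or not record.active:
        return set()
    return set(ROLE_ENTITLEMENTS.get(record.department, set()))


def reconcile(hr: dict[str, HrRecord], directory: dict[str, set[str]]):
    """Compare HR truth with directory state.

    Returns (grants, revocations, orphans): grants and revocations map
    user -> set of entitlements to add/remove; orphans lists accounts that
    hold access but have no active HR record.
    """
    grants: dict[str, set[str]] = {}
    revocations: dict[str, set[str]] = {}
    orphans: list[str] = []
    for user in sorted(set(hr) | set(directory)):
        current = directory.get(user, set())
        target = desired_access(hr.get(user))
        if current and not target:
            orphans.append(user)
        if target - current:
            grants[user] = target - current
        if current - target:
            revocations[user] = current - target
    return grants, revocations, orphans


def apply_changes(directory, grants, revocations):
    """Return the directory state after the workflow has applied its changes."""
    updated = {u: set(e) for u, e in directory.items()}
    for user, add in grants.items():
        updated.setdefault(user, set()).update(add)
    for user, remove in revocations.items():
        updated[user] -= remove
    return {u: e for u, e in updated.items() if e}  # drop emptied accounts


def sample_state():
    """Constructed scenario: a joiner, a mover, two kinds of leaver, one steady user."""
    hr = {
        "alice": HrRecord("alice", "engineering", True),  # steady, missing one entitlement
        "bob": HrRecord("bob", "finance", True),          # moved from engineering
        "dave": HrRecord("dave", "engineering", True),    # joiner, no account yet
        "pat": HrRecord("pat", "guest-partner", False),   # guest whose engagement ended
    }
    directory = {
        "alice": {"github", "vpn"},
        "bob": {"github", "ci-pipeline", "vpn"},
        "carol": {"erp", "vpn"},          # no HR record at all: orphan
        "pat": {"partner-portal"},        # inactive guest still holding access: orphan
    }
    return hr, directory


if __name__ == "__main__":
    hr, directory = sample_state()
    grants, revocations, orphans = reconcile(hr, directory)
    print("grant:", grants)
    print("revoke:", revocations)
    print("orphans:", orphans)
    after = apply_changes(directory, grants, revocations)
    assert reconcile(hr, after) == ({}, {}, [])  # a second pass is a no-op
```

The point of deriving access from attributes rather than assigning it by hand is visible in the second pass: once the changes are applied, reconciling again produces nothing, and a later HR change (a department update or a deactivation) is picked up automatically on the next run rather than waiting for a manual ticket.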
Omdia believes that automating identity, authentication, and access features and tasks is a key trend within this space. There is an ever-increasing amount of data that companies need to keep secure and to interpret when things go wrong, and the automation of features and tasks will continue to accelerate in the coming years. This increase in data is helping to drive automation in a number of segments within the identity, authentication, and access sector.
Microsoft Entra Permissions Management (Cloud Permissions Management)
Microsoft stated that the Microsoft Entra Permissions Management product/solution will be a standalone offering and will also be integrated within the Defender for Cloud dashboard, extending Microsoft Defender for Cloud's protection into the CPM realm (a.k.a. CIEM). It is worth recalling the history and development of this product. In July 2021, Microsoft acquired CloudKnox Security, which was the market leader in CPM technology, with a view to enabling businesses using its Azure Active Directory service to exercise tighter control over employees’ access rights to their cloud assets, regardless of which cloud they reside in.
CPM is an emerging technology segment, with most of the start-ups offering the capability dating from the late 2010s. CloudKnox was among the first, having been founded in 2017. So recent is the technology that it still has no standard name: one analyst firm calls it cloud infrastructure entitlements management (CIEM), which is both excessively wordy and confusing, given its similarity to security incident and event management (SIEM) and customer identity and access management (CIAM). Another calls it cloud identity governance, which is less self-explanatory than Omdia's preferred name, cloud permissions management. The permissions management product/solution will be available worldwide in July 2022.
It is also worth noting that the Permissions Management product is cloud agnostic, i.e. it will be able to enforce the principle of least privilege in Microsoft Azure, Amazon Web Services, and Google Cloud Platform.
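What "enforcing least privilege" means in CPM terms is the gap between permissions an identity has been granted and permissions it actually exercises. The following is an added illustration (not Microsoft's, CloudKnox's or Omdia's code) of that core comparison across three clouds: each identity's grant patterns are matched against the actions observed in a window, the unused share is reported as a "permission creep" score, and a right-sized grant containing only the exercised actions is proposed. The identities, grants and activity events are constructed sample data; the action strings follow each provider's naming style but are illustrative, not a statement about any real policy.

```python
"""
Added example (not Microsoft's or Omdia's code): a toy cloud permissions
management (CPM/CIEM) pass. Granted permission patterns are compared with
observed actions; wildcards in grants are resolved by fnmatch so that an
"iam:*" grant exercised only as "iam:PassRole" is right-sized to that one
action. All identities, grants and events are constructed sample data.
"""
from __future__ import annotations
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Identity:
    cloud: str   # "aws", "azure" or "gcp"
    name: str


@dataclass
class Finding:
    identity: Identity
    granted: set[str]
    used_grants: set[str]      # grant patterns that matched at least one action
    unused_grants: set[str]    # candidates for removal
    right_sized: set[str]      # concrete actions observed; wildcards collapsed
    creep: float               # unused / granted; 0.0 means fully exercised


def analyze(grants: dict[Identity, set[str]],
            activity: list[tuple[Identity, str]]) -> list[Finding]:
    """Match observed actions against grant patterns, worst creep first."""
    observed: dict[Identity, set[str]] = {}
    for ident, action in activity:
        observed.setdefault(ident, set()).add(action)

    findings = []
    for ident, patterns in grants.items():
        actions = observed.get(ident, set())
        used = {p for p in patterns if any(fnmatchcase(a, p) for a in actions)}
        # Actions matching no grant would have been denied; keep only allowed ones.
        allowed = {a for a in actions if any(fnmatchcase(a, p) for p in patterns)}
        creep = len(patterns - used) / len(patterns) if patterns else 0.0
        findings.append(Finding(ident, set(patterns), used, patterns - used,
                                allowed, creep))
    return sorted(findings, key=lambda f: f.creep, reverse=True)


def sample_data():
    """Constructed multicloud snapshot: three identities, one window of activity."""
    build = Identity("aws", "role/build-runner")
    report = Identity("azure", "sp/reporting")
    etl = Identity("gcp", "sa/etl")
    grants = {
        build: {"s3:GetObject", "s3:PutObject", "s3:DeleteBucket", "iam:*"},
        report: {"Microsoft.Storage/storageAccounts/read",
                 "Microsoft.Compute/virtualMachines/*"},
        etl: {"storage.objects.get", "storage.objects.create"},
    }
    activity = [
        (build, "s3:GetObject"), (build, "s3:PutObject"), (build, "iam:PassRole"),
        (report, "Microsoft.Storage/storageAccounts/read"),
        (etl, "storage.objects.get"), (etl, "storage.objects.create"),
    ]
    return grants, activity


if __name__ == "__main__":
    for f in analyze(*sample_data()):
        print(f"{f.identity.cloud}:{f.identity.name} creep={f.creep:.2f} "
              f"unused={sorted(f.unused_grants)} right_sized={sorted(f.right_sized)}")
```

The cloud-agnostic part is simply that every provider's grants and activity are normalized into the same "identity, pattern, action" shape before comparison; the provider-specific work a real product does (reading IAM policies, Azure role assignments and GCP bindings, and ingesting each cloud's activity logs) sits in front of this step and is not shown here.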
Microsoft Entra Verified ID (Decentralized Identity)
Microsoft Entra Verified ID is a new product offering based on decentralized identity standards that makes portable, self-owned identity possible. Verified ID represents Microsoft's commitment to an open, trustworthy, interoperable, and standards-based decentralized identity future for individuals and organizations. Instead of granting broad consent to countless apps and services and spreading identity data across numerous providers, Verified ID allows individuals and organizations to decide what information they share, when and with whom they share it, and—when necessary—to take it back by rescinding access rights. The Verified ID product will be available from early August 2022. Omdia believes that decentralized identity is gaining traction and this announcement by Microsoft to launch a product in this space will help to turbocharge the segment.
Expansion of the Microsoft Entra product family – Which IAA segments next?
It was interesting to note in Microsoft's recent press release that they stated this launch "is an important step towards delivering a comprehensive set of products for identity and access needs, and we’ll continue to expand the Microsoft Entra product family." So what areas are they likely to expand into? PAM? CPM technology looks like a natural adjacency for privileged access management (PAM) vendors, and indeed, the largest player in PAM, CyberArk, launched a CPM module in late 2020. Meanwhile, Zscaler, which delivers security as a service from the cloud, acquired CPM start-up Trustdome in April 2021, reportedly for $31M, and XDR vendor SentinelOne's $616M acquisition of Attivo in March this year brought it, among other things, a CPM capability.
If Microsoft were to enter the PAM market, then what other areas of identity, authentication and access are logical to look at?
In recent years, segments such as PAM and IGA have undergone the cloudification of their products/solutions. Enterprise applications were already moving to the cloud long before the pandemic, to be delivered as a service. However, the impact of the pandemic was to turbocharge that process, and with it, the need for cloud-based identity management capabilities.
This backdrop explains the importance Omdia attributes to the cloud in the identity services market, not only as a locus from which to deliver IGA, but also as the place where an increasing number of corporate assets now reside, which raises the bar for entitlements management. It is also worth noting that Okta, the 800-pound gorilla of cloud-native identity management, is planning to launch IGA and PAM products in Q4 2022 and Q1 2023.
There has also been an expansion of diverse access points over the last couple of years and an overlapping of identity and access tools. All of this helps to explain why Microsoft has expanded its identity, authentication, and access product portfolio and why it sees this area as being central to secure access in a connected world.
Identity As a Trust Fabric
With the launch of Entra, Microsoft plans to expand its identity and access solutions so that they can serve as a "trust fabric" for the entire digital ecosystem, now and long into the future.
The "trust fabric" is an identity mesh of connections that secures, governs, and manages access across Microsoft products. To make this vision a reality, identity must evolve. This interconnected world requires a flexible and agile model in which people, organizations, apps, and even smart devices can confidently make real-time access decisions.
Microsoft has traditionally been seen as the unspoken giant of identity. With the Entra announcements it is now entering the fray in a more direct fashion, and other IAA vendors need to sit up and take notice of these developments. Where once they simply played nicely with Active Directory as the backend identity repository for their technology, Microsoft may now be coming for their lunch.
The next few years will certainly be an interesting time in the identity space, with new entrants, new product launches and more mergers and acquisitions. Omdia predicts disruption and displacement, with Microsoft as the disruptor in chief!