Cloud permissions management (CPM) is a branch of cloud security that has emerged over the last couple of years. Its objective is to rein in any excess access rights to cloud assets, aka permissions or entitlements, which may be enjoyed by people or systems within an infrastructure. In doing so, it seeks to enforce the principle of least privilege as a means of minimizing an organization's attack surface.
This is a salutary approach to security generally, because permissions tend to suffer sprawl, in that:
- People gain access rights to certain assets just by joining a particular group within the organization, even if they don't need to use all of them.
- Developers are allocated access rights during an application's development process, but those rights may not be revoked once it goes into production.
- People leave a company, yet their permissions to access assets may not all be removed after they are gone, creating so-called "orphan" accounts.
- In terms of machine-to-machine permissions and service accounts, it is hard for an organization to keep tabs on all the dependencies and attack paths that become available through its infrastructure as new systems are deployed and existing ones change the way they operate.
As such, CPM can be thought of as good hygiene, gaining a complete inventory of all the extant permissions within a company's cloud environment to identify areas where they exceed requirements, then curtailing the unnecessary ones.
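The hygiene loop described above (inventory every entitlement, compare it against what is actually exercised, then remove the excess) is what a CPM tool automates at scale. The following is an added example written for this article, not any vendor's code: it runs that loop over a small constructed inventory and activity log. The identity names, the AWS IAM-style action strings (for example `s3:GetObject`) and the 90-day observation window are all illustrative assumptions; no cloud provider API is called.

```python
"""Toy cloud-permissions right-sizing (added example; constructed data only).

Compares what each identity is granted against what it actually used inside
an observation window, then flags three kinds of sprawl the text describes:
grants never exercised, orphan accounts, and wildcards that can be narrowed.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class Identity:
    name: str
    kind: str                 # "user" (person) or "service" (machine identity)
    active: bool              # False once the person has left or the system is retired
    granted: set = field(default_factory=set)   # entitlements, IAM-style "service:Action"


TODAY = date(2021, 9, 30)     # constructed reference date for the observation window

# Constructed inventory of entitlements (hypothetical identities, not real accounts).
INVENTORY = [
    Identity("alice", "user", True,
             {"s3:GetObject", "s3:PutObject", "s3:DeleteBucket", "iam:PassRole"}),
    Identity("bob", "user", False, {"ec2:*"}),               # left the company, grants remain
    Identity("carol", "user", True, {"s3:*"}),               # wildcard grant
    Identity("ci-deployer", "service", True,
             {"ecr:PutImage", "ecs:UpdateService", "iam:CreateUser"}),
]
BY_NAME = {i.name: i for i in INVENTORY}

# Constructed activity log: (day, identity, action) tuples.
ACTIVITY = [
    (TODAY - timedelta(days=3), "alice", "s3:GetObject"),
    (TODAY - timedelta(days=10), "alice", "s3:PutObject"),
    (TODAY - timedelta(days=200), "alice", "s3:DeleteBucket"),   # outside the 90-day window
    (TODAY - timedelta(days=5), "carol", "s3:GetObject"),
    (TODAY - timedelta(days=1), "ci-deployer", "ecr:PutImage"),
    (TODAY - timedelta(days=1), "ci-deployer", "ecs:UpdateService"),
]


def matches(grant: str, action: str) -> bool:
    """A grant such as 'ec2:*' covers every action in that service."""
    g_svc, g_op = grant.split(":", 1)
    a_svc, a_op = action.split(":", 1)
    return g_svc == a_svc and (g_op == "*" or g_op == a_op)


def used_actions(name: str, activity, window_days: int = 90, today: date = TODAY) -> set:
    """Actions the identity exercised within the observation window."""
    cutoff = today - timedelta(days=window_days)
    return {act for day, who, act in activity if who == name and day >= cutoff}


def unused_grants(identity: Identity, activity, window_days: int = 90) -> set:
    """Entitlements that no observed action in the window relied on."""
    used = used_actions(identity.name, activity, window_days)
    return {g for g in identity.granted if not any(matches(g, a) for a in used)}


def orphan_accounts(inventory) -> list:
    """Inactive identities that still hold entitlements."""
    return sorted(i.name for i in inventory if not i.active and i.granted)


def right_size(inventory, activity, window_days: int = 90) -> dict:
    """Least-privilege proposal: for each identity, the sorted list of actions it
    actually used and was entitled to. Inactive identities get nothing, and a
    wildcard grant collapses to the concrete actions observed under it."""
    policy = {}
    for ident in inventory:
        if not ident.active:
            policy[ident.name] = []
            continue
        used = used_actions(ident.name, activity, window_days)
        policy[ident.name] = sorted(a for a in used
                                    if any(matches(g, a) for g in ident.granted))
    return policy


if __name__ == "__main__":
    print("orphan accounts:", orphan_accounts(INVENTORY))
    for ident in INVENTORY:
        print(f"{ident.name}: unused {sorted(unused_grants(ident, ACTIVITY))}")
    print("proposed policy:", right_size(INVENTORY, ACTIVITY))
```

Two caveats a practitioner would apply before acting on such a report: a permission unused for 90 days is not necessarily unneeded (quarterly or disaster-recovery tasks exercise rights rarely), so the window should be tuned and findings reviewed rather than revoked blindly; and for service accounts the dependency question raised above is the hard part, because a machine identity's usage is only visible if its activity is actually logged.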
A Rose by Any Other Name
The sector is so new that Omdia had to come up with a name for it when we encountered our first CPM vendor back in early 2020. Since then, Gartner has come up with one of its own: cloud infrastructure entitlements management (CIEM), which Omdia dislikes for two reasons.
First, it is an unwieldy mouthful in its long form, but second, the acronym is confusingly close to two others in security: SIEM (security information and event management) and CIAM (customer identity and access management). With SIEM often pronounced "sim" in conversation and CIAM pronounced "cyam," CIEM often ends up being pronounced "kim," which is silly.
Meanwhile Forrester calls the technology cloud identity governance, which is acceptable, but less precise than CPM.
Build or Buy?
As is often the case in cybersecurity, the first wave of companies offering the capability were dedicated startups, and Omdia waited to see whether larger industry players would buy some of these minnows or develop the capability themselves. In the event, both things have happened.
Privileged access management (PAM) market leader CyberArk unveiled a CPM capability in November last year, hotly pursued by customer relationship management (CRM) behemoth Salesforce, which launched its offering the same month. This year, cloud-based security-as-a-service vendor Zscaler acquired CPM startup Trustdome in April, then Microsoft acquired CloudKnox, arguably the pioneer and market leader in CPM, in July.
A Big Business, or a Feature?
So will CPM develop into a major sector of cyber technology in its own right, or will it be subsumed into broader offerings, becoming a feature on a list of cloud security capabilities? In other words, what’s next for this sector?
Some technologies such as next-generation firewalls (NGFWs) and endpoint detection and response (EDR) have grown into major sectors within cybersecurity, a path that the more recent extended detection and response (XDR) looks set to follow. On the other hand, segments such as data loss prevention (DLP) and cloud access security brokers (CASBs) saw wholesale landgrabs, as larger entities within cybersecurity acquired startup vendors to add their product to a broader portfolio, in many cases even integrating their software into a broader platform rather than retaining it as a standalone product. The evidence so far suggests that this "disappearance into the fabric" is the fate that awaits CPM.
Aside from CyberArk, another of the broad-based security vendors to enter CPM was Attivo Networks, which after making its name in deception technology expanded into Active Directory and endpoint security. Thus when it launched its IDEntitleX product in July this year, it highlighted the fact that it can combine this CPM capability with its insight into events in AD or on corporate endpoints, not only to derive a fuller picture of what is happening in a customer's infrastructure, but then also to take remedial action across those different domains.
Will the Market Require "One Ring to Rule Them All"?
Circling back to the startups, most of them are broadening their portfolios already. One such company, C3M, already offers cloud security posture management (CSPM), another technology with obvious affinities with CPM (indeed, Zscaler said it was buying Trustdome to bolster its own CSPM offering). A broader portfolio of cloud security capabilities is on the road map for most of these vendors.
Which brings us to yet another Gartnerism: cloud-native application protection platform (CNAPP) is the latest, posited as a comprehensive set of technologies required to secure corporate applications from cradle to grave — i.e., from the development pipeline through to whenever they are retired from production. These capabilities include:
- Infrastructure-as-code (IaC) security
- Container security
- Cloud workload protection platform (CWPP)
- CIEM (Omdia's CPM) and
A lot of the vendors swimming in the broader cloud security pool are making noises about this being their general direction. Still to be confirmed is whether a CNAPP will end up being a single product from these companies or, as seems more likely, a series of modules on a common underlying platform, which is an easier sales pitch as it enables gradualism in the customer’s adoption process.
Omdia is readying a Market Radar on the CPM market in which we will be analyzing how the key players are evolving and where they are taking their product offerings, with publication scheduled for the beginning of 2022. Stay tuned!