Identity requirements for public cloud services
- SaaS
  1. Authentication: Users getting authenticated to the app based on company policies
     - Okta is a leader here, followed by Azure AD. New passwordless startups are attacking this space by focusing on developers. But even if one SaaS app does not have passwordless authentication wired in, the customer still has to rely on federation solutions like Okta
  2. PAM/Authorization: Define roles/policies to control permissions to actions/data
  3. IGA: Access review, compliance, on-boarding/off-boarding
     - I believe a single platform should have PAM, Authorization and IGA (#2, #3). If not, you are managing multiple vendors and not reducing risk
     - This space is very active, as legacy players like Saviynt and SailPoint had a gap here (though they have offerings now). Newer players are trying to marry permission management (the process of authorizing users) with access review and compliance, or to fix it through the API/SDK route within the app itself
  4. Posture Mgmt.: Configuration, overly permissive settings, data leakage/policies
     - App configuration and governance is only partly related to identity, but it makes sense when done together in one platform. I expect #2, #3 and #4 to consolidate at some point, or more likely #4 to become part of a broader cloud security platform, or #4 to become part of a broader IGA/PAM platform (similar to Saviynt, SailPoint)
     - Two categories of vendors compete in this space
  5. Data Loss Protection: Data access for SaaS will be addressed by #2, #3 and #4 above, but customers needing additional DLP controls and visibility will need to use specialized data security vendors. Vendors just focusing on SaaS might remain niche
     - This is an upcoming space. Obsidian has been focused on this for a while. A newer breed of players is focusing on the 3rd-party apps that sit on top of larger SaaS platforms like Salesforce, and on monitoring the run-time activity of users and data
- PaaS
  1. Authentication: Users getting authenticated to the app based on company policies
     - As PaaS platforms tend to be few, customers can use their existing IdP for authentication
  2. PAM/Authorization: Define roles/policies to control permissions to actions/data. Manage privileged users/admins
  3. Data Access Control: Fine-grained, table granularity
     - This tends to be a big pain point, particularly for privacy and security, due to the valuable and sensitive data stored in these systems
     - Currently vendors are stronger on either #2 or #3. Long term I can see #2 consolidated into a broader IGA/PAM platform and #3 into a broader data security platform, or into the data platform itself (Snowflake, Elastic, etc.)
     - I don't see dedicated vendors so far, but I expect PaaS and IaaS run time to be addressed by similar vendors
- IaaS
  1. Authentication: Users getting authenticated to the app based on company policies
     - This is becoming a strategic control point for cloud providers, and one of the most important pillars for cloud providers to enforce lock-in on customers. Though cloud providers support your on-premise AD, SAML or OpenID, they also provide their own options and more granular controls/policies. As you burn these controls/policies in for every asset and user, it becomes a lock-in: it is easy to move a workload with k8s, but identity needs to be lifted and shifted. See more discussion under Multi-Cloud (#4) below
  2. CIEM/PAM/Authorization: Define roles/policies to control permissions to actions/data. Manage privileged users/admins
     - Related to #1 above, cloud providers are adding CIEM/PAM/Authorization functionality. Microsoft acquired CloudKnox to bolster its capabilities. Customers using a single cloud will benefit, but large enterprises using multi-cloud will see more benefit in multi-cloud CIEM vendors
  3. Run-time Protection: Weaves events from different systems together to give you a full story of what your identity of interest has been up to in your cloud
     - I believe this will be the battle of the future. Authentication, CIEM and PAM fix authorization issues at a given moment in time but lack a comprehensive view of the identities. In cloud, everything is API driven (not network driven like on-prem), so identity becomes the first bastion and also the major attack vector. CSPM and CWPP fix vulnerabilities in apps and hosts but lack east-west visibility of data and identities. In future we can expect complicated attacks stemming from identity and tracing through multiple layers, assets or even clouds. Currently a few vendors are addressing this, with Permiso (disclaimer: investor) being the only pure play.
  4. Multi-Cloud: Identity virtualization layer to make identities portable across multiple clouds
     - Let's revisit this from #1 above. Any enterprise with a multi-cloud strategy is not really multi-cloud unless it makes identities portable. Along with public clouds you also need to marry your on-prem identity with cloud identity. Each cloud will have varying capabilities, so moving from one cloud to another will not be easy
     - A good analogy is what Okta did for SaaS: these vendors are orchestrating identity for IaaS and PaaS
     - Long term I see this as a better fit with multi-cloud management solutions provided by non-cloud vendors like VMware and IBM, as it would need integration and collaboration with cloud management, data management, etc., but it can also be a good fit for CNAPP vendors
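As an added example (not from the original post or from any vendor named in it) of the run-time identity correlation described under IaaS #3: constructed events from an IdP, cloud IAM and a storage access log are stitched into one identity timeline by following role assumptions and key creations back to the originating user, and a privilege pivot followed by access to a sensitive target is flagged. The event fields, identities and bucket names are assumptions.

```python
# Constructed sample events (not real logs) from three sources: an IdP sign-in,
# cloud IAM control-plane calls and a storage data-plane access log. The field
# names, identities and bucket names are assumptions, not any vendor's schema.
EVENTS = [
    {"ts": "2024-01-10T09:00:00Z", "source": "idp", "principal": "alice", "action": "Login", "target": None},
    {"ts": "2024-01-10T09:02:00Z", "source": "iam", "principal": "alice", "action": "AssumeRole", "target": "role/admin"},
    {"ts": "2024-01-10T09:03:00Z", "source": "iam", "principal": "role/admin", "action": "CreateAccessKey", "target": "user/svc-backup"},
    {"ts": "2024-01-10T09:10:00Z", "source": "storage", "principal": "user/svc-backup", "action": "GetObject", "target": "bucket/customer-exports"},
    {"ts": "2024-01-10T09:11:00Z", "source": "storage", "principal": "bob", "action": "GetObject", "target": "bucket/public-assets"},
]
# Actions whose target becomes a new identity acting on behalf of the caller,
# and the data targets we treat as sensitive for this example.
PIVOT_ACTIONS = {"AssumeRole", "CreateAccessKey"}
SENSITIVE = {"bucket/customer-exports"}

def parent_map(events):
    """Map each derived identity (role, key) to the principal that first obtained it."""
    parents = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["action"] in PIVOT_ACTIONS:
            parents.setdefault(e["target"], e["principal"])
    return parents

def root_identity(principal, parents):
    """Walk the pivot chain back to the originating identity (cycle-safe)."""
    seen = set()
    while principal in parents and principal not in seen:
        seen.add(principal)
        principal = parents[principal]
    return principal

def timeline(events, identity):
    """Every event attributable to one identity, across sources, in time order."""
    parents = parent_map(events)
    mine = [e for e in events if root_identity(e["principal"], parents) == identity]
    return sorted(mine, key=lambda e: e["ts"])

def flag_pivot_to_sensitive(events):
    """Root identities that changed privilege and then touched a sensitive target."""
    parents = parent_map(events)
    flagged = []
    for root in sorted({root_identity(e["principal"], parents) for e in events}):
        pivoted = False
        for e in timeline(events, root):
            if e["action"] in PIVOT_ACTIONS:
                pivoted = True
            elif pivoted and e["target"] in SENSITIVE:
                flagged.append((root, e["principal"], e["target"]))
    return flagged
```

Viewed per source, each of the four alice-related events looks routine; only the stitched timeline shows that the storage read by `user/svc-backup` traces back to alice's sign-in via two privilege pivots.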
Comments

CEO, Polymer - Data Loss Prevention for AI (2y):
Pramod Gosavi, a good read! Agree, authentication-related cloud lock-ins are also a pain for security SaaS product companies like us who have to support multiple versions!!!

Security, Privacy and AI (2y):
Fantastic analysis 😀
Regarding 3), not only real-time analytics such as multi-cloud observability; CNAPP also needs to block threats without killing the containers and with no downtime