Microsoft signage is seen on March 13, 2020, in New York City. The Redmond, Wash., company this week acquired CloudKnox, a leader in the cloud infrastructure entitlement management (CIEM) field. (Jeenah Moon/Getty Images)

Microsoft earlier this week strengthened its approach to cloud security, identity management and privileged access with the acquisition of CloudKnox, a leader in the cloud infrastructure entitlement management (CIEM) field.

CIEM covers two kinds of entitlements: human entitlements, the permissions and privileges users need to access cloud infrastructure resources such as S3 buckets and virtual machines, and machine entitlements, the permissions applications and machines need to communicate with databases and other applications.

In a blog post, Joy Chik, corporate vice president of Microsoft Identity, said CloudKnox offers full visibility into privileged access. CloudKnox works to help organizations “right-size” permissions and consistently enforce least-privilege principles. It also uses analytics to deliver intelligence that helps prevent security breaches and ensure compliance.
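To make the "right-sizing" idea in the two paragraphs above concrete, here is an added example that is not CloudKnox code and not part of Microsoft's post: it compares a constructed entitlement inventory for one human identity and one machine identity against a constructed activity log, then reports which granted permissions went unused, which of those are high-impact, and which exercised permissions are missing from the inventory. The identities, permission names and the HIGH_RISK set are assumptions made for the example.

```python
from collections import defaultdict

# Constructed entitlement inventory (assumption): identity -> granted permissions.
# One human user and one machine identity (a service account).
GRANTED = {
    "alice@example.com": {"s3:GetObject", "s3:PutObject",
                          "s3:DeleteBucket", "ec2:TerminateInstances"},
    "svc-billing": {"db:Read", "db:Write", "db:Admin", "s3:GetObject"},
}

# Constructed activity log (assumption): (identity, permission actually exercised).
ACTIVITY = [
    ("alice@example.com", "s3:GetObject"),
    ("alice@example.com", "s3:PutObject"),
    ("svc-billing", "db:Read"),
    ("svc-billing", "db:Read"),
    ("alice@example.com", "iam:PassRole"),  # exercised but absent from inventory
]

# Permissions whose misuse has outsized impact (assumption, for ranking only).
HIGH_RISK = {"s3:DeleteBucket", "ec2:TerminateInstances", "db:Admin", "iam:PassRole"}


def used_permissions(activity):
    """Collapse the activity log into identity -> set of permissions used."""
    used = defaultdict(set)
    for identity, perm in activity:
        used[identity].add(perm)
    return used


def right_size(granted, activity):
    """Per identity: what to keep, what to remove, and what to investigate.

    creep_pct is the share of granted permissions never exercised; a high
    value means the identity is over-provisioned relative to its real use.
    used_not_granted flags activity the inventory cannot explain (a gap in
    the inventory or an unexpected path to the permission) and should be
    investigated rather than silently granted.
    """
    used = used_permissions(activity)
    report = {}
    for identity, perms in granted.items():
        exercised = used.get(identity, set())
        unused = perms - exercised
        report[identity] = {
            "keep": sorted(perms & exercised),
            "remove": sorted(unused),
            "high_risk_unused": sorted(unused & HIGH_RISK),
            "used_not_granted": sorted(exercised - perms),
            "creep_pct": round(100 * len(unused) / len(perms)) if perms else 0,
        }
    return report
```

In practice the inventory would come from the cloud provider's IAM policy data and the log from its audit trail over a window long enough to capture periodic tasks; a permission unused in a short window is not proof it is unneeded.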

“While organizations are reaping the benefits of cloud adoption, they still struggle to assess, prevent, enforce and govern privileged access across hybrid and multi-cloud environments,” Chik said. “Even if they piece multiple siloed systems together, they still get an incomplete view of privileged access. Traditional privileged access management and identity governance and administration solutions are well-suited for on-premises environments. However, they fall short of providing the necessary end-to-end visibility for multi-cloud entitlements and permissions.”

Consider this a strategic move by Microsoft, given its prominent position with GitHub, Azure and Azure Identity Protection Services, said Carla Roncato, a senior analyst who covers security with the Enterprise Strategy Group. Roncato added that CloudKnox already supports multi-cloud, which gives Microsoft, as the world's largest identity provider, the advantage of identifying and managing non-Azure cloud entitlements for better identity protection.

“It could go a long way to improving managed IAM services, as well. For organizations that do not have the in-house skilled IAM talent, these services can be offered to combat identity-based attacks and breaches, in addition to improving DevOps velocity,” Roncato said.

Peter Firstbrook, a research vice president with Gartner who covers security, added that mapping identities has become more imperative because privileged identities can serve as a bridge for an attacker from low security environments to higher security ones. "However, it's really hard to map identities and detect missed configurations with current tools," said Firstbrook.

“Tools like CloudKnox let administrators better understand cloud identities and privileges and apply best practices like least privilege to minimize risk,” Firstbrook said. “They also monitor identity infrastructure for anomalous usage that may indicate an account takeover attack or man-in-the-middle attack. This has become increasingly important as more critical transaction systems and data move to the cloud and applications are built using microservices that interface with each other via APIs. Think of these types of tools as identity detection and response tools. They help harden the environment and detect identity misuse.”

Frank Dickson, program vice president, security and trust at IDC, said that as workloads and applications move to the cloud, the controls that security teams can put in place are more limited. As a result, implementing zero trust in a multi-cloud world relies on identity- and data-centric measures. Additionally, as the industry moves to multi-cloud, complexity makes security controls more important, as there is a greater attack surface to protect.

“Cloud entitlements are essentially dedicated cloud-centric, identity approaches to implement least privileged access in cloud environments,” Dickson said. “CloudKnox accelerates Microsoft’s ability to extend its rich Azure Active Directory capabilities to multi-cloud environments. It’s a great move.”