Access granted: the future of identity in the cloud

Shashwat Sehgal

Apr 24, 2025


I’m excited to share the first in a series of articles I’m writing about identity and access in the cloud era. We’re at a pivotal moment—one where organizations aren’t just upgrading a tool, they’re being handed an opportunity to rethink how cloud identity should work in a world dominated by machines, APIs and multi-cloud environments.

Identity is the new perimeter

The firewall isn’t the front line anymore—identity is. And attack strategies are no longer focused solely on human identities. They are exploiting every container, service, bot and background task that’s asking for access—sometimes thousands of times a day.

Every breach headline you see? Almost all of them start with compromised credentials or over-permissioned access. The scary part? Most organizations don’t even know who (or what) has access to what. When every microservice, script and intern’s test environment can spin up access to production data, you’re playing defense against an invisible opponent.

The Cloud Security Alliance said it best:

“IAM platforms are increasingly fragmented across IaaS, PaaS, and SaaS ecosystems—resulting in inconsistent access policies and gaps in oversight.”
– CSA, Top IAM Priorities for 2025

That fragmentation is what makes identity such a huge risk—and also why it’s time to shift from managing identities to mastering identity.

The cloud changed everything—so should your identity strategy

During my time at Splunk, I saw firsthand how cloud adoption forced every part of the security stack to evolve—except identity. We kept duct-taping tools together and expecting them to work just because they had acronyms we trusted.

But here’s the thing: Cloud identity isn’t just “identity, but in the cloud.” It’s fundamentally different.

You're not managing a handful of employees with badge access anymore. You're managing thousands of identities, many of which are non-human, with access to sensitive data across multiple cloud environments, all spinning up and down in real time.

I talk to CISOs all the time who say things like, “We have a solid IAM program… except for the bots. And the cloud functions. And for our engineers who have standing admin privileges. And the third-party data pipelines.” That’s not a program—those are blind spots waiting to be exploited.

It’s not time for another upgrade. It’s time for a rethink.

The recent announcement by Microsoft that it’s sunsetting Entra Permissions Management is more than product news—it’s a signal that the legacy identity stack is cracking under the weight of the cloud.

And if your reaction is, “Ugh, guess we need to swap in a new tool,” you’re missing the opportunity.

This shift isn’t about layering on another platform that you’ll need to phase out five years from now. It’s about recognizing that identity is now your security perimeter—and that perimeter includes not just humans, but every service, workload, container, and automation bot that asks for access.

This is a rare moment to pause and reimagine how identity should actually work in a world that’s API-first, multi-cloud and packed with complex human and machine identity requirements. This is your chance to simplify, consolidate, and take control. Not just swap one acronym for another.

It’s time to stop saying “I’d like to buy an acronym!”

IAM, PAM, IGA, CIEM… the alphabet soup of identity tools was built for a time when:

  • Enterprise infrastructure was predominantly on-prem
  • Identities were mostly human
  • Multi-cloud wasn’t even a thing

If you think about it, these tools all manage identity and access in different ways:

  • IAM provisions and manages users
  • PAM handles privileged accounts
  • IGA governs access through compliance
  • CIEM manages cloud permissions and entitlements

Each of these tools was built in a silo, with limited visibility and a narrow use case. They manage the same identities with different policies, creating blind spots, inconsistencies and duplication. To be fair, they each had a role to play when cloud adoption was still in its early days. But in a converged, always-on, multi-cloud-native world, it’s like carrying four compasses that all point in slightly different directions.

What does this mean for DevOps, IT and security teams? Orchestration complexity, blind spots and a nearly impossible job trying to govern it all.

As the Cloud Security Alliance puts it:

“More than a third of organizations are not satisfied with their ability to monitor their IAM environments.”
– CSA, Top IAM Priorities for 2025

So instead of patching over the cracks with another acronym or point solution, this is your chance to consolidate, modernize and actually gain control.

We’ve entered the era of cloud-native identity. And for the first time, we’re building platforms that are purpose-built for the real challenges of cloud access—at scale, with automation, and with governance in mind.

The four pillars of a modern cloud identity platform

(And why it’s not just alphabet soup)

So what does a modern identity platform actually need to do? It comes down to four key things. And here’s the truth: no single legacy tool was built to do all four.

Discover and monitor every identity across every cloud

You can’t secure what you can’t see. A modern platform must continuously discover and track every identity (human or machine) and every credential (permanent or short-lived) across AWS, GCP, Azure, Kubernetes, and beyond. This includes users, roles, service accounts, credentials and entitlements. No more guesswork. No more hidden access paths. Yes, even that forgotten Lambda function from two sprints ago.

Reduce identity risks with real-time prioritization

Just because someone can access something doesn’t mean they should. Modern identity platforms go beyond flagging basic issues—they assess blast radius, surface the highest-risk exposures, and cut through the noise. Whether it’s an over-permissioned service account, an unused key, or a toxic policy combo, the platform should help teams act on what matters most.
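As an added illustration of the discovery and prioritization pillars (example code, not from this post or from P0 Security): it scores a small constructed inventory of human and non-human identities, flagging the three cases named above and weighting each by blast radius. The rules, severities, the 90-day threshold, the toxic-combination list and the sample identities are all assumptions.

```python
# Added example (not the post's or P0 Security's code); rules, weights and sample data are assumptions.
from dataclasses import dataclass
from datetime import datetime, timezone
def day(y, m, d): return datetime(y, m, d, tzinfo=timezone.utc)  # UTC helper for sample dates
NOW = day(2025, 4, 24)  # fixed clock so results are reproducible
UNUSED_DAYS = 90        # assumed threshold for an unused credential
# Permission pairs that together let an identity widen its own access (assumed list)
TOXIC_COMBOS = [({"iam:CreatePolicyVersion", "iam:AttachRolePolicy"}, "policy write + attach")]
@dataclass
class Identity:
    name: str
    kind: str            # "human", "service" or "function"
    actions: set         # allowed actions, expanded across all attached policies
    last_used: datetime  # last authenticated use of the identity's credential
def findings(ident):
    """Return (label, severity) pairs for one identity; empty means nothing to act on."""
    out = []
    if ident.kind != "human" and "*" in ident.actions:
        out.append(("over-permissioned non-human identity (wildcard)", 9))
    if (NOW - ident.last_used).days > UNUSED_DAYS:
        out.append((f"credential unused for more than {UNUSED_DAYS} days", 6))
    for combo, label in TOXIC_COMBOS:
        if combo <= ident.actions:
            out.append((f"toxic policy combination: {label}", 8))
    return out

def blast_radius(ident):
    """Distinct services the identity can reach; a wildcard counts as every tracked service."""
    return 10 if "*" in ident.actions else len({a.split(":")[0] for a in ident.actions})

def prioritize(inventory):
    """Rank identities that have findings: score = highest severity x blast radius."""
    ranked = []
    for ident in inventory:
        found = findings(ident)
        if found:
            score = max(sev for _, sev in found) * blast_radius(ident)
            ranked.append((ident.name, score, [label for label, _ in found]))
    return sorted(ranked, key=lambda row: row[1], reverse=True)

# Constructed inventory: one identity per finding type plus one that is clean
INVENTORY = [
    Identity("ci-deploy-sa", "service", {"*"}, day(2025, 4, 20)),
    Identity("old-lambda-role", "function", {"s3:GetObject", "logs:PutLogEvents"}, day(2024, 11, 1)),
    Identity("alice", "human", {"iam:CreatePolicyVersion", "iam:AttachRolePolicy",
                                "ec2:DescribeInstances"}, day(2025, 4, 23)),
    Identity("reporting-sa", "service", {"storage:read"}, day(2025, 4, 22)),
]
for name, score, labels in prioritize(INVENTORY):
    print(f"{score:4d}  {name:16s} {'; '.join(labels)}")
```

The wildcard service account lands at the top because a high severity multiplied by a wide blast radius outranks a stale credential on a two-service role, which is the ordering a team should act on first.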

Automate access orchestration, purpose-built for the cloud

Visibility without action is just shelfware. The right platform enables just-in-time access, auto deprovisioning, credential rotation, and policy enforcement without slowing down developers. No agents, bastion hosts or proxies. No workflow blockers. Just seamless, secure access automation that integrates into existing CI/CD and cloud pipelines.

Enforce unified governance across IAM, PAM and IGA

Identity governance shouldn’t be a spreadsheet exercise. With compliance requirements only increasing, you need one system that automates access reviews, applies fine-grained policies, and generates auditable evidence of control. The right platform helps you stay aligned to frameworks like SOC 2 and ISO 27001—without sacrificing cloud speed.

This is the opportunity

This shift isn’t a burden. It’s not one more tool to implement before budget season. It’s a reset button. You can consolidate siloed tools. You can clean up access. You can reduce risk and operational drag at the same time.

Access should be granted—but only to the right things, at the right time, for the right reasons. And it starts with rethinking identity from the cloud down.

I would love to hear about your journey and whether you see this convergence taking place as well.

Are you ready to gain control of your cloud access?

Control and govern privileged access across all identities with P0 Security.