Microsoft Debuts AWS, GCP Permissions Management Offering

‘This is really the first big thrust by Microsoft to say, “Hey, we’re going to help you manage across all your clouds.” And you’ll see a whole bunch of news from us in the future as we just continue to push this direction,’ says Microsoft’s Alex Simons.


Microsoft has debuted capabilities to help customers discover, manage, and govern user and workload permissions across Amazon Web Services, Google Cloud Platform and Microsoft Azure.

Redmond, Wash.-based Microsoft said the public preview of CloudKnox Permissions Management is a pivotal step toward providing customers with true multi-cloud security. The offering leverages the cloud infrastructure entitlement management (CIEM) capabilities Microsoft acquired from CloudKnox in July, according to Alex Simons, corporate vice president of program management for Microsoft identity.

“This is really the first big thrust by Microsoft to say, ‘Hey, we’re going to help you manage across all your clouds,’” Simons told CRN. “And you’ll see a whole bunch of news from us in the future as we just continue to push this direction both in CloudKnox and across all of our cloud security.”



Microsoft was historically focused on securing its own cloud, but over the past 18 months has gone all-in on providing multi-cloud security that also protects rival public cloud platforms AWS and GCP, Simons said. An internal survey from Microsoft found that the biggest challenge for 83 percent of customer security leaders was managing across multiple clouds, and Simons said Microsoft wants to help.

Simons said a big turning point was Microsoft’s hiring of longtime AWS leader Charlie Bell in September 2021 to oversee a newly combined security, compliance and identity unit focused on providing multi-cloud and multi-device protection. Microsoft had a small set of multi-cloud security features in the past, but Wednesday’s CloudKnox announcement is Microsoft’s first big foray into protecting AWS and GCP.

“We’re just all in,” Simons said. “We know we have to go compete in this space and get really, really good at it.”

Microsoft’s identity team has for years had great relationships with AWS and GCP, Simons said, with more than 5,000 Azure Active Directory customers using AWS and nearly 5,000 using GCP. Extending permissions management beyond Microsoft requires a tremendous depth of understanding, since the permission models, the resource models and the way the identity systems work are all different for AWS and GCP.

“We have a really great working relationship with them,” Simons said. “We all want the same thing. We want our customers to be super secure and to have a really great experience across all these platforms.”

The CloudKnox team not only had a tremendous depth of understanding across AWS, Azure and GCP, but had also developed a model that provides a consistent representation of all of a customer’s resources and identities and makes it simple for customers to act. Some 90 percent of software identities are over-permissioned, and on average are using just 5 percent of the permissions they’ve been granted, he said.

For channel partners, Simons said CloudKnox Permissions Management opens opportunities for solution providers to work with their customers, design what the least-privilege ideal state should look like and help customers get there. Smaller customers are almost entirely dependent on channel partners to run their infrastructure, while larger customers turn to the channel for help with multi-cloud initiatives.
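The core CIEM measurement behind the "granted versus used" figures above, and the starting point for the least-privilege design work described for partners, is a comparison of the permissions an identity holds against the ones it has actually exercised. The following Python script is an added illustration of that comparison for a single AWS-style identity; it is not CloudKnox or Microsoft code and says nothing about how the product itself scores permissions. The IAM policy document, the CloudTrail-style usage records and the small action catalog used to expand wildcards are all constructed for the example, and the CloudTrail eventName-to-IAM-action mapping is an approximation (real CloudTrail event names do not always match IAM action names one-to-one). It right-sizes the Action element only; resource-level scoping is left as "*" and would need the same treatment in practice.

```python
"""Toy CIEM-style right-sizing check for one AWS identity.

Added illustration, not CloudKnox/Microsoft code. The policy, usage
records and action catalog are constructed for the example.
"""
import fnmatch
import json
from collections import Counter

# Constructed: a small stand-in for the full AWS action list, used to
# expand wildcards such as "s3:*" or "ec2:Describe*" into concrete actions.
ACTION_CATALOG = [
    "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket",
    "s3:DeleteBucket", "s3:PutBucketPolicy",
    "iam:CreateUser", "iam:AttachUserPolicy", "iam:PassRole", "iam:GetRole",
    "ec2:DescribeInstances", "ec2:RunInstances", "ec2:TerminateInstances",
    "sts:AssumeRole",
]

# Constructed: an over-broad policy attached to a workload role.
GRANTED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "ec2:Describe*"], "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:*", "Resource": "*"},
    {"Effect": "Deny", "Action": "iam:CreateUser", "Resource": "*"}
  ]
}""")

# Constructed: CloudTrail-style records of what the role actually did.
USED_EVENTS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject"},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject"},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject"},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances"},
]


def _as_list(value):
    """IAM allows a string or a list in Action/Statement; normalise to a list."""
    return value if isinstance(value, list) else [value]


def expand_actions(patterns, catalog=ACTION_CATALOG):
    """Expand IAM action patterns ('*' wildcard, case-insensitive) against the catalog."""
    matched = set()
    for pattern in patterns:
        for action in catalog:
            if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                matched.add(action)
    return matched


def effective_allowed_actions(policy, catalog=ACTION_CATALOG):
    """Allowed actions minus explicitly denied ones (explicit Deny always wins)."""
    allowed, denied = set(), set()
    for stmt in _as_list(policy["Statement"]):
        actions = expand_actions(_as_list(stmt.get("Action", [])), catalog)
        if stmt["Effect"] == "Allow":
            allowed |= actions
        elif stmt["Effect"] == "Deny":
            denied |= actions
    return allowed - denied


def actions_from_events(events):
    """Approximate IAM action names from CloudTrail eventSource/eventName.

    Assumption: '<service>.amazonaws.com' + eventName == '<service>:<eventName>'.
    This does not hold for every API (e.g. some S3 list calls), so treat
    the result as an estimate, not ground truth.
    """
    used = Counter()
    for ev in events:
        service = ev["eventSource"].split(".")[0]
        used[f"{service}:{ev['eventName']}"] += 1
    return used


def rightsize(policy, events, catalog=ACTION_CATALOG):
    """Compare granted vs used actions and emit a minimal Allow statement."""
    granted = effective_allowed_actions(policy, catalog)
    used = set(actions_from_events(events))
    exercised = used & granted
    return {
        "granted": len(granted),
        "used": len(exercised),
        "usage_ratio": len(exercised) / len(granted) if granted else 0.0,
        "unused_actions": sorted(granted - used),
        # Usage not covered by this policy points at another attached policy
        # or at a gap in the event-to-action mapping; worth investigating.
        "used_but_not_granted": sorted(used - granted),
        "minimal_policy": {
            "Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": sorted(exercised), "Resource": "*"}],
        },
    }


if __name__ == "__main__":
    print(json.dumps(rightsize(GRANTED_POLICY, USED_EVENTS), indent=2))
```

Run as-is, the script reports 10 effective granted actions (the `iam:CreateUser` Deny removes one of the four `iam:*` expansions), 3 of them exercised, a usage ratio of 0.3, and a list of seven unused actions that includes `iam:PassRole` and `iam:AttachUserPolicy`, which are the kind of dormant privilege-escalation paths a CIEM review is meant to surface. The `used_but_not_granted` field is the check to watch when activity appears that the policy under review cannot explain.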

“Our channel partners have that expertise, and our customers badly need it,” Simons said. “So it really is yet another opportunity for partners to take that expertise and apply it to an ever-growing segment of the market.”