App Identity Modernization

What is application & identity migration


Why app & identity migrations are necessary and how to make them more manageable

Migrating applications and identities to the cloud is a bit like the Wild West. There’s no set way to do things, the risks are real, and the stakes are high. However, there are approaches to avoid and best practices to consider when planning app or identity migrations to help ensure they go smoothly. 

We’ll explore what identity migration is, what app migration is, why the two are tied together, and how to solve app and identity migration challenges. 

What is identity migration?

Migration generally means moving from old legacy identity systems to modern, cloud-native identity systems. A migration has two components: user identity migration and application migration. Identity refers to the people (user accounts and their attributes) who are registered to use a computing system. 

In some cases, an enterprise has its identities and user attributes in on-premises directories and databases. When trying to get off a legacy system, like CA Siteminder or Oracle Access Manager, getting the user identities to the new cloud is the priority. 

What is app migration?

Application migration is the process of moving software applications (apps) from one computing environment to another. As with identity migration, the move is usually from a legacy on-premises system to the cloud. 

Applications are built for specific cloud architectures, which makes migrations complicated. In addition, each app is intertwined with the identity system it was built against. Untangling the identities is not a simple project. We’ll get into that in a moment. 

Why do enterprises need to migrate apps & identities?

Organizations need to migrate for several reasons. A recent study by Strata found that the main reasons organizations cite for moving to the cloud include:

  • To implement a Zero Trust security model 
  • To implement an identity governance program
  • To manage identity silos created by multi-cloud environments 
  • To modernize identity systems and reap the benefits of the cloud
  • To avoid vendor lock-in with a legacy system at its end of life (EOL) 

More than 75% of enterprise workloads are still on-premises, and hundreds to thousands of apps need to migrate. The move to the cloud and adoption of Zero Trust architectures is accelerating, but apps remain on-premises behind legacy identity systems. 

Related reading: The State of Multi-Cloud Report 2023

Challenges of identity migrations 

The main challenge of identity migration is getting information from one place to another in a way that’s not disruptive to the user. The traditional bulk migration project requires an organization to move most identity data at once, but not the passwords that go along with it, because stored credentials are encrypted and cannot be exported in a usable form. 

Other obstacles preventing a seamless migration include data consistency and quality, as well as the high failure rate of a “Big Bang” migration. 

User experience disruption

Often, the end-user is the unwitting victim of a poorly planned migration. When an organization migrates user identities and apps from one place to another, it can be very disruptive to the end-user. After the identity information is moved during the migration, the user has to reset passwords or register accounts. 

Getting each person in a large company to reset their credentials takes up a lot of time and causes innumerable headaches for already stretched-thin IT teams. 

Even more concerning than the frustration of resetting login credentials is the risk it creates. Changes to login screens are a favorite lure for phishing attacks, and an email asking a user to reset their password is a classic phishing pattern. So your legitimate credential-reset requests reduce users’ suspicion of malicious emails asking for the same information. 

Data consistency & quality

Another common obstacle is ensuring the consistency and quality of the data during a user identity migration. Most often there is a mix of identity sources, such as AD, LDAP, SQL databases, and apps that hold their own identity data. These sources need to be rationalized, and many of them consolidated into a few, which adds complexity. That complexity is the source of data inconsistency.

Big fails of “Big Bang” migrations 

When a company insists on a “Big Bang” migration to speed up the process, it sets itself up for failure. Why? It becomes an all-or-nothing situation: the company is gambling with its valuable data. If it succeeds, great, but most of the time, that’s not what happens.

Inevitably, a complication will occur for which there is no simple fix. Unfortunately, when all of the data is already migrated, the only option for organizations is to roll everything back. As a result, any gains made with time savings are lost. 

The Big Bang approach also assumes you can fully shut off legacy identity. The reality is that you need coexistence so you can gradually replace the old with the new. You can’t get all the apps and identities done at once. Instead, you need to move in batches as capacity allows.

Challenges of application migrations

Migrating apps is a manual process. It takes roughly three to nine months and $100,000 to re-code each app to work with a different identity system. It’s time-consuming, expensive, and in some cases not even possible. This leaves many organizations stuck between a rock and a hard place when it comes to migrations.

Application migrations are costly, complicated, and time-consuming

For an app on an old legacy system to integrate correctly with a new cloud-based identity system, it must be re-coded to work with new standards and protocols, like SAML or OpenID Connect. It is a prohibitively expensive undertaking. For a company with hundreds of apps, it will cost tens of millions of dollars. 

It’s not only expensive but also time-consuming. Investing money and people in a project that will consume them for years is de-energizing. Moreover, with the skills shortage in tech right now, companies can’t afford to tie up their teams with backward-facing projects. 

Often the source code was written years ago by someone who is no longer around to update it. Without the people who understand the source code, changing the app is risky because it could break, and many legacy apps are still running critical business processes for the enterprise.

Finally, most companies have commercial apps and SaaS apps whose source code doesn’t, and never has, belonged to them. It’s not possible to change the source code of apps you don’t have access to.

Recommendations for identity & application migrations

When getting started with an identity or app migration, ask the following questions: 

  • What systems do we have? 
  • Are we moving our apps from one cloud to another or from a legacy on-premises system to the cloud? 
  • How many apps do we have? 
  • Do we have access to the source code? 

Those questions are just the tip of the iceberg when planning a migration. The best way to overcome the obstacles is to trade in the traditional “Big Bang,” all-or-nothing approach and instead follow a pattern called “live migration.” 

Do a “live” migration

Live migration is incremental, meaning the migration can test the waters at each step. Rather than grabbing all the identities and moving them at once, live migration takes small batches or cohorts of very low-risk users and proxies their interaction with applications. 

As that is happening, each user’s information, credentials, and attributes are captured at login and moved from the old system to the new one. With small batches, if something goes wrong, it’s straightforward to take those small groups and revert to the previous state. 

The incremental approach is much more agile and adaptive, and far better suited to the distributed, multi-cloud global enterprises that are increasingly common today. The user experience is not even comparable. When users log into the new system, they don’t have to reset their credentials; they’re not even aware that they’re using a new system. It’s seamless. 

Use Identity Orchestration for migration

Identity Orchestration can be used to route migrated users to the new identity system in the background, so it’s transparent. At the same time, additional steps can be taken to increase security, such as hardening the credentials or adding multi-factor authentication to an app. 

Identity Orchestration software automatically keeps track of those users that have already migrated. If it’s the user’s first time logging into an application, the software routes them to the new identity system, logs them in, and then sends them to the application using the same login screen. 
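The routing described in this section and in the “live” migration section above, as an added example that is not Strata’s or Maverics’ code: a small Python proxy that validates a not-yet-migrated user against the legacy store and, if the user belongs to the current low-risk cohort, re-hashes the verified password into the new identity store so later logins are routed to the new system without a credential reset; a cohort can be rolled back. The legacy unsalted SHA-1 format, the PBKDF2 parameters, and the user data are constructed assumptions for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample data: the legacy store is assumed to hold unsalted SHA-1 hashes
# (an illustrative assumption), which cannot simply be copied into a modern IdP.
LEGACY_USERS = {
    "alice": hashlib.sha1(b"alice-pass").hexdigest(),
    "bob": hashlib.sha1(b"bob-pass").hexdigest(),
    "carol": hashlib.sha1(b"carol-pass").hexdigest(),
}


class MigrationProxy:
    """Sits in front of the app and decides, per login, whether the legacy or the new system authenticates."""

    def __init__(self, legacy, cohort):
        self.legacy = legacy          # legacy identity store: username -> legacy hash
        self.cohort = set(cohort)     # low-risk users eligible for migration in this batch
        self.new_store = {}           # new identity system: username -> (salt, PBKDF2 hash)
        self.migrated = set()         # users already routed to the new system

    def _new_hash(self, password, salt):
        # Hash format of the new system (assumed here: salted PBKDF2-HMAC-SHA256).
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def login(self, user, password):
        """Return which system authenticated the user ('new', 'migrated', 'legacy') or None on failure."""
        if user in self.migrated:
            salt, stored = self.new_store[user]
            ok = hmac.compare_digest(self._new_hash(password, salt), stored)
            return "new" if ok else None
        # Not migrated yet: validate against the legacy store (constant-time comparison).
        stored = self.legacy.get(user)
        if stored is None or not hmac.compare_digest(
            hashlib.sha1(password.encode()).hexdigest(), stored
        ):
            return None
        # Valid legacy login: if the user is in the current cohort, capture the verified
        # credential and write it to the new store in the new system's own hash format.
        if user in self.cohort:
            salt = os.urandom(16)
            self.new_store[user] = (salt, self._new_hash(password, salt))
            self.migrated.add(user)
            return "migrated"
        return "legacy"

    def rollback_cohort(self):
        """Revert the current batch: drop their new-store entries so their logins go back to legacy."""
        for user in self.cohort & self.migrated:
            del self.new_store[user]
        self.migrated -= self.cohort
```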

Making application & identity migration easier

Proper preparation and planning before beginning your migration project can save you a ton of headaches. Consider taking the “live” approach to migration using identity orchestration software to move incrementally rather than doing a bulk migration.

Orchestration software takes on the heavy lifting of app and identity migrations. It automates the process and uses an abstraction layer to move the apps and re-route identities. With orchestration, apps never have to be rewritten to work with the new identity system. 

Ultimately, Identity Orchestration enables zero trust and lets organizations modernize and gain all the benefits that come from the cloud. Maverics Identity Orchestration can be used with Orchestration Recipes to ease the burden of migration for even the most challenging apps.
