Identity Integration for the Distributed Multi-Cloud Era
Cloud computing is universally recognized as one of the most transformative technologies to ever come along. It allows anyone with an internet connection to access applications and data from anywhere while providing any size organization with on-demand, elastic and scalable IT infrastructure. Because of these and other benefits, cloud adoption continues unabated.
Meanwhile, the cloud has also amplified some existing IT challenges. Chief among these is identity management, for several reasons. Most companies, for example, use multiple cloud providers alongside their existing on-premises IT infrastructure. These multi-cloud environments, as they are known, require organizations to manage a different identity system for each provider. In addition, on-premises legacy applications are typically hard-coded to a particular identity solution, making them very difficult to migrate to another platform. With so many identity silos in use, security administrators are rapidly approaching a cliff in terms of their ability to manage them all.
Identity challenges lurk below the surface
This is not an isolated challenge. According to a recent survey, 85% of organizations currently use a multi-cloud environment. The same study also found that 98% of organizations expect to operate within a multi-cloud environment by 2021. This means that practically every company is, or soon will be, grappling with managing multiple identity systems. These identity silos are only the tip of the iceberg. Here are some thorny challenges that lurk below the surface for many companies:
1:1 Legacy Application Integration
Companies with legacy applications that run on-premises typically operate a separate identity solution for each one. Older identity systems such as CA SiteMinder and Oracle Access Manager are tightly integrated with a single application. This means that companies are often locked into using outdated identity technology unless they are prepared to rewrite the application, which is very expensive and time-consuming.
Meanwhile, rewriting an application to use a newer identity management system often means locking into yet another proprietary platform. Rather than building a 1:1 integration between each application and each identity system, an abstraction layer enables 1:many integration and can eliminate the need to rewrite apps each time the identity system changes.
Without a better option, many organizations resort to setting up and maintaining cloud identity systems manually. These often fail since a typical company uses some combination of AWS, Google Cloud, and Microsoft Azure, each with its own identity system. When combined with managing legacy applications, this creates a recipe for confusion and frustration.
Even adding staff does not adequately address the problem, since large organizations with hundreds or thousands of employees generate identity adds, changes, and deletions on a daily basis. There is too much complexity across systems, clouds, and organizations to manage this entropy manually.
Meanwhile, each cloud service provider requires an organization to use its own built-in identity domain. Even companies that have adopted an Identity-as-a-Service (IDaaS) platform for cloud identity must still use the built-in identity domains of AWS, Azure, and GCP. Complicating matters, some Software-as-a-Service (SaaS) apps, such as Microsoft Office 365, require enterprises to use Azure AD, the vendor's proprietary identity management system.
Legacy End of Life
As the cloud takes priority in boardrooms and budgets, many legacy identity-management vendors have deprioritized investment in and ended support for "legacy" on-premises software, including Broadcom (CA) SiteMinder, IBM Tivoli Access Manager, and Oracle Access Manager. Thousands of enterprises still rely on these products to protect core business applications and cannot easily migrate away from them, primarily because modernizing legacy identity domains has historically required several quarters or even years of complex migration planning, execution, and validation. The cost and complexity are too great for many enterprises.
The case for integrating identities and apps
There are a number of reasons why it makes sense to integrate identities and apps. Identity lifecycle management, which encompasses adding, updating, and removing users, is one. Integrating identities and apps provides a unified view and a single point of control, so that a change can be made once and propagated to every identity domain in which the user exists.
Session management is another. A web session is a sequence of HTTP request and response transactions associated with a user, carrying state such as authentication status and access rights. Some organizations use single sign-on services from Okta, Ping Identity, and others to manage access to multiple cloud-based applications. A solution that can integrate identities from any of these sources and unify policy across identity systems makes the network or security administrator's job much easier.
Lastly, consider composite identity management, where an app runs across multiple cloud platforms and requires a consistent identity in each of them. Such apps also depend on the integration of identities and apps.
Although identity silo sprawl originated and persists in on-premises enterprise IT infrastructure, it is being magnified by the multi-cloud phenomenon. Reining in this problem, and creating a bridge to migrate from end-of-life to modern identity management systems, can be accomplished using an abstraction layer approach. By establishing an identity fabric, silos can be connected in a one-to-any fashion instead of the one-to-one fashion used in the past.
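To make the abstraction-layer idea concrete, here is an added Python sketch of an identity fabric; it is illustration written for this page, not code from the article or from any vendor product. Each identity silo is wrapped once by an adapter implementing a small common contract, lifecycle changes are issued once to the fabric and fanned out to every registered domain (the 1:many integration described above), one unreachable domain does not block the others, and a drift report gives the unified view of where a user's record is missing or inconsistent. The domain names, the in-memory adapters standing in for cloud IAM and a legacy web access manager, and the user records are all constructed for the example.

```python
from __future__ import annotations
from abc import ABC, abstractmethod
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class User:
    """Canonical user record the fabric speaks; adapters translate it per silo."""
    username: str
    email: str
    groups: frozenset = frozenset()


class IdentityDomain(ABC):
    """Adapter contract. Each silo implements this once; applications then talk
    to the fabric instead of integrating 1:1 with every identity system."""
    name: str = "unnamed"

    @abstractmethod
    def get(self, username: str) -> Optional[User]: ...
    @abstractmethod
    def upsert(self, user: User) -> None: ...
    @abstractmethod
    def delete(self, username: str) -> None: ...
    @abstractmethod
    def list_usernames(self) -> list[str]: ...


class CloudIamDomain(IdentityDomain):
    """Constructed stand-in for a cloud provider's built-in IAM (in-memory).
    `available` lets the example simulate an outage of one provider."""
    def __init__(self, name: str, available: bool = True):
        self.name, self._store, self.available = name, {}, available

    def _check(self) -> None:
        if not self.available:
            raise ConnectionError(f"{self.name} unreachable")

    def get(self, username):
        self._check()
        return self._store.get(username)

    def upsert(self, user):
        self._check()
        self._store[user.username] = user

    def delete(self, username):
        self._check()
        self._store.pop(username, None)

    def list_usernames(self):
        self._check()
        return sorted(self._store)


class LegacyWamDomain(IdentityDomain):
    """Constructed stand-in for an on-premises web access manager that keys
    records by upper-case login and stores roles as a list; the adapter hides
    that quirk so the fabric never has to know about it."""
    def __init__(self, name: str):
        self.name, self._store = name, {}

    def get(self, username):
        rec = self._store.get(username.upper())
        if rec is None:
            return None
        return User(rec["login"], rec["mail"], frozenset(rec["roles"]))

    def upsert(self, user):
        self._store[user.username.upper()] = {
            "login": user.username, "mail": user.email, "roles": sorted(user.groups)}

    def delete(self, username):
        self._store.pop(username.upper(), None)

    def list_usernames(self):
        return sorted(rec["login"] for rec in self._store.values())


@dataclass
class ChangeReport:
    applied: list = field(default_factory=list)   # domains that took the change
    failed: dict = field(default_factory=dict)    # domain name -> error text


class IdentityFabric:
    """Abstraction layer: one lifecycle call is propagated to every domain."""
    def __init__(self):
        self._domains: dict[str, IdentityDomain] = {}

    def register(self, domain: IdentityDomain) -> None:
        self._domains[domain.name] = domain

    def _fan_out(self, op) -> ChangeReport:
        report = ChangeReport()
        for name, dom in self._domains.items():
            try:
                op(dom)
                report.applied.append(name)
            except Exception as exc:   # a silo being down must not block the rest
                report.failed[name] = str(exc)
        return report

    def upsert(self, user: User) -> ChangeReport:
        return self._fan_out(lambda d: d.upsert(user))

    def delete(self, username: str) -> ChangeReport:
        return self._fan_out(lambda d: d.delete(username))

    def drift(self) -> dict[str, list[str]]:
        """Unified view: for each username, the reachable domains whose record is
        missing or differs from the first reachable domain that holds it."""
        views = {}
        for name, dom in self._domains.items():
            try:
                views[name] = {u: dom.get(u) for u in dom.list_usernames()}
            except Exception:
                continue   # unreachable right now; cannot be compared
        out = {}
        for u in sorted(set().union(*views.values())):
            records = {n: v.get(u) for n, v in views.items()}
            reference = next(r for r in records.values() if r is not None)
            bad = sorted(n for n, r in records.items() if r != reference)
            if bad:
                out[u] = bad
        return out


def demo():
    """Constructed scenario: one user change, three silos, one provider outage."""
    fabric = IdentityFabric()
    aws, gcp = CloudIamDomain("aws-iam"), CloudIamDomain("gcp-iam")
    legacy = LegacyWamDomain("siteminder")
    for d in (aws, gcp, legacy):
        fabric.register(d)
    first = fabric.upsert(User("alice", "alice@example.com", frozenset({"devs"})))
    gcp.available = False                       # simulated outage of one provider
    second = fabric.upsert(User("alice", "alice@example.com", frozenset({"devs", "oncall"})))
    gcp.available = True
    return fabric, first, second, fabric.drift()


if __name__ == "__main__":
    _, first, second, drift = demo()
    print("first change:", first)
    print("second change:", second)
    print("drift after outage:", drift)
```

The point of the `ChangeReport` and `drift()` pair is that the administrator makes the change once and still learns which silo missed it, instead of discovering the inconsistency later through a failed login or a lingering account; re-issuing the same upsert once the provider is back is enough to clear the drift, because every adapter is idempotent.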