Addressing Hybrid Identity Fragmentation Across On-Prem and Azure
How Strata and Microsoft work together to solve the user provisioning and sync problems across hybrid identity environments
Chances are pretty good that you’re right in the middle of a cloud migration or hybrid identity plan of some sort. The recent Flexera State of the Cloud Report found that 93% of enterprises have a multi-cloud strategy, and 87 percent have a hybrid cloud strategy. Fifty-nine percent of enterprises expect cloud usage to exceed prior plans due to COVID-19. No wonder that Microsoft continues to see massive growth for Azure.
Meanwhile, during this transition, users, apps, and data spread across on-premises and cloud platforms. Enterprises are squeezing the last bit of life from legacy identity systems before they reach end-of-life. Each cloud platform brings its built-in identity system to the party. The legacy identity systems aren’t flexible enough to solve cloud identity challenges. Unless rewritten, often at a high cost, on-premises apps don’t support the standards used by cloud identity systems. Siloed fragmented identity is the unanticipated result of running hybrid infrastructures.
Building interoperability between on-premises identity systems, which tend to be proprietary, and cloud systems, which tend to support open standards, is complicated, labor-intensive, hard to maintain, and manual. Additionally, ownership of the hybrid identity solution is unclear at most companies, and politics get in the way of effective and efficient implementations. The bottom line is that identity fragmentation holds back cloud migration and digital transformation.
Challenges Managing Hybrid Identity
Delving further into the management of hybrid identities, we see that users, profile data, and attributes are duplicated or scattered across on-premises and the cloud. Specifically, decades-old tools and processes manage the allocation of on-premises identities across disparate systems: LDAP directories, databases, in-house HR systems, and Active Directory. Cloud providers manage identities using modern practices, standards, and APIs, but each cloud provider’s APIs expose unique ways to manage users, attributes, roles, and policies.
Let’s look at what happens when users and profile attributes are created and managed in different identity systems spread across on-premises and cloud.
- Attributes for Alice are mastered on-premises and synced up to the cloud. (Figure 1)
- Changes made in the cloud to Alice’s attributes are not reflected in on-prem systems. (Figure 1)
- Bob is created and managed in the cloud as a “cloud-only” user. (Figure 2)
- Bob is not synced with on-premises systems. (Figure 2)
- Carly is created in the cloud but needs access to on-premises applications. (Figure 3)
- Some attributes are mastered in the cloud and others on-premises, with no clear guidelines on how to keep Carly’s identity consistent. (Figure 3)
Now let’s look at this from the perspective of the applications.
- The Accounting app is locked on-prem, written to use the proprietary authentication and session of a legacy on-prem identity system. (Figure 4)
- Unless rewritten, the Accounting app cannot work with cloud identity systems that use standards such as SAML, OAuth, OpenID Connect, and SCIM. (Figure 4)
- The Expenses app was developed as a cloud native app running on a cloud platform and uses OpenID Connect. (Figure 5)
- The Expenses app is not accessible to those users without extending or deploying new on-premises capabilities or migrating on-premises users to the cloud platform. (Figure 5)
- The Docs Management app is a SaaS app that uses SAML to integrate with an identity as a service (IDaaS) platform. (Figure 6)
- Users must be provisioned to the Docs Management app, attributes kept in sync, and policies rationalized. (Figure 6)
These are the characteristics of a fragmented identity system. This fragmentation leads to confusion for administrators, poor user experiences, a lack of executive visibility into access policies and how they are enforced, and a weakened security posture.
Secure Hybrid Access with Strata and Azure AD
Strata and Microsoft work together to transition on-premises applications to use Azure AD as the principal identity repository and provide authentication and access control for on-prem apps. Strata extends Azure AD to protect these on-prem apps with no app rewrites and no user experience changes.
Microsoft Azure AD is the identity system of choice for many enterprises as they transition to the Azure cloud. Microsoft provides Azure AD Connect to sync user identities from on-prem Active Directory to Azure AD. Additionally, Azure AD manages cloud-only users to provide access to applications and services registered with an Azure AD tenant.
As a complement, Strata builds complete user profiles from attributes gathered from any identity system, including directories, databases, and any API-exposed system that holds identity profile attributes. Strata provides an aggregation of disparate profile information, giving your users a complete experience across hybrid environments. Specifically, for Azure, Strata provides the following capabilities:
- Strata “live migrates” users from on-prem identity systems to Azure AD during login and access to on-premises applications.
- Strata provides attributes to Azure AD Connect, which then syncs those attributes up to the cloud.
- Strata requests user authentication from Azure AD, collects attributes from claims sent by Azure AD, and enriches those claims with attributes from other directories and databases. This mainly includes group memberships used for granular access controls.
- Strata automatically builds the HTTP headers including those attributes and sends them to upstream on-premises apps. Apps can now work with any identity system, making it possible to lift and shift them to Azure where they work seamlessly through Strata with Azure AD, without any costly rewrites.
- Strata ensures consistent identities and policies are managed and enforced across Azure cloud and on-prem.
Strata manages hybrid identities by:
- Migrating and provisioning users to Azure AD
- Detecting when on-premises attributes from LDAP, databases, or Active Directory exist and then syncing those users to Azure AD Connect or Azure AD.
- Detecting when user attributes have changed in Azure AD and syncing those changes down to the on-prem LDAP directories and databases.
- Building orchestrated identities from using profiles and identities supplied by multiple identity systems running on different clouds.
The following graphic shows how Strata’s Maverics Platform can provision consistent access policy from on-prem directories and databases to the Azure Cloud platform.
Provision Consistent Access Policy Across Cloud and On-Premises
- Strata helps move users and apps to Azure.
- Strata’s Maverics Platform solves the challenging problems of provisioning users and keeping attributes in sync across hybrid environments, no matter where users are created, or attributes are mastered.
- Whether users/attributes are created and updated on the cloud or are created and updated on-premises, Maverics can keep those identities consistent.
- Once identities are consistent, Maverics can extend Azure AD Conditional Access Policies to on-premises apps to consistently enforce policies across cloud and on-prem.
- Strata enables legacy apps that don’t support SAML or OIDC to integrate with Azure AD with no rewrites.