Identity Orchestration — the recipe to tearing down identity silos?
Businesses need a multi-cloud strategy today. Most companies have discovered that by now, but they’re also discovering new identity challenges that go along with it. Multiple clouds mean multiple identity silos. These silos don’t talk to each other, creating fragmentation across the clouds.
When two or more applications need to work together across those silos, there’s no seamless way to share identity data between them. Orchestration provides a way for identities on multiple clouds to work seamlessly together between applications.
Let’s take a look at how identity orchestration works to resolve these complex multi-cloud identity and access management (IAM) issues.
Identity Fabric: connecting silos across multiple clouds
The first issue to resolve is identity silos. The more clouds your organization uses, the more your identity silos proliferate. An identity fabric takes those silos and weaves the various identity technologies together — for example, user information, attributes, places to authenticate users, and ways to do authorization.
Think of an identity fabric like your kitchen. Inside your kitchen, you have all of your ingredients for baking. Depending on what it is you want to bake, you’ll use specific ingredients — perhaps flour, yeast, salt, and water. By combining those ingredients, you can make artisan country bread. Combine other ingredients, and you can make rye bread or focaccia.
An identity fabric is a common layer of all of the previously siloed identity workflows across multiple clouds that you can integrate. They might include authentication, access control, authorization, encryption, identity providers (IdPs), proxies, and more. The identity fabric assembles all of those elements together in a cohesive way.
But assembling the identity silos is only the first step. Multiple clouds use different sets of standards from one another, which means that identity silos don’t play well together. So you need them to integrate in a cohesive way.
Related: Why SSO is Only Part of Multi-Cloud Identity
Abstraction layer: Integrating the right identity elements
Typically, making distributed identity silos work with one another would involve a great deal of custom integration. This kind of effort is extremely labor-intensive and lengthy, pulling your vital resources off of their core responsibilities for months at a time. Custom integration also requires ongoing maintenance, patching, and upgrading.
But with an abstraction layer, all of those elements of an Identity Fabric can work together, without having to re-code. An abstraction layer resolves these issues by bringing the various elements together and integrating them together, even when they use different technologies and languages.
If the Identity Fabric is like your kitchen, an abstraction layer is like the island in your kitchen. When you bake bread, you only want the ingredients you need for that recipe. So you bring them all together within easy reach. Bakers and chefs call it mise en place — “putting in place.”
By bringing all the ingredients together — and only the ingredients you need — you save time, reduce your workload, increase your efficiency and organization, and prevent errors. Once all of your ingredients are in place on your kitchen island, it’s easy to work with them and integrate them together.
The abstraction layer also integrates applications that expect different technologies and languages. Like translating between metric measurements and the Imperial standard, the abstraction layer allows you to use two or more disparate protocols — for example, SAML on an app but OIDC on the cloud IdP.
The abstraction layer translates between standards and languages so that distributed systems can work together. The value of an abstraction layer normalizes everything so that it doesn’t matter how the technologies are implemented — it acts as a common denominator for them.
So the Identity Fabric is the collection of common workflows and attributes from these identity silos. On top of that, they’re unified with an abstraction layer, which does the integration and the abstraction to normalize the languages. But you still need something to orchestrate the identity and access management process.
Orchestration layer: running IAM in the right sequence
If you’re a commercial bakery, you won’t have just one island for your entire baking process — you’ll use several stations that are distributed throughout your kitchen. You’ll have mixing stations, proofing rooms, walk-in refrigerators, and baking stations where your ovens are located. You’ll also have various people working each of those stations concurrently, preparing several types of bread at each station.
All of this activity across multiple locations means you need a way to communicate what each person is doing when they do it, and what comes after they do it. They need to seamlessly interact with each other so that everyone can be in multiple locations but making something together.
Identity Orchestration ensures that all the various steps of identity management occur in the right sequence. When baking bread, you combine your dry ingredients, add your wet ingredients, knead the dough, then let it proof. The order is critical. Likewise, orchestration ensures that the order of operations is followed properly so that you get the right outcome with consistent implementation.
Identity Orchestration takes the elements from the abstraction layer and does specific operations with them in a particular order.
Just as a recipe has a very specific order, so also Identity Orchestration follows a specific identity access flow for a user. It governs what happens to that user from the beginning to the end of a flow.
It starts with initial user authentication — you have to know who that user is, so you check their identity credentials with an on-prem or cloud identity store. The next step in the script is usually determining that user’s access. Is the user permitted to access this particular application or web page?This can be done through stepped-up authentication to further prove identity via MFA or Passwordless, say via a token or biometrics. After that, the process determines what that specific user is allowed to do within the application. And all of this needs to be done in a seamless fashion that doesn’t create undue friction in the user’s access experience.
Ultimately, Identity Orchestration is about moving a user through an experience. If you’re trying to control what applications and data users have access to, you need to run them through different routes that are based on specific rules.
When rules need to be repeated over and over, they become policies. In the case of a banking application, there may be two or three policies that need to be enforced, based on who the user is — an employee, a customer, or a government regulator, for example.
Unify your distributed identity silos
Strata’s Maverics platform lets you achieve a distributed identity management environment across multiple clouds through Identity Orchestration. Maverics handles all of the layers of multi-cloud IAM, without any coding. There’s no need to build a complex and costly system yourself.
Maverics builds Identity Orchestration Recipes that weave together authentication, access, auditing, authorization, conditional access, MFA, attributes, token transformations, and migration services. Save time and money while improving agility and security in these most crucial scenarios.
Connect with an Identity Orchestration expert