Multi-Cloud Identity

Why SSO is Only Part of Multi-Cloud Identity

Over the past couple of decades, single sign-on (SSO) has become the de facto security solution for most companies. One reason is that it’s convenient for users (so they actually do it). Also, it improves organizational security by reducing account and password proliferation. SSO is also a great way to roll out advanced identity capabilities like multi-factor authentication (MFA) and self-service user management. While there’s no doubt that it is a critical pillar of identity management, SSO is only part of multi-cloud identity management.

The pros and cons of SSO

The need for SSO grew out of the growing struggle to manage identities for multiple applications. Each application had its own authentication system with its own user IDs and passwords. This redundancy caused a lot of duplication for IT administrators and a lot of headaches for end-users.

SSO is built on trust. Users enter their credentials once and gain access to many applications without having to authenticate to each application. Solutions such as Okta and Microsoft Azure Active Directory have become well known for providing access management platforms that coordinate authentication across multiple SaaS applications.

Users authenticate once to the SSO portal and are presented with a menu of authorized applications. This solution has simplified authentication to multiple applications for both users and IT administrators.

However, the landscape for identity management has become more complex as the Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) markets have exploded in recent years. Amazon Web Services (AWS), Microsoft Azure, and the Google Cloud Platform (GCP) now work side-by-side with a company’s existing IT infrastructure. The result is that nearly all organizations have become multi-cloud. With this new multi-cloud reality come new identity management challenges requiring a multi-cloud strategy.

Multi-clouds present different challenges for identity management

We now have multiple silos of identity vendors and multiple cloud platforms. Each cloud comes with its own built-in identity system.

Multi-cloud identity silos

Imagine buying a new car and expecting it to start with the keys from your old car. It just doesn’t work that way. The new car (like your new cloud platform) has its own keys for access.

When companies adopt a cloud platform, most still have a mix of old on-premises apps and identities to work with. The conventional notion of centralized identity management doesn’t work across siloed multi-cloud environments, so implementing consistent policy and identity is impossible.

Complex organizations often require specialized identity models that represent their users’ specific needs within the business. A one-size-fits-all approach does not work, and centralizing identities breaks that model. Additionally, mergers and acquisitions (M&A) often require specialized identity management use cases through the merger integration.

Technology constraints for multi-cloud identity

From a technical perspective, organizations often choose different technology platforms, like Java or .NET, that become deeply entrenched in the organization. Forcing developers to use one platform over another because of identity constraints is not practical. It can also introduce delays and additional costs to software development.

Another consideration is that legacy SSO predates many of today’s standards like SAML. This means there are many applications that are locked into their current legacy architecture.

We’ve seen that 75% of on-prem Java/.NET custom apps are integrated with CA SiteMinder or Oracle Access Manager (OAM). Applications that are hardcoded to use these identity systems must be rewritten if they want to use newer identity solutions.

The need for distributed identity management

Distributed multi-cloud architectures require distributed identity across multiple clouds. Apps that work across Azure and GCP, for example, need consistent identity across both domains to provide secure access to all users.

With so many identity silos and domains, it’s really hard to get a handle on the best approach for multi-cloud identity. The use cases are different for multi-cloud versus traditional SSO. There is a need to manage consistent identity and access policies across platforms. Yet, today’s SSO solutions are limited to the apps that have been integrated with a particular identity system. There’s no easy way to set policies across all identity domains, making multi-cloud identity management impossible.

The answer to this coexistence challenge lies in extending secure access from on-prem apps to the cloud by linking on-prem identity with cloud identity. The solution must span across SaaS applications to on-premises applications. Today, SSO only works in the cloud OR on-prem — not both. The solution must also gracefully migrate on-prem apps to the cloud without rewriting or touching them. In other words, an app must be decoupled from its old identity system and layered onto a new identity system — all transparently for users.

The solution is distributed identity via an Identity Fabric

An Identity Fabric is a distributed identity management framework. It orchestrates, abstracts, integrates and discovers identity data across multiple systems (identity domains). It orchestrates identities and policies in distributed identity domains. Then, it presents that identity data consistently to hybrid identity infrastructures and multi-cloud infrastructures.

SSO & multi-cloud identity: key points to know about Identity Fabric

Here are some other key points to remember. An Identity Fabric:

  • is an abstraction layer that lets you build and run your apps on the cloud of your choice using the identity system of your choice
  • isn’t another Identity Provider (IdP) or SSO solution
  • uses zero code integration that avoids custom coding

SSO is an important part of your multi-cloud operation. However, new challenges have come up when trying to manage multi-cloud and hybrid cloud environments. This is because of the difficulties of succeeding with secure hybrid access. Each cloud platform has its own identity system. Each application has its own identity system. SSO was designed to help manage multiple identities for multiple applications and is still relevant and needed.

Yet, the challenge of consistently managing identities and policies across multiple cloud platforms exceeds the scope of SSO. A new solution that moves away from a centralized identity approach to a decentralized approach is needed. A decentralized (or distributed) approach is made possible through an Identity Fabric and gives you the flexibility to migrate and manage identities on your timeframe.

[Updated, April 15, 2021]