The Return on Investment of Identity Modernization & Legacy IDP Migration
Strata Identity interviewed 50 leaders at Fortune 1000 companies about their application identity migration and IDP modernization strategies. The report outlines key takeaways from the interviews and real customer data that can help organizations achieve better and more expedient results from their modernization efforts.
Today’s enterprise computing infrastructures consist of a complex mix of public cloud, private cloud, and SaaS apps. Typically, each of these systems has its own built-in identity and access management (IAM) implementation.
Organizations increasingly have multiple public clouds (AWS, GCP, or Microsoft Azure to name the big players), which leads to identity silos to manage. Migrating apps from a legacy identity provider to a cloud Identity provider requires the associated identity to migrate as well.
Traditional approaches to identity migration and modernization require recoding all legacy apps to be able to work in the cloud. It is an expensive process that takes a long time. Often, the ability to custom code/refactor each app, the expertise of the IAM infrastructure, and the knowledge of how the apps are integrated is a painful discovery process.
Apps require identity (login, SSO, and password management, etc.) which has likely been custom coded to work with older identity systems. One to one customization leads to pervasive lock-in between the apps, the legacy IDPs, and the platforms/vendors the apps run on. Lock-in forces millions of dollars in IT spend — managing, upgrading, and maintaining legacy identity infrastructures.
Identity management challenges to modernization
The organizations represented in this report identified the many obstacles their identity teams face:
Most organizations are actively adopting public clouds for their business activities. In fact, many are moving to three or more public clouds to achieve their business and technology goals. Additionally, many continue to implement private cloud technology on-premises utilizing products from companies such as VMware, Red Hat, and Microsoft.
New identity silos to manage.
Each new cloud platform creates another silo of identities. This can be quite challenging for network and security administrators. There is a lack of visibility with no single pane-of-glass for managing identities, access, and policies.
Legacy identity lock-in.
Applications that are were hardcoded into an older identity systems are locked in. An application would traditionally need to be refactored before it can use a different identity system or move the cloud.
Legacy applications may be five or more years old and the people who wrote them are no longer with the company. The individual who integrated the identities with the application are also gone. Finding talent to address these challenges is scarce and expensive.
Infrastructure, identity systems and apps in use
|What infrastructure do you run?||Typical|
|On-Premises Identity Systems||3|
|% of Apps Migrated To Cloud||10%|
Technical debt and refactoring
With the majority of apps integrated with legacy identity using custom ‘last mile’ code, each app must be rewritten or refactored to work with the new identity system. Manually refactoring or rewriting apps is expensive, time consuming, drudge work that often results in throwing good money after bad.
Companies need to become more agile and have indicated are looking for ways to improve their development processes. This means that manual migration approaches must give way to automated approaches.
It also means that developers, who are often pressed for bandwidth, are better utilized to work on leading edge projects rather than trying to retain and get them excited about a legacy identity migration project. A developers’ time is better spent on innovation and building new customer experiences and digital products than doing tedious migration work.
FIGURE 1 Migrating to a new identity system requires rewriting the apps to accept the new form of SSO. And, identity data and policies must be translated from old to new.
Standards-based and non-standards-based applications
Most applications fit into two categories: standards-based and non-standards-based. Standards-based apps are newer and can accept modern authentication, such as SSO and MFA or passwordless, to SaaS apps by leveraging identity protocols like SAML (Security Assertion Markup Language) or OIDC (OpenID Connect).
Non-standards-based applications (also called legacy apps), such as those reliant on cookie-based sessions, cannot consume modern authentication methods. These apps are the most common still today in organizations, but also put the most strain on resources to recode.
Organizations that Strata interviewed reported a range of complexity for how difficult app identity migration based on the complexity, age and build of the app. They ranged from simple standards-based apps that use SAML or OIDC to complex apps that use the proprietary cookie sessions popular with first generation web access management (WAM) platforms.
TABLE 2 Most common ways that apps and identities are integrated to this study
|How are your apps and Identity integrated? (multiple response allowed)||Typical|
|SiteMinder Cookies (SMSESSION)||78%|
|Oracle Access Manager Cookie (OAMSESSION)||72%|
Identities are distributed across multiple systems
Organizations are managing identities across many identity systems. Below are the most common on-premises and cloud based identity management systems in use today.
TABLE 3 On-prem identity providers in use
|What on-prem identity do you run? (multiple response allowed)||Typical|
|Oracle Access Manager||29%|
|IBM Tivoli Access Manager||26%|
TABLE 4 Cloud identity platforms in use (by organization using more than 1 identity service)
|What cloud identity do you run? (multiple response allowed)||Typical|
|AWS Identity, Cognito||34%|
|Google Cloud Identity||21%|
Legacy identity systems limitations
The leaders in our study shared whether they felt their legacy identity systems were adequate for today’s challenges and which use cases are not being met with first generation identity software. They shared 5 common limitations:
1ST MAIN LIMITATION:
End of life (EOL)/end of service (EOS):
The mega legacy identity system vendors have publicly announced their mandate to focus on the cloud, consequently redirecting resources away from on-prem software. This reprioritization has led on-premises legacy software to reach end of life (EOL)/ end of service (EOS) as resources are redirected, draining away technical and support resources.
2ND MAIN LIMITATION:
Outdated versions of identity software:
The EOL/EOS problem is compounded by the fact that over 50% indicated they’re running two or more releases behind the current release. Companies usually lack budget and resources to upgrade at every release and, once behind, it’s hard to catch up. Getting on the current release often requires sequential upgrades which is time-consuming and difficult.
3rd MAIN LIMITATION:
Compliance and security risks:
Running older versions of software not patched and continually updated by vendors, creates additional new security risks. Legacy identity built before the notion of zero trust was conceived does not work in the cloud. The assumption of a secure perimeter — used by older technology — cannot be assumed in the cloud. Compliance is also a key concern because many mission-critical applications cannot run if they’re outside of vendor support.
“Without Strata, Kroger could have been spending hundreds of thousands of hours redeveloping applications.”
Cloud Information Security Manager, Kroger
Watch Kroger Customer Story >
4TH MAIN LIMITATION:
Incompatible with hybrid multi-cloud:
Our interviews corroborated that legacy identity architectures do not support the needs of distributed multi-cloud architectures. These older identity systems don’t work in cloud-native platforms with their microservices and ephemeral architectures. Additionally, legacy identity systems extensively utilized proprietary cookies for sessions as they were released before standards such as SAML, JWT, OIDC were available.
5TH MAIN LIMITATION:
Complex and expensive:
A big challenge is the cost of maintenance to support multiple legacy identity applications. Each application is integrated with its own identity session system. Legacy identity software often runs on dozens of servers (sometimes hundreds) and requires complex infrastructure like networking, storage and integration with web tier. Retaining developers who want to work on legacy systems is difficult and expensive.
Enterprise IT Environments are more complex and distributed than ever before.
Strata provides a simple and cost effective way to address these challenges with modernization and migration.
The Maverics Identity Orchestration Platform by Strata
Strata created Maverics, the first Identity Orchestration platform—it is natively engineered to work seamlessly across multiple clouds and integrate legacy on-premises systems with modern cloud-based identity.
Maverics enables app identity to be migrated from one identity system to another quickly through the use of an identity abstraction layer without any app rewrites. Figure 2 illustrates the Maverics abstraction layer.
Strata’s software-based approach eliminates the need to rewrite apps and allows for moving the application authentication from a legacy IDP to a modern cloud one without the need to refactor the apps.
Measuring ROI using Strata’s Maverics Identity Orchestration Platform
With Strata’s distributed multi-cloud architecture, organizations can confidently migrate and accelerate their move to the cloud, while realizing significant hard-cost savings and faster migration project completions.
Using Strata’s software, organizations see significant ROI both immediately and ongoing. A detailed analysis of an identity migration experience is found in the following section.
Figure 3 below shows potential cost savings when using identity modernization software instead of rewriting apps. The graph also illustrates the before and after cost savings that can be achieved from skipping rewrite/refactor apps.
Savings from identity modernization without rewriting apps using Strata’s ROI methodology
Strata ROI calculation for 100 non-standard Apps + 50 standards-based apps breaks down like this:
- Total money saved from avoiding app rewrites = $17.5M
- Total infra costs saved from retiring legacy IDP = $7.5M
- Total for Maverics investment for the 150 app count = $510K
To calculate ROI, we take the cost difference, over the Maverics investment.
- $24,490,000/$510,000 = 4802% ROI
Strata modernization ROI analysis worksheet
Infrastructure Description Costs Infrastructure and support costs Annual legacy app support and license $5,000,000 Infrastructure and support costs Annual Legacy Identity Infrastructure $2,500,000 Total infra costs Total for app support and infra of legacy identity $7,500,000 App rewrite costs One standards based app $50,000 App rewrite costs One non-standards based app $150,000 Total app rewrite costs Cost to rewrite all apps $17,500,000 Opportunity costs Weeks to rewrite an standards based 12 weeks Opportunity costs Weeks to rewrite a non-standards based app 24 weeks Total opp costs Week to rewrite both types of apps 3000 weeks Maverics Investments Price per month per App $250 Maverics Investments Price per month per IDP $2,500 Total Yearly Maverics Investment Based on per App and IDP pricing $510,000
Infra support costs + Total app rewrite costs = Total current costs
(Total current costs – Maverics Investment) / Maverics Investment = ROI
|ROI||Return on Investment||4,802%|
Let’s run the numbers: Identity Orchestration impact for app identity modernization
Using software to automate the migration and modernization of identity greatly improves a business’ hard-cost savings, reduces opportunity costs, and provides the foundation to enable new, modern security capabilities in the future.
Additionally, these organizations saved considerable time performing migrations and modernization initiatives. The range in cost savings account for the number of environments an organization has and legacy app complexity. As shown in the table below, organizations that move from legacy to modern cloud identity systems can realize significant hard-cost savings.
Average hard cost savings
Achieving cost savings through legacy IAM cost avoidance
|Avoided Cost||Est. Savings|
|Rewriting apps to work with a new identity solution||$50,000-$150,000/app|
|Ongoing support and maintenance for legacy identity software||$5,000,000|
|Maintaining compute infrastructure used by legacy identity||$2,500,000|
Achieving time savings through automation
Benefits of migration & modernization with Maverics Identity Orchestration
The traditional way to modernize identity requires significant budget and time, driving classic identity migrations to be complex and expensive multi-year endeavors.
Strata’s Maverics Identity Orchestration Platform can yield an ROI of almost 5000%. The savings are realized in weeks to months rather than years — the amount of time it would have taken to manually rewrite and migrate a handful of apps. With Strata, organizations can modernize for good and see the following benefits:
✔ Identity that supports distributed architectures running natively on multiple clouds.
✔ Modernize in weeks, rather than years and never have to rewrite an app.
✔ Use of modern cloud identity capabilities like MFA, passwordless, and mobile.
✔ Access to a modern cloud-native platform with capabilities like microservices, containers, like auto-scaling, and DevOps.
✔ Improved security from using continually updated software vs. old, outdated, non-supported software.
✔ Improved compliance by running on modern identity platforms that support GDPR and other regulations.
✔ Freedom from vendor lock-in by decoupling apps from IDPs or multiple cloud services.
✔ Coexistence to incrementally migrate and avoid the risks of a big bang migration approach.
Benefits of migration & modernization with Maverics Identity Orchestration
A thoughtful, integrated identity modernization strategy is perhaps more critical than ever to save costs by retiring legacy infrastructure, manage risk, and drive an efficient project that sets your business up for success.
Strata’s Maverics Identity Orchestration Platform empowers identity architects and business teams to create seamless and secure identity experiences across multi-cloud and hybrid-cloud environments and modernize legacy applications — without any rewriting apps.
With Maverics, organizations have realized an average ROI of 4800%, saved more than seven million dollars (US) in hard costs, and completed migrations in months instead of years — approximate time saved for migrating 50 standards based and 100 non standards based apps equates to 57 years in developer hours!
Strata built our software to solve the challenges of distributed identity infrastructures. It’s a new approach to migrating applications and modernizing identity for multi-cloud and hybrid environments.
Maverics easily enables organizations to migrate identity to the cloud, use multiple clouds, and supports hybrid deployments. The Maverics abstraction layer eliminates the need to write custom code to integrate each application.
In addition to the monetary savings, businesses realize the benefits of increased agility, improved security, and future-proofing with Strata’s Maverics Identity Orchestration platform.
Kroger Customer Modernization Story
Kroger needed to modernize the authentication and authorization of their mission-critical applications in a short amount of time. The retail grocery giant had both consumer-facing apps and internal apps that every person at the company relied on daily.
With 400 applications spanning from in-house built using a variety of technologies and programming languages, to commercial off-the-shelf applications, Kroger estimated that migration could take years and cost millions of dollars.
Strata immediately saved Kroger millions of dollars in custom coding, manual testing, and validation work — plus, years-worth of migration projects. They also slashed legacy infrastructure expenses by retiring legacy identity software and related infrastructure.
|Before Strata||After Strata|
|✔ Fortune 25 retailer - $140B annual revenue||✔ Fabric in place - permanent flexibility to innovate and |
|✔ Massive SiteMinder footprint with expensive maintenance||✔ Off of SiteMinder in 12 months and for |
|✔ Inability to support modern authentication an MFA||✔ Self-service IT initiative accelerating|
|✔ Legacy tech debt was ||✔ |
|✔ Facing ||✔ Kroger identity team will |
Now you’ve modernized. What’s next?
Strata brings a new generation of identity management capabilities for organizations operating in the hybrid, multi-cloud world. Identity Orchestration with Strata future-proofs your organization by keeping you permanently modern and allows you to make the most of your existing identity investments. With Strata’s Identity Orchestration platform you can experience:
Increased flexibility – Freedom from lock-in allows you to choose cloud platforms and identity platforms independently.
Faster project completion – Using software instead of manual effort to significantly reduce cycle times.
Improved security – Integrated identity silos for easier management of different infrastructures across multiple cloud providers.
Enhanced development – Modernized developer access to identity, reduced dependency on legacy development and upgrades.
Time & cost savings – Retiring legacy software and related infrastructure, avoiding manual work services, and avoiding training on legacy technologies.
Multi-cloud readiness – Ability to move to the cloud and from one cloud to another and natively manage identity across distributed clouds.
Increased revenue – Better customer experience enabled by digital transformation that leads to increases in gross profits from online channels, powered by identity modernization.
Improved agility – Ability to mix-and-match infrastructure, such as moving to Google Cloud from AWS or swapping identity domains from SiteMinder to Okta, for example.
Modernize any app with any IDP in minutes. Join the 'Orchestration Kitchen' workshops.
This report is the result of survey data and actual statistics from existing Strata customers. The field and primary research conducted in conversations with 50 leading innovators at Fortune 1000 organizations. These organizations are concentrated in regulated industries subject to compliance including financial services, insurance, healthcare, and global technology enterprises.
What would be your return on investment?
Download our free calculator to model your ROI
Strata is pioneering the concept of Identity Orchestration for distributed, multi-cloud identity. Strata’s Maverics Identity Orchestration Platform enables companies to seamlessly unify on-premises and cloud-based authentication and access systems for consistent identity management in multi-cloud environments. Strata’s unique distributed approach to identity enables organizations to break decades-old vendor lock-in that has prevented a broader transition of enterprise workloads to public cloud infrastructures.
Strata’s founders co-authored the SAML open standard for identity interoperability, created the first cloud identity services, delivered the first open-source identity products, and are now building the first distributed identity platform — Maverics.
To learn more, visit us at Strata.io