Identity Orchestration

The Return on Investment of Identity Modernization & Migration with Strata

ROI Identity Modernization & Migration

Executive summary & key findings

Executive Summary

Migrating applications from legacy IdPs to cloud platforms — or from one cloud to another — is a necessary evil for companies needing to modernize, but it is expensive and complicated.

Today’s enterprise computing infrastructures consist of a complex mix of public cloud, private cloud, and SaaS apps. Typically, each of these systems has its own built-in identity and access management (IAM) implementation

Apps require identity (login, SSO, and password management, etc.) which has likely been custom integrated on older identity systems. Customization leads to pervasive lock-in between the apps, the legacy IdPs, and the platforms/vendors the apps run on. Lock-in forces millions of dollars in IT spend — managing, upgrading, and maintaining legacy identity infrastructures.

Additionally, organizations increasingly have multiple public clouds (AWS, GCP, or Microsoft Azure to name the big players), which leads to new identity silos that must also be managed. Migrating apps from legacy IdPs to cloud platforms requires the associated identity infrastructure to migrate as well.

Traditional approaches to identity migration and modernization require recoding all legacy apps to be able to work in the cloud. It is an expensive process and it takes a long time (around 12 to 24 months). Often, the ability to custom code/refactor each app, the expertise of the IAM infrastructure, and the knowledge of how the apps are integrated simply isn’t available.

Strata’s Maverics Identity Orchestration Platform (Maverics) empowers architects and business teams to create seamless and secure identity experiences across multi-cloud and hybrid-cloud environments and modernize legacy applications without rewriting applications.

Our software is built for the distributed approach to migrating and modernizing identity for multi-cloud and hybrid environments that eliminates the need to custom code each app. Maverics easily enables organizations to migrate to the cloud, use multiple clouds, and supports hybrid deployments.

Maverics is the only Identity Orchestration solution that uses a distributed, multi-cloud-native architecture. With Maverics, organizations have realized an ROI of 556%, saved more than one million dollars (US) in hard costs, and completed migrations in weeks instead of months — 85% less time than traditional manual efforts.

In addition to the monetary savings, organizations realize the benefits of increased agility, improved security, and future-proofing with Strata’s Maverics Identity Orchestration solution.

ROI of Identity Orchestration

Migration to a new identity system is difficult. It requires rewriting each legacy app to work with the new technology of the cloud identity platform, which can be expensive, time-consuming, and labor-intensive.

Modern infrastructures are complex

The average enterprise has:

  • 3+ public clouds
  • 1+ private clouds
  • 3 on-premises identity systems
  • 50 on premises apps

Limitations of legacy identity systems

  • Approaching or has reached end of life/end of service
  • Outdated versions of identity software
  • Lock-in is pervasive
  • Architecturally incompatible with modern cloud identity
  • Complex and expensive to maintain

Top identity migration & modernization challenges

  • Costs upward of $1M
  • Takes 12-24 months to complete
  • Lack of skilled expertise
  • Building and maintaining custom code
  • Familiarity with IAM infrastructure and how apps integrate
  • Ability to access to the application source

Identity modernization solution requirement ranked in order of importance

  • Automated
  • Non-disruptive to apps
  • Non-disruptive to users
  • No Code / Low Code
  • Work seamlessly

Top desired outcomes from an identity modernization & migration solution

  • Save time and money
  • Multi-cloud ready
  • Increase revenue
  • Improve agility

Identity modernization & migration with Strata

With Strata, organizations can realize:

  • 100%+ return on investment in hard costs
  • 95% less time to migrate to the cloud
  • $1M+ saved over manual efforts


An organization modernizing its identity infrastructure and migrating 10 apps can save $1,450,000 in hard costs and 96 weeks of dev effort by eliminating costs to rewrite apps, perform manual discovery, maintain legacy IAM, code, and compute infrastructure.

Modernizing identity infrastructure ROI

Report framework

Strata interviewed 50 leading innovators at Fortune 1000 companies about their identity migration and modernization strategy.

This paper summarizes the field and primary research conducted in conversations with those leaders. These organizations are concentrated in regulated industries subject to compliance including financial services, insurance, healthcare, and global technology enterprises.

The report outlines key takeaways from our interviews that can help you better prepare for multi-cloud and streamline your migration to the cloud. A few important points about our analysis of the interviewed companies:

  • Strata performed a broad and deep analysis of 50 enterprise organizations looking at both quantitative and qualitative aspects of their identity management.
  • We interviewed these companies to understand how they are moving to the cloud and how the role of identity is evolving in the multi-cloud era.
  • Strata’s analysis discovered that these organizations were using multiple identity systems including Microsoft Active Directory, CA SiteMinder, Oracle Access Manager, Ping, ForgeRock, and other IAM systems.
  • They have three or more public cloud platforms and many used IDaaS (Identity-as-a-Service) with tools such as Okta.

Migration challenges in multi/hybrid cloud

Big identity management challenges

Our discussions with the organizations interviewed for this report identified the many challenges they face when trying to move their businesses to the cloud, while straddling their extensive existing on-prem infrastructure.

These interviews revealed classic examples of people, processes, and technology all being impacted by antiquated identity deployments. Here are their top challenges:

#1. Increasing cloud adoption

Most organizations are actively adopting public clouds for most of their business activities. In fact, many are moving to three or more public clouds to achieve their business and technology goals.

Additionally, many continue to implement private cloud technology on-premises utilizing products from VMware, Red Hat, and Microsoft

#2. New identity silos to manage

Each new cloud platform creates another silo of identities. This can be quite challenging for network and security administrators. There is a lack of visibility with no single pane-of-glass for managing identities, access, and policies.

#3. Legacy identity lock-in

Applications are locked into older identity systems such as CA SiteMinder or Oracle Access Manager. Decoupling from these identity solutions requires that an application be refactored to use a different identity system.

#4. Skills shortage

Legacy applications may be five or more years old and the people who wrote them are no longer with the company. The individual who integrated the identities with the application are also gone. Finding talent to address these challenges is scarce and expensive.

The following tables (3-5) identify the types of infrastructures, on-prem identity, and cloud identities in use at the companies interviewed for this study. These organizations typically have at least 50 on-prem apps and they’ve only migrated 10% of them to the cloud. The results are an indicator that many companies are still early in their cloud migration journey.

TABLE 1 Infrastructure, identity systems and apps in use

What infrastructure do you run?Typical
Public Clouds3.5
Private Clouds1.5
On-Premises Identity Systems3
On-Premises Apps50
% of Apps Migrated To Cloud10%

TABLE 2 On-prem identity providers in use

What on-prem identity do you run? (multiple response allowed)Typical
Active Directory89%
Oracle Access Manager54%
Broadcom/CA SiteMinder42%
IBM Tivoli Access Manager11%

TABLE 3 Cloud identities in use at the interviewed companies

What cloud identity do you run? (multiple response allowed)Typical
Azure AD32%
AWS Identity, Cognito12%
Google Cloud Identity9%

Legacy identity systems are inadequate

We asked the leaders in our study if they felt their legacy identity systems were adequate for today’s challenges and which use cases are not being met with first generation identity software. They shared six main limitations:

  1. End of life (EOL)/end of service (EOS): The mega vendors have publicly announced their mandate to focus on the cloud, consequently redirecting resources away from on-prem software. This reprioritization has led on-premises legacy software to reach ‘end of life’ (EOL)/ end of service (EOS) as resources are redirected, draining away technical and support resources.
  2. Outdated versions of identity software: The EOL/EOS problem is compounded by the fact that over 50% indicated they’re running two or more releases behind the current release (e.g. running SiteMinder v12.5 when the last release was v12.8). Companies usually lack budget to upgrade every release and, once behind, they never catch up. Getting on the current release often requires sequential upgrades which is time consuming and difficult.
  3. Lock-in: Identity is the strongest form of lock-in between a platform and apps. The extensive integration between apps and identity means apps need to be rewritten to move onto a new identity system. This is especially challenging because rewriting legacy apps is expensive and requires hard-to-find expertise.
  4. Compliance and security risks: The leaders interviewed in this study understand that running older versions of software not patched and continually updated by vendors, creates additional new security risks.
    Legacy identity built before the notion of Zero Trust was conceived does not work in the cloud. The assumption of a secure perimeter — used by older technology — cannot be assumed in the cloud. Compliance is also a key concern because many mission critical applications cannot run if they’re outside of vendor support.
  5. Incompatible with hybrid multi-cloud: Our interviews corroborated that legacy identity architectures simply do not support the needs of distributed multi-cloud architectures. These older identity systems don’t work in cloud-native platforms with their microservices and ephemeral architectures. Additionally, legacy identity systems extensively utilized proprietary cookies for sessions as they were released before standards such as SAML, JWT, OIDC were available.
  6. Complex and expensive: A big challenge is the cost of maintenance to support multiple legacy identity applications. Each application is integrated with its own identity session system. Legacy identity software often runs on dozens of servers (sometimes hundreds) and requires complex infrastructure like networking, storage and integration with web tier. Retaining developers who want to work on legacy systems is difficult and expensive.


Unique migration challenges today

Our research also highlighted that recent public health and corporate mandates to work from home have accelerated the need to move apps to the cloud and provide secure access to previously hard-to-access apps that reside behind firewalls. Moving an app to the cloud usually requires replacing a legacy identity system with a modern cloud identity system.

Additionally, moving an app to the cloud must be seamless to end-users to avoid any confusion (or the introduction of phishing and other security concerns) into the login process.

Companies may have dozens (sometimes hundreds or thousands) of apps that must be analyzed to understand how they need to be migrated to the cloud. Compounding this problem is keeping up with the scale and change that happens across any organization. Understanding dependencies between apps and identities requires detailed analysis and a deep understanding of how the infrastructure works, which can take months and it’s a continually changing picture.

Perhaps the biggest challenge these companies face when moving apps to the cloud is addressing the fact that their apps are locked into the on-premises world because of the way the apps and identity were originally integrated.

These organizations are representative of many who have spent the last 10-15 years integrating their on-prem apps with identity from legacy providers like CA SiteMinder and Oracle (e.g. customer identity profile and login process through custom code, using cookie-based sessions). Migration to a new identity system requires refactoring the app to work with the new session technology of the cloud identity platform. This is not a simple or inexpensive proposition.

Refactoring is expensive in both developer time and dollars and must be done for each app that is to be migrated to the cloud. Organizations that Strata interviewed reported a range of complexity for how complex this integration is, ranging from simple standards-based apps that use SAML or OIDC to complex apps that use the proprietary cookie sessions popular with first generation web access management (WAM) platforms like OAM or SiteMinder. Additionally, migrations and upgrades have required significant investments in time, usually 12-24 months for a typical identity system migration.

FIGURE 1 Migrating to a new identity system requires rewriting the apps to accept the new form of SSO. And, identity data and policies must be translated from old to new.

Figure 1 Migration Challenges

Manual identity migration approaches don’t scale

Two big identity migration challenges organizations are facing today:

  1. Analyzing a complex app and identity infrastructure’s technical details including mapping out dependencies, network topologies, app stack and other such details cannot be done manually because of scale and constancy of change.
  2. With the majority of apps integrated with legacy identity using custom ‘last mile’ code, each app must be rewritten or refactored to work with the new identity system. Manually rewriting apps is expensive, time consuming, drudge work that often seems like throwing good money after bad.

Companies need to become more agile and are looking for ways to improve their development processes. This means that manual migration approaches must give way to automated approaches. It also means that developers, who are often pressed for bandwidth, are better utilized to work on leading edge projects rather than trying to retain and get them excited about a legacy identity migration project. A developers’ time is better spent on innovation and building new customer experiences and digital products than doing tedious migration work.

Migrating an app to a new identity solution is a very tedious process. First, it can take months to analyze dozens (or possibly hundreds) of apps. Refactoring an app to work with a new identity system requires additional months to rewrite and test the apps. Any infrastructure modernization project is complex, driving the need for comprehensive skills in project and program management.

While cookie-based sessions are the most common and most difficult to recode, even apps that support standards — like SAML or OIDC — require time and effort to refactor, retest, and deploy.

The bottom line is that manual approaches are very expensive:

  • App and infrastructure analysis can cost $50,000-$250,000 depending on scope
  • Rewrite of an app can cost $50,000 – $250,000 per app depending on scope
  • Custom integration with new apps requires more ongoing investment often leading to 20% of the initial project cost.

Our study identified the most common ways that apps and identities are integrated as displayed in the following table.

TABLE 4 Most common ways that apps and identities are integrated to this study

How are your apps and Identity integrated? (multiple response allowed)Typical
SiteMinder Cookies (SMSESSION)78%
Oracle Access Manager Cookie (OAMSESSION)72%
HTTP Headers24%

Identity modernization & migration solution requirements

Our respondents provided a “wish list” for solution characteristics that deal with the challenges associated with managing legacy identity systems. This list includes the following modernization and migration requirements:

  • Automated – Migrations must happen quickly with minimal human intervention.
  • Non-disruptive to apps – Does not require re-writing of apps.
  • Non-disruptive to users – No change to a user’s login experience.
  • No Code / Low Code – Must be easy to configure rather than using complex code.
  • Work seamlessly – Must bridge existing legacy and modern cloud identity systems.

The Identity modernization & migration solution requirements

Key results desired

Looking at other characteristics of a powerful and flexible identity migration solution, the surveyed companies believe that the following benefits are necessary when considering this type of solution.

Our subjects stated the following results were the most desired in an identity modernization solution:

  • Save time and money – Retiring legacy software and related infrastructure, avoiding manual work services, and avoiding training on legacy technologies.
  • Multi-cloud ready – Ability to move to the cloud and from one cloud to another and natively manage identity across multiple clouds.
  • Increase revenue – Better customer experience enabled by digital transformation should lead to substantial increases in gross profits from online channels, powered by identity modernization.
  • Improve agility – Ability to mix-and-match infrastructure, such as moving to Google Cloud from AWS or swapping identity domains from SiteMinder to Okta, for example.

The Maverics Identity Orchestration platform for multi-cloud by Strata

Strata created Maverics, the first Identity Orchestration platform natively engineered to work seamlessly across multiple clouds and integrate legacy on-prem systems with modern cloud-based identity. Strata’s software solves the discovery and analysis of apps and identity infrastructure problem.

It also enables apps to be migrated from one identity system to another quickly through the use of an identity abstraction layer. Figure 2 illustrates the Maverics abstraction layer.

FIGURE 2 Strata’s software-based approach eliminates the need to rewrite apps and automatically discovers, replicates, and synchronizes identity data and policies.

Figure 2 Identity Orchestrataion for Multi-cloud Strata Identity

Measuring ROI using Strata’s Maverics Identity Orchestration Platform

Strata is changing the way we manage identity infrastructure by making distributed identity management possible. With Strata’s distributed multi-cloud architecture, organizations can confidently migrate and accelerate their move to the cloud, while realizing significant hard-cost savings and faster migration project completions.

Using Strata’s software, organizations see significant ROI both immediately and ongoing. A detailed analysis of an identity migration experience is found in the following section.

Model your potential ROI with Strata’s free calculator

“Without Strata, Kroger could have been spending hundreds of thousands of hours redeveloping applications.

Rob Lenhof
Cloud Information Security Manager, Kroger
Watch Kroger Customer Story >


The ROI of Maverics Identity Orchestration Platform

Business impact of Identity Orchestration

Using software to automate the migration and modernization of identity greatly improves a business’ hard-cost savings, return on investment (ROI), and ability to add new, modern security capabilities. The following is based on a scenario of 10 apps being migrated.

Hard cost savings

TABLE 5 Achieving cost savings through legacy IAM cost avoidance

Avoided CostEst. Savings
Rewriting apps to work with a new identity solution$50,000-$250,00/app
Manually analyzing identity infrastructure and supported apps$100,000/analysis
Ongoing support and maintenance for legacy identity software$200,000
Maintaining custom code20% of annual cost
Maintaining compute infrastructure used by legacy identity$150,000

As shown in the above table, organizations that move from legacy to modern cloud identity systems can realize significant hard-cost savings.

TABLE 6 Achieving time savings through automation

Avoided Time ExpensesEst. Savings
Not rewriting apps to work with new identity solution4-14 weeks/app
Save time manually analyzing the identity infrastructure4-12 weeks

Additionally, these organizations saved considerable time performing migrations and modernization initiatives as shown here. Ranges above account for the number of environments and legacy app complexity.

ROI for migration automation

Interviews revealed a strong ROI* is realized from investing in migration and modernization automation software.

Figure 3 below shows the potential cost savings when using identity modernization software instead of rewriting apps. The graph also illustrates the before and after cost savings that can be achieved from not having to rewrite/refactor apps.

FIGURE 3 Savings from identity modernization without rewriting apps

Figure 3 Savings identity modernization without rewriting apps Strata Identity


FIGURE 4 Cost savings comparison (10 apps)

Figure 4 Cost savings comparison applications Strata Identity

New capabilities for multi-cloud identity

In addition to the quantitative benefits of using Strata’s Maverics Platform, there are qualitative considerations that should not be overlooked. These include:

Greater agility and lock-in avoidance

  • Increased flexibility – Freedom from lock-in allows you to choose cloud platforms and identity platforms independently.
  • Faster project completion – Using software instead of manual effort to significantly reduce cycle times.
  • Improved security – Integrated identity silos for easier management of different infrastructures across multiple cloud providers.
  • Enhanced development – Modernized developer access to identity, reduced dependency on legacy development.
  • Cost optimization – Using software enables organizations to shift migration costs from an operating expense (OpEx) to a capital expense (CapEx) with greater precision.

New capabilities for the hybrid multi-cloud world

Strata also brings a new level of identity management capability for organizations operating in a hybrid, multi-cloud world:

  • Identity that supports distributed architectures running natively on multiple clouds.
  • Use of modern cloud identity capabilities like MFA, passwordless, and mobile.
  • Access to a modern cloud-native platform with capabilities like microservices, containers, like auto-scaling, and DevOps.
  • Improved security from using continually updated software vs. old, outdated, non-supported software.
  • Improved compliance by running on modern identity platforms that support GDPR and other regulations.

*ROI varies based on the number of apps migrated and the costs associated with rewriting each app.

Summary & conclusion

Identity Orchestration overview

Strata’s software yields ROI of more than 500% — realized immediately. In addition to cost and time savings, Strata also improves agility, provides freedom from lock-in, and delivers faster project completion.

Strata’s Identity Orchestration Platform:

  • Provides an ROI of 500% realized immediately
  • Is automated
  • Improves agility and scalability
  • Requires low code
  • Delivers faster cloud migration
  • Frees companies from vendor lock-in

Platform capabilities:

Agility & freedom from vendor lock-In

  • Increased flexibility
  • Faster project completion
  • Improved security
  • Enhanced development
  • Cost optimization

Facilitates hybrid & multi-cloud adoption

  • Identity for distributed architectures
  • Modern cloud identity capabilities
  • Modern, cloud-native platform
  • Improved security
  • Improved compliance


Connect with an Identity Orchestration expert


Summary & conclusion

We have learned through this study that companies are reaching a breaking point in how they manage security and identities across cloud and on-prem applications. The tired, manual approaches to identity migration and management cannot continue because of the time, cost and security concerns associated with this approach. It is simply unsustainable.

The time required to analyze and understand each app that needs migration from a legacy identity system is significant. Once an analysis is completed, IT and development resources must be allocated for multiple weeks to rewrite an application’s security and identity functions. These two core migration use cases require significant budget and time, driving classic identity migrations to be complex and expensive multi-year endeavors.

There is an alternative — using specially engineered software to abstract and integrate multiple identity systems using Identity Orchestration. This approach, created by Strata, is a breakthrough technology that automates manual tasks — such as discovery and migration — while eliminating the need to rewrite/refactor apps during migration.

Strata’s software yields ROI of more than 500%, realized immediately, while providing additional flexibility regarding CapEx and OpEx accounting. In addition to cost and time savings, Strata also improves agility, provides freedom from lock-in, and delivers faster project completion. New capabilities are also unlocked including support for distributed identity management and multi-cloud architectures, improved security, and future-proofing existing investments.

Contact your Strata representative today to learn more about how you can get started with your identity modernization and migration journey.