Why SSO is Only Part of Multi-Cloud Identity
Single sign-on (SSO) is a critical pillar of identity management. Many companies have implemented it because it is convenient for users and improves security by reducing account and password proliferation. SSO is also a practical way to roll out advanced identity capabilities such as multifactor authentication (MFA) and self-service user management.
SSO grew out of the need to manage identities for multiple applications. Each application had its own authentication system with its own user IDs and passwords. This redundancy meant duplicated work for IT administrators and headaches for end users.
SSO is built on trust: users enter their credentials once and gain access to many applications without authenticating to each one separately. Solutions such as Okta and Microsoft Azure Active Directory have become well known for providing access management platforms that coordinate authentication across multiple SaaS applications.
Users authenticate once to the SSO portal and are presented with a menu of authorized applications. This solution has simplified authentication to multiple applications for both users and IT administrators.
However, the landscape for identity management has become more complex as the Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) markets have exploded in recent years. Amazon Web Services (AWS), Microsoft Azure and Google Cloud Platform (GCP) now work side-by-side with a company’s existing IT infrastructure. The result is that nearly all organizations have become multi-cloud, and with this new multi-cloud reality come new identity management challenges.
Multi-cloud presents different challenges for identity management
As you might suspect, we now have multiple silos of identity vendors and multiple cloud platforms. Each cloud comes with its own built-in identity system.
Imagine buying a new car and expecting it to start with the keys from your old car. It just doesn’t work that way. The new car (like your new cloud platform) has its own keys for access.
When companies adopt a cloud platform they usually still have a mix of older on-premises systems to work with. The conventional notion of centralized identity management doesn’t work across siloed multi-cloud environments, making consistent policy and identity very hard to implement.
From a business perspective, complex organizations often require specialized identity models that represent their users’ specific needs within the business. A one-size-fits-all approach does not work, and centralizing identities breaks that model. Additionally, mergers and acquisitions often require specialized identity management use cases during merger integration.
Technology constraints for multi-cloud identity
From a technical perspective, organizations often choose different technology platforms, such as Java or .NET, that become deeply entrenched in the organization. Forcing developers to use one platform over another because of identity constraints is not practical and can introduce delays and additional costs to software development.
Another consideration is that legacy SSO products predate many of today’s standards, such as SAML, so many applications are locked into their current legacy architecture.
We’ve seen that 75% of on-prem Java/.NET custom apps are integrated with CA SiteMinder or Oracle Access Manager (OAM). Applications that are hardcoded to use these identity systems must be rewritten to use newer identity solutions.
The need for decentralized identity management
Distributed multi-cloud architectures require distributed identity across multiple clouds. Apps that work across Azure and GCP, for example, need consistent identity across both domains to provide secure access to all users.
With so many identity silos and domains it’s really hard to get a handle on the best approach for multi-cloud identity. The use cases are different for multi-cloud versus traditional SSO. There is a need to manage consistent identity and access policies across platforms and yet today’s SSO solutions are limited to the apps that have been integrated with a particular identity system. There’s no way to easily set policy across all identity domains, making multi-cloud identity management impossible.
The answer to this coexistence challenge lies in extending secure access from on-prem apps to the cloud by linking on-prem identity with cloud identity. The solution must span SaaS applications and on-premises applications alike. Today, a given SSO deployment typically covers cloud apps or on-prem apps, but rarely both. The solution must also migrate on-prem apps to the cloud gracefully, without rewriting or touching them. In other words, an app must be decoupled from its old identity system and layered onto a new identity system, all transparently for users.
The solution is decentralized identity via an identity fabric
An Identity Fabric is a distributed identity management framework. It orchestrates, abstracts, integrates and discovers identity data across multiple systems, which we call Identity Domains. It also orchestrates identities and policies across those distributed Identity Domains and presents the resulting identity data consistently to hybrid and multi-cloud infrastructures.
Here are some other key points to remember:
- An Identity Fabric is an abstraction layer that lets you build and run your apps on the cloud of your choice using the identity system of your choice.
- An Identity Fabric is not another Identity Provider (IdP) or SSO solution.
- An Identity Fabric uses zero-code integration, so applications do not have to be rewritten to join it.
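To make the abstraction-layer idea concrete, here is a small added example, written for this page and not code from the original article or from any Identity Fabric product. It models three Identity Domains: a legacy web access manager that hands identity to the app as injected request headers (the SiteMinder/OAM style mentioned above), a cloud IdP that issues OIDC ID tokens, and a SAML IdP. Each domain has its own attribute names and group identifiers, and the fabric layer normalizes all of them into one canonical identity so that a single policy, written once, applies to every domain. The header names, claim names, group identifiers and role names are all assumptions, and the example assumes token signature and assertion validation have already happened before data reaches this layer. Failures to normalize (unknown domain, missing attribute) are denied rather than passed through.

```python
"""Identity-fabric style abstraction layer (added illustration, not product code).

Three constructed Identity Domains are modelled. Every name below (header names,
claim names, group ids, role names, resource paths) is an assumption chosen for
the example. Signature/expiry validation of tokens and assertions is assumed to
have happened before data reaches this layer.
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable, Mapping


@dataclass(frozen=True)
class Identity:
    """Canonical identity the fabric hands to applications, whatever domain it came from."""
    subject: str            # "<domain>:<domain-local id>" so ids cannot collide across domains
    email: str
    roles: frozenset        # canonical role names, never the domain's own group ids
    domain: str


class IdentityError(Exception):
    """Unknown domain or un-normalisable data; callers must treat this as a deny."""


# Per-domain mapping from domain-specific group identifiers to canonical roles.
# The group ids are constructed examples, not real tenant values.
ROLE_MAPS: dict[str, dict[str, str]] = {
    "legacy-wam": {"CN=Finance-Users,OU=Groups,DC=corp,DC=example": "finance",
                   "CN=Admins,OU=Groups,DC=corp,DC=example": "admin"},
    "cloud-oidc": {"3f2504e0-4f89-41d3-9a0c-0305e82c3301": "finance",
                   "a1b2c3d4-0000-4000-8000-000000000001": "admin"},
    "saml-idp":   {"finance-team": "finance", "platform-admins": "admin"},
}


def _roles(domain: str, raw_groups) -> frozenset:
    mapping = ROLE_MAPS[domain]
    # Unmapped groups are dropped, not passed through: a role the policy does not know is meaningless.
    return frozenset(mapping[g] for g in raw_groups if g in mapping)


def from_legacy_headers(headers: Mapping[str, str]) -> Identity:
    """Legacy WAM agents inject identity as request headers (header names/delimiter are assumptions)."""
    try:
        user, email = headers["SM_USER"], headers["HTTP_MAIL"]
    except KeyError as e:
        raise IdentityError(f"legacy header missing: {e}")
    groups = [g for g in headers.get("HTTP_GROUPS", "").split("^") if g]
    return Identity(f"legacy-wam:{user}", email, _roles("legacy-wam", groups), "legacy-wam")


def from_oidc_claims(claims: Mapping) -> Identity:
    """Claims from an already-verified OIDC ID token."""
    for k in ("sub", "email"):
        if k not in claims:
            raise IdentityError(f"claim missing: {k}")
    return Identity(f"cloud-oidc:{claims['sub']}", claims["email"],
                    _roles("cloud-oidc", claims.get("groups", [])), "cloud-oidc")


def from_saml_attributes(attrs: Mapping[str, list]) -> Identity:
    """Attribute statement from a validated SAML assertion (attribute names are assumptions)."""
    try:
        name_id, email = attrs["NameID"][0], attrs["mail"][0]
    except (KeyError, IndexError):
        raise IdentityError("saml attribute missing")
    return Identity(f"saml-idp:{name_id}", email,
                    _roles("saml-idp", attrs.get("memberOf", [])), "saml-idp")


ADAPTERS: dict[str, Callable[[Mapping], Identity]] = {
    "legacy-wam": from_legacy_headers,
    "cloud-oidc": from_oidc_claims,
    "saml-idp": from_saml_attributes,
}


def resolve(domain: str, raw: Mapping) -> Identity:
    """The fabric's abstraction point: the application never sees domain-specific data."""
    adapter = ADAPTERS.get(domain)
    if adapter is None:
        raise IdentityError(f"unknown identity domain: {domain}")   # fail closed
    return adapter(raw)


# One policy, written once against canonical roles, applied identically to every domain.
POLICY: dict[str, frozenset] = {
    "/ledger": frozenset({"finance", "admin"}),
    "/admin":  frozenset({"admin"}),
}


def authorize(identity: Identity, resource: str) -> bool:
    required = POLICY.get(resource)
    if required is None:
        return False            # resources with no rule are denied by default
    return bool(identity.roles & required)


def decide(domain: str, raw: Mapping, resource: str) -> bool:
    """End to end: normalise, then authorise; any normalisation failure is a deny."""
    try:
        return authorize(resolve(domain, raw), resource)
    except IdentityError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs: the same person arriving through three different domains.
    print(decide("legacy-wam", {"SM_USER": "alice", "HTTP_MAIL": "alice@example.com",
                                "HTTP_GROUPS": "CN=Finance-Users,OU=Groups,DC=corp,DC=example"}, "/ledger"))
    print(decide("cloud-oidc", {"sub": "a1", "email": "alice@example.com",
                                "groups": ["3f2504e0-4f89-41d3-9a0c-0305e82c3301"]}, "/ledger"))
    print(decide("saml-idp", {"NameID": ["alice"], "mail": ["alice@example.com"],
                              "memberOf": ["finance-team"]}, "/admin"))
```

The point of the design is where the policy lives: the application and the policy only ever see canonical roles, so moving an app from the legacy domain to the cloud domain changes which adapter runs, not the app or the policy. Two choices matter for security: domain-qualified subject ids, so that `alice` in the legacy directory and `alice` at the cloud IdP cannot be silently merged, and fail-closed handling, so that an unknown domain, a missing attribute or an unmapped group yields a deny rather than an accidental grant.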
SSO is an important part of your multi-cloud operation but as we have discussed, new challenges have come up when trying to manage multi-cloud and hybrid cloud environments. Each cloud platform has its own identity system. Each application has its own identity system. SSO was designed to help manage multiple identities for multiple applications and is still relevant and needed.
But the challenge of consistently managing identities and policies across multiple cloud platforms exceeds the scope of SSO and calls for a new solution that moves away from a centralized identity approach to a decentralized one. A decentralized approach is made possible through an Identity Fabric and gives you the flexibility to migrate and manage identities on your own timeframe.