Addressing hybrid identity fragmentation across on-prem and Azure AD

Published 2022-10-05 (modified 2023-10-06). Source: https://www.strata.io/blog/identity-access-management/hybrid-identity-fragmentation-across-on-prem-and-azure/


How Strata and Microsoft work together to solve the user provisioning and sync problems across hybrid identity environments


Introduction

Chances are pretty good that you're right in the middle of a cloud migration or hybrid identity plan of some sort. The recent Flexera State of the Cloud Report found that 93% of enterprises have a multi-cloud strategy, and 87% have a hybrid cloud strategy. Fifty-nine percent of enterprises expect cloud usage to exceed prior plans due to COVID-19.

Meanwhile, during this transition, users, apps, and data spread across on-premises and cloud platforms. Enterprises are squeezing the last bit of life from legacy identity systems before they reach end-of-life. Each cloud platform brings its built-in identity system to the party. The legacy identity systems aren't flexible enough to solve cloud identity challenges. Unless rewritten, often at a high cost, on-premises apps don't support the standards used by cloud identity systems. Siloed, fragmented identity is the unanticipated result of running hybrid infrastructures.

Building interoperability between on-premises identity systems, which tend to be proprietary, and cloud systems, which support open standards, is complicated, labor-intensive, manual, and hard to maintain. Additionally, ownership of the hybrid identity solution is unclear at most companies, and politics get in the way of effective and efficient implementations. The bottom line is that identity fragmentation holds back cloud migration and digital transformation, and companies are in great need of a solid hybrid cloud strategy.

Challenges Managing Hybrid Identity

Delving further into the management of hybrid identities and hybrid cloud and on-prem strategy, we see that users, profile data, and attributes are duplicated or scattered across on-premises and the cloud. Specifically, decades-old tools and processes manage the allocation of on-premises identities across disparate systems: LDAP directories, databases, in-house HR systems, and Active Directory. Cloud providers manage identities using modern practices, standards, and APIs, but each cloud provider's APIs expose unique ways to manage users, attributes, roles, and policies.

Let's look at what happens when three different users (Alice, Bob, Carly) and profile attributes are created and managed in different identity systems spread across on-premises and the cloud.

1. Attributes for Alice are mastered on-premises and synced up to the cloud. (Figure 1)
2. Changes made in the cloud to Alice's attributes are not reflected in on-prem systems. (Figure 1)
3. Bob is created and managed in the cloud as a "cloud-only" user. (Figure 2)
4. Bob is not synced with on-premises systems. (Figure 2)
5. Carly is created in the cloud but needs access to on-premises applications. (Figure 3)
6. Some attributes are mastered in the cloud and others on-premises, with no clear guidelines on how to keep Carly's identity consistent. (Figure 3)

[Figures 1-3: azure-identity-fragmentation-user-challenges]

Now let's look at this from the perspective of the applications.

1. The Accounting app is locked on-prem, written to use the proprietary authentication and session of a legacy on-prem identity system. (Figure 4)
2. Unless rewritten, the Accounting app cannot work with cloud identity systems that use standards such as SAML, OAuth, OpenID Connect, and SCIM. (Figure 4)
3. The Expenses app was developed as a cloud-native app running on a cloud platform and uses OpenID Connect. (Figure 5)
4. The Expenses app is not accessible to on-premises users without extending or deploying new on-premises capabilities or migrating those users to the cloud platform. (Figure 5)
5. The Docs Management app is a SaaS app that uses SAML to integrate with an identity-as-a-service (IDaaS) platform. (Figure 6)
6. Users must be provisioned to the Docs Management app, attributes kept in sync, and policies rationalized. (Figure 6)

[Figures 4-6: azure-identity-fragmentation-app-challenges]

These are the characteristics of a fragmented identity system. This fragmentation leads to confusion for administrators, poor user experiences, a lack of executive visibility into access policies and how they are enforced, and a weakened security posture.

Secure Hybrid Access with Strata and Azure AD

Strata and Microsoft work together to transition on-premises applications to use Azure AD as the principal identity repository and to provide authentication and access control for on-prem apps. Strata extends Azure AD to protect these on-prem apps with no app rewrites and no changes to the user experience, enabling secure hybrid access that is far more user-friendly for enterprise users.

Microsoft Azure AD is the identity system of choice for many enterprises as they transition to the Azure cloud. Microsoft provides Azure AD Connect to sync user identities from on-prem Active Directory to Azure AD. Additionally, Azure AD manages cloud-only users to provide access to applications and services registered with an Azure AD tenant.

As a complement, Strata builds complete user profiles from attributes gathered from any identity system, including directories, databases, and any API-exposed system that holds identity profile attributes. Strata provides an aggregation of disparate profile information, giving your users a complete experience across hybrid environments. Specifically, for Azure, Strata provides the following capabilities: