In hybrid environments, users, their profile data and attributes span multi-cloud and on-premises systems. This is a distributed management challenge that identity orchestration can help address. Here, Strata CEO Eric Olden explains how identity orchestration can help harmonize the old and the new.
One of the biggest adaptations businesses had to make in the last year was a massive shift to remote work. All of a sudden everyone was working remotely, logging on to their home computers, and moving work around with the help of cloud-based apps.
This really drove home the need to secure identities in the cloud, especially hybrid cloud environments that combine on-premises and cloud-based apps and identities. According to one survey, businesses went 23% over budget on cloud services on average in 2020 and expect to increase their cloud spend by 47% in 2021. Almost 6 out of 10 enterprises said they used the cloud more than expected.
This expansion means many companies may be mixing and matching old, legacy systems they have in-house with multiple cloud platforms, each with its own identity system, and finding those old, on-premises apps need to be rewritten to mesh with the new cloud platforms.
In hybrid environments, users, their profile data and attributes are distributed across the cloud and on-premises systems. You can have legacy systems that are decades old managing identities in multiple silos like HR systems and databases, while cloud providers use modern tools that manage users and policies their own way.
Identity orchestration can address these challenges in the following ways:
1. Serving as a cloud ID provider
Users in the cloud can access on-premises apps through their browser by signing in with an identity service instead of a VPN. Using Azure Active Directory, Okta, or similar cloud directory services, the user signs on with a single authenticated identity and can securely access all the apps they are authorized to use.
In this use case, identity orchestration serves as a doorman, holding the different keys and enforcing the different access policies. Imagine a hallway of doors, some of which open with keys, others with keycards, and some that won't open at all. An orchestration system will know what it takes to authenticate the user, whether that is a cookie, an authentication protocol like OpenID Connect, or an HTTP header.
And when you need to change the locks, say after a data breach, an orchestrator comes in handy. If you have hundreds of applications (the average company uses over 1,295), rewriting each one will need time, a large budget, and access to their source code. Use identity orchestration instead.
2. Bridging hybrid identity systems
Most companies don't perform a wholesale migration from legacy on-premises systems to the cloud; instead, they use a gradual migration path that can take 10 years for some. Modern cloud and legacy on-premises identity systems have to co-exist, and users don't care where their apps are as long as they are available. And they don't need to know if Azure AD or SiteMinder is handling their identity; they just want to get their jobs done.
They may not care about the infrastructure, but the identity team does. An orchestration system can automate identity management across different cloud and legacy systems and bridge gaps between them. Orchestration software can figure out if 10% of the apps use cloud identity and the rest are in the on-premises system and handle them accordingly. That ability helps migrations, as well, because as 10% becomes 20%, 30%, or 40% over time, it simply requires a new configuration, not application re-coding. This gives companies the flexibility to migrate incrementally to the cloud instead of making a disruptive big bang.
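To make the "new configuration, not application re-coding" point concrete, here is a small illustrative model of a configuration-driven orchestrator. It is an added example, not Strata's product or code: every application is bound by configuration to an identity system and to the token form it consumes (HTTP headers, a cookie, or an OIDC bearer token), and migrating an app to the cloud provider rewrites only that binding. All system, app and user names below are constructed placeholders.

```python
"""Configuration-driven identity orchestration, as a small illustration.

Every application is bound to an identity system and to the token form it
consumes by configuration only. Migrating an app from the on-premises
system to the cloud provider changes that configuration; the app itself
is not touched. All system and app names here are constructed.
"""
from dataclasses import dataclass, field

# Identity systems the orchestrator fronts. Placeholder names, not products.
IDENTITY_SYSTEMS = {
    "legacy-sso": {"kind": "on-prem"},
    "cloud-idp": {"kind": "cloud"},
}

TOKEN_FORMS = ("header", "cookie", "oidc")


@dataclass
class AppBinding:
    name: str
    identity_system: str  # key into IDENTITY_SYSTEMS
    expects: str          # token form the app consumes, one of TOKEN_FORMS


@dataclass
class Orchestrator:
    bindings: dict = field(default_factory=dict)

    def bind(self, binding: AppBinding) -> None:
        if binding.identity_system not in IDENTITY_SYSTEMS:
            raise ValueError(f"unknown identity system {binding.identity_system!r}")
        if binding.expects not in TOKEN_FORMS:
            raise ValueError(f"unsupported token form {binding.expects!r}")
        self.bindings[binding.name] = binding

    def migrate(self, app: str, new_system: str) -> None:
        """Re-point an app at another identity system. Config only: the token
        form the app expects is unchanged, so the app is not rewritten."""
        if new_system not in IDENTITY_SYSTEMS:
            raise ValueError(f"unknown identity system {new_system!r}")
        self.bindings[app].identity_system = new_system

    def cloud_fraction(self) -> float:
        """Share of bound apps whose identity is handled by a cloud system."""
        if not self.bindings:
            return 0.0
        cloud = sum(1 for b in self.bindings.values()
                    if IDENTITY_SYSTEMS[b.identity_system]["kind"] == "cloud")
        return cloud / len(self.bindings)

    def handle(self, app: str, session: dict) -> dict:
        """Turn an authenticated session into what the app consumes.

        The session must come from the identity system the app is bound to;
        a session from any other issuer is refused rather than translated.
        """
        binding = self.bindings[app]
        if session.get("issuer") != binding.identity_system:
            raise PermissionError(
                f"session issued by {session.get('issuer')!r}, "
                f"but {app!r} is bound to {binding.identity_system!r}")
        return translate(session, binding.expects)


def translate(session: dict, form: str) -> dict:
    """Token translation: one session representation to the form an app expects.
    Values are illustrative; a real orchestrator would sign or encrypt them."""
    if form == "header":
        # Legacy pattern: identity injected as HTTP headers by a trusted proxy.
        return {"X-Remote-User": session["sub"],
                "X-Groups": ",".join(sorted(session["groups"]))}
    if form == "cookie":
        return {"Set-Cookie": f"legacy_session={session['session_id']}; HttpOnly; Secure"}
    if form == "oidc":
        return {"Authorization": f"Bearer {session['access_token']}"}
    raise ValueError(f"unsupported token form {form!r}")


def demo() -> Orchestrator:
    """Ten constructed apps: one on the cloud provider, nine on the legacy system."""
    orch = Orchestrator()
    orch.bind(AppBinding("portal", "cloud-idp", "oidc"))
    for i in range(1, 10):
        orch.bind(AppBinding(f"legacy-app-{i}", "legacy-sso", "header"))
    return orch


if __name__ == "__main__":
    o = demo()
    print(f"cloud share before migration: {o.cloud_fraction():.0%}")
    for name in ("legacy-app-1", "legacy-app-2", "legacy-app-3"):
        o.migrate(name, "cloud-idp")
    print(f"cloud share after migrating three apps: {o.cloud_fraction():.0%}")
```

The `handle` check that the session issuer matches the app's binding is the part worth keeping in mind: an orchestrator that translates any session into any app's token form would quietly become a confused deputy, so the binding is enforced before translation happens.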
3. Combining people and packets
Using identity attributes and network activity data to establish composite user profiles can help enforce more granular security controls. The problem with a network security mindset is it deals in data packets, not people. That worked when users were all connected via the network, but now many of them are in the cloud. So identity is the new perimeter.
That means companies can't rely on network data alone anymore. A more powerful and granular approach is based on authenticating users using multiple identity sources, including packet data. This model considers user attributes such as whether they are connecting via a trusted device, their IP address, and identifiers such as their email address, and matches them to infrastructure information contained in directories, identity systems, or databases, whether they are on-premises or on the cloud. It pulls all of these attributes to enrich user profiles for enforcing user access policies.
Creating an environment where authenticated users can only gain granular access to the resources they need is a true zero-trust model. Many enterprises confuse zero trust with zero access and shut off access to their on-premises system by cloud users. In today's business environment, that's a mistake. With so many businesses now using the cloud and often using multiple cloud vendors, they need to learn to integrate cloud-based identity with on-premises identity to build zero-trust with zero limits.
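The "people and packets" idea above can be shown as a small policy evaluation. The following is an added example, not code from the article or from Strata: a composite profile is built by joining directory attributes (department, groups) with request context (whether the device is in a managed-device registry, whether the source IP is on a corporate network), and a per-resource policy then grants access outright, grants it behind step-up MFA, or denies it. The directory records, device ids, networks and resource names are all constructed for the example.

```python
"""Composite user profile for access decisions: identity attributes from a
directory joined with network context from the request. Constructed data.

The decision uses who the user is (directory attributes) and how they are
connecting (device trust, source address), and grants only the access the
combined profile justifies, rather than denying everything off-network.
"""
import ipaddress
from dataclasses import dataclass

# Constructed directory records keyed by email, standing in for what an
# on-premises AD or a cloud directory would hold. Not real people.
DIRECTORY = {
    "alice@example.com": {"department": "finance",
                          "groups": {"finance-users", "staff"}},
    "bob@example.com": {"department": "engineering", "groups": {"staff"}},
}

# Constructed registry of managed devices (an MDM or device-trust source).
TRUSTED_DEVICES = {"dev-1001", "dev-1002"}

# Constructed corporate address ranges (192.0.2.0/24 is a documentation range).
CORPORATE_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                      ipaddress.ip_network("192.0.2.0/24")]

# Per-resource policy: the group that may use the resource and whether a
# managed device is mandatory. Constructed for the example.
POLICY = {
    "payroll": {"group": "finance-users", "require_trusted_device": True},
    "wiki": {"group": "staff", "require_trusted_device": False},
}


@dataclass(frozen=True)
class Profile:
    email: str
    department: str
    groups: frozenset
    trusted_device: bool
    on_corporate_network: bool


def build_profile(email: str, device_id: str, source_ip: str) -> Profile:
    """Join directory attributes with request context into one profile."""
    record = DIRECTORY.get(email)
    if record is None:
        raise LookupError(f"no directory record for {email!r}")
    ip = ipaddress.ip_address(source_ip)
    return Profile(
        email=email,
        department=record["department"],
        groups=frozenset(record["groups"]),
        trusted_device=device_id in TRUSTED_DEVICES,
        on_corporate_network=any(ip in net for net in CORPORATE_NETWORKS),
    )


def decide(profile: Profile, resource: str) -> str:
    """Return 'allow', 'allow-with-mfa' or 'deny' for this profile and resource."""
    rule = POLICY.get(resource)
    if rule is None:
        return "deny"  # default deny for resources with no policy
    if rule["group"] not in profile.groups:
        return "deny"
    if rule["require_trusted_device"] and not profile.trusted_device:
        return "deny"
    # Off-network sessions still get the resource, but only after step-up MFA:
    # zero trust, not zero access.
    if not profile.on_corporate_network:
        return "allow-with-mfa"
    return "allow"


def evaluate(email: str, device_id: str, source_ip: str, resource: str) -> str:
    """Convenience wrapper: build the profile and evaluate the policy."""
    return decide(build_profile(email, device_id, source_ip), resource)


if __name__ == "__main__":
    for args in (("alice@example.com", "dev-1001", "10.1.2.3", "payroll"),
                 ("alice@example.com", "dev-1001", "203.0.113.5", "payroll"),
                 ("alice@example.com", "byod-77", "10.1.2.3", "payroll"),
                 ("bob@example.com", "dev-1002", "10.1.2.3", "payroll"),
                 ("bob@example.com", "byod-77", "203.0.113.5", "wiki")):
        print(args, "->", evaluate(*args))
```

The point of the structure is that the network signal changes the strength of authentication required rather than acting as the sole gate: group membership from the directory decides whether the user is entitled to the resource at all, device trust decides whether a sensitive resource can be reached, and the source network only decides whether step-up is demanded.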
How to Get Started With Identity Orchestration
To get started, you’ll need to:
- Incrementally adopt new cloud services to avoid big bang migrations
- Develop a plan for moving applications to the cloud, including which apps you will "lift and shift," which you will replace with a SaaS product, and which you will rebuild cloud-native. You'll also need to develop an identity strategy that works in all those scenarios.
- Analyze the applications you have and understand dependencies between each of them and identity, specifically how identity is integrated with the application.
- Group your applications by the level of difficulty in terms of how they are integrated (proprietary vs standards-based) to understand the level of effort and risk.
- Map out which capabilities you'll need to enforce your identity and access management policies, including authentication, attributes, access control, authorization, token translation, and what kind of tokens your applications and identity providers require: SAML, OIDC, HTTP headers, cookies, etc. Also, plan what systems will be used for onboarding.
- Adopt DevOps across your application and identity infrastructures so you can manage your cloud infrastructure programmatically through APIs
Supporting hybrid and multi-cloud application environments also means simultaneously supporting legacy and cloud-native identity systems. You can have legacy systems that are decades old managing identities in multiple silos like HR systems and databases, while cloud providers use modern tools that manage users and policies their own way. Identity orchestration can help resolve this challenge and help IT teams manage distributed identity in the multi-cloud landscape.