The Case for Identity Modernization
Published 06/14/2021
Written by Eric Leach, Co-founder and Chief Product Officer of Strata Identity
Companies have been deploying on-premises identity products for over two decades. It worked pretty well for the most part — managing accounts, provisioning, and authenticating users — when everything was inside the enterprise firewall.
But businesses are now using cloud providers (often multiple cloud providers) to handle their workloads. Software as a service (SaaS) has taken over many of the functions handled by on-premises apps in the past. In fact, more than 87% of companies now use a hybrid cloud, multiple cloud providers, or both.
When enterprises started adopting cloud platforms and applications, legacy identity products weren’t able to keep up. These products didn’t do a good job of adopting new standards as they emerged and so couldn’t integrate with cloud systems and meet the unique requirements of users accessing resources that were no longer inside the firewall.
But today’s workplaces are adapting to a future of remote work, leveraging SaaS applications and using multiple public cloud platforms. It’s time to modernize identity to match the way we work today. Unlike the past, when organizations could rely on a centralized identity system, distributed infrastructures, distributed workloads, and distributed data require a distributed approach to identity.
The Challenges of Modernizing Identity
When modernizing identity, organizations face two challenges. First, on-premises identity systems don't talk to cloud identity systems, and vice versa. Second, cloud-based platforms each have their own identity systems, leaving the enterprise with multiple identity silos and no way to manage them beyond superficial single sign-on (SSO) integrations.
Identity Ownership
And the turf wars don’t end there. The question of which organization within an enterprise owns identity in the cloud is more of a political issue than a technical one. Who should own what isn't clear, and it's hard to resolve because there are a lot of gray areas.
If you have multiple clouds, the enterprise identity and security teams often don't own the cloud infrastructure; the various cloud teams do. Those teams are creating and managing their own identity outside of the purview of the identity and security world, and getting control of it is a political nightmare.
Mismatched Technology
Mismatched technology can be another sticking point. Many legacy identity systems deployed over the past two decades are still running because the cost and disruption of migrating them to the cloud is simply too high. This leaves enterprises living on borrowed time. Most of these identity systems have reached end-of-life and their vendors have stopped supporting them, and even those that are still supported lack the critical capabilities to handle the new reality of hybrid and multi-cloud environments.
Still, a typical enterprise isn't going to magically transition to the cloud all of the applications that run its business. Meanwhile, it is also running cloud systems that don’t adapt well to the on-premises world. This turns into a sandwich of challenges: Do I try to adapt on-premises identity to the cloud, or adapt cloud identity to its on-premises counterpart? Neither of them is well suited to handle all the needs of the organization.
The Solution: Identity Orchestration
Identity orchestration, which abstracts the way applications integrate with various identity capabilities, can bridge this gulf. It eliminates the need to rewrite each application to work with a new identity system or to add new features so that you can, for example, add MFA to an app that was developed to only work with usernames and passwords. Not only does this allow on-premises and cloud identity to coexist but also allows enterprises to be more secure and support newer concepts like zero-trust access to apps.
When considering an identity orchestration architecture to modernize applications you need to be aware of these common pitfalls to avoid creating speed bumps and compromising security:
Don't attempt big bang migrations
Organizations have been trying to perform large-scale migrations for years, and their failure rate is shockingly high. So don't try to do a big bang, because it won't work. Using identity orchestration allows you to do incremental migrations as apps and identity systems are modernized. Incremental migrations have a much higher success rate because you can identify low-risk cohorts of users to migrate first, run A/B tests to make sure migrations are transparent and successful, and roll back incrementally rather than having to back out an entire migration all at once. Returning to a recoverable state is much easier and more agile, because you're taking things in small chunks.
Don't centralize again
As you're modernizing, embrace the distributed nature of the platforms that you have and the realities of the hybrid and zero-trust world we have to support. Trying to centralize identity works against the grain and diminishes the value you get from a distributed architecture. Avoid the mindset of your existing vendors, which is similar to the traditional identity mindset: “Put all of your identities into one platform and everything's going to work out great.” For example, it’s not even possible to replace one cloud identity platform with another cloud provider’s. Instead, use identity orchestration to make them play well with each other and don’t try to shoehorn everything into one identity system; you’ll just create a whole host of new problems for your organization.
Don't tie your apps to your new identity system
One of the disadvantages of the legacy, centralized approach to identity was how tightly coupled applications had to be when integrated with your identity system. Avoid repeating that mistake in your identity modernization project and decouple your applications from any one identity system by integrating them through an identity fabric. This gives you the ability to choose different products and services for things like authentication, authorization, multi-factor authentication, or risk scoring. And you gain the ability to swap in and out identity services as the needs of your business change and your requirements evolve. This abstraction layer and decoupling will provide flexibility and choice for implementing a truly distributed identity architecture.
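The incremental-migration and decoupling points above can be made concrete with a small orchestration layer. This is an added example written for this page, not Strata's code or any product's API: applications call only the orchestrator, which routes each user to the legacy or cloud provider based on the cohort currently migrated, layers a pluggable MFA check over providers that only understand passwords, and can roll back a single cohort. Provider names, user records and the MFA callable are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Protocol, Set


class IdentityProvider(Protocol):
    """Minimal contract the orchestrator needs; apps never call an IdP directly."""
    name: str

    def authenticate(self, username: str, password: str) -> bool: ...


@dataclass
class PasswordIdp:
    """Stand-in for either a legacy directory or a cloud IdP (constructed sample users)."""
    name: str
    users: Dict[str, str]

    def authenticate(self, username: str, password: str) -> bool:
        return self.users.get(username) == password


@dataclass
class Orchestrator:
    """Routes each login to the IdP that owns the user's cohort and layers MFA on top."""
    legacy: IdentityProvider
    modern: IdentityProvider
    mfa_check: Callable[[str, bool], bool]           # pluggable MFA service, swappable later
    migrated: Set[str] = field(default_factory=set)  # cohort currently routed to the modern IdP

    def migrate_cohort(self, users) -> None:
        self.migrated |= set(users)

    def rollback_cohort(self, users) -> None:        # undo one cohort, not the whole migration
        self.migrated -= set(users)

    def login(self, username: str, password: str, otp_ok: bool) -> dict:
        idp = self.modern if username in self.migrated else self.legacy
        if not idp.authenticate(username, password):
            return {"ok": False, "idp": idp.name, "reason": "bad-credentials"}
        # MFA is enforced here, so a password-only app gains it without being rewritten.
        if not self.mfa_check(username, otp_ok):
            return {"ok": False, "idp": idp.name, "reason": "mfa-failed"}
        return {"ok": True, "idp": idp.name, "reason": None}


def build_demo() -> Orchestrator:
    """Constructed sample: alice is provisioned in both systems, bob only on-premises."""
    legacy = PasswordIdp("legacy-ldap", {"alice": "pw-a", "bob": "pw-b"})
    cloud = PasswordIdp("cloud-idp", {"alice": "pw-a"})
    return Orchestrator(legacy, cloud, mfa_check=lambda user, otp_ok: otp_ok)
```

A cohort whose members are not yet provisioned in the cloud IdP fails at the credential step, which is the signal to roll that cohort back while leaving the others migrated.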
Now that enterprises are moving infrastructure, workloads, and data to multiple clouds, identity needs to evolve from the old world in which everything was inside the firewall. If you don't modernize identity, you're holding back the organization from realizing the benefits of the rest of your infrastructure and application modernization efforts.
Eric Leach has more than 20 years of experience in leading product strategy, go-to-market and innovation for identity management, application security and data protection products at Apcera, Salesforce, Oracle and Sun. Eric has applied his passion for solving customer problems to products such as Salesforce Shield, the fastest growing product in that company’s history, the OpenSSO project, the industry’s first open-source enterprise identity product, and Oracle’s market-leading identity management product.