How to Tame Cloud Identity Sprawl
While there is value in having coordinated systems, the idyllic prospect of bending disparate identity systems in an organization is riddled with problems.


Sprawl happens

Most cities deviate from their original urban plan due to natural and evolutionary forces. For example, homes and businesses spread to areas that offer the resources they need, like water, open spaces, transportation, etc. The same type of sprawl applies to identity management in enterprises. And, as much as we don't like to admit it, most companies' identity management systems aren't "planned." This is especially true when it comes to the cloud.

It’s a familiar story. Early on, a company typically doesn’t need much in identity management. Maybe they use Active Directory wired to their email or even just Gmail. The payroll system uses its own view of the employees and their data, and Slack has a whole other list of users. Eventually, more teams add their silos; the engineering team wants to control access to source control, and the IT department starts to validate access to compute resources.

Each team has different needs: the IT department concentrates on security and access via keys and certs, while the human resources department is more concerned with employees’ attributes like their home address and tax information. They likely don’t coordinate, as each is responding to its own pressures and constraints, and since nothing is connected, it doesn’t matter much. This is the company’s natural reaction to various stresses and pressures.

Orchestrate, don't consolidate

Yet the resulting entity is considered anything but natural. “One identity to rule them all” is often the rallying cry for re-architecting identity infrastructures. The goal is to rip out, replace, and redesign the entire working (but usually not ideal) system and substitute a new centralized alternative.

While there is value in having coordinated systems, the idyllic prospect of bending disparate identity systems in an organization is riddled with problems. The rip-and-replace to centralize approach is expensive, time-consuming, adds little value, and often creates a loss of control and efficacy for each implementing group.

In addition, it doesn’t address the fact that each existing identity system has its own rationale, which is what led to the current situation in the first place.

Meanwhile, implementing an overarching identity infrastructure rules out using “best-of-breed” solutions. For instance, maybe the IT group has been using multi-factor authentication (MFA) technology that best suits their needs, and they spent months researching, evaluating, deploying, and customizing.

The applications group may have spent years building a redundant, replicated, highly resilient directory for serving customer traffic. All of these efforts will be laid to waste, often for a solution that is ideal for one or two groups but is a regression for the rest of the organization.

Identity Orchestration and Pitfalls to Avoid

A more rational alternative to identity consolidation is identity orchestration. Instead of rewriting well-functioning applications and identity integrations and taking away the autonomy that individual groups get from their preferred solutions, orchestration allows existing identity systems to work as a whole. Orchestration uses an abstraction layer between incompatible identity systems that allows them to interoperate by handling the protocol transactions, routing authentication and access requests, and enforcing policy.

There are several pitfalls to avoid when deploying identity orchestration:

  1. Don’t confuse identity consolidation with orchestration: Since every cloud platform uses its own identity system, standardizing on one technology will require rewriting the applications that currently don’t support the one you choose.
  2. Avoid focusing on a single immediate problem: A good example is implementing YubiKey for authentication. Performing the work to integrate a solution with one identity system is time-consuming and costly. If requirements change, the whole process must start over in six months or a year. Instead, take an abstract view of identity orchestration.
  3. Consider the complete identity stack when planning your orchestration architecture: This includes applications, identities, data sources, and networking. To be effective, orchestration requires an abstraction layer that sits above identity infrastructures, identity data silos, and identity domains.

Sprawl for Growth

While sprawl is inevitable and irreversible in cities, it has produced some of the most dynamic and diverse places globally, including New York, London, Paris, Rome, and more. In the cloud, sprawl is also to be expected. And just because it can be changed does not mean its replacement will avoid the same outcome over time. Identity orchestration provides the opportunity to knit together systems that are proven and working while offering the flexibility to easily make infrastructure adjustments when needed to respond to evolving business requirements.

Topher Marie, CTO, Strata Identity

Topher brings deep experience with cloud-scale identity and security architectures to Strata. Prior to Strata, Topher was Chief Cloud Architect for Oracle’s cloud identity and security portfolio globally. Topher was a Product Owner at Auth0, co-founder of JumpCloud, a venture-backed identity company, Symplified’s lead architect, and got his start in identity at Ping Identity.

Follow Topher on LinkedIn. Go to Strata.io for more about Identity Orchestration.

(Article originally published on IT Toolbox on April 14, 2022.)
