IBM has been a leading proponent of the hybrid cloud. Today’s columnist, Eric Olden of Strata Identity, offers insights on how security teams can effectively manage identities in hybrid and multi-cloud environments. (Photo: IBM Research, Creative Commons CC BY-ND 2.0)

Cloud adoption and migration, often consisting of multiple public clouds, has created shock waves in what has been the relatively stable world of identity management for the past few decades. The main culprit has been the new identity requirements for distributed, multi-cloud architectures.

In one recent study, 66% of respondents at enterprise organizations with an annual revenue of more than $1 billion said they use three or more on-premises and public clouds, while 32% use five or more clouds for their business.

Cloud, multi-cloud, and hybrid cloud environments are spawning new identities and apps very quickly and have become more fragmented every day. In fact, the number of cloud apps used by businesses grew 20% in 2020, with 83% of employees accessing personal apps on company devices. Even small businesses have an average of 258 applications at work, and the largest enterprises have an average of 1,265.

Today, there are more identities to manage, and they are distributed in more places. IT doesn’t just have to keep track of who’s who in the on-premises network and the cloud provider; it also needs to track identities across multiple clouds and apps. As the number of identities that need managing skyrockets, so does the number of siloed identity systems, since each cloud platform uses its own proprietary, built-in version.

Securing the organization now depends on managing these stand-alone systems and the policies that govern access to applications. Security teams can't consolidate all of these identity systems into a single centralized one because they are baked into how cloud platforms work; for example, Azure Active Directory (Azure AD) has become required for Microsoft 365. If companies want the apps, they use the identity that goes with them.

Finally, many organizations must manage hybrid infrastructures where legacy identity systems are on-premises and others reside in different cloud platforms, none of which interoperate with each other. This hybrid identity scenario further complicates the explosive growth of identities and identity silos.

Tips for managing distributed identities

Security teams can’t solve the distributed challenge posed by this new world order through the traditional centralized model. Multi-cloud apps consist of multiple identity systems. Multi-cloud users are complex as well: they exist in many different places, and the data that makes up a user gets distributed across clouds.

This requires a new approach to identity management that embraces the distributed nature of modern cloud infrastructures. Security pros can accomplish this using orchestration concepts made familiar by container technologies like Kubernetes. Using an abstraction layer with orchestration capabilities can unify disparate identity platforms and automate operations across them behind a single pane of glass.

As a starting point, think incrementally about moving from on-premises to the cloud. Rather than migrating all the company’s apps at the same time, adopt the “lift-and-shift” approach to migration. That way, all those apps are not in peril if something goes wrong and the team doesn’t have to start from zero.

Next, manage distributed identities with orchestration rather than trying to force centralization. Centralizing distributed systems doesn’t work.

Orchestration allows the team to normalize identity and policy across different systems, without the need to create a centralized repository that’s a meta copy of all the organization’s other identity systems that are often impossible to keep consistent at scale.

To implement consistent identities across multiple clouds and identity systems, security teams will need to integrate various identity providers programmatically to create a composite identity profile using attributes from each.

Meanwhile, the team can use existing standards such as OAuth, OIDC, SCIM, and SAML to automate the configuration and management of users’ sessions across legacy systems and cloud service providers.
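The two preceding paragraphs describe building a composite identity profile from attributes held in several identity systems, using standards such as SCIM to exchange user data. The following Python is an added example, not code from the column or from Strata Identity: it assumes each silo (a cloud directory, a second cloud identity provider, and an on-premises directory mapped by a connector) exposes a SCIM 2.0-style core user record, correlates the records on a normalized `userName`, applies a per-attribute precedence order to pick the authoritative value, records where the silos disagree, and unions group memberships with their provenance. The source names, precedence table and sample records are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Any

# Constructed SCIM-style records: one person as seen by three identity silos.
RECORDS = {
    "azure_ad": {
        "userName": "JDoe@example.com",
        "name": {"givenName": "Jane", "familyName": "Doe"},
        "emails": [{"value": "jdoe@example.com", "primary": True}],
        "active": True,
        "groups": [{"display": "m365-finance"}],
    },
    "okta": {
        "userName": "jdoe@example.com",
        "name": {"givenName": "Jane", "familyName": "Doe-Smith"},
        "emails": [{"value": "jdoe@example.com", "primary": True}],
        "active": True,
        "groups": [{"display": "aws-billing-readonly"}],
    },
    "onprem_ldap": {
        "userName": "jdoe@example.com",
        "name": {"givenName": "Jane", "familyName": "Doe"},
        "emails": [{"value": "jane.doe@corp.example.com", "primary": True}],
        "active": False,  # constructed: the account was disabled on-premises
        "groups": [{"display": "Domain Users"}, {"display": "finance-share"}],
    },
}

# Assumed precedence per single-valued attribute (highest authority first).
# The on-premises directory is treated as the system of record for status,
# so a disable there overrides cloud accounts that are still active.
AUTHORITY = {
    "active": ["onprem_ldap", "azure_ad", "okta"],
    "given_name": ["onprem_ldap", "azure_ad", "okta"],
    "family_name": ["onprem_ldap", "azure_ad", "okta"],
    "primary_email": ["azure_ad", "okta", "onprem_ldap"],
}


@dataclass
class Composite:
    user_name: str
    attributes: dict[str, Any] = field(default_factory=dict)
    groups: dict[str, set[str]] = field(default_factory=dict)  # group -> sources
    conflicts: list[tuple[str, dict[str, Any]]] = field(default_factory=list)


def normalize(record: dict) -> dict[str, Any]:
    """Flatten a SCIM core user into single-valued fields plus a group set."""
    primary = next((e["value"] for e in record.get("emails", []) if e.get("primary")), None)
    return {
        "user_name": record["userName"].lower(),
        "given_name": record.get("name", {}).get("givenName"),
        "family_name": record.get("name", {}).get("familyName"),
        "primary_email": primary.lower() if primary else None,
        "active": bool(record.get("active", False)),
        "groups": {g["display"] for g in record.get("groups", [])},
    }


def build_composite(records: dict[str, dict], authority: dict[str, list[str]]) -> Composite:
    """Merge per-silo records into one profile, keeping conflicts visible."""
    flat = {src: normalize(rec) for src, rec in records.items()}
    names = {f["user_name"] for f in flat.values()}
    if len(names) != 1:
        # Refuse to merge records that do not correlate to a single principal;
        # silently merging two people is worse than failing loudly.
        raise ValueError(f"records do not correlate to one user: {sorted(names)}")
    comp = Composite(user_name=names.pop())
    for attr, order in authority.items():
        # Insertion order follows precedence, so the first value is authoritative.
        values = {src: flat[src][attr] for src in order if src in flat and flat[src][attr] is not None}
        if not values:
            continue
        comp.attributes[attr] = next(iter(values.values()))
        if len(set(values.values())) > 1:
            comp.conflicts.append((attr, values))
    for src, f in flat.items():
        for group in f["groups"]:
            comp.groups.setdefault(group, set()).add(src)
    return comp


if __name__ == "__main__":
    profile = build_composite(RECORDS, AUTHORITY)
    print(profile.user_name, profile.attributes)
    for attr, seen in profile.conflicts:
        print(f"conflict on {attr}: {seen}")
    for group, sources in profile.groups.items():
        print(f"{group}: from {sorted(sources)}")
```

The conflict list is the useful output for an orchestration layer: a person disabled on-premises but still active in two cloud directories, or a surname that differs between providers, is exactly the inconsistency that a centralized meta-copy would hide or overwrite, whereas here the original records stay where they are and the disagreement is surfaced for review.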

An orchestration architecture also lets identities remain distributed in their original repositories. This makes it possible for organizations to migrate applications incrementally over time to the cloud and/or new identity systems, and avoid big bang projects that cost millions, take years and often fail.

Organizations are recognizing the scope and scale of the challenge they face when it comes to managing distributed identities living across on-premises and multi-cloud applications. Because it’s not feasible to centralize identity in one system, embracing the distributed nature of identity can avoid resource-consuming rip-and-replace projects by creating a fabric that can orchestrate existing identity systems in a cohesive and loosely-coupled whole.

Eric Olden, chief executive officer, Strata Identity