IaaS: Why Decoupled Identity Structures Should be the Way Forward
Shifting from physical data centers to virtualized, cloud data centers seemed impossible not long ago, and now, organizations are using the cloud in more ways than we thought possible a decade ago. As we have adopted virtualized data centers, we must begin to apply that same methodology to our identity complexes. In this article, we begin exploring governance, Identity as a Service (IaaS), and why decoupled identity structures should be the way forward for organizations.
Distribution is All Around Us
In today’s world, everything is distributed. We distribute technologies for redundancy, we distribute our workforce to comply with pandemic precautions, and we build decoupled applications to spread their strain on resources efficiently. Warehouses distribute products around the globe to bring their goods closer to their consumers, in much the same way Content Delivery Networks (CDNs) bring digital assets to the edges of the Internet to decrease latency. The money in our retirement accounts is, generally, distributed among different assets to give us some balance between protection from market forces and growth potential.
Yet there are some strings we have held onto tightly. Unlike many other parts of the world, until recently, mobile device-based payment transactions in the United States accounted for only a small percentage of daily retail sales. Even though most of us carry mobile-payment-capable devices with us everywhere we go – in our hands, on our wrists, and in our bags – when given the option, we still reach for our wallets when the check comes.
In much the same way, as organizations, we continue to look at identity in ways that limit the potential of “what could be.” We seem to be comfortable leaving our identity complexes wrapped up in the package they came in – even if that package is starting to look a bit worn. Identity is the single thread that weaves its way through nearly every piece of our infrastructure. Identity touches our users, our hardware, our clients, our guests – every single part of our infrastructure is a part of our identity complex.
Essentially, identity has become a “single pane of glass” through which we can view our infrastructure, and, as such, we have taken great strides to protect it. Multi-factor authentication (MFA), strong password policies, access restrictions, and other layered protections all play essential roles in the security of our environment. This hardening is the foundation of our secure infrastructure models, but it can also be the tether that holds us back.
Too Many Eggs, Not Enough Baskets
For many of us, Microsoft’s Active Directory is the heart and soul of our organization’s identity infrastructure. Active Directory is no longer a “pretty LDAP” that authenticates users and goes back to sleep until the next logon. Instead, for many of us, Active Directory has extended itself across our organizations and become the single basket (or resource) where we place all our eggs (or identities).
As our organizations grow beyond the data center and into the cloud, our identities must mature with us. Users expect federated sign-on experiences in everything that we deploy. Gone are the days of accounts authenticating against a single resource; users of Application A and Application B no longer have application-scoped identities. The push toward Single Sign-On (SSO), coupled with the need and desire for federated user experiences, has elevated identity management to the organizational level.
The transition from application-scoped identities to organization-scoped identities has introduced complexities that call into question the secure foundation upon which we have all come to rely. Taking additional measures to secure your identity infrastructure is essential, and many of us are familiar with implementing measures such as Multi-Factor Authentication (MFA) and restricted access policies designed to help organizations address this need.
Recognizing Some Adoption Hurdles
As our organizations grow more comfortable with adopting cloud infrastructure and resources, leveraging our existing identity infrastructure against and within any new resources we choose to adopt has become complex. Despite these growing complexities, efforts to distribute our identity infrastructures have remained complex, misunderstood and, all too often, ignored.
If we can easily distribute so many facets of our organization, why have we resisted where it matters most?
Trusting the intangible can be, well, difficult. It’s the first hurdle that organizations must overcome on their journey to the cloud.
Governance As Our Organizational Foundation
Extending identities to the cloud is complex. Where will they be stored? How will they be secured? What will prevail as the foremost “system of record” within our organization? Outlining a governance framework should be the first step when looking at the modernization of applications and infrastructure.
In a nutshell, governance can be defined by the following four steps:
- Establish a defined set of rules that must be agreed upon and can be operationalized across your organization.
- Invest in research to define what success looks like, how a solution will be implemented, how that solution will be regulated, and how it will be maintained. Keep in mind that the best governance strategies use principles that can be replicated throughout your organization. In the same way we have learned to write code that operationalizes repeatable tasks, any governance policy should be objective enough that its overarching themes can be applied to any, and hopefully all, future projects.
- Review your findings cross-functionally, obtain feedback from all stakeholders, and refine your plan to include any relevant changes.
- Commit your plan to paper and publish it within your organization. Know that you will need to revise this plan continually; it will become a “living document” that is updated to maintain relevancy and applied wherever possible within your organization.
Multi-Homed Identities
Organizations that have an on-premises Active Directory and extend it to Azure Active Directory (AAD) have, whether intentionally or not, enabled a hybrid-cloud approach – at least with respect to identities. Here, identities exist as whole objects both on-premises and in Azure, and in many instances we can use either for authentication.
Native Windows tools allow us to synchronize our on-premises Active Directory to a private, virtualized directory service within our own Azure tenants. Reasonably simple to set up and maintain, Azure Active Directory Sync is often the first step many organizations take towards identity modernization.
The same can be achieved using Amazon Web Services (AWS) tools to seamlessly extend your identity complex to AWS. The AWS Directory Sync service will synchronize your on-premises identities from Active Directory to the AWS Directory Service using similarly native tools, and it is also easy to set up and maintain.
Decouple Everything
From physical infrastructures to workforce empowerment, extending all the way into our organizations’ most coveted resources, the era of monolithic solutions to technical problems has passed. Running your Active Directory, or any other identity model, using an application-managed scale-out approach is no longer the bedrock on which we will achieve operational excellence.
Not long ago, in what is now a different world, we could deploy our directory infrastructures across several physical hosts in a pair of physically separate data centers, and that was all the innovation and security we needed for them to meet the needs of our organizations. As with all great things, however, the sun has set on this single-homed approach; our identities need to be operationalized in the same way that we have modernized everything else.
We need to bring our identities to the platforms that we are using, and we need to be confident in our approach. The infrastructures upon which we have built our identity complexes, initially as a way to protect them, can no longer be a blocker for cloud adoption. Identity, in much the same way we transitioned compute resources away from physical servers in a proprietary data center, must be viewed as an extensible platform or service that we can leverage on our journey towards operational excellence. The use of one identity service should not prevent the use of tools and resources from different providers. By using tools that are available, tested, and relied upon by many organizations today, we can begin to architect our limitless journeys toward cloud adoption.
Learn More
Are you interested in learning more about how you can take advantage of Identity as a Service models and products to help meet organizational needs? SPR can help you with that! Using technologists from our Cloud, Software Development, Data, and Modern Workplace practices, we can help you understand, architect, test, and deploy your infrastructure and applications where you want and need them to run.