June 20
Richard Bird | Chief Customer Information Officer, Ping Identity


If only such a thing existed. The fact of the matter is that enterprises have far too much stake in their on-premises identity infrastructures to just turn them off and move everything into the cloud. A company that supports an app or two may be able to manage a quick cloud-first initiative, but that’s just not in the cards for large enterprises. If you’re one of the many enterprises with a cloud-first initiative, you’ve probably figured out that it’s a significant undertaking, to say the least.


First let’s tackle what “cloud-first” means. Initially, it centered around a mandate to rely on cloud computing, versus building costly data centers. Since then, the cloud has evolved. Enterprises, even large ones, are getting more comfortable offloading not just their infrastructure, but also the functionality they need, to enterprise SaaS applications. With that in mind, the meaning of cloud-first could vary from enterprise to enterprise. It could still mean a simple mandate to move everything to AWS, Azure or other private clouds. However, it’s becoming more commonplace to prioritize the use of SaaS applications.


Identity has a lot of overlap with other types of cloud-first initiatives. In fact, it’s usually tucked in underneath an umbrella enterprise initiative to move to the cloud. Like other pieces of software, it has options to deploy software in a private cloud or to deploy identity using a SaaS model—or identity as a service (IDaaS) as we in the identity space refer to it.


While there are similarities, a few things are unique to identity. First, identity is mission-critical software. It’s not the only type of software that can make that claim, but it does mean there’s more resistance when cloud-first initiatives ask that enterprise IT and security teams give up control of identity-related data, particularly when moving to an IDaaS solution. Still, slowly but surely, many enterprises are coming around.


If you consider every single app your enterprise has, you realize they don’t have much in common. However, more often than not, users need to sign on to them. That’s identity. Whether you use a centralized identity solution for things like single sign-on (SSO), multi-factor authentication (MFA), a user directory and other identity services, or you have a mix of different services depending on the app that’s using them, you have to think about every app your enterprise has if you want to move identity to the cloud.


So, we’ve got mission-critical software that touches every single app in your enterprise. There’s a good chance your identity solutions vary from app to app with different user stores, standards support and sign-on experiences. If you’re tasked with moving all of that to the cloud, it may be comprised of many separate migration projects with varying levels of difficulty. If you have a completely centralized solution, then you’re tasked with finding a cloud solution that can model the best aspects of the on-prem architecture you’ve spent so long building. To sum it up, identity is a hard thing to move.

Now, let’s answer our original question more succinctly. What does cloud-first mean for identity? It means that there’s no “cloud-first” switch that you can flip. Migration to the cloud could take years or even have no foreseeable end in sight. In other words, you can start a cloud migration, but you might not finish it for a very long time. That brings us to another staple trait of cloud-first with identity: coexistence.


The diversity in your applications standards, the identity solutions they use, the type of user data they store, the directories they’re tied to, and many other variables make it impossible to forklift all of your identity to the cloud. Cloud migrations may be relatively simple for some SMBs, but in reality, larger enterprises have to consider coexistence. Getting to the cloud is a marathon, not a sprint. Here are a few things to think about during this period of coexistence.


Whether you’re moving to an IDaaS solution or deploying identity software in a private cloud, your applications may have different sources of user data that need to be moved. That’s the case even within specific user types—customers, partners, employees, etc. Those could be LDAP directories, RDBMS repositories, CRMs or others. Among those data sources could be conflicting information about customers. That alone makes it difficult to move everything to the cloud at once. If a user repository can’t be moved, then on-prem applications may be dependent on them. Bottom line: Coexistence among your user repositories may be unavoidable.

That doesn’t mean you want to give your users different sign-ons or versions of their profile when they sign on to apps on opposite sides of the cloud migration. Thinking about where your user data is stored and how you’re going to synchronize that data to create a single, unified profile across that hybrid IT void is critical.


Moving to the cloud—especially to an IDaaS solution—can introduce different sets of identity capabilities than those you’re used to with your on-premises solutions. In addition to whether the solution can handle on-premises components to your user directory, you need to think about your identity use cases. You may have developed a number of use cases that rely on specific nuances of standards support. You may need to request inbound SSO tokens or assertions, think about apps that don’t support identity standards or consider other use cases that a cloud identity solution just can’t address. Although it’s ideal if an IDaaS solution supports all of your use cases, it can be okay if it doesn’t. In that situation, you just need to make sure it can integrate with your on-premises components that do. Sometimes standards support will do the trick, but that’s not a guarantee. It’s important to confirm the possibility of those integrations to support your period of hybrid IT coexistence.  


I know, cloud-first is about moving off of on-prem architecture. But still, there may be some components of your on-prem identity architecture that you want to keep. You probably spent a lot of time determining how to isolate different identity types, defining the exact schemas you need for each identity type, or enforcing the ability for administrators to control who has access to your users. If you’re moving to an IDaaS solution, it’s important to be able to model this type of architecture within that solution. If you ensure that it can isolate identities, delegate administration and support multiple schemas, you can have the best of both worlds: migrating away from your on-prem identity components while keeping the architectural fundamentals you’ve baked into them.


Finally, there’s a security scale. I don’t think you’ll find an identity provider on earth who doesn’t use words like secure and scalable in their marketing materials or documentation. The problem is that those terms are open to interpretation. Does scalable mean 10,000 users or 100 million? How many sign-ons per second? What exactly does secure mean? Do you know that passwords aren’t just encrypted, but hashed? Have you considered password policies? Is user data encrypted everywhere, or just when stored? Like I said, there’s a lot of room for interpretation with regard to what constitutes as secure and scalable. The best way to ensure that your cloud destination will meet your needs is to gather requirements from security teams and make sure you verify that your cloud destination can meet those requirements before you start your cloud-first journey.


The term “cloud-first” gets thrown around a lot. For large enterprises that want to move their identity infrastructures to the cloud, it’s a marathon, not a sprint. It’s not only important to confirm that your destination in the cloud is scalable and secure—based on your definition of the terms. It’s also important to ensure that you can maintain a cohesive identity infrastructure in the inevitable—and potentially lengthy—period of hybrid IT coexistence. It’s not an easy journey, but it’s possible to get your identity solutions above and beyond your on-premises data centers, and into the cloud!

View More Posts

Identiverse is the place to go for all things Identity!

— Anonymous