“Hybrid” is everywhere today, whether it’s vehicles, work or infrastructure deployment – you can’t help noticing the rise of hybrid. Identity and Access Management (IAM) deployments are no different, but why is a mix of cloud and on-premises important for IAM, and when might you need a hybrid IAM approach? In this blog we’ll take a brief look at these questions and give you our view on the state of IAM deployments today and where hybrid is heading.
The paths to hybrid
We’ve all got a pretty good idea of what we mean when we talk about a hybrid ‘thing’: a system built from different (heterogeneous) parts, a mixture of various items. Less immediately obvious is that there are two paths to becoming hybrid.
The first path is an evolutionary one, where new, different parts are added as part of a longer roadmap to reach a specific end state. A good example here is hybrid vehicles. Originally, internal combustion engines were the main power source. The value of electric power was easily recognised, but battery technology lacked the convenience of ‘wet fuel’, so the hybrid vehicle was born. As battery technology improved, pure electric vehicles became more common. Here, hybrid is an evolutionary stepping stone.
The second path is a symbiotic one, where two differing things or approaches are combined to deliver a better, broader outcome. Let’s take the work example. Pre-pandemic, we had a global ‘in-office’ culture. Corporations would give many reasons for employees to be present on-site each day. Then the pandemic hit, and organisations were forced to transition to home working. With the slow return to ‘normal’, it has become clear to many organisations that there are significant benefits (as well as some challenges) to various aspects of home working, and many are now adopting a hybrid approach to get the best of both options.
Hybrid IT deployments
The world of IT and infrastructure is no different to any other ecosystem: what it has in common with the rest is the variety of systems and deployment models that coexist.
Cloud deployment models are the norm, with many systems being consumed ‘as a Service’ (aaS). Cloud deployments effectively outsource the physical infrastructure issues, and the ‘aaS’ layer further outsources the management and maintenance of the platforms. Combined, IaaS, PaaS and SaaS have massively lowered deployment costs and time to ‘live’.
Whilst the benefits of cloud deployments are well understood, most organisations still run a mix of disparate cloud platforms and legacy systems, and those legacy systems remain fundamental to the business.
From an evolutionary point of view, the majority of businesses began with on-premises platforms and, over time, replaced many of their systems with cloud-based platforms. The interim state, and in many cases the final state, is a hybrid that combines multi-cloud and on-premises systems.
Hybrid Identity & Access Management
The IAM platform is no different to any other IT platform. IAM is commonly found at the core of Zero Trust initiatives, underpinning workforce and customer access to a wide range of systems. It is the breadth of those integrations that shapes the deployment model selected for an IAM platform.
Some IAM vendors offer IDaaS (Identity as a Service), with the IAM capabilities delivered as a service from a cloud. Some offer on-premises software for the customer’s own data centre. And some, such as Ubisecure, offer both options combined – known as hybrid IAM.
We’ve already acknowledged that ‘aaS’ brings efficiency and timeliness, so why would an organisation want to continue with on-premises? The answer tends to fall into one of three categories: security, regulation and legacy integration.
Security is always up for debate. However, there are organisations, typically governments and very large enterprises, that by policy require deployments on-premises in their own data centres, managed by their own staff.
Regulation, typically national ‘data residency’ rules, can require user attributes and data to be hosted in the user’s home country. This does not in itself preclude a cloud deployment in that country, but there are circumstances where that is not the most viable solution, and so an on-prem solution is implemented.
Legacy integration can constrain many architectures. If the user directory itself lives in an on-prem legacy system, the IAM platform will have to be closely coupled to that system.
Hybrid solutions – a combination of cloud and on-prem components – can provide an effective architecture for all three situations. Placing the majority of the IAM features in the cloud and connecting to an on-prem identity provider or user directory realises the benefits of both deployment models: authentication and attribute storage stay where policy or regulation requires, while policy, federation and relying party integration are handled centrally.
For organisations with multiple identity sources, using a cloud IAM deployment as a central brokering/integration point can simplify integration. This model also applies to multi-national companies operating across data residency boundaries (for example, EU-Russia-China-Brazil).
Some examples of hybrid IAM
We have written previously about the value of IAM for assisting integration following M&A activity. Running an evolutionary hybrid model that connects the various identity sources from the acquisitions provides an efficient mechanism for the initial technical integration. With a suitable cloud-deployed, fine-grained access management platform, such as Ubisecure IDaaS, disparate systems can be quickly connected and securely accessed.
From a regulatory perspective, we need to be mindful of the distinction between where data is stored and where it is processed. An experienced Data Protection Officer is a must these days. That said, the ability to connect a number of separate identity stores, manage the identities locally whilst managing the stores centrally, and present a single standards-compliant interface to the various relying parties within the organisation’s IT domain, delivers substantial savings.
A typical example is a large multinational with employees or customers spread over multiple regions with differing data residency requirements. Deploying local user directories, aggregated and accessed via a cloud deployment, provides a hybrid mechanism to centralise capability whilst keeping user data distributed.
Finally, the ability to integrate user directories from legacy systems, often with non-standards-based interfaces, is key to an organisation’s evolution. Using a cloud-based IAM platform that can wrap those custom interfaces and expose them to relying parties over standard protocols (OpenID Connect and SAML, and extensions such as CIBA for decoupled authentication) provides a lower-risk alternative to a big bang replacement project.
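The multi-region brokering described above and the legacy-directory wrapping in the last paragraph are really one pattern: a cloud-side broker that holds no user attributes itself, routes each login to the user’s home identity store, and hands relying parties a standards-style token. The following is an added example written for this post, not Ubisecure’s code, and every store, user, key, e-mail domain and record format in it is constructed for illustration. The token is an HS256-signed JWT of the kind used for OpenID Connect ID tokens; a production deployment would use asymmetric keys published via JWKS rather than a shared secret.

```python
"""Hybrid IAM broker (added example): cloud-side routing and token issuance,
user credentials and attributes held only in regional or legacy stores."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Protocol


class IdentityStore(Protocol):
    """Uniform interface the broker sees, whatever sits behind it."""
    region: str

    def authenticate(self, username: str, password: str) -> Optional[dict]: ...


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class RegionalStore:
    """A modern directory deployed in one region; its attributes never leave it."""

    def __init__(self, region: str, users: dict):
        self.region = region
        self._users = {}
        for name, (password, attrs) in users.items():
            salt = hashlib.sha256(name.encode()).digest()[:16]  # constructed; use os.urandom in real code
            self._users[name] = (salt, _pbkdf2(password, salt), attrs)

    def authenticate(self, username, password):
        rec = self._users.get(username)
        if rec is None:
            return None
        salt, digest, attrs = rec
        return dict(attrs) if hmac.compare_digest(digest, _pbkdf2(password, salt)) else None


class LegacyAdapter:
    """Wraps a legacy system whose only interface is a pipe-delimited export
    (constructed format: username|sha1(password)|department). Wrapping it is the
    lower-risk path compared with migrating it in one go."""

    def __init__(self, region: str, export: str):
        self.region = region
        self._rows = {}
        for line in export.strip().splitlines():
            user, pw_hash, dept = line.split("|")
            self._rows[user] = (pw_hash, dept)

    def authenticate(self, username, password):
        rec = self._rows.get(username)
        if rec is None:
            return None
        pw_hash, dept = rec
        ok = hmac.compare_digest(pw_hash, hashlib.sha1(password.encode()).hexdigest())
        return {"dept": dept} if ok else None


class HybridBroker:
    """Cloud-side component: home-realm discovery, policy and token issuance."""

    def __init__(self, issuer: str, signing_key: bytes):
        self._issuer, self._key = issuer, signing_key
        self._realms: dict = {}  # e-mail domain -> IdentityStore

    def register(self, domain: str, store: IdentityStore) -> None:
        self._realms[domain] = store

    def login(self, email: str, password: str, audience: str, now: Optional[int] = None) -> Optional[str]:
        local, _, domain = email.partition("@")
        store = self._realms.get(domain)          # home-realm discovery by domain
        attrs = store.authenticate(local, password) if store else None
        if attrs is None:
            return None
        now = int(time.time()) if now is None else now
        # Only what relying parties need crosses the residency boundary; other
        # attributes (e.g. a national ID) stay in the regional store.
        claims = {"iss": self._issuer, "sub": email, "aud": audience, "iat": now,
                  "exp": now + 300, "region": store.region, "dept": attrs["dept"]}
        header = _b64url(b'{"alg":"HS256","typ":"JWT"}')
        body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
        sig = hmac.new(self._key, f"{header}.{body}".encode(), hashlib.sha256).digest()
        return f"{header}.{body}.{_b64url(sig)}"

    def verify(self, token: str, audience: str, now: Optional[int] = None) -> Optional[dict]:
        """What a relying party checks: signature, algorithm, issuer, audience, expiry."""
        parts = token.split(".")
        if len(parts) != 3:
            return None
        header, body, sig = parts
        expected = hmac.new(self._key, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return None
        claims = json.loads(_b64url_decode(body))
        now = int(time.time()) if now is None else now
        if claims.get("iss") != self._issuer or claims.get("aud") != audience or claims.get("exp", 0) <= now:
            return None
        return claims


def build_demo_broker() -> HybridBroker:
    """Constructed topology: EU and BR regional stores plus an on-prem legacy export."""
    broker = HybridBroker("https://idp.example.test", b"constructed-demo-key")
    broker.register("eu.example.test", RegionalStore("EU", {"anna": ("Correct-Horse-1", {"dept": "finance", "national_id": "EU-123"})}))
    broker.register("br.example.test", RegionalStore("BR", {"joao": ("Battery-Staple-2", {"dept": "sales", "national_id": "BR-456"})}))
    legacy_export = "bob|" + hashlib.sha1(b"OldPassw0rd").hexdigest() + "|ops\n"
    broker.register("legacy.example.test", LegacyAdapter("ON-PREM", legacy_export))
    return broker
```

The point to notice is what the relying party receives: region and department, but not the national ID held in the regional store, and the same token format whether the user came from a modern regional directory or the legacy export. Swapping the legacy adapter for a proper directory later changes nothing on the relying party side, which is what makes the hybrid stepping stone low-risk.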
Ubisecure Identity Platform
The Ubisecure IAM platform is available as IDaaS and as on-premises software, built from a single core set of software. The Identity Platform caters for all of the above scenarios: it can be connected to third-party on-prem systems, or deployed as on-prem software for the use cases that require it, whilst still providing relying party connectivity via the cloud instance, to achieve hybrid Identity & Access Management.