How to Modernize Legacy and Next Gen Cloud Identity and Access Management

While the Covid-19 pandemic has accelerated cloud migration, some enterprises find that their identity and security practices haven't kept pace. One Identity's Todd Peterson shares proven identity-centric ways to keep apps, data and users safe.

Tags: access management, cloud, identity management, security, One Identity, PAM

Todd Peterson
security evangelist
One Identity

"No matter where an organization is on its cloud journey, IT teams need to bring the same level of identity security they have on-prem to their cloud operations."

Architecture Summit
Enterprise-Grade Integration Across Cloud and On-Premise
June 10, 2021
Online Conference

This past year challenged IT and security departments globally as the mass shift in the workforce sped up plans for cloud migration. In fact, a recent Gartner survey found that 70% of organizations using cloud services today plan to increase their cloud spending in the wake of the disruption caused by COVID-19.

Although SaaS applications offer countless benefits, those benefits are lost without proper security. Many current SaaS identity security solutions are not built with security as a first-class requirement, which leaves organizations compromising the identity-centric practices they rely on.

With more organizations deploying a cloud-first strategy, it's critical that businesses have an efficient and secure cloud-based way to administer, authenticate, analyze, govern, and manage identities.


No matter where an organization is on its cloud journey—from implementing access management to fully migrating identity governance and administration or privileged access management in the cloud—IT teams need to be prepared to bring the same level of identity security they have on-prem to their cloud operations.

Organizations should not have to sacrifice their identity-centric security strategies as they adapt to cloud initiatives.

So, what makes these security processes so complicated in the cloud? Let’s look at the common challenges organizations face when implementing access management, identity governance and administration, and privileged access management in the cloud. 

Creating a 'Unified Identity' Model to Ensure a Single Source of Truth

At its core, access management is how your organization controls and secures the way employees access systems, data, and resources on your network.

Access management transitions easily to a SaaS model, and many organizations already run their access management strategy in the cloud using applications from vendors like Okta, Ping, and Microsoft. However, the rapid shift to the cloud has created its own problem: a siloed infrastructure that addresses access management alone and not the rest of identity and access.


This fragmented approach to access management makes it hard for IT teams to apply governance principles and to understand which resources users should have access to. The lack of visibility and control pushes IT teams into error-prone manual identity governance processes that open holes in the security program. For example, without an automated process for provisioning and deprovisioning employees, IT teams could leave an admin account orphaned and therefore exposed to bad actors.

To eliminate the siloed nature of access management, organizations should focus on creating a unified identity model that provides a single source of truth for every identity within the network, including non-human identities such as service accounts and bots.


A unified identity model offers greater control over users' permissions to access applications across both cloud and on-prem environments, simplifying identity management and increasing IT admin efficiency. With a central definition of identity, organizations can consolidate security tools and services in the cloud while bolstering productivity.
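As an added illustration (not One Identity's code or any product's API), the reconciliation below checks a set of directory accounts against a single source of truth for identities. It flags the three gaps the section describes: accounts linked to no identity at all, accounts whose identity has left, and service or bot accounts with no active human owner. The Identity and Account record shapes, the finding names and the sample data are constructed for the example.

```python
"""Reconcile directory accounts against a unified identity model.

Added example, not One Identity's code. The Identity/Account record shapes
and the sample data are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

NON_HUMAN = ("service", "bot")


@dataclass(frozen=True)
class Identity:
    """One entry in the single source of truth (human or non-human)."""
    identity_id: str
    kind: str                       # "employee", "contractor", "service", "bot"
    active: bool
    owner_id: Optional[str] = None  # non-human identities must name a human owner


@dataclass(frozen=True)
class Account:
    """An account as it exists in a directory or SaaS application."""
    username: str
    system: str
    identity_id: Optional[str]      # None: never linked to any identity
    privileged: bool


def find_orphans(identities: List[Identity],
                 accounts: List[Account]) -> List[Tuple[str, Account]]:
    """Return (finding, account) pairs the identity model cannot vouch for.

    Privileged accounts are listed first, since an orphaned admin account is
    the case that needs attention soonest.
    """
    by_id = {i.identity_id: i for i in identities}
    findings = []
    for acct in accounts:
        ident = by_id.get(acct.identity_id) if acct.identity_id else None
        if ident is None:
            findings.append(("unlinked", acct))              # no identity at all
        elif not ident.active:
            findings.append(("identity-inactive", acct))     # leaver still has an account
        elif ident.kind in NON_HUMAN:
            owner = by_id.get(ident.owner_id) if ident.owner_id else None
            if owner is None or not owner.active or owner.kind in NON_HUMAN:
                findings.append(("no-active-owner", acct))   # nobody accountable for it
    findings.sort(key=lambda f: (not f[1].privileged, f[1].username))
    return findings


# Constructed sample data.
IDENTITIES = [
    Identity("i-100", "employee", True),
    Identity("i-101", "employee", False),                  # left the company
    Identity("i-200", "service", True, owner_id="i-100"),
    Identity("i-201", "service", True, owner_id="i-101"),  # owner has left
    Identity("i-202", "bot", True),                        # never assigned an owner
]

ACCOUNTS = [
    Account("alice", "okta", "i-100", False),
    Account("alice-adm", "aws", "i-100", True),
    Account("bob-adm", "aws", "i-101", True),
    Account("svc-backup", "ad", "i-200", True),
    Account("svc-deploy", "ad", "i-201", True),
    Account("rpa-bot", "salesforce", "i-202", False),
    Account("legacy-admin", "vsphere", None, True),
]


def reconcile_example() -> List[Tuple[str, Account]]:
    return find_orphans(IDENTITIES, ACCOUNTS)


if __name__ == "__main__":
    for finding, acct in reconcile_example():
        flag = "PRIVILEGED " if acct.privileged else ""
        print(f"{flag}{acct.system}/{acct.username}: {finding}")
```

Run the same reconciliation from the HR or identity feed on a schedule rather than once: the "identity-inactive" finding is exactly the deprovisioning step that a manual process misses, and the "no-active-owner" finding is why service accounts and bots belong in the identity model alongside people.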

Adaptable Identity Governance and Administration for Your Workflows

Identity governance and administration (IGA) enables and secures digital identities for all users, applications and data. The largest shift organizations need to make with IGA is that workflows should be driven by business goals rather than orchestrated by the IT team.


Every organization is unique and requires different workflows. A hospital will need HIPAA-specific workflows that a manufacturing organization wouldn’t need. Because of this, it’s important for organizations to find a SaaS-delivered IGA solution that is flexible, offers customization to their unique workflows and provides the depth and breadth to address all of their needs while providing room for growth.


That said, most available SaaS IGA options are limited in their capabilities and very rigid in their ability to adjust to customer needs, cloud strategy, or current state. Organizations often compromise security and functionality when cornered into the rigid, pre-set workflows that many SaaS-delivered IGA solutions offer.


As a result, many organizations find themselves building their own siloed solutions, sometimes from entirely different teams, in an attempt to replicate in the cloud all the workflows, automation, and governance they previously enjoyed on-prem. Having to reinvent governance for the cloud is inefficient and costly, and it can create holes in your security program that invite threats in. Organizations need solutions that let them implement IGA on-prem and in the cloud in the same way, with no compromise.

The Power of APIs with Privileged Access Management

According to our survey, the importance of Privileged Access Management (PAM) to IT security professionals has increased by 18% in the past year, and 34% of respondents rated PAM as the most difficult operational task. This difficulty stems from the unique challenges businesses face when implementing PAM solutions in the cloud.

Many SaaS-delivered PAM solutions do not offer a full scope of control or the security needed to keep your company safe. Things like password vaulting, which is relatively simple to deploy in the cloud, become much more complicated with all the additional processes that interact with it such as session audits, analytics, and delegation. Because of this, many teams end up settling for an inferior solution or not implementing PAM in the cloud altogether.


When implementing PAM in the cloud, organizations should adopt an API-first strategy. APIs underpin a wide range of functions and capabilities, from automation to secure development operations (DevSecOps). Using them maximizes the flexibility to implement the right functionality for your objectives and the right integrations to cover all your user types and security needs; REST APIs in particular provide much of the flexibility a successful PAM implementation needs.

By deploying PAM with an API-focused approach, organizations can build a complete, next-gen PAM solution. With an audit trail of who accessed which system, IT teams can manage all privileged accounts in the cloud and on-prem and quickly identify unauthorized access or activity.
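As an added example (not One Identity's code or any PAM product's API), the check below correlates a privileged-session audit trail with the approvals that should explain it: a session is accounted for only if someone approved that user on that privileged account and target, and the session started inside the approved window. Everything else is surfaced for review, with a session that reuses an expired approval distinguished from one nobody approved at all. The grant and session record fields and the sample events are constructed for the example.

```python
"""Check a privileged-session audit trail against approved access grants.

Added example, not One Identity's or any PAM vendor's API. The grant and
session record layouts and the sample events below are constructed.
"""
from datetime import datetime
from typing import Dict, List, Optional

Record = Dict[str, str]

# Constructed approved checkouts: who may use which privileged account on
# which target, and during which window.
GRANTS: List[Record] = [
    {"grant_id": "G-1", "user": "alice", "account": "root", "target": "db-01",
     "start": "2021-05-03T09:00:00", "end": "2021-05-03T11:00:00"},
    {"grant_id": "G-2", "user": "bob", "account": "Administrator",
     "target": "win-fs-02",
     "start": "2021-05-03T13:00:00", "end": "2021-05-03T14:00:00"},
]

# Constructed session records as a PAM proxy or session recorder might emit.
SESSIONS: List[Record] = [
    {"session_id": "S-1", "user": "alice", "account": "root", "target": "db-01",
     "start": "2021-05-03T09:15:00"},                # inside G-1
    {"session_id": "S-2", "user": "alice", "account": "root", "target": "db-02",
     "start": "2021-05-03T09:20:00"},                # G-1 does not cover db-02
    {"session_id": "S-3", "user": "bob", "account": "Administrator",
     "target": "win-fs-02",
     "start": "2021-05-03T14:30:00"},                # G-2 had already expired
    {"session_id": "S-4", "user": "carol", "account": "root", "target": "db-01",
     "start": "2021-05-03T10:00:00"},                # nobody approved carol
]


def _triple(rec: Record):
    """(user, privileged account, target) identifies what a grant covers."""
    return (rec["user"], rec["account"], rec["target"])


def matching_grant(session: Record, grants: List[Record]) -> Optional[Record]:
    """Return the grant covering this session's triple and start time, if any."""
    started = datetime.fromisoformat(session["start"])
    for grant in grants:
        if _triple(grant) != _triple(session):
            continue
        window_start = datetime.fromisoformat(grant["start"])
        window_end = datetime.fromisoformat(grant["end"])
        if window_start <= started <= window_end:
            return grant
    return None


def audit_sessions(sessions: List[Record], grants: List[Record]) -> Dict[str, str]:
    """Map each session_id to a verdict.

    'approved:<grant_id>'  the session started inside an approved window
    'outside-window'       a grant exists for that user/account/target but the
                           session fell before or after it (an expired checkout
                           that was reused, for instance)
    'no-grant'             nobody approved this user on that account and target
    """
    covered = {_triple(g) for g in grants}
    verdicts = {}
    for session in sessions:
        grant = matching_grant(session, grants)
        if grant is not None:
            verdicts[session["session_id"]] = "approved:" + grant["grant_id"]
        elif _triple(session) in covered:
            verdicts[session["session_id"]] = "outside-window"
        else:
            verdicts[session["session_id"]] = "no-grant"
    return verdicts


def needs_review(verdicts: Dict[str, str]) -> List[str]:
    """Session IDs that no approval explains, in a stable order for triage."""
    return sorted(sid for sid, v in verdicts.items() if not v.startswith("approved:"))


def audit_example() -> Dict[str, str]:
    return audit_sessions(SESSIONS, GRANTS)


if __name__ == "__main__":
    verdicts = audit_example()
    for sid in needs_review(verdicts):
        print(f"{sid}: {verdicts[sid]}")
```

In a real deployment the two inputs come from the PAM platform's REST APIs (the approval or checkout records and the session audit log), and the correlation runs continuously so that a session with no matching approval is raised while the session recording is still fresh.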


Organizations should never compromise security, scope, or functionality in order to pursue a cloud-first or cloud-only strategy, and there is no reason they need to. It's critical that IT and security teams take the time to implement access management, IGA, and PAM in the cloud carefully, with the same level of security, control, and visibility that they have enjoyed on-prem.


By focusing on these three key aspects, organizations are able to enjoy all the benefits of SaaS-based identity security while never missing a beat on the most important aspects of the program – IGA and PAM.


Todd Peterson manages product marketing for the One Identity family of identity and access management (IAM) solutions. With more than 30 years of experience in security software, Todd is known as the "face of IAM" for his ability to make complex technical topics easy to understand.