As more organizations embark on their cloud/digital transformation journey, identity, security, infrastructure and developer technologies are rated as priority workloads to design, plan & deploy. One of the key success metrics being assessed happens to be user experience. This implies users are accessing some applications, resources and data, or at least we presume so.
Are our IT teams focused, or should we say, STILL focused enough on integrating applications to cloud identity platforms? Going by experience, Nah!!
Some of the key reasons for the reduced focus are operational complexity, lack of ownership, and an increased need for collaboration and stakeholder management. Most cloud identity/security projects work on integrating one or a few applications to prove the concept, deploy and move on. One usually misses out on passing that baton.
Though not statistically proven, I am fairly confident this would closely resemble reality.
About 50% of the organizations with one or more cloud identity platforms would probably have fewer than 10 applications integrated. I wouldn’t be surprised if a few amongst them are test/staging instances.
Let’s review the reasons behind my emphasis on integrating applications to cloud identity platforms:
- Single sign-on for users. This is one of the obvious benefits: users can sign in to all applications, regardless of where they are hosted, using one set of credentials. Enable something as simple as SSO & users return the favour by enrolling & leveraging a second factor of authentication. Great trade-off, one would imagine!!
- Reduction in the number of identity/authentication platforms being managed. Most organizations run one or more of Active Directory, LDAP services, federation services & other identity providers. Consolidation being the current theme, application integration to a single cloud identity platform would pave the way for cost savings, which would present themselves in the form of reduced infrastructure & support spend.
- Improved/automated user provisioning to various applications. Every application, be it internal or vendor supplied, would demand some kind of user information. Most of them tend to rely on a number of custom scripts or scheduled tasks to fulfil this requirement. If an organization has 100 applications, we are probably executing that many operations on a regular basis. This is certainly overkill and often leads to instances where we unknowingly build dependencies on individuals. Catering to provisioning requirements using SCIM or native methods would alleviate these challenges.
- Increased uptime and ease of feature rollout. As business owners procure applications, they would like users to be onboarded to these platforms in the most efficient way possible and start deriving business benefits. On the other hand, IT teams would like this to be secure and comply with all regulations. Strategically, settling on a single cloud identity platform would aid in striking a balance between business units & IT. Most cloud identity vendors provide a pre-defined list of applications for quicker integration.
- Access from anywhere, securely. Once business applications are integrated, one can benefit by maximizing investments in cloud identity/security platforms. Securing access to these applications, protecting underlying data, device security and identity-based security become relevant only if there are applications. Any discussion about remote access or cloud security features could be irrelevant without users consuming them via integrated applications.
Moving on to the next set of obvious questions: how do we get there & what could be the potential challenges along the way? Let’s begin with some stumbling blocks.
- As IT organizations mature, so does complexity, & the term *Cloud* brings with it the responsibility of dealing with vendor(s). Sometimes not just the cloud identity provider, but application vendors/developers too.
- Understanding & navigating the application landscape within organizations is in itself a formidable task. Most conversations, unsurprisingly, end with open questions: do we have tools, or should I rely on some kind of magic wand? In most situations, the *magic wand* tends to be replaced by a set of tools, operational interviews & a long-forgotten inventory.
- Organizations tend to face another significant decision: who owns this experience and work. Is it operations (or BAU, as some say) or is it a project/program? This could be pretty interesting depending on the dynamics between these teams. Based on experience, a project or a partner/vendor, followed by training/handover to operations, would prove beneficial.
- Training of the appropriate team members on the cloud identity platform of choice & application integration specifics is often ignored. There is an underlying expectation on the team members to work on procedures as documented & learn on the job. This leaves the team self-learning to understand some of the basic concepts about protocols & standards like SAML, OAuth etc., and sometimes learning about the application itself and the configuration of its authentication requirements.
- Lack of automation for the end-to-end process from request through to deployment, testing & production. While certain elements could be automated, a certain element of human interaction would remain.
Let’s now lay down an optimistic approach to leverage all the benefits listed above and more, and resolve some of the blockers along the way:
- Discover and evaluate the application landscape. Shadow IT discovery management is highly recommended during this phase. This can be accomplished by using existing tools or custom scripts to query current federation providers and feeding the information to the next phase.
- Plan & prepare. Often overused terms in project management, these carry a lot of importance in our current scenario. Once there is application-specific data, a common recommendation is to prioritize and prepare based on criteria like usage, complexity, compatibility, test patterns, provisioning, budget, resourcing, integration timelines & other significant dependencies.
- Then comes the most awaited phase, Deploy! Let’s encourage integrating new applications for single sign-on from the very outset as an organization-wide strategy. Collating a list of an initial set of applications of varied shapes & sizes is desirable. This could serve as an important tool to test patterns when we have engineers and vendors pushing towards our common goal. At Cloudneo, we have encountered organizations selecting the least impactful applications initially and seen some extremely brave teams who decided to migrate the high-usage ones first. Take your pick based on the organization’s risk appetite.
- Operationalize & keep deploying, implementing, integrating! Feedback to various cloud vendors is an essential step in this journey. Not only do they benefit by reducing the integration burden for other customers, your time to market reduces for newer business applications. Application owners tend to absorb the risks and own company-wide communications.
As one can observe from the thoughts above, apart from having technical acumen, being quite passionate about documenting and automating some of the operational workload achieves significance. A program/project manager who is equally passionate about process & technology would prove beneficial? Perhaps an interactive session with Cloudneo architects?
We don’t see an end to integrating applications to cloud identity providers; it’s rather an ongoing process. Let’s plan, prepare & deploy!
Ananth is the co-founder & innovation lead at Cloudneo with more than 15 years of experience in identity, security, DevOps and infrastructure solutions. He has worked for Microsoft in various roles, the latest being a Program Manager in the Azure Active Directory product group. He has architected & implemented digital transformation projects across most industry verticals and multiple geographies. He believes in consulting with purpose, absolute clarity and automation, & maps business requirements to technical excellence.