Why Cloud-First Hybrid IAM is Too Important to Ignore

Although the benefits of cloud efficiencies are well-understood, most large companies recognize it’s not easy to convert thousands of apps across the enterprise to take advantage of the cloud. So, most organizations take a pragmatic approach: let’s adopt more SaaS applications where we can. Then, we’ll gradually modernize existing apps and retire the legacy ones that are too expensive to re-architect. For the foreseeable future, these organizations perceive themselves as being in a hybrid state.

Going hybrid? Here are your options

In this hybrid state, it’s critical to secure access to every app and workload (wherever they may be) to ensure a seamless experience for users. This access should be based on policies and context. In other words, your identity and access management (IAM) solution will have a huge impact on the success of your cloud journey. Looking at the major IAM vendors today, you can classify them into 3 categories, each based on their approach to solving this hybrid challenge:

  1. Legacy on-premises IAM with no cloud/hybrid options
  2. Legacy on-premises IAM with a hybrid option
  3. Cloud-born IDaaS, like Okta

Legacy on-prem IAM with no cloud/hybrid options

This first category is obviously in a state of decline. Analysts have been saying this for years, and the market has also spoken. In 2020 it’s unlikely a customer would stay with a legacy on-prem IAM with no credible path to the cloud. Lifting-and-shifting your legacy IAM technology to an IaaS makes no sense—who would opt to convert on-prem maintenance challenges to the cloud? Without a hybrid option, customers can’t adapt toward a cloud journey with a vendor from this category.

Legacy on-prem IAM with a hybrid option

If you look back, a lot of the IAM vendors in the second category were born in the on-prem world, and have tried to pivot to cloud identity. While they have mature offerings built for pure on-premises workloads, their equivalent IDaaS offerings are typically immature and not on feature parity with their existing on-prem products. They may offer a single cloud capability like multi-factor authentication (MFA), but the remaining functionality is delivered through on-prem components. Furthermore, these vendors are often dealing with on-prem technical debt (bug-fixes, enhancements), which greatly reduces their ability to focus on their IDaaS offerings or make investments in their IDaaS infrastructure. This results in frequent outages of their IDaaS—and a sub-optimal experience for end users.

Interestingly, some of the vendors in this category don’t even offer true IDaaS, packaging their existing on-prem products in what’s called a private cloud tenant. Some are even more creative, marketing their product as an Identity Platform as a Service (IdPaaS). On paper, they can still claim support for hybrid IAM. But in truth, their deployments are heavily reliant on their decades-old, legacy, on-prem products. These offerings are not optimized for true cloud scalability. This approach is called an on-premises-first hybrid.


On-premises-first hybrid with legacy IAM, where the center of gravity is still on-premises

Cloud-born IDaaS

Now, contrast this with the third category, a cloud-born IDaaS like Okta. Over the last decade, Okta has stayed maniacally focused on building out its IDaaS, investing in a globally scalable, highly redundant architecture. This includes the creation of the Okta Integration Network, one of the largest catalogs of pre-configured app and service integrations. Since it supports modern standards like OAuth, OIDC and SAML, all custom apps that are built on these standards can leverage Okta—immediately. An IDaaS focus helps Okta to leverage cloud identity efficiencies, as well as the network effects of the cloud, as the number of users explodes.

Okta started with a philosophy of keeping a minimal on-prem footprint. With IDaaS as the center of its architecture, Okta views the hybrid IAM problem very differently from the legacy IAM vendors described earlier. When customers are moving away from managing their own data centers, it doesn’t make sense to add more on-prem clutter.

This idea is what drove the initial decision to create a lightweight LDAP/AD agent, which allowed the synchronization of users from on-prem identity stores. The SCIM-based Java agent could then provision any on-prem app, directory or database from the cloud. This approach has allowed Okta customers to successfully shift their momentum towards cloud identity and computing. It’s with this philosophy that Okta introduced the lightweight Okta Access Gateway (OAG) last year. OAG allows customers to extend the IDaaS value of Okta to legacy apps that cannot be quickly rearchitected to modern standards. The center of gravity is already in the cloud, and we call this approach a cloud-first hybrid.


Cloud-first hybrid with Okta—where the center of gravity is already in the cloud

This is a very important distinction, as it’s easy to get lost in the barrage of marketing speak.

A cloud-first hybrid architecture is the right way to solve the hybrid IAM challenge. And it’s the choice every vendor would make if unencumbered by legacy on-prem deployments and the associated tech debt. Unfortunately, that’s not an option for legacy IAM players tied to an old revenue stream.

More reasons to choose a cloud-first approach

Over my next few blog posts, I’ll provide the details of how a cloud-first hybrid approach offers advantages in:

  • Customer scalability and reliability
  • TCO and operations
  • Security and compliance posture
  • Agility and speed of innovation

I’ll also dispel the myth often pushed by legacy IAM players—that going with an on-premises-first hybrid approach is a “safer bet”. In fact, it’s the opposite: these approaches leave companies constrained by their legacy tech debt, and unable to invest in a truly scalable, reliable, and feature-complete service. Cloud-first IDaaS platforms have the advantage of mass customer adoption, driving influence toward cloud identity, while allowing for the development of lightweight on-prem connectivity.

Need more details? Take a deeper dive by checking out our 3 Reasons for Choosing Cloud-First Identity for Hybrid Environments whitepaper.