Content of Figures
- Figure 1 Today’s Identity Services must support three major deployment scenarios of business services
- Figure 2 IAM spans multiple areas, from administering the identity to auditing the access – comprehensive solutions must support the full breadth
- Figure 3 IDCS Overview (figure reproduced with permission from Oracle)
Commissioned by Oracle
Cloud services have become a reality for most businesses over the past few years. For most businesses, “cloud first” has become the norm, not the exception. As a result, more and more of the business workloads are shifting to the cloud, into as-a-service deployment models. This has created hybrid business systems for most organizations.
This evolution requires other IT services such as IAM (Identity and Access Management) to follow this trend. This critical authentication service should run wherever critical applications run that need to be supported and protected. There is no way to split identity services into disparate services for the “old” and “new” IT. There is a need for a hybrid IAM. While this tended to be an on-premises IAM with some support for cloud services, it is about to shift to cloud IAM with strong support for existing on premises business services with more and more business workloads shifting to the cloud.
Over the past years, a growing number of IDaaS (Identity as a Service) solutions have appeared on the market. However, many if not most of these are focused on some part of IAM, which is supporting Single Sign-On (SSO) of users and adaptive authentication schemes. Unfortunately, IAM is not done by authenticating a user. It is about managing the identities and their entitlements, it is about authenticating, and it is about authorizing access. IDaaS services that are just SSO and authentication services lack the depth that is required for successfully securing and governing business applications.
However, as the shift of business workloads is a long-term journey for most businesses, moving from on-premises IAM to IDaaS while delivering comprehensive support for IAM capabilities across all target systems, independent of their deployment model, is a multi-step journey as well.
Many of today’s investments into IDaaS don’t follow a well-thought-out strategy but are tactical: there appear some new cloud services, thus connectors or SSO are added. However, when looking at the mid-term IT strategy (commonly a “cloud first” or “cloud preferred” approach) and the mid-term IT reality, which is hybrid for most organizations, a well-planned approach must be taken.
Part of this approach is to start with a clear focus on and acceptance of the hybrid reality of IT. While “cloud first” might be the strategy, the reality is different. Moving to an “IDaaS first” approach is a consequent in the shift to as-a-service models. Thus, businesses need to decide when to best make this step and how.
Oracle Identity Cloud Service (IDCS) provides, together with additional offerings in the field of security and identity, a broad range of options for customers on their journey to the cloud. A specific strength is the level of integration with Oracle business applications and databases, which make IDCS a strong fit for these organizations.
- IAM challenges in supporting the hybrid IT reality of today’s businesses
- Limitations of IDaaS solutions focused on Single Sign-On and run-time authentication only
- The need for shifting to a hybrid IAM approach for optimally supporting hybrid IT environments
- Approaches for integrating back to the on-premises IT environment
- Gateway approaches versus integration of IDaaS with existing on-premises IAM
- Supporting Identity Provisioning and Entitlement Management for SaaS applications
- Oracle Identity Cloud Service supporting multiple architectures for hybrid IAM
3 Hybrid Identity Services for Hybrid Business Systems
The hybrid reality of IT in most organizations requires a hybrid IAM that supports all business applications and services from a central point-of-control. With more and more critical workloads moving to the cloud, IAM is increasingly reaching the tipping point where this service is better run from the cloud as well, for optimized support of the workloads that need to be managed and protected.
Cloud services have become a reality for most businesses over the past few years. For most businesses, “cloud first” has become the norm, not the exception. As a result, more and more of the business workloads are shifting to the cloud, into as-a-service deployment models. This has created hybrid business sytems for most organizations.
This evolution requires other IT services to follow that trend. One such area are identity services, e.g. IAM (Identity and Access Management). IAM has traditionally been provided as on premises service. The wide-spread adoption of IAM in businesses had been driven by regulatory compliance and security requirements, with specific focus on the critical business workloads. When most of these were running on premises, implementing identity services as on premises was the logical choice. This critical IT capability should run where the critical services need to be supported and protected.
IAM as a critical IT capability should run where the critical business services reside.
With the unstoppable trend of shifting even critical business workloads to the cloud, businesses increasingly are reaching the tipping point where such identity services are better run as-a-service. The deployment model of IAM should follow the deployment model of business systems and workloads for optimally supporting the identity, compliance, and security requirements of such services.
Unfortunately, this is a long-term evolution. Shifting business services to new deployment models and, frequently, new types of applications is not a short-term process, but takes years, commonly even tens of years. Most businesses run hybrid IT today, and they will run hybrid IT for many years.
One could argue that many businesses, e.g. manufacturing sector, will remain hybrid forever. However, also in other industries such as the Financial sector, migration of workloads will happen over a long period.
The consequence of that evolution is that identity services need a hybrid element. This journey started several years ago by adding “cloud connectors” to traditional, on premises IAM systems. When shifting IAM workloads to the cloud, connecting to the new services becomes the new norm, but the ability of connecting back to the on-premises part of the IT infrastructure is an essential prerequisite for making the shift to cloud-delivered identity services. Hybrid IT mandates hybrid identity services.
Hybrid IT mandates hybrid identity services.
This requires the support of both different deployment models and different applications. IAM must support the “traditional” business applications that are run on premises. However, businesses might decide to leave such services functionally unchanged, but lift & shift the deployment model and thus the workload into the cloud. This helps in operating such services, while avoiding the complexity of migrating a business service such as HR, ERP, CRM, or others to a new application. Finally, there is the more radical change, where such services are migrated to a cloud-born service.
IAM must support all these models, in a consistent manner, and from an integrated set of identity services. Users must be able to access all services, regardless of the deployment model. Identity and Access Governance must span all services. There is no way to split identity services into disparate services for the “old” and “new” IT. There is a need for hybrid IAM. While this tended to be an on-premises IAM with some support for cloud services, it is about to shift to cloud IAM with strong support for existing on premises business services as more and more business workloads are shifting to the cloud.
4 Delivering Depth in Identity Services for Business Systems
Many of today’s IDaaS services are targeted on Single Sign-On and run-time authentication. However, without support for the administration of identities and their entitlements and without support for Access Governance, these services only serve a small portion of the IAM requirements. There is a need for a comprehensive IDaaS approach.
Over the past years, a growing number of IDaaS (Identity as a Service) solutions have appeared on the market. However, many if not most of these are focused on some part of IAM, which is supporting Single Sign-On (SSO) of users and adaptive authentication schemes. Unfortunately, IAM is not done with authenticating a user. It is about managing the identities and their entitlements, it is about authenticating, and it is about authorizing access. IDaaS services that are just SSO and authentication services lack the depth that is required for successfully securing and governing business applications.
IDaaS services that are just SSO and authentication services lack the depth that is required for successfully securing and governing business applications.
There are various schemes for structuring IAM services. A common way is following the 4A approach, which splits the services into:
- Administration: Managing the identities and their entitlements. This could also be named “deploy-time IAM”, happening when users are on-boarded or changes are made. It is about provisioning accounts and entitlements to target systems, but also providing the Directory Services that keep identity data.
- Authentication: These are the services for authentication, SSO, and federation to other services. They are part of “run-time IAM” and are used for every single access of a user to the systems that are supported by the IAM solution.
- Authorization: While authentication checks the proof of whether someone is who he or she claims to be, authorization is subsequently deciding about what the user is permitted to do. Authorization frequently happens in the target systems, based on defined entitlements. However, authorization also can happen during Access Management, when access policies are applied.
- Auditing: All this must be audited, and – beyond pure auditing – Access Governance capabilities must be applied. These specifically include regular access reviews and the enforcement of SoD (Segregation of Duties) controls.
For the hybrid reality of IT, all these capabilities must be provided supporting both on premises applications and cloud services.
When looking at these capability areas and the way of managing traditional on-premises applications in contrast to modern cloud services, there are some apparent differences:
- Provisioning identities and entitlements such as role or group membership to on-premises applications is solved for most established applications, including common business applications. While there are differences regarding both the breadth and depth of support for connecting such business applications and other services to on-premises IAM solutions, such functionality is at the core of this type of IAM services. When it comes to cloud services such as SaaS applications, but also to IDaaS, we face a completely different scenario. Identity Provisioning support to such services commonly is far weaker than what is the norm for on-premises applications. Standard, authentication focused IDaaS tools support Identity Federation for authentication but lack comprehensive support for Federated Provisioning, i.e. maintaining the user accounts and entitlements in the SaaS applications.
- For SaaS applications, basing authentication on standards for Identity Federation such as SAML and OAuth is the norm, even while a vast proportion of SaaS services lack such standards support. Creating an IDaaS solution with support for such standards is rather straightforward. However, the majority of on premises applications still lack support for these standards and never will have such support. This requires other ways of integration such as http header injection, where authorization payload, based on central access policies, is added to http requests. These approaches are well-established in traditional Access Management solutions but might lack or fall short in IDaaS solutions targeted at the “modern” SaaS services.
- Authorization is the most challenging area for all use cases. While both Identity Federation and traditional Access Management support coarse-grain access policies and can deliver additional information, fine-grain entitlements are commonly managed either via static entitlements and thus Identity Provisioning, or at the application and service level based on the internal authorization systems.
- Finally, there is the need for Access Governance across all these services. Authentication focused IDaaS lacks that support. This support commonly stays and falls with the level of integration at Identity Provisioning – IAM systems that can’t provision users and identities also fall short when it comes to the governance of identities and their access entitlements.
While most IDaaS services are strong in federating to SaaS (Software as a Service) applications, this covers only one of the four areas. Services that are centered around authentication and limited in the other areas are lacking the breadth and depth of capabilities that is essential for fulfilling the IAM requirements, not to mention the common lack of depth for integrating back to the on premises applications.
5 Supporting a Gradual Migration to the Future Cloud IT
There are different ways to migrate IAM to the cloud, supporting the future cloud IT. These need to be well-thought-out and can happen in different stages. Businesses need to understand which of these approaches work best for them.
The shift to IDaaS is a logical consequence of migrating business workloads to the cloud. However, as the shift of business workloads is a long-term journey for most businesses, moving from on-premises IAM to IDaaS while delivering comprehensive support for IAM capabilities across all target systems, independent of their deployment model, is a multi-step journey as well.
The shift to a hybrid IAM can be done in different ways, depending on the requirements and the IAM infrastructure that is already in place.
Basically, there are various stages and approaches such migration can take:
- Adding SaaS connectors to on-premises IAM: the initial step many organizations took and still do for supporting their journey to a hybrid IT is adding SaaS connectors to on premises IAM solutions. This allows for some baseline integration. However, most on-premises IAM solutions fall short when it comes to a comprehensive support of today’s SaaS applications. This is due to the rapid growth in numbers of such SaaS services, but also due to integration challenges with some of these services. Given that these do not run local, integration can only work via defined APIs – and not all SaaS applications are good at offering such APIs.
- Adding an IDaaS SSO/Access Management solution: another frequent initial step is adding an IDaaS solution that is focused on authentication support and SSO features for users, i.e. the run-time access management portion of IAM. However, while such solutions can improve the user experience, they fall short in addressing the more complex challenges of provisioning identities and entitlements to SaaS services and to implement a proper Access Governance.
- Implement a comprehensive IDaaS service: the alternative is opting for a more comprehensive IDaaS service that supports both the SSO/Access Management (or authentication and, to a limited extent, authorization) use cases and the IGA (Identity Governance and Administration) use cases of Identity Provisioning and Access Governance (or administration and auditing, in the 4A terminology). Such services then deliver a comprehensive set of IAM capabilities.
- Connect back via gateways: when IDaaS is used, there still remains the challenge of connecting back to the existing on-premises IT. One approach for addressing this challenge is by using gateways that provide integrations to this part of IT. Such approach is lean, specifically when these gateways for provisioning and run-time access are fully managed from the IDaaS console.
- Integrate with your existing on-premises IAM: on the other hand, most businesses already have an existing IAM infrastructure that is well-integrated with their established on-premises applications. Thus, integrating the IDaaS service with these services can provide more depth and breadth in supporting the existing infrastructure.
- The CASB (Cloud Access Security Broker) workaround: finally, there is also the option for adding a so-called CASB in front of cloud services, which route and control traffic to these services. This is done by configuring the cloud services to only accept incoming traffic from the CASB, where at least coarse-grain access controls can be enforced. However, such interception always is a workaround, not the strategic solution with direct integration and granular control.
Many of these investments don’t follow a well-thought-out strategy but are tactical: there appear some new cloud services, thus connectors or SSO are added. However, when looking at the mid-term IT strategy (commonly a “cloud first” or “cloud preferred” approach) and the mid-term IT reality, which is hybrid for most organizations, a well-planned approach must be taken.
Part of this approach is to start with a clear focus on and acceptance of the hybrid reality of IT. While “cloud first” might be the strategy, the reality is different. Moving to an “IDaaS first” approach is a consequence in the shift to as-a-service models. Thus, businesses need to decide when to best make this step, which depends on factors such as the need for renovating the existing IAM or the share of SaaS applications already in place.
6 Oracle Identity Cloud Service: Supporting the Hybrid Business
Oracle Identity Cloud Service is a comprehensive IDaaS offering with deep support specifically for Oracle business applications, but also beyond these. It supports a variety of integrations with both traditional and cloud-based business applications.
Oracle as one of the leading global software companies must cater for both ends of cloud migration. On one hand, Oracle provides a broad range of business applications on premises and in the Cloud, including e.g. the Oracle e-Business Suite, PeopleSoft, Hyperion, and many others, plus – at the platform level – the Oracle Database offerings. On the other hand, Oracle is also a provider of IAM solutions. The Oracle IAM solutions provide deep integration with the various other Oracle offerings, but also other business applications such as SAP.
Oracle customers have several options for their overall cloud strategy. They can stay with on-premises services, they can just lift & shift these to the Oracle Cloud or Microsoft Azure and run the unchanged services from these environments, or they can migrate to new, cloud-born business applications including the wide range of offerings Oracle provides. Regardless of which approach they take, they will need an adequate IAM. This is where Oracle Identity Cloud Service comes into play, delivering the IAM capabilities for the hybrid business.
Oracle Identity Cloud Service delivers the IAM capabilities for the hybrid business.
Oracle Identity Cloud Service provides a fully integrated service that delivers all the core identity and access management capabilities through a multi-tenant cloud platform. It provides a set of hybrid identity features to maintain a single identity for each user across the services that they use on-premises and in the cloud and to provide a seamless user experience.
Oracle Identity Cloud Service Overview
Oracle Identity Cloud Service (IDCS) is intended to meet the needs of organizations in a range of typical use-case scenarios. These include hybrid IT (allowing both on-premise and cloud resources to be secured from a single set of controls), mobile access (providing sign on for native or browser-based apps), employee-facing intranet and customer-facing extranet solutions.
The service is implemented using a microservice architecture that is aligned with Cloud principles of Scalability, Elasticity, Resilience, Ease of Deployment, Functional Agility, Technical Adoption and Organization Alignment.
Oracle Identity Cloud Service provides the functionality needed for several use cases including on premises apps as well as SaaS.
IDCS for SaaS
Identity Cloud Service provides single sign-on, adaptive multi-factor authentication and automated, role-based identity lifecycle management for a wide range of SaaS applications.
Oracle SaaS customers get pre-integrated and certified single sign-on and identity lifecycle management using IDCS. Oracle Fusion HCM customers can use the HR-driven identity on-boarding capabilities to on-board new hires. They can use the meta-directory capabilities to map attributes and use expressions to compute new values. They can define role membership rules based on user attributes and grant SaaS entitlements to these users. Administrators can automate the entire joiner-mover-leaver business process enabling users to get frictionless access to apps.
Role Administrators can configure role-based access by assigning apps to roles and configuring coarse and fine-grained access using entitlements synched from the SaaS App. SaaS Administrators can handle exception use cases by manually granting entitlements to users. Administrators can get full visibility into the overall process, success and failures.
Identity Cloud Service enables customers to implement zero-trust identity and access management for on premises and mainframe apps with the help of:
Application Gateway - this is a software appliance that can run in a virtualized or containerized environment. It enables resource-based authentication and authorization for web and programmatic (OAuth) resources. Customers can use the Gateway to secure access to on-premises workloads like PeopleSoft, Hyperion, SAP or custom applications that use HTTP Headers or cookies, as well as cloud-based workloads running on compute services that can support containers.
It provides in depth integration with Oracle Business Applications with pre-defined templates for JD Edwards, Retail, Peoplesoft, and the Oracle eBusiness Suite.
The Gateway leverages IDCS as the central authentication, authorization and policy definition point and acts as the policy enforcement point for one or more applications. It uses NGINX, one of most popular reverse proxy servers in the industry, and Oracle Linux as the platform. It makes use of a scalable cloud-based caching and policy engine which enables customers to define fine-grained authorization policies, and configure strong session controls to enable regulatory compliance. As part of the policy enforcement actions, customers can make use of IDCS Adaptive Multi-factor authentication to enforce strong, application-centric, context-based policies.
Provisioning Gateway - this is a lightweight agent that enables customers to:
- Integrate with over 60 enterprise applications including mainframes
- Develop custom integration using the Identity Connector and SCIM.
The Provisioning Gateway's security approach ensures that no firewall ports have to be opened for it to function and customers need only provide the minimum by way of credentials and permissions to ensure that IDCS is able to communicate with the target application and to provide administrators with a complete view of their on-premises and cloud-based workloads.
Pluggable Authentication Module (PAM) - Customers can use the PAM module to secure access to their on-premises and cloud compute. By integrating the PAM module with IDCS Adaptive MFA, customers can implement strong, context-based security to ensure that administrators can access the workloads while reducing the risk of credentials.
IDCS Integration with on-premises Identity Management
Customers with a hybrid IT service delivery model can use the pre-built integrations with Oracle Access Manager (SAML, Open ID Connect), Oracle Identity Manager (OIM) and Oracle Internet Directory. Customers can use OIM's access request and provisioning capabilities to manage cloud-based apps which use IDCS.
IDCS and Adaptive Authentication
All the previously described functionality can make use of the Adaptive MFA capabilities in IDCS. This makes use of a measure of risk that can be provided by external risk score providers, such as CASB, and can also be computed based on the user's past behavior, device information, geo-location and velocity and IP reputation. Additionally, customers can define policies that look at how the user authenticated (which IDP and level of assurance), network zones and users' group memberships.
In sum, Oracle provides, together with additional offerings in the field of security and identity, a broad range of options for customers on their journey to the cloud. A specific strength is the level of integration with Oracle business applications and databases, which make IDCS a strong fit for these organizations.
IDCS and API Security
APIs are the foundation on which customers implement digital business initiatives, develop modern business applications and open up new business opportunities. The success of these efforts depends on securing these APIs. IDCS provides customers an identity-aware, policy-based API security platform. Customers can use OAuth and Open ID Connect to define and secure APIs. They can define custom claims to enrich tokens for information exchange and token policies to control when tokens are issued, to whom and with what characteristics. IDCS integrates with API Gateways and API platforms like Oracle API Cloud Service, API Gateway and other 3-party API Gateways. Security administrators can monitor token issuance and revoke tokens with immediate effect when abnormal incidents occur. IDCS and Oracle Web Application Firewall can protect APIs against denial of service, botware and other threats providing a complete API Security solution.
7 Action Plan for Shifting Identity Services to the Cloud
A migration strategy for moving from an on premises IAM to a hybrid IAM can take multiple stages. It might specifically start with building on integrations with existing on-premises IAM tools and gradually replacing these by gateways.
When an IDaaS service is implemented, this service should – at least from a logical architecture perspective – support IAM use cases in a comprehensive manner, well-beyond SSO and including IGA. Businesses might need to serve this logical architecture by using two distinct IDaaS services, one for SSO and run-time authentication, the other for IGA, or opt for a single service. There are obvious strengths and challenges for both approaches. While two solutions are more complex to handle and integrate, and tend to be overall more costly, they might provide a broader and deeper set of capabilities than a single solution.
The other fundamental question to answer is about how to connect back to the on-premises applications. Just relying on gateways is the lean approach, while continuing to run full-blown on-premises IAM is more complex and costly. On the other hand, the latter approach provides a deeper integration, and if these tools are already in place, it might still be an efficient approach.
Thus, a migration strategy could work in few main stages:
- Add an IDaaS service to support both SSO/run-time authentication and IGA capabilities. This is the primary IAM service.
- Connect SaaS services to this new IDaaS service.
- Integrate with the existing on-premises IAM infrastructure for supporting the on-premises business applications and other systems.
- Connect on-premises systems with full federation standards support to the IDaaS service for SSO/run-time authentication.
- Gradually move other on-premises services to gateway-based approaches, until you can retire the on-premises IAM.
However, each and every organization needs to carefully revisit the state of infrastructure and its planned evolution as well as the IAM infrastructure and its specific security and compliance requirements to figure out the best way for such migration.