Yes, you might have heard it in many places: "Cloud is the new normal". And this is surely true for many modern organisations, especially start-ups or companies doing all or parts of their native business within the cloud. But for many other organisations this new normal is only one half of normal.
A lot of enterprises currently going through the process of digital transformation are maintaining their own infrastructure on premises and are looking into extending their business into the cloud. This might be done for various reasons, for example for the easier creation of infrastructure allowing rapid scalability and the ability to replace costly infrastructure which is not mission-critical to be implemented within the traditional organisational perimeter.
For many organisations it is simply not an option to move completely to the cloud for various good reasons including the protection of intellectual property within the traditional infrastructure or the necessity to maintain legacy infrastructure which in turn is business critical. For this type of enterprises, typically large and with a decent history regarding their IT, of which many are in highly regulated sectors, the future infrastructure paradigm has to be the hybrid cloud, at least for the near or medium-term future.
Cloud service providers are required to offer standardized technological approaches for this type of customers. A seamless, strategic approach to extending the existing on-premises infrastructure into the cloud is an important prerequisite for this type of customers. This is true for the actual network connectivity basis and it is especially true for the administration, the operation and the security aspects of modern IT infrastructures.
For every company that already has a well-defined IAM/IAG infrastructure and the relevant maintenance and governance processes in place it is essential that Identity Management for and within the cloud is well integrated into the existing processes. Many successful, corporate IAM systems build upon the fact, that enterprise–internal data silos have been broken up and have been integrated into an overall identity and Access Management system. For the maintenance of the newly designed cloud infrastructure it obviously does not make any sense to create a new silo of identity information for the cloud. Maintaining technical and business accounts for cloud usage is in the end a traditional identity management task. Designing the appropriate entitlement structure and assigning the appropriate access rights to the right people within the cloud while adhering to best practice like the least privilege principle is in the end a traditional Access Management task. Defining, implementing and enforcing appropriate processes to control and govern assigned access rights to identities across a hybrid infrastructure are in the end traditional access governance and access intelligence tasks.
Providers of traditional, on premises IAM infrastructures and cloud service providers alike have to support this class of customer organisations to fulfil their hybrid security and hence their IAM/IAG needs. CSPs like Amazon Web Services embrace this hybrid market by providing overall strategies for hybrid cloud infrastructures including a suitable identity, access and security approach. The implementation of a concept for an "integrated identity" across all platforms, be they cloud or on premises, is therefore a fundamental requirement. Leveraging mechanisms like inbound and outbound federation, the deployment of open standards like SAML 2.0, the availability of APIs for integrative access to the AWS IAM/IAG functionality and the integration of existing policies into the AWS IAM policies implemented as JSON files are important steps towards this "integrated identity". For the access intelligence and access governance side the AWS CloudTrail component can provide detailed logs down to an API-call-per-user-level for the existing cloud infrastructure. Such extensive logs can then be evaluated by means of an existing Access Intelligence, an existing Real-Time Security Intelligence (RTSI) solution or by deploying the AWS analytics mechanisms like Lambda.
It is obvious that these are "only" building blocks for solutions, not a fully designed solution architecture. But we're one step closer to the design and implementation for an appropriate solution for each individual enterprise. Covering all relevant aspects of security and IT GRC inside and outside the cloud will be one key challenge for the deployment of cloud infrastructures for this type of organisations.
Hybrid architectures might not be the final target architecture for some organisations, but for the next years they will form an important deployment scenario for many large organisations. Vendors and implementation partners alike have to make sure that easily deployable, standardised mechanisms are in place to extend an existing on-premises IAM seamlessly into the cloud, providing the required levels of security and governance. And since we are talking about standards and integration: This will have to work seamlessly for other, probably upcoming types of architectures as well, e.g. for those where the step towards cloud based IAM systems deploying Azure Active Directory has already been taken.