The hybrid cloud is a boon for digital-first businesses

For organizations that depend on on-premises IT infrastructure and traditional security models, it is easier to verify and authorize everything inside the corporate network, including devices, users, applications, and servers. Users trying to gain access from outside the corporate network are authenticated using virtual private networks (VPNs) and network access control (NAC). With the increasing adoption of the cloud and remote work, the new enterprise architecture is redefining the perimeter. Data is also stored outside corporate walls, and users access enterprise applications located in the cloud as well as inside the corporate network, from various types of devices and from locations outside the corporate network.

As the traditional perimeter of the network, with its known points of entries and exits, shifts into something with softer boundary lines, identity is considered the new network perimeter. Identity management will become even more crucial with the adoption of the hybrid cloud and the means of access increasing day by day.

The United States National Institute of Standards and Technology (NIST) defines the hybrid cloud as "a mixed computing, storage, and services environment made up of on-premises infrastructure, private cloud services, and a public cloud, with orchestration among the various platforms." Its primary benefit is agility. Cloud infrastructure is owned, managed, and monitored by the cloud service provider (CSP), which possesses a considerable amount of control over data security functions and services within its cloud-hosted infrastructure. Some service providers are not always transparent about their business decisions, which might adversely impact operations for their clients. For example, a service provider might choose to move its data center locations but not announce this, potentially causing compliance issues. Even differences between vendors' platforms create issues for customers wanting to efficiently switch between services, and limit their ability to transition from on-premises data centers to a public cloud, or to a private cloud, and vice versa. A hybrid cloud enables organizations to optimize their cloud connectivity and maintain flexibility in terms of migrating data and workloads between cloud infrastructures.

Optimizing workload and data placement through a hybrid cloud strategy

As companies embark on application and data modernization, they should consider using a hybrid cloud, as it balances the application and data workload across both platforms.

Hybrid deployments include the benefits of both the cloud and on-premises infrastructure. They bring the innovation, speed, storage, and scalability of the cloud together with the regulatory compliance, performance, and data gravity of on-premises systems in a single package. Organizations that operate with workloads distributed among multiple data centers and the cloud need to keep pace with emerging trends in digital transformation and IT security. A hybrid cloud deployment can be beneficial as it can effectively enhance performance, flexibility, and security.

With the increased adoption of remote working, organizations are struggling to manage IT services efficiently. Enterprises must strategically utilize their resources so that all infrastructures, applications, data, and cloud and on-premises deployments are secure and optimized for business continuity. In these situations, global enterprises often prefer a hybrid approach for optimizing data placement. The key factors to remember while deploying the hybrid cloud model are:

  1. Organizations should begin with a roadmap to build a hybrid cloud strategy. This includes choosing which applications and workloads are placed in the cloud and which remain as on-premises to obtain scalability, better performance, and availability.
  2. The existing IT infrastructure layout should be taken into consideration while framing the roadmap. This ensures that business critical capabilities are in place in case the cloud migration does not succeed.
  3. Abstracting real-time data from a cloud operating model and analyzing it using machine learning-based solutions can provide organizations full control over their data, applications, and workloads. It can help drive business agility while ensuring data security.
  4. Most often, cloud deployments do not succeed due to the lack of trained professionals with the right skills and expertise able to perform technical operations. Organizations should bring on board well-trained technology and service providers who can help the organization successfully implement a hybrid deployment while ensuring business continuity.

In the on-premises model, everything within the network perimeter is verified and trusted. Now, as we move towards remote working and modernization programs for cloud-ready infrastructure and the Internet of Things (IoT), the network perimeter is disappearing. With the increasing number of data breaches, enterprises are realizing that the traditional "moat and castle" approach will not work for hybrid models.

Closing the security gap in the cloud

The misuse of employee credentials and improper access controls accounts for 42 percent of unauthorized network access, according to research conducted by Cybersecurity Insiders. Unauthorized access is perceived as the single biggest vulnerability to cloud security, and that’s why it’s critical to deploy a comprehensive security management tool designed exclusively for hybrid cloud security. With the right tool, all cloud applications and gateways can be managed and monitored from a single console.

Managing identities, authentication, and access in on-premises infrastructures can be accomplished simply with the Lightweight Directory Access Protocol (LDAP) and Microsoft's Active Directory (AD). However, in the cloud, it's much more difficult for IT departments to monitor which users are accessing which applications and services. Therefore, most organizations take a practical approach and adopt more Software as a Service (SaaS) applications. Many organizations upgrade their existing applications to a cloud version, and retire obsolete on-premises and legacy versions when possible.

With a portion of the workload placed outside the on-premises data centers, hybrid enterprises should focus on ensuring secure access to every user, application, and device, irrespective of their location. This access should be contextual, which allows IT admins to create access policies for users based on location, IP address, device, etc. In other words, the only way you can succeed on your cloud journey is by deploying the right identity and access management (IAM) solution.

IAM providers can be classified into three categories:

  • Legacy on-premises IAM: Organizations committed to on-premises IAM do not typically migrate their legacy technology to a cloud platform as it presents many challenges. Instead, many of these organizations initiate their move to the cloud through a hybrid option.
  • Mix of legacy on-premises and cloud IAM: IAM vendors who started with on-premises solutions are now trying to offer hybrid identity solutions. A hybrid cloud identity and access management solution includes both on-premises and cloud-based systems, and uses a common method for authorization. While these vendors have advanced solutions built for pure on-premises workloads, their equivalent hybrid cloud IAM functionalities, like multi-factor authentication (MFA), single sign-on (SSO), and social logins, are integrated with their existing on-premises IAM solution. Addressing concerns such as data management and security, mid-size to large enterprises prefer to choose this approach.
  • IDaaS: As the number of users increases rapidly, an Identity as a Service (IDaaS)-focused vendor helps to leverage cloud identity efficiencies, as well as manage the network effects of the cloud. Organizations planning to transition to the cloud and keep a minimal on-premises footprint have to enable cloud-based authentication in their security architecture. Certain legacy applications cannot be re-engineered to modern standards. In such cases, organizations should be able to integrate the IDaaS benefits into their legacy applications. This approach, known as cloud-first hybrid, can reduce the burden on organizations of performing workload sizing before the initial deployment.

With varied cloud deployment models, organizations need to enforce proper access policies to ensure data security. Traditional IAM strategies are not enough in an ever-evolving hybrid environment. To address this challenge, organizations must build a unified security strategy with hybrid identity management at the center. Hybrid IAM should focus on three main objectives:

  • Verifying and providing secure access to each and every user who is attempting to access organizational resources across private cloud, public cloud, or on-premises data centers.
  • Enforcing just-in-time provisioning integrated with least-privilege access controls, limiting access to business-critical assets. Such granular access control is essential to prevent lateral movement by attackers.
  • Inspecting network traffic for malicious activities or anomalies to prevent attacks. All users and devices connected to the network should undergo real-time monitoring, and based on the contextual access policies, access should be revoked as and when an anomaly is detected.

As organizations move to the cloud, a significant amount of an organization's data migrates outside the corporate perimeter. To build a security framework that can withstand the dynamic challenges of cloud infrastructure, it’s important to adopt a Zero Trust security model.

The best of both worlds: Hybrid IAM with a Zero Trust approach

Based on the notion "never trust, always verify", the Zero Trust principle addresses security concerns pertaining to remote work, cloud adoption, and bring your own device (BYOD). Organizations need to monitor the network and verify every user trying to access corporate resources. Zero Trust adds additional security with real-time contextual authentication, where the user or entity is continuously monitored to assess risk against a benchmark (risk score). In case of an anomaly or malicious behavior, it can trigger re-authentication as necessary.
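As an added illustration of the risk-scored, contextual authentication described above (and of the contextual access policies listed earlier), not code from ManageEngine or AD360: each logon attempt is scored against a per-user baseline of previously verified countries, devices and IP networks, and the score selects allow, MFA step-up, or deny. The weights, thresholds, user, and logon events are all constructed.

```python
"""Risk-scored contextual authentication for a hybrid IAM gateway (added example,
not AD360 code). A logon attempt is scored against the user's baseline of verified
countries, devices and IP networks (the "benchmark" in the text); the score maps to
ALLOW, STEP_UP (force MFA re-authentication) or DENY. All values are constructed."""
import ipaddress
from dataclasses import dataclass, field

# Constructed weights: how much each deviation from the baseline adds to risk.
WEIGHTS = {"new_country": 40, "new_device": 40, "new_network": 20, "privileged_app": 20}
STEP_UP_AT, DENY_AT = 40, 70  # constructed thresholds


def network_of(ip):
    """Collapse an address to its /24 so a DHCP-reassigned host still matches."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


@dataclass
class Baseline:
    countries: set = field(default_factory=set)
    devices: set = field(default_factory=set)
    networks: set = field(default_factory=set)  # /24 prefixes of verified logons

    def learn(self, attempt):
        """Extend the baseline; call only after the attempt was fully verified."""
        self.countries.add(attempt["country"])
        self.devices.add(attempt["device"])
        self.networks.add(network_of(attempt["ip"]))


def score_attempt(baseline, attempt):
    """Return (score, reasons) for one logon attempt against the baseline."""
    reasons = []
    if attempt["country"] not in baseline.countries:
        reasons.append("new_country")
    if attempt["device"] not in baseline.devices:
        reasons.append("new_device")
    if network_of(attempt["ip"]) not in baseline.networks:
        reasons.append("new_network")
    if attempt.get("privileged"):  # business-critical app: extra scrutiny
        reasons.append("privileged_app")
    return sum(WEIGHTS[r] for r in reasons), reasons


def decide(baseline, attempt):
    score, reasons = score_attempt(baseline, attempt)
    verdict = "DENY" if score >= DENY_AT else "STEP_UP" if score >= STEP_UP_AT else "ALLOW"
    return verdict, score, reasons


def demo():
    # Constructed history for one user: office logons from a managed laptop.
    alice = Baseline({"DE"}, {"LAPTOP-01"}, {"10.20.30.0/24"})
    office = {"country": "DE", "device": "LAPTOP-01", "ip": "10.20.30.77"}
    home_admin = {"country": "DE", "device": "LAPTOP-01", "ip": "203.0.113.9", "privileged": True}
    unknown = {"country": "BR", "device": "UNKNOWN-PC", "ip": "198.51.100.4"}
    verdicts = [decide(alice, a)[0] for a in (office, home_admin, unknown)]
    alice.learn(home_admin)  # MFA passed: the home network joins the baseline
    verdicts.append(decide(alice, {**home_admin, "privileged": False})[0])
    return verdicts  # ["ALLOW", "STEP_UP", "DENY", "ALLOW"]
```

Only fully verified attempts extend the baseline, so a denied or unfinished step-up never teaches the engine to trust the new context.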

When sensitive applications and critical data are placed across systems, both on-premises and in the cloud, it is highly crucial to fragment data into micro-perimeters or micro-segments. This reduces the attack surface and protects organizational data from the risk of exposure to malware and vulnerabilities.

Cloud adoption boosts digital transformation for organizations embarking on a modernization program. It is crucial to decide which workloads move to the cloud and which stay on-premises. To ensure secure data access management, organizations must perform proper data valuation by assessing the criticality of the workload they are looking to migrate to the cloud. If the organization fails to protect workloads that contain sensitive data, their exploitation in a data breach could wreak havoc.

There are various stages of implementing the Zero Trust security model. A good place to start is enabling MFA along with strong password policies for all applications and devices. SSO ensures a seamless authentication experience by asking users to log in with a single ID and password for multiple applications, thereby reducing the attack surface. As a best practice, an MFA-enabled VPN should be implemented to access the corporate network.

Balancing accessibility and security: Hybrid IAM best practices

  • Defining the security perimeter: With data and workloads distributed between on-premises and the cloud, critical information is readily accessible to resourceful threat actors. This undefined security perimeter increases the entry points and attack surface, giving hackers easy access to an organization's network. User and device identification should be in place to implement proper security and access controls.
  • Using strong authentication methods: Various password attack methods are used to gain unauthorized access to user accounts. This is why it is crucial to enforce strong password policies based on recommendations from agencies like NIST, to prevent bad actors from misusing user information and applications. An even better option is to implement an MFA policy, which acts as a second line of defense if the first one is compromised.
  • Utilize a centralized identity and access management system: In hybrid deployments, it is advisable to manage all user accounts and devices from a single console. This helps IT administrators monitor their network and detect anomalies easily.
  • Enforce the least-privilege principle: The least-privilege principle enforces the minimal level of user rights needed, ensuring that no application or user holds unauthorized rights to business-critical resources.
  • Monitor and protect the hybrid environment using SIEM: To comprehensively monitor a hybrid environment, organizations must implement security information and event management (SIEM) solutions that continuously log and analyze data, and identify the risks pertaining to it.

Use the right tool: How ManageEngine AD360 can help build a hybrid identity management program

  • Streamlined user life cycle management: Easily provision, modify, and de-provision accounts and mailboxes for multiple users at once across AD, Exchange servers, Office 365 services, and G Suite from a single console. Use customizable user creation templates and import data from CSV to bulk provision user accounts.
  • SSO and self-service password management for enterprises: AD360's SSO capability eliminates the need for end users to remember multiple passwords, which saves them from having to log in multiple times to different applications. AD360 enables users to securely access all their enterprise applications from a single dashboard, and provides MFA for SSO as an additional layer of security.
  • Securely audit AD, Office 365, and file servers: Gain insight into all changes happening in your AD, Office 365, Windows Servers, and Exchange Servers. Monitor user logon activities, changes to AD objects, and more in real time. Comply with IT compliance regulations such as SOX, HIPAA, PCI DSS, and GLBA using prepackaged reports.
  • Intelligent threat alerts: Using AD360, IT admins can configure alert profiles to send customized messages to administrators when specific actions happen inside your Office 365 setup. These alerts can include information on the severity of the action that triggered the alert, who performed the action, the time it occurred, and more. This makes it easy to prioritize and act on alerts. With its user behavior analytics (UBA) capability, AD360 uses machine learning to create a baseline of typical actions specific to each user to accurately detect anomalous behavior and threats.
  • Audit user activity: Keep a close eye on all user logons and activities, with details on the who, when, and where concerning the actions performed.
  • Track privilege abuse: Fend off instances of privilege abuse by putting these airtight measures in place.
  • Detect lateral movements: Detect lateral movement within your environment by staying alert to suspicious activity related to lateral movement techniques and context that supports the investigation process.
  • Multi-factor authentication: Implement MFA by choosing strong authentication processes, such as fingerprint authentication, RADIUS authentication, etc.

How AD360 takes care of your IAM needs

  • Identity protection with UBA: Detect, investigate, and mitigate threats such as malicious logins, lateral movement, malware attacks, and privilege abuse with machine learning-based UBA; automate your threat response.
  • Identity automation: Eliminate redundancy and human errors, and improve business processes by automating user provisioning, stale account cleanup, and other identity-related tasks.
  • Identity lifecycle management: Streamline identity management throughout the entire lifecycle of users, from provisioning to role changes and deprovisioning.
  • Multi-factor authentication: Elevate trust in identities and mitigate impersonation attacks using biometrics, authenticator apps, and other advanced authentication methods.
  • Identity analytics: Use over 1000 preconfigured reports to monitor access to crucial data and satisfy compliance mandates.

Rethink your IAM with AD360

AD360 helps you simplify IAM in your IT environment by giving users quick access to the resources they need while establishing tight access controls to ensure security across on-premises Active Directory, Exchange Servers, and cloud applications from a centralized console.

© 2020 Zoho Corporation Pvt. Ltd. All rights reserved.