F5 Blog


Managing Identity and Access in a Multi-Cloud World

Applications have broken free from the data center and are heading for the cloud, or more correctly, the clouds. In general, this is a good thing. The transition from a monoculture of applications hosted in data centers to the brave new world of public cloud, private cloud, and as-a-service offerings allows an enterprise to place applications in the best environment. Container technology has delivered even greater abstraction and mobility, which enables organizations to increase adaptability and agility.

However, when migrating your applications to this dispersed model, there are a couple of key challenges, driven by users' need for frictionless access to the applications they rely on to be productive.

How can IT balance the desire to host applications in the right place with the requirement to provide secure and seamless user access and authorization? When applications are dispersed, how should IT manage the user accounts? Using multiple sources of identity is cumbersome and prone to error, while forcing users to re-authenticate into every application leads to bad practices—such as the infamous password sticky note.

In addition, having to create and disable multiple accounts on different systems is an operational burden and a real risk in a fast-paced business. Failure to shut down all the accounts of employees who leave the business can result in data loss, compromised security, and regulatory penalties. It’s clear that managing multiple accounts creates a security risk, disrupts the user experience, and can have serious effects on the business.

What’s needed is a “single source of truth” that authenticates users wherever they are and gives them access to whatever apps they need. In most cases, this is the Microsoft Active Directory (AD) service, which provides a source of identity as well as a source of authorization: membership in certain AD groups designates a user’s entitlement to access applications or other resources.

While AD services are relatively easy to use within a data center, they can be much harder to extend into other applications running in remote locations. This is especially true when you are lifting and shifting existing or legacy enterprise applications into public and private clouds, since the authentication methods they support are not designed for distributed cloud environments. Deploying a service that prompts a user once for login credentials, authenticates them, and then can replay or translate their authorized status into multiple applications can ease the transition to a dispersed application environment.

The benefits of this model are clear: The corporate identity database remains the single source of truth, users don’t suffer from password fatigue, and the organization retains better control of application access. Simplified exit procedures—just disable the user account in one place—decrease errors and lead to operational efficiencies. As your application portfolio grows, and the places you host your apps multiply, systems that manage the complexity of identity and access authentication will help keep your users working as fast as your applications.
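The two paragraphs above describe an identity-broker pattern: authenticate once against the corporate directory, derive entitlements from group membership, and hand each application a translated proof of that authorized status, so that disabling the account in one place revokes access everywhere. The Python below is an added illustration of that model written for this post; it is not F5 code and not a description of any F5 product. It assumes a constructed in-memory directory standing in for AD, an assumed group-to-application entitlement map, and an HMAC-signed, short-lived assertion standing in for whatever token format (Kerberos, SAML, OIDC) a real broker would emit to each application.

```python
"""Toy identity broker: one login against a single directory, per-app signed assertions."""
import base64
import hashlib
import hmac
import json
import os
import time

# Assumption: a key shared between the broker and the relying applications.
SECRET = b"constructed-demo-signing-key"


def _make_record(password, groups):
    """Build a constructed directory entry with a salted PBKDF2 verifier (no plaintext stored)."""
    salt = os.urandom(16)
    verifier = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return {"salt": salt, "verifier": verifier, "groups": groups, "enabled": True}


# Constructed stand-in for the corporate directory (the single source of truth).
DIRECTORY = {
    "alice": _make_record("correct horse", ["Finance-Users", "VPN-Users"]),
    "bob": _make_record("hunter2", ["Engineering"]),
}

# Assumed mapping: which directory group entitles a user to which application.
APP_ENTITLEMENTS = {
    "erp-onprem": {"Finance-Users"},
    "ci-in-cloud": {"Engineering"},
    "vpn": {"VPN-Users"},
}


def authenticate(username, password):
    """The one login prompt. Returns the directory identity, or None if it fails."""
    rec = DIRECTORY.get(username)
    if rec is None or not rec["enabled"]:
        return None  # unknown or disabled account: fails for every app at once
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], 100_000)
    if not hmac.compare_digest(digest, rec["verifier"]):
        return None
    return {"sub": username, "groups": list(rec["groups"])}


def issue_assertion(identity, app, ttl=300, now=None):
    """Translate the directory identity into a short-lived assertion bound to one app."""
    if not set(identity["groups"]) & APP_ENTITLEMENTS[app]:
        return None  # authenticated, but no group grants this application
    now = time.time() if now is None else now
    payload = {"sub": identity["sub"], "aud": app, "iat": int(now), "exp": int(now) + ttl}
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    sig = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def verify_assertion(token, app, now=None):
    """What each application does instead of re-prompting: check signature, audience, expiry."""
    try:
        body, sig = token.split(".")
    except (ValueError, AttributeError):
        return None
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None  # tampered or forged
    payload = json.loads(base64.urlsafe_b64decode(body))
    now = time.time() if now is None else now
    if payload["aud"] != app or payload["exp"] <= now:
        return None  # wrong application, or replayed after expiry
    return payload["sub"]


def disable_account(username):
    """The one-place offboarding step: subsequent logins fail for every application."""
    DIRECTORY[username]["enabled"] = False


if __name__ == "__main__":
    ident = authenticate("alice", "correct horse")
    for app in APP_ENTITLEMENTS:
        tok = issue_assertion(ident, app)
        print(app, "->", verify_assertion(tok, app) if tok else "not entitled")
    disable_account("alice")
    print("after offboarding:", authenticate("alice", "correct horse"))
```

The assertion is bound to an audience and an expiry so that a token minted for the on-premises ERP cannot be presented to the cloud CI system, and a captured token stops working on its own; the only mutable state lives in the directory, which is what makes the single disable step sufficient.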