In this article:
- Legacy and on-prem applications often don't support modern identity standards, making them incompatible with IAM/IGA systems and forcing IT teams into manual, error-prone provisioning, offboarding, and access management.
- Disconnected apps create security and operational risks, including ghost accounts, overprivileged users, password-management gaps, lack of visibility, audit failures, and high costs associated with custom integrations.
- Cerby extends the reach of IAM/IGA solutions to legacy and on-prem apps through custom connectors, enabling automated provisioning, MFA enforcement, centralized monitoring, and cost-effective lifecycle management.
Automated identity and access management (IAM) and identity governance and administration (IGA) tools can govern most modern applications, yet legacy and on-prem software often lacks the APIs and provisioning standards that permit smooth, efficient governance and access management.
Such incompatibilities force IT teams to build custom workarounds or to manually onboard and offboard users, leading to inefficiencies, lack of visibility, and security risks. Fortunately, solutions exist that can broaden the reach of IAM and IGA tools to cover many outdated or on-prem applications.
"You want to have a good record of who has access to which applications and what sort of access," explains Cerby CEO and Co-Founder Bel Lepe. "When you tie that into a centralized identity tool like an IGA tool or an access-management tool, we can see all of that access and you can govern it very cleanly."
Why it's hard to connect legacy and on-prem apps
Organizations are more secure when their applications are managed by IAM and IGA systems and can take advantage of best identity-security practices like multi-factor authentication (MFA), least privilege, timely offboarding and permissions management. You don't want departed employees to still have access to your systems, and you don't want longtime staffers to retain the same sets of permissions they had when they first joined the company.
But nearly half of applications used in enterprises, according to a recent Omdia survey, are "disconnected": they aren't able to connect directly to identity-management systems.
The problem is that older applications simply aren't built to be easily compatible with IAM and IGA systems. Many can't use Security Assertion Markup Language (SAML), the standard that lets users sign in through single sign-on (SSO).
Nor can many applications, especially on-prem ones, use the cloud-based System for Cross-domain Identity Management (SCIM) standard, which lets identity providers and IGA solutions easily provision, update and deprovision users.
"If the app doesn't support a standard such as SCIM," says Cerby Chief Strategy Officer Matt Chiodi, "then it makes it very difficult for the IGA vendors and the identity providers to send over a standard message to the app to say onboard an account, offboard an account, and update the account."
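To make the "standard message" concrete, here is an added example (not Cerby's code, nor from any vendor named on the page) of the minimal SCIM 2.0 /Users behaviour an application has to expose so that an IdP or IGA tool can onboard, update and offboard an account without a custom connector. The in-memory store and the sample request bodies are constructed for illustration; the schema URIs are the real ones from RFC 7643/7644.

```python
import uuid

# Schema URIs from RFC 7643 / RFC 7644 (SCIM 2.0)
SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


class ScimUserStore:
    """Hypothetical in-memory stand-in for an app's /Users endpoint.
    It accepts the three standard messages the article refers to:
    onboard (POST), update/offboard (PATCH) and delete (DELETE)."""

    def __init__(self):
        self.users = {}

    def create(self, body):  # POST /Users -> onboard an account
        if SCIM_USER not in body.get("schemas", []):
            raise ValueError("invalidSyntax: unsupported schema")
        if any(u["userName"] == body["userName"] for u in self.users.values()):
            raise ValueError("uniqueness: userName already exists")  # SCIM 409
        user = {
            "schemas": [SCIM_USER],
            "id": str(uuid.uuid4()),
            "userName": body["userName"],
            "active": bool(body.get("active", True)),
            "roles": list(body.get("roles", [])),
        }
        self.users[user["id"]] = user
        return user

    def patch(self, uid, body):  # PATCH /Users/{id} -> update or offboard
        if SCIM_PATCH not in body.get("schemas", []):
            raise ValueError("invalidSyntax: unsupported schema")
        user = self.users[uid]  # KeyError here maps to a SCIM 404
        for op in body["Operations"]:
            # Only the two attributes a lifecycle flow typically touches
            if op["op"].lower() != "replace" or op.get("path") not in ("active", "roles"):
                raise ValueError(f"invalidPath: unsupported operation {op}")
            user[op["path"]] = op["value"]
        return user

    def delete(self, uid):  # DELETE /Users/{id} -> hard removal
        return self.users.pop(uid)

    def active_usernames(self):
        return sorted(u["userName"] for u in self.users.values() if u["active"])


def offboard_message():
    """The deprovisioning PATCH body an IdP sends: deactivate rather than delete,
    so the account stays auditable while losing access."""
    return {"schemas": [SCIM_PATCH],
            "Operations": [{"op": "replace", "path": "active", "value": False}]}
```

An app that lacks this endpoint is exactly the "disconnected" case the article describes: the IdP has nothing standard to send, so an administrator has to perform each step by hand.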
In many cases, an application vendor will provide a custom-built API that works with top identity-provider systems like Entra ID, Okta, SailPoint or Saviynt. But customers often must upgrade to a premium licensing tier in order to use it.
"These vendors realize that they can charge a premium for having SAML and SCIM support," says Cerby Vice President of Marketing Bora Repishti. "The premium is oftentimes upwards of five figures, sometimes six figures."
If SCIM is not an option, an enterprise with sufficient developer resources can try to create its own user-management APIs, both for apps built in-house and third-party ones. Identity providers and IGA vendors can then build connectors to those apps.
But this approach can be costly and time-consuming. And by introducing more moving parts, it may also add complexity, technical debt and maintenance headaches.
"If the apps themselves do not support standards and every single app is a one-off, it becomes very expensive for identity providers and IGA vendors to try to build custom connections, if they can at all, to those apps," says Aaron Yee, Head of Product Marketing at Cerby.
What happens when apps are disconnected
Disconnected apps create a lot of extra work for IT teams, who often must provision new employees with accounts and login credentials app by app, and painstakingly perform a similar deprovisioning process every time an employee leaves.
"What tends to happen with these legacy and on-prem applications is because they don't support SCIM and oftentimes they don't have APIs, app administrators spend a tremendous amount of time onboarding and offboarding users manually," says Repishti.
Lack of connectivity and oversight also means IT teams can't implement the normal identity controls used to protect other applications, such as automatically rotating passwords. This heightens the risks of identity compromise and undetected intrusions.
"These disconnected apps, when they're not connected, obviously the IT and security teams have no visibility," says Chiodi. "They don't know how many users are in these apps. They don't know who's using them."
Things can quickly become a mess as disconnected apps are allowed to persist. Accounts may stay active long after their users have left the company, and excessive permissions can mount as individual users change internal roles.
These negative cycles raise the risk that an attacker will compromise a dormant or overprivileged account, and make it more likely that a highly regulated organization will not pass an audit.
"Over time, all of these ghost accounts tend to build up," says Yee. "Access is never cleanly revoked, and it's not done on time. That presents a real risk. There's no auditability. You don't know who has access. You can't be sure that you actually completely revoked access."
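The ghost-account and overprivileged-account problems above can be surfaced even before an app is connected, by reconciling the app's own user export against the identity provider's roster. The following is an added example (not Cerby's code) with a constructed roster and export; the "admin_apps" entitlement field and the 90-day dormancy threshold are assumptions for the illustration.

```python
from datetime import date

# Constructed sample: what the IdP / HR system says about each person
IDP_USERS = {
    "alice": {"status": "active", "admin_apps": {"ledger"}},
    "bob": {"status": "terminated"},            # left the company
    "carol": {"status": "active", "admin_apps": set()},
}

# Constructed sample: a disconnected app's manual user export
APP_EXPORT = [
    {"app": "ledger", "user": "alice", "role": "admin", "last_login": "2024-05-01"},
    {"app": "ledger", "user": "bob", "role": "user", "last_login": "2023-11-20"},
    {"app": "ledger", "user": "carol", "role": "admin", "last_login": "2024-04-28"},
    {"app": "ledger", "user": "dave", "role": "user", "last_login": "2024-01-05"},
]


def reconcile(idp, export, today, dormant_days=90):
    """Return (finding, app, user) tuples for accounts the IdP would have
    deprovisioned or demoted if the app were connected.

    ghost:          account exists in the app but the person is gone or unknown
    overprivileged: app role is admin but the IdP grants no admin entitlement
    dormant:        no login within dormant_days (candidate for review)
    """
    findings = []
    for acct in export:
        person = idp.get(acct["user"])
        if person is None or person["status"] != "active":
            findings.append(("ghost", acct["app"], acct["user"]))
        elif acct["role"] == "admin" and acct["app"] not in person.get("admin_apps", set()):
            findings.append(("overprivileged", acct["app"], acct["user"]))
        idle = (today - date.fromisoformat(acct["last_login"])).days
        if idle > dormant_days:
            findings.append(("dormant", acct["app"], acct["user"]))
    return sorted(findings)


if __name__ == "__main__":
    for finding in reconcile(IDP_USERS, APP_EXPORT, date(2024, 5, 15)):
        print(*finding)
```

Each finding corresponds to a manual deprovisioning or role change that a connected app would have received automatically from the IGA workflow.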
Plus, the repetitive human grunt work involved in provisioning accounts, modifying passwords and offboarding users tends to include errors that machines don't make.
"When you do things manually like that, you're bound to make mistakes," says Repishti. "You thought you deactivated access, but maybe you didn't. Or if you have to modify access and instead of giving a user this certain role in an application, you gave them this administrator role instead. That's added risk."
How to easily connect disconnected apps
To address these issues, Cerby has created an identity-authentication platform designed specifically to integrate disconnected applications, even those that do not support SCIM or offer user-management APIs. The platform includes more than 1,000 custom connectors for some of the most difficult apps; a partial list of connectors can be found here.
"We'll simulate a user, an administrator, logging into the app, clicking through a series of buttons to the point where they deactivate the user or maybe onboard the user or make changes to the account," explains Chiodi.
With these connectors, organizations can now fully automate and govern employee access and identities, from initial provisioning to final offboarding.
"When you've tied provisioning and deprovisioning into a centralized system that can automatically control that," Lepe says, "you offload your identity teams and your IT teams from having to manually log into an app every single time someone new joins the organization."
Cerby has just introduced two new tools, Cerby Identity Lifecycle Management (IdLCM) and the Cerby On-Premises Agent (OPA), that further extend lifecycle management to disconnected apps.
IdLCM automates account provisioning, updates and deprovisioning for SaaS apps that lack SCIM compatibility or user-management APIs. OPA, through the use of an on-premises agent, does the same for applications behind the on-prem firewall.
Because Cerby is a cloud-based service, it uses an on-prem agent to bridge cloud and on-prem environments, letting the Cerby platform connect to and manage on-prem applications.
Cerby says the agent "creates a secure, outbound-only tunnel from your private network to the Cerby platform" without the use of a VPN or architectural changes, although outbound firewall rules may need to be tweaked.
To be clear, Cerby itself is not an identity provider or IGA solution. Instead, it makes it possible to extend those solutions to all your disconnected applications in the cloud or on-prem, not just those that come with SCIM support or include user-management APIs.
Lepe explains that for many Cerby customers, the effort and time saved by integrating disconnected apps with IGA solutions gives staff members the opportunity to focus on more immediate issues.
"We're able to automate this process for them, because they just can't automate it with their existing tools," he says. "They free up a lot of their IT teams' time to do other tasks instead."