What is an identity fabric?

Authors

Gregg Lindemulder

Staff Writer

IBM Think

Matthew Kosinski

Staff Editor

IBM Think

An identity fabric is a framework for integrating and orchestrating multiple identity and access management (IAM) systems to act as a single unified system. The identity fabric gives organizations a centralized approach to securing and managing digital identities in complex IT environments.

In the age of digital transformation, most enterprise organizations manage hybrid and multicloud environments that contain on-premises assets, legacy applications and various cloud-based services. It is common for each of these systems to have its own IAM solution, which means organizations must juggle multiple user directories and identity systems.

The proliferation of disconnected identity systems can degrade the user experience and create visibility and security gaps that malicious actors can take advantage of. According to the IBM® X-Force® Threat Intelligence Index, identity-based attacks are one of the most common attack vectors, accounting for 30% of intrusions.  

An identity fabric helps unify disconnected identity systems across an organization’s digital ecosystem. This unification makes it easier to monitor activity and apply consistent identity governance, authentication and authorization measures for all users across every application and platform.

This centralized approach improves visibility into user activity, strengthens the organization’s security posture and operational efficiency and supports a more streamlined user experience.

Why is an identity fabric important?

Identity fabrics enable organizations to integrate the disparate identity systems of different apps, assets and services. The organization can enforce unified access policies, monitor user activity, address vulnerabilities and implement consistent security controls across all systems. 

Identity and access management systems are critical identity security tools. They help protect digital identities, block unauthorized activity and ensure that the right people can access the right resources for the right reasons.

However, most organizations find themselves managing multiple IAM solutions connected to multiple user directories. At the least, most organizations use one IAM solution for internal users and a separate customer identity and access management (CIAM) solution for customers and other external users.

But many organizations deal with more than just two identity systems. Each legacy app, cloud provider and on-premises system might have its own IAM solution and directory service.

These identity silos provide an inconsistent user experience, as each system might require separate credentials, permission levels and security measures.

Moreover, disconnected identity systems pose significant security risks. User identities are a top target for cyberattacks. The X-Force Threat Intelligence Index reports that credential theft is the most common impact faced by victims of breaches.

Without a centralized approach, it can be challenging to apply strong cybersecurity measures, such as passwordless authentication with FIDO passkeys, risk-based authentication (RBA) and real-time identity threat management. Some IAM systems might not even support some of these measures.  

An identity fabric solution offers a unified layer for managing and securing digital identities across apps, assets and cloud providers. It provides organizations with greater visibility into user accounts and activity, and more consistent control over the policies and processes that protect users across every system, application and platform.

Example: An identity fabric in action

Consider how a healthcare provider might use an identity fabric architecture to create a more secure and efficient system for medical professionals.

A typical healthcare provider relies on a number of technology tools—for example, a scheduling system, a patient records system, a telehealth platform and a system for sharing data with other healthcare providers.  

An identity fabric would allow practitioners to access all of these systems through a single identity. Not only is this more convenient than requiring multiple logins, but it also enables the organization to enforce the same access levels and security controls across all platforms. For example, a doctor would be able to access all of their patients’ data in each system—but not the data of patients who aren’t theirs.  

Centralized policy enforcement helps ensure compliance with data privacy laws and prevent unauthorized access, including situations where legitimate users have more permissions than they really need.
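The healthcare scenario above, as an added example that is not part of the IBM article: a single authorization rule, evaluated by the fabric, is applied identically to every connected system. The identities, roles, care-team assignments and system names are constructed assumptions.

```python
"""Added example (not from the IBM article): one authorization rule applied
identically to every system connected to a hypothetical healthcare identity
fabric. Identities, roles and care-team assignments are constructed data."""
from dataclasses import dataclass

# Constructed data: each practitioner has a single fabric-wide identity.
ROLES = {"dr.lee": "physician", "dr.patel": "physician",
         "nurse.kim": "nurse", "it.admin": "admin"}
# Patient id -> practitioners on that patient's care team.
CARE_TEAMS = {
    "P-100": {"dr.lee"},
    "P-200": {"dr.lee", "dr.patel", "nurse.kim"},
    "P-300": {"dr.patel"},
}
# The four systems from the article; each forwards requests to the same policy.
SYSTEMS = ("scheduling", "records", "telehealth", "data-sharing")

@dataclass
class Decision:
    allowed: bool
    reason: str

def authorize(user: str, system: str, patient: str, action: str) -> Decision:
    """Central policy decision point shared by all connected systems."""
    if system not in SYSTEMS:
        return Decision(False, f"unknown system {system!r}")
    role = ROLES.get(user)
    if role is None:
        return Decision(False, "unknown identity")
    if role == "admin":
        # Admins run the platforms but sit on no care team, so patient data
        # stays off-limits: least privilege rather than implicit trust.
        return Decision(False, "admin role has no clinical data access")
    if user not in CARE_TEAMS.get(patient, set()):
        return Decision(False, f"{user} is not on the care team for {patient}")
    if action == "write" and role != "physician":
        return Decision(False, "only physicians may modify patient data")
    return Decision(True, f"{role} on care team for {patient}")

def decisions_across_systems(user: str, patient: str, action: str) -> dict:
    """The same request sent through every system yields the same answer,
    which is the point of centralizing the policy in the fabric."""
    return {s: authorize(user, s, patient, action).allowed for s in SYSTEMS}
```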

How does an identity fabric work?

An identity fabric works by integrating and synchronizing the many disparate identity services that exist in an organization’s network into a unified IAM infrastructure.

Many identity fabrics rely heavily on application programming interfaces (APIs). APIs enable disconnected systems to securely communicate, exchange identity data and enforce consistent identity and access management policies. Some fabrics also use standardized communication protocols such as OAuth or Security Assertion Markup Language (SAML) to connect IAM systems.

There are different options for implementing an identity fabric. Some vendors offer identity fabric platforms that provide organizations with complete capabilities for connecting identity systems out of the box. Other organizations take a best-in-class approach by integrating various point solutions. Organizations with specialized needs might build their own identity fabrics with custom code and APIs.

Although the nature and structure of identity fabrics can vary, most organizations use some combination of these elements to create their fabrics:

Identity orchestration

Identity orchestration software coordinates disparate IAM systems to create cohesive, frictionless identity workflows—such as user logins, onboarding and account provisioning—that span multiple systems.

Identity orchestration platforms can act as central control planes for all the identity systems in a network. Every identity tool integrates with the orchestration platform, creating a unified fabric.

Identity orchestration tools are often used to create single sign-on (SSO) systems that allow users to access multiple applications with a single set of credentials.

Identity threat detection and response (ITDR)

Identity threat detection and response (ITDR) solutions monitor systems to discover and remediate identity-based threats, such as privilege escalation and account hijacking, that can lead to data breaches and other problems. 

When an ITDR solution detects potentially malicious behavior, it alerts the security team and triggers an automated response, such as immediately blocking account access to sensitive data.

Onboarding legacy apps

Legacy applications don’t always support modern security measures such as multifactor authentication (MFA) or zero trust architectures. Many identity orchestration platforms and identity fabric solutions offer low-code and no-code tools to bring these applications up to speed. These tools provide visual drag-and-drop interfaces for configuring identity workflows on top of legacy apps. For example, if an app doesn’t support MFA, an identity orchestration tool can connect that app to a separate MFA solution, creating a streamlined workflow between the two systems. 

Risk-based authentication (RBA)

Also known as adaptive authentication, risk-based authentication (RBA) assesses in real time the risk level of each user trying to access organizational assets. RBA dynamically adjusts authentication requirements based on these risk assessments.

RBA evaluates user behaviors such as typing rates, device usage and physical location to determine a user’s risk level. A user displaying typical behaviors—using a known device, logging in from the same location—is considered lower risk. They might only need to enter a password to confirm their identity.

Alternatively, a user logging in from an unknown device or a new location might be considered higher risk. The RBA system might subject the user to additional access control measures, such as a fingerprint scan.
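The risk-based authentication logic described in the two paragraphs above, as an added example that is not from the IBM article or any vendor product. The signals (known device, usual country, typing rate), the weights, the thresholds and the user profile are all constructed assumptions.

```python
"""Added example (not from the IBM article): a risk-based authentication
policy that scores a login against the user's learned baseline and picks the
authentication steps accordingly. Signals, weights and thresholds are
constructed assumptions."""
from dataclasses import dataclass

@dataclass
class LoginContext:
    user: str
    device_id: str
    country: str
    typing_cpm: float      # characters per minute observed on the login form

# Constructed baseline per user, as an RBA system would learn it over time.
PROFILES = {
    "alice": {"devices": {"laptop-7f3a"}, "countries": {"US"}, "typing_cpm": 240.0},
}

def risk_score(ctx: LoginContext) -> int:
    """Sum weighted deviations from the baseline; 0 means fully typical."""
    profile = PROFILES.get(ctx.user)
    if profile is None:
        return 100                     # no baseline at all: treat as highest risk
    score = 0
    if ctx.device_id not in profile["devices"]:
        score += 40                    # unknown device
    if ctx.country not in profile["countries"]:
        score += 40                    # new location
    # Typing rate more than 30% off baseline is a weaker behavioral signal.
    if abs(ctx.typing_cpm - profile["typing_cpm"]) / profile["typing_cpm"] > 0.30:
        score += 20
    return score

def authentication_policy(ctx: LoginContext) -> dict:
    """Map the score to what the user must do: password only for typical
    behavior, step-up (fingerprint) on one anomaly, deny on several."""
    score = risk_score(ctx)
    if score < 40:
        return {"score": score, "allow": True, "factors": ["password"]}
    if score < 80:
        return {"score": score, "allow": True, "factors": ["password", "fingerprint"]}
    # Unknown device from a new location at once: refuse and raise an alert
    # rather than let a stronger factor alone decide.
    return {"score": score, "allow": False, "factors": []}
```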

Directory synchronization

Directory services are repositories that store and manage information about the users of systems and applications. Synchronizing directory services across an organization’s IT environment gives the organization a single, authoritative view of every user. This enables the organization to apply uniform identity security policies to every user across every system, instead of needing separate policy sets for each directory. 
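Directory synchronization as described above, in an added example that is not from the IBM article: several directory exports are reconciled into one view per person, with the HR directory declared authoritative, and accounts that disagree with it are flagged. Directory names, attributes and records are constructed sample data.

```python
"""Added example (not from the IBM article): reconcile several user
directories into one authoritative view per person and flag drift such as
an account still enabled after HR terminated the user. All data constructed."""
from collections import defaultdict

# Constructed exports from three directories. HR is declared authoritative
# for employment status; the others are expected to agree with it.
DIRECTORIES = {
    "hr":    [{"mail": "Ana.Ruiz@example.com", "status": "active"},
              {"mail": "bo.chen@example.com",  "status": "terminated"}],
    "ad":    [{"mail": "ana.ruiz@example.com", "enabled": True, "groups": ["Finance"]},
              {"mail": "bo.chen@example.com",  "enabled": True, "groups": ["Domain Admins"]}],
    "cloud": [{"mail": "ana.ruiz@example.com",   "enabled": True, "groups": ["billing-admins"]},
              {"mail": "svc-legacy@example.com", "enabled": True, "groups": []}],
}
AUTHORITATIVE = "hr"

def normalize(mail: str) -> str:
    """Match accounts across directories by a case-folded e-mail address."""
    return mail.strip().lower()

def unified_view(directories=DIRECTORIES) -> dict:
    """One record per person: the directories holding an account for them,
    whether it is enabled in each, and the union of group memberships."""
    view = defaultdict(lambda: {"directories": {}, "groups": set()})
    for name, records in directories.items():
        for rec in records:
            person = view[normalize(rec["mail"])]
            enabled = rec.get("enabled", rec.get("status") == "active")
            person["directories"][name] = enabled
            person["groups"].update(rec.get("groups", []))
    return dict(view)

def find_drift(view: dict) -> list[str]:
    """Accounts whose state disagrees with the authoritative directory."""
    findings = []
    for mail, person in sorted(view.items()):
        dirs = person["directories"]
        if AUTHORITATIVE not in dirs:
            findings.append(f"{mail}: account exists without an {AUTHORITATIVE} identity (orphan)")
        elif dirs[AUTHORITATIVE] is False:
            for d, enabled in dirs.items():
                if d != AUTHORITATIVE and enabled:
                    findings.append(f"{mail}: terminated in {AUTHORITATIVE} but still enabled in {d}")
    return findings
```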

Identity governance and administration (IGA)

Identity governance and administration (IGA) tools help manage user identities throughout their lifecycles, from onboarding through deprovisioning and offboarding. The aim of IGA is to ensure that access policies and user activity comply with regulations such as the General Data Protection Regulation (GDPR) and the Health Insurance Portability and Accountability Act (HIPAA).

IGA tools help automate and streamline activities such as user provisioning, implementing access policies and conducting access rights reviews. 

Privileged access management (PAM)

Privileged access management (PAM) tools govern and secure privileged accounts (such as admin accounts) and privileged activities (such as working with sensitive data).

Privileged accounts require stronger protection than standard accounts because they are high-value targets that hackers can use to cause serious damage. PAM enforces advanced security measures—such as credential vaulting and just-in-time access—to strictly control how users obtain elevated privileges and what they do with them.

Use cases for an identity fabric

Eliminating identity silos

Fragmented IAM systems and user directories can create identity silos, leaving organizations to manage different identities and access controls for each distinct system. Implementing an identity fabric can help knock down these silos and streamline identity and access management. 

An identity fabric architecture unifies disconnected identity services, creating a single digital identity for each user. This enables the organization to set and apply uniform permissions and policies that follow each user across cloud environments, legacy systems and applications. This helps ensure a consistent user experience, regardless of the application or system the user accesses.

Identity fabrics also support system scalability. Organizations don’t need to worry about whether introducing new tools or assets to a network might disrupt their identity systems. Each new resource is integrated into the same fabric.

Enhancing security

Organizations often use an identity fabric as a centralized point of control for implementing the latest cybersecurity technologies and practices. For example, an organization might want to enforce multifactor authentication (MFA) or apply a zero trust approach, in which there is no inherent trust for any user.

Amid a fragmented system of multiple IAM solutions and user directories, it would be difficult for the organization to consistently implement these cybersecurity measures. But with an identity fabric, the organization gains unified visibility and control of identity security policies. It can centrally enforce secure access to resources, and track and analyze user behaviors across systems to detect potential threats. 

Simplifying regulatory compliance

Organizations often take advantage of a centralized identity fabric to simplify data protection and compliance initiatives. They can apply access policies for sensitive data based on user roles, track what users are doing with that data and ensure the principle of least privilege is followed.

By managing digital identities with a unified system, organizations are able to enforce compliance standards and log user activity across all systems and applications simultaneously. This capability makes it easier to provide audit trails and compliance reports to regulatory agencies.
