Securing Systems in the Cloud and Simplifying the Complexity

It is two in the morning. Your phone buzzes. The production system is down. Customers cannot log in. The culprit is simple: an expired certificate buried deep in an authentication system. A small date that someone forgot to renew has just brought an entire digital business to its knees.

If this story feels familiar, you are not alone. Identity is now the front door to every modern business. But the front door has many locks, keys, and confusing jargon. Our aim in this article is simple: to explain, in plain language, what the main approaches to authentication and authorisation are, and then to show what a modern, simplified, consistent strategy looks like in 2025.

Glossary in Plain English

• Authentication: Proving you are who you say you are. Like showing your passport at the airport.

• Authorisation: What you are allowed to do once inside. Like whether your ticket says economy or business class.

• Identity Provider (IdP): The bouncer at the door checking your ID. Microsoft Entra ID (Azure AD), AWS IAM, and Google Identity are examples.

• MFA (Multi-Factor Authentication): Using more than one proof. For example, password plus a phone code.

• JWT (JSON Web Token): A digital boarding pass. Compact, signed, and can be read by systems without calling home.

• SAML (Security Assertion Markup Language): An older XML-based boarding pass. Still in use but being phased out.

• OIDC (OpenID Connect): The modern standard for user logins built on top of OAuth 2.0.

• Federation: Two organisations agreeing to trust each other’s passports.

The Three Journeys

Think of identity like travelling through an airport. Every flow is a journey.

1. People logging in

This is the check-in desk. A person shows ID and boarding pass, and gets allowed onto the plane. In IT, this is employees, customers, or partners logging into systems with a username, password, and increasingly MFA.

2. Servers and applications

This is the cargo system. Boxes do not carry passports. Instead, trusted barcodes and seals prove authenticity. In IT, this is services talking to other services. They authenticate using certificates, client secrets, or managed identities.

3. External systems

This is the transfer desk between airlines. Your Qantas boarding pass also works with Emirates because the airlines have a federation agreement. In IT, this is business-to-business trust: SAML, OIDC federation, or cross-cloud trust.

Why It Feels Complicated

Because it is. Every system, every vendor, every cloud has its own take on identity. Certificates expire. Secrets are rotated. Standards overlap. Old systems like SAML refuse to die. And as organisations grow across multiple clouds and multiple domains, the problem multiplies.

A Consistent Playbook for 2025

The good news is that cloud platforms have converged on common standards. Here is the simplest way forward:

For people

• Use OpenID Connect (OIDC) wherever possible.

• Enable Multi-Factor Authentication (MFA) for all users.

• Delegate to a central Identity Provider (Entra ID, AWS IAM Identity Center, or Google Identity).

For servers and apps

• Use managed identities or workload identities. This avoids storing secrets.

• Automate certificate and secret rotation using cloud services (Azure Key Vault, AWS Secrets Manager, Google Secret Manager).

• Prefer short-lived tokens (JWTs) issued per request.

For external systems

• Use federation through OIDC when possible.

• If stuck with SAML, plan a migration path. Wrap old apps with gateways that translate SAML assertions into JWTs until the app is modernised.

Common Pitfalls and Outage Causes

Checklist of frequent identity outages

• Expired certificates or secrets nobody owned

• Hardcoded credentials in old applications

• JWT tokens accepted without validation of issuer or audience

• Forgotten test apps left in production with weak policies

• Local storage of tokens in browsers

Migration from Legacy to Modern

Most organisations still carry baggage from older systems. Here are practical strategies:

• Incremental wrapping: Place an API gateway or identity proxy in front of a legacy SAML app. The gateway handles OIDC and issues JWTs, while the old app still consumes SAML.

• Phased rollout: Start with new applications using OIDC, then migrate legacy apps as they are upgraded.

• Dual support: Run SAML and OIDC side by side during transition, but track and shrink SAML usage each quarter.

Security Considerations

Developers should avoid these anti-patterns:

• Do not store tokens in local storage or cookies without proper flags.

• Do not skip audience (aud) or issuer (iss) validation on JWTs.

• Do not hardcode secrets in code or config files.

• Do not issue long-lived refresh tokens without rotation.

Cost Considerations

Identity is not just about security, it is about money.

• Native cloud identity features (Entra ID, IAM, Google Identity) are usually included.

• Extra add-ons, third-party brokers, or SAML connectors can add cost.

• Simpler architectures with fewer moving parts reduce both support cost and risk.

Developer Examples

Example: Using Azure Managed Identity to access Key Vault

var credential = new DefaultAzureCredential();
var client = new SecretClient(new Uri("https://myvault.vault.azure.net/"), credential);
KeyVaultSecret secret = client.GetSecret("DbPassword");

This code requires no hardcoded credentials. The token is issued automatically by Azure.

Example: JWT structure

{
  "iss": "https://login.microsoftonline.com/{tenantid}/v2.0",
  "aud": "api://your-api",
  "exp": 1699999999,
  "roles": ["Reader", "Writer"]
}

The header and payload are signed, so consumers can verify authenticity without calling the issuer.

Example: Configuring OIDC in AWS

resource "aws_iam_openid_connect_provider" "example" {
  url             = "https://token.actions.githubusercontent.com"
  client_id_list  = ["sts.amazonaws.com"]
  thumbprint_list = ["9e99a48a9960b14926bb7f3b02e22da0afd10df6"]
}

References

• Microsoft Entra ID: https://learn.microsoft.com/azure/active-directory

• AWS IAM Identity Center: https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html

• Google Cloud Identity: https://cloud.google.com/identity

• OAuth 2.0 and OIDC: https://openid.net/connect

• JWT introduction: https://jwt.io

Closing Thoughts

Identity should not be a maze of acronyms. In 2025 the best practice is to use OIDC and JWT for people and systems, automate certificate and secret rotation, and centralise trust with your chosen identity provider.

The midnight outage call can be avoided. With the right approach, identity becomes not a pain, but an enabler of trust across every system you run.