Modern enterprises don't live in a single cloud or a single datacenter. They live everywhere — and managing who can access what, across a patchwork of environments, is one of the most pressing security challenges today.
78% of breaches involve privileged credentials
3.5× more environments to manage vs. 5 years ago
62% of orgs lack unified visibility across hybrid environments
What You'll Learn
🏛️ Governance Challenges
Why managing identities across on-prem AD and multi-cloud creates fragmented visibility, inconsistent policy enforcement, and audit blind spots.
🗺️ Hybrid Architecture
How AWS IAM, Azure RBAC, on-premises Active Directory, and Linux servers differ in their identity models and where gaps emerge.
🔐 PAM & Entitlement Policies
How to define and apply consistent Privileged Access Management and entitlement policies that work across all four environment types.
🎛️ Unified Control Plane
How Delinea provides a single control plane that spans all environments — centralizing policy, session monitoring, and audit trails.
Key Concept
A hybrid identity environment is any organization that manages user and system identities across at least one on-premises directory service (like Active Directory) and one or more cloud platforms. This describes the vast majority of enterprises today.
Section 2 of 6
The Governance Challenge Stack
Hybrid environments introduce compound governance problems. Each challenge below layers on top of the previous, creating an increasingly complex security posture.
🔍 Fragmented Visibility (CHALLENGE 01 · HIGH SEVERITY)
Each environment has its own logging, audit, and identity store. AWS CloudTrail records IAM activity. Azure Monitor captures RBAC events. Windows Event Log covers AD. Linux syslog/auditd handles local access. None of these talk to each other by default.
Security teams must query 4+ separate systems to reconstruct a single user's access path
Correlation between on-prem sessions and cloud API calls requires custom SIEM logic
Shadow admin accounts created in one environment are invisible to other platforms
Audit reports for compliance (SOX, HIPAA, PCI-DSS) require manual stitching across tools
Real-World Impact
The average MTTD (mean time to detect) for privilege abuse in hybrid environments is 197 days — nearly twice as long as cloud-only environments.
⚙️ Inconsistent Policy Engines (CHALLENGE 02 · HIGH SEVERITY)
Every platform ships its own policy language, enforcement model, and least-privilege semantics. AWS uses JSON-based IAM policies with ARN-scoped permissions. Azure uses RBAC role definitions with scope inheritance. Active Directory uses Group Policy Objects and ACLs. Linux relies on PAM modules and sudoers files.
A "least-privilege" standard written for AD Group Policy cannot be directly applied to AWS IAM
Policy drift is the norm — what's approved in one environment silently differs in another
Different teams own different policy engines: cloud ops, security, and sysadmins each maintain separate configurations
Role proliferation: the same identity concept (e.g., "database admin") is independently defined in 4 places
🪪 Identity Sprawl & Orphaned Accounts (CHALLENGE 03 · MEDIUM SEVERITY)
A single person—or service—often has distinct identity representations across each environment. A developer might have an AD user account, an AWS IAM user with access keys, an Azure service principal, and a local Linux account. These identities are rarely correlated.
When an employee leaves, deprovisioning one identity doesn't cascade to others
Service accounts created for projects are often never decommissioned
Access keys and certificates don't age-expire unless explicitly enforced per-platform
Non-human identities (CI/CD pipelines, automation scripts) have no unified lifecycle
📋 Compliance & Audit Complexity (CHALLENGE 04 · CRITICAL)
Regulatory frameworks don't care about your infrastructure topology. SOX requires separation of duties. PCI-DSS requires access review and session recording. HIPAA requires audit trails. These requirements apply equally to your Azure VMs, AWS RDS instances, and on-prem file servers.
Session recordings from different environments live in different stores with different formats
Access reviews must be conducted per-platform, multiplying auditor effort by 4×
Time-limited access grants ("break-glass" emergency access) are often implemented differently per environment
Proving "who accessed what and when" requires manual correlation across SIEM, CloudTrail, AD logs, and syslog
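The correlation work that Challenge 01 describes, and that the "who accessed what and when" point under Challenge 04 repeats, looks like this in practice. The Python below is an added example, not code from the original page or from Delinea: four constructed log records, one from each source named above (a CloudTrail record, an Azure activity-log record, a Windows Security event rendered as key=value text, and a Linux sudo syslog line), are normalized into one schema, resolved to a canonical person through an assumed identity map, and sorted into a single access path. The identity map, the AWS account id, hostnames and every log value are constructed, and the parsers handle only these simplified shapes; an identity that no one claims is surfaced as unmapped rather than silently dropped, which is the "shadow admin" blind spot the text mentions.

```python
import json
import re
from datetime import datetime, timezone

# Constructed identity map: one person ("jdoe") and the four platform identities
# that represent her. In practice this would come from the directory overlay or HR feed.
IDENTITY_MAP = {
    "jdoe": {
        "aws": "arn:aws:iam::123456789012:user/jdoe",
        "azure": "jdoe@corp.example",
        "ad": "CORP\\jdoe",
        "linux": "jdoe",
    },
}
# (platform, platform-specific id) -> canonical person
_REVERSE = {(p, pid): who for who, ids in IDENTITY_MAP.items() for p, pid in ids.items()}


def _utc(ts: str) -> datetime:
    """Parse the 'YYYY-MM-DDTHH:MM:SSZ' form used by the constructed records."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_cloudtrail(raw: str) -> dict:
    """CloudTrail JSON record -> normalized event; IAM/STS/KMS calls are treated as privileged."""
    ev = json.loads(raw)
    privileged = ev["eventSource"] in {"iam.amazonaws.com", "sts.amazonaws.com", "kms.amazonaws.com"}
    return {"platform": "aws", "ts": _utc(ev["eventTime"]), "actor": ev["userIdentity"]["arn"],
            "action": ev["eventName"], "privileged": privileged}


def parse_azure_activity(raw: str) -> dict:
    """Azure activity-log JSON record -> normalized event; role-assignment writes are privileged."""
    ev = json.loads(raw)
    return {"platform": "azure", "ts": _utc(ev["time"]), "actor": ev["caller"],
            "action": ev["operationName"],
            "privileged": ev["operationName"].startswith("Microsoft.Authorization/")}


def parse_windows_event(raw: str) -> dict:
    """Constructed key=value rendering of a Security log event (4672 = special privileges assigned)."""
    kv = dict(re.findall(r"(\w+)=(\S+)", raw))
    return {"platform": "ad", "ts": _utc(kv["TimeCreated"]),
            "actor": kv["SubjectDomainName"] + "\\" + kv["SubjectUserName"],
            "action": "EventID " + kv["EventID"], "privileged": kv["EventID"] == "4672"}


_SUDO_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) sudo: +(\S+) : .*?USER=(\S+) ; COMMAND=(.+)$")


def parse_sudo_syslog(raw: str, year: int = 2024) -> dict:
    """sudo syslog line -> normalized event. syslog omits the year, so the caller supplies it."""
    m = _SUDO_RE.match(raw)
    if not m:
        raise ValueError(f"not a sudo command line: {raw!r}")
    stamp, host, user, runas, cmd = m.groups()
    ts = datetime.strptime(f"{year} {re.sub(' +', ' ', stamp)}", "%Y %b %d %H:%M:%S")
    return {"platform": "linux", "ts": ts.replace(tzinfo=timezone.utc), "actor": user,
            "action": f"sudo -u {runas} {cmd} on {host}", "privileged": runas == "root"}


def canonical_actor(ev: dict) -> str:
    """Resolve a platform identity to the person behind it; unmapped identities are surfaced, not dropped."""
    return _REVERSE.get((ev["platform"], ev["actor"]), f"UNMAPPED:{ev['platform']}:{ev['actor']}")


def build_access_path(events: list, who: str) -> list:
    """Every event attributable to `who`, in time order: the single access path the text describes."""
    return sorted((e for e in events if canonical_actor(e) == who), key=lambda e: e["ts"])


def unmapped_identities(events: list) -> set:
    """Platform identities that map to nobody: candidates for the shadow-admin review."""
    return {canonical_actor(e) for e in events if canonical_actor(e).startswith("UNMAPPED:")}


# Constructed sample records, one per source, plus one AWS identity nobody has claimed.
SAMPLE_EVENTS = [
    parse_cloudtrail(json.dumps({"eventTime": "2024-03-01T09:00:00Z", "eventSource": "sts.amazonaws.com",
                                 "eventName": "AssumeRole",
                                 "userIdentity": {"arn": "arn:aws:iam::123456789012:user/jdoe"}})),
    parse_windows_event("EventID=4672 TimeCreated=2024-03-01T09:01:10Z SubjectDomainName=CORP SubjectUserName=jdoe"),
    parse_azure_activity(json.dumps({"time": "2024-03-01T09:02:30Z", "caller": "jdoe@corp.example",
                                     "operationName": "Microsoft.Authorization/roleAssignments/write"})),
    parse_sudo_syslog("Mar  1 09:05:00 db01 sudo:     jdoe : TTY=pts/0 ; PWD=/home/jdoe ; USER=root ; COMMAND=/bin/systemctl restart postgresql"),
    parse_cloudtrail(json.dumps({"eventTime": "2024-03-01T09:06:00Z", "eventSource": "iam.amazonaws.com",
                                 "eventName": "CreateUser",
                                 "userIdentity": {"arn": "arn:aws:iam::123456789012:user/svc-build"}})),
]

if __name__ == "__main__":
    for e in build_access_path(SAMPLE_EVENTS, "jdoe"):
        print(e["ts"].isoformat(), e["platform"], "PRIV" if e["privileged"] else "    ", e["action"])
    print("unmapped:", unmapped_identities(SAMPLE_EVENTS))
```

The design point is the identity map: without it the four parsers only produce four disconnected streams, which is exactly the state the text describes. In a SIEM the same join is what the "custom correlation logic" bullet refers to, and maintaining that map is the unglamorous prerequisite for any cross-platform access review.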
Section 3 of 6
The Hybrid Environment Map
Four distinct environment types — each with its own identity model, access mechanism, and policy engine.
DELINEA UNIFIED CONTROL PLANE
🎛️ Delinea Platform: Privileged Access Management · Secret Server · Connection Manager
☁️ AWS IAM (Cloud)
Policy-based access via JSON documents. Roles, users, groups, and service accounts. Permissions scoped to ARNs. Managed via IAM console, CLI, or CloudFormation.
🔷 Azure RBAC (Cloud)
Role-based access with scope inheritance (Management Group → Subscription → Resource Group → Resource). Integrates with Entra ID (formerly AAD) for identity.
🏢 Active Directory (On-Premises)
Kerberos-based authentication, Group Policy Objects for policy enforcement, OU-based delegation. Often the source of truth for user identities, synced to Entra ID through Azure AD Connect.
🐧 Linux Servers (On-Prem / Cloud)
Local accounts, SSH keys, sudoers rules, PAM modules. May be domain-joined via SSSD or Winbind. Access control via file permissions, ACLs, and SELinux/AppArmor.
Identity Model Comparison

| Platform | Identity Object | Auth Protocol | Policy Mechanism | Admin Model |
|---|---|---|---|---|
| AWS IAM | Users, Roles, Groups | SigV4, STS Tokens | JSON IAM Policies | Root → Admin → Delegated |
| Azure RBAC | Users, SPs, Managed IDs | OAuth 2.0 / OIDC | Role Definitions + Scope | Global Admin → Scoped Roles |
| Active Directory | Users, Groups, Computers | Kerberos, NTLM | GPO, ACLs, OU Delegation | Domain Admin → Delegated OU Admin |
| Linux | Local Users, SSH Keys | SSH, PAM, LDAP | sudoers, PAM Rules, ACLs | root → sudo users → service accounts |
Key Insight
No common identity abstraction exists natively across these four platforms. Each uses different vocabulary, different privilege escalation paths, and different audit mechanisms — making a unified governance policy effectively impossible without a dedicated overlay layer.
Section 4 of 6
Consistent PAM & Entitlement Policies
Applying unified privileged access management across all four environment types. Each platform has different enforcement mechanisms — but the policy intent must be identical.
☁️ AWS IAM — PAM Controls
Enforcing least-privilege and just-in-time access for AWS workloads

| PAM Requirement | Native AWS Mechanism | Delinea Enhancement |
|---|---|---|
| Password vault for IAM users | AWS Secrets Manager | Delinea Secret Server with auto-rotation + check-out enforcement |
| Just-in-time privilege escalation | IAM role assumption (STS) | Time-bounded role grants via Delinea PAM + session approval workflow |
| Session recording for admin access | CloudTrail (API only) | Full session recording for interactive console access via Connection Manager |
| Access key rotation | IAM key rotation (manual) | Automated rotation on schedule + on check-in via Secret Server |
| MFA enforcement for privileged roles | IAM policy condition | Enforced at Delinea layer; MFA required before secret checkout |

Entitlement Scope: IAM Roles, Policies, Resource-based policies, Permission boundaries
Privileged Actions Requiring JIT: iam:*, ec2:*, s3:DeleteObject, kms:*, sts:AssumeRole on sensitive roles
Access Review Cadence: Quarterly for standing IAM users; continuous for assumed roles via CloudTrail
Emergency ("Break-Glass") Procedure: Delinea approval workflow → temporary STS role grant → auto-expire after 4h
🔷 Azure RBAC — PAM Controls
Governing privileged access across Azure subscriptions and resources

| PAM Requirement | Native Azure Mechanism | Delinea Enhancement |
|---|---|---|
| Privileged Identity Management | Azure PIM (Entra ID P2) | Delinea PAM bridges Azure PIM approvals with enterprise PAM workflows |
| Service principal credential management | App registrations (manual rotation) | Centralized SP secret/cert lifecycle via Secret Server with auto-renewal |
| Just-in-time RBAC role activation | Azure PIM eligible roles | Unified JIT workflow across Azure and non-Azure resources |
| Managed Identity governance | Workload identity federation | Inventory and entitlement review of all managed identities via Delinea |
| Owner role containment | Conditional Access policies | Delinea enforces session recording + approval for all Owner-scope actions |

Highest Risk Roles: Global Administrator, Privileged Role Administrator, Owner at Subscription scope
Entitlement Review Tool: Entra ID Access Reviews + Delinea entitlement inventory for cross-platform correlation
Session Recording: Azure Bastion for VM access + Delinea Connection Manager for centralized recordings
Non-Human Identity (NHI) Policy: All SPs rotated ≤90 days; managed identities preferred; all secrets stored in Secret Server
🏢 Active Directory — PAM Controls
On-premises privileged access governance and admin account hygiene

| PAM Requirement | Native AD Mechanism | Delinea Enhancement |
|---|---|---|
| Admin account vaulting | None (manual process) | All DA/EA accounts in Delinea Secret Server with check-out + auto-rotation |
| Privileged Access Workstation (PAW) | GPO-restricted OU for admin systems | Delinea enforces PAW policy via session launch restrictions in Connection Manager |
| LAPS (Local Admin Password) | Microsoft LAPS / Windows LAPS | LAPS credentials ingested and managed via Secret Server for unified vault |
| Kerberos delegation abuse prevention | Disable unconstrained delegation; Protected Users | Delinea monitors and alerts on delegation configuration changes |
| AD Tiering Model enforcement | Organizational Unit design + GPO | Delinea enforces tier-0/1/2 separation for all privileged sessions |

25+ chars, auto-rotated every 30 days, unique per system via Secret Server
Orphan Account Detection: Delinea reconciliation job flags AD accounts with no recent check-out activity
🐧 Linux Servers — PAM Controls
Securing root access, SSH keys, and sudo privilege on Linux infrastructure

| PAM Requirement | Native Linux Mechanism | Delinea Enhancement |
|---|---|---|
| Root credential vault | None (manual /etc/shadow) | Root passwords stored in Secret Server with per-system rotation |
| SSH key lifecycle management | ~/.ssh/authorized_keys (manual) | Centralized SSH key provisioning and deprovisioning via Delinea; ephemeral keys for JIT |
| sudo privilege control | /etc/sudoers (manual, version-controlled) | Delinea grants time-bounded sudo rights; all commands logged to central audit store |
| Session recording for root sessions | auditd / syslog (text logs) | Full video session recording for all root sessions via Delinea Connection Manager |
| AD-joined Linux authentication | SSSD / Winbind with Kerberos | Delinea bridges AD identity to Linux PAM — consistent policy for domain users on Linux |

High-Risk Accounts: root, oracle, postgres, apache, backup — all vaulted with unique per-host passwords
SSH Key Rotation Policy: 90-day maximum key age; immediate revocation on role change; ephemeral keys for production
sudo Policy Pattern: No standing sudo for production servers; JIT grant via Delinea with peer approval for root-level commands
Audit Integration: auditd rules + Delinea session logs forwarded to SIEM in unified format alongside AD and cloud events
Universal PAM Policy Requirements
These principles must be consistently enforced regardless of the underlying platform. They form the baseline of a hybrid identity governance program.
| Universal Requirement | AWS IAM | Azure RBAC | On-Prem AD | Linux |
|---|---|---|---|---|
| No standing privileged access | STS Role | PIM Eligible | Time-bound GPO | JIT sudo |
| MFA for all privileged sessions | IAM Condition | CA Policy | Smart Card/FIDO | PAM Module |
| Session recording required | CloudTrail+CM | Bastion+CM | CM Full Video | CM Full Video |
| Secrets rotated ≤90 days | Auto via SS | Auto via SS | Auto via SS | Auto via SS |
| Access requires approval workflow | Delinea WF | Delinea WF | Delinea WF | Delinea WF |
| Access auto-expires | STS Expiry | PIM Expiry | Secret Expiry | Ephemeral Key |
SS = Secret Server · CM = Connection Manager · WF = Workflow Engine · JIT = Just-in-Time
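The universal requirements above ("secrets rotated ≤90 days", "no standing privileged access") and the orphaned-account problems from Challenge 03 (leavers whose other identities are never deprovisioned, service accounts nobody decommissions, keys that never age out) can be checked mechanically once the four inventories are pulled into one place. The Python below is an added example, not code from the original page or from Delinea: it evaluates a constructed credential inventory (one record per platform, with constructed account ids, dates and owners) against those requirements and against a constructed HR roster, using a fixed "today" so it runs offline. The 90-day thresholds mirror the page; the inactivity window used for orphan detection and the finding codes are assumptions, as is the mapping from each finding to the remediation the page's tables describe.

```python
from datetime import date

# 90 days mirrors the page's "Secrets rotated ≤90 days" and 90-day SSH key maximum.
MAX_SECRET_AGE_DAYS = 90
# Inactivity window for orphan detection: an assumed value, not from the page.
INACTIVITY_DAYS = 90
# Constructed fixed clock so the example is deterministic.
TODAY = date(2024, 3, 1)

# Constructed HR roster: canonical identities of people who still work here.
ACTIVE_PEOPLE = {"jdoe", "asmith"}

# Constructed credential inventory as an overlay would collect it from the four platforms.
INVENTORY = [
    {"platform": "aws", "identity": "arn:aws:iam::123456789012:user/jdoe", "owner": "jdoe",
     "credential": "access_key", "created": "2023-10-15", "last_activity": "2024-02-28",
     "standing_privilege": True},
    {"platform": "azure", "identity": "sp:build-pipeline", "owner": "bwayne",
     "credential": "client_secret", "created": "2023-06-01", "last_activity": "2023-09-30",
     "standing_privilege": False},
    {"platform": "ad", "identity": "CORP\\svc-backup", "owner": None,
     "credential": "password", "created": "2024-01-20", "last_activity": "2024-02-29",
     "standing_privilege": True},
    {"platform": "linux", "identity": "db01:jdoe", "owner": "jdoe",
     "credential": "ssh_key", "created": "2024-01-10", "last_activity": "2024-02-25",
     "standing_privilege": False},
]

# Remediation per finding, following the page's PAM tables (mapping is this example's assumption).
REMEDIATION = {
    "ROTATION_OVERDUE": "rotate via Secret Server (scheduled / on check-in rotation)",
    "ORPHAN_CANDIDATE": "flag in reconciliation job; disable unless an owner confirms use",
    "NO_OWNER": "assign an owner or decommission",
    "OWNER_DEPROVISIONED": "cascade the leaver's deprovisioning to this identity",
    "STANDING_PRIVILEGE": "convert to JIT grant (STS role / PIM eligible / time-bound GPO / JIT sudo)",
}


def evaluate(record: dict, today: date) -> list:
    """Apply the universal requirements to one credential record; returns finding codes in fixed order."""
    findings = []
    if (today - date.fromisoformat(record["created"])).days > MAX_SECRET_AGE_DAYS:
        findings.append("ROTATION_OVERDUE")
    last = record["last_activity"]
    if last is None or (today - date.fromisoformat(last)).days > INACTIVITY_DAYS:
        findings.append("ORPHAN_CANDIDATE")
    if record["owner"] is None:
        findings.append("NO_OWNER")
    elif record["owner"] not in ACTIVE_PEOPLE:
        findings.append("OWNER_DEPROVISIONED")
    if record["standing_privilege"]:
        findings.append("STANDING_PRIVILEGE")
    return findings


def evaluate_inventory(inventory: list, today: date) -> dict:
    """Map 'platform:identity' -> findings for every record, across all four platforms at once."""
    return {f'{r["platform"]}:{r["identity"]}': evaluate(r, today) for r in inventory}


def findings_by_platform(results: dict) -> dict:
    """Finding counts per platform: the cross-platform view no single console provides."""
    counts = {}
    for key, findings in results.items():
        platform = key.split(":", 1)[0]
        counts[platform] = counts.get(platform, 0) + len(findings)
    return counts


def remediation_plan(results: dict) -> list:
    """Flatten findings into (identity, finding, remediation) work items for the access review."""
    return [(key, f, REMEDIATION[f]) for key, findings in results.items() for f in findings]


if __name__ == "__main__":
    results = evaluate_inventory(INVENTORY, TODAY)
    for identity, finding, fix in remediation_plan(results):
        print(f"{identity:50} {finding:20} -> {fix}")
    print(findings_by_platform(results))
```

Note that the same rule set runs against an AWS access key, an Azure service principal secret, an AD service account and an SSH key without caring which platform produced the record: that normalization step is what makes a single cadence of access reviews possible instead of four.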
Section 5 of 6
The Delinea Control Plane
Delinea provides a single governance layer that spans all hybrid environments — translating universal PAM policies into platform-specific enforcement without requiring separate tools per environment.
🔑 Secret Server
Centralized vault for all privileged credentials — passwords, SSH keys, API tokens, certificates — across every platform. Automated rotation, check-out enforcement, and secret dependency mapping.
🖥️ Connection Manager
Browser-based and native launchers for RDP, SSH, and cloud console sessions. Full keystroke and video recording for all privileged sessions, stored centrally regardless of target platform.
⏱️ Just-in-Time Access
Request → Approve → Grant → Expire workflow for all platforms. No standing privileges. Time-bounded access with automatic revocation — consistent whether the target is AWS, Azure, AD, or Linux.
🔄 Privilege Manager
Endpoint least-privilege management. Removes local admin rights and enforces application control policies on Windows and macOS endpoints joined to the enterprise environment.
📊 Audit & Reporting
Unified audit trail across all connected environments. Compliance-ready reports for SOX, PCI-DSS, HIPAA. Session replay, activity forensics, and SIEM integration via syslog or webhook.
🧩 Directory Integrations
Native connectors to Active Directory, Azure AD / Entra ID, AWS IAM, and LDAP. Single source-of-truth for user identity, with Delinea as the policy overlay that governs access across all of them.
How JIT Access Works Across Platforms
A single workflow, regardless of target environment:
Step 01: User requests access via Delinea portal or ITSM integration
Step 02: Manager / security team receives approval request with justification
Step 03: Delinea grants time-bounded access in target system (IAM role, PIM activation, AD group, sudoers entry)
Step 04: Session launched via Connection Manager — full recording begins automatically
Step 05: Access auto-expires at end of time window — no manual cleanup required
Step 06: Unified audit log + session recording available in Delinea and forwarded to SIEM
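The six steps above form one state machine whose only platform-specific part is Step 03, which is also where the "inconsistent policy engines" problem from Section 2 is absorbed: one intent ("this person may act as root / assume this role for four hours") is rendered into each platform's own time-bounded mechanism. The Python below is an added example, not Delinea's workflow engine or connector code: it models request, approval (with a separation-of-duties check), activation, expiry sweep and audit trail, and renders the grant as an IAM policy bounded by aws:CurrentTime conditions with MFA required, a PIM self-activation request with an AfterDuration expiry, a time-limited AD group membership, or a sudoers entry with NOTBEFORE/NOTAFTER. The renderings are simplified and assumed shapes (the AD member TTL assumes the Privileged Access Management optional feature is enabled; the sudoers options assume sudo 1.8.20 or later), the account id, role and group names are constructed, and a fixed clock replaces real time so it runs offline.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

AUDIT: list = []   # unified audit trail: every transition, every platform, one record shape


def clock(hour: int, minute: int = 0) -> datetime:
    """Constructed fixed clock (2024-03-01 UTC) so the example is deterministic."""
    return datetime(2024, 3, 1, hour, minute, tzinfo=timezone.utc)


@dataclass
class JitGrant:
    grant_id: str
    requester: str            # canonical identity, e.g. "jdoe"
    platform: str             # "aws" | "azure" | "ad" | "linux"
    target: str               # role ARN, PIM role definition id, AD group, or sudo command
    justification: str
    duration: timedelta
    state: str = "requested"
    approver: Optional[str] = None
    not_before: Optional[datetime] = None
    not_after: Optional[datetime] = None
    artifact: object = None   # platform-native enforcement record, present only while active


def _audit(grant: JitGrant, event: str, at: datetime, **extra) -> None:
    AUDIT.append({"at": at.isoformat(), "grant": grant.grant_id, "who": grant.requester,
                  "platform": grant.platform, "event": event, **extra})


def request_access(grant_id, requester, platform, target, justification, hours, at) -> JitGrant:
    """Step 01: the request and its justification are the first audit record."""
    g = JitGrant(grant_id, requester, platform, target, justification, timedelta(hours=hours))
    _audit(g, "requested", at, justification=justification)
    return g


def approve(grant: JitGrant, approver: str, at: datetime) -> JitGrant:
    """Step 02: a second person approves; self-approval would defeat separation of duties."""
    if grant.state != "requested":
        raise ValueError(f"cannot approve grant in state {grant.state}")
    if approver == grant.requester:
        raise ValueError("requester may not approve their own access")
    grant.state, grant.approver = "approved", approver
    _audit(grant, "approved", at, approver=approver)
    return grant


def render_enforcement(grant: JitGrant) -> object:
    """Step 03: one intent, four native mechanisms (simplified, assumed shapes)."""
    nb, na, iso = grant.not_before, grant.not_after, "%Y-%m-%dT%H:%M:%SZ"
    if grant.platform == "aws":      # AssumeRole allowed only inside the window and only with MFA
        return {"Version": "2012-10-17", "Statement": [{
            "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": grant.target,
            "Condition": {"DateGreaterThan": {"aws:CurrentTime": nb.strftime(iso)},
                          "DateLessThan": {"aws:CurrentTime": na.strftime(iso)},
                          "Bool": {"aws:MultiFactorAuthPresent": "true"}}}]}
    if grant.platform == "azure":    # PIM self-activation that expires after the duration
        hours = int(grant.duration.total_seconds() // 3600)
        return {"requestType": "SelfActivate", "roleDefinitionId": grant.target,
                "justification": grant.justification,
                "scheduleInfo": {"startDateTime": nb.strftime(iso),
                                 "expiration": {"type": "AfterDuration", "duration": f"PT{hours}H"}}}
    if grant.platform == "ad":       # time-limited group membership (assumes AD PAM feature enabled)
        return {"group": grant.target, "member": f"CORP\\{grant.requester}",
                "member_ttl_seconds": int(grant.duration.total_seconds())}
    if grant.platform == "linux":    # sudoers entry valid only between NOTBEFORE and NOTAFTER
        fmt = "%Y%m%d%H%M%SZ"
        return f"{grant.requester} ALL=(root) NOTBEFORE={nb.strftime(fmt)} NOTAFTER={na.strftime(fmt)} {grant.target}"
    raise ValueError(f"unknown platform {grant.platform}")


def activate(grant: JitGrant, at: datetime) -> JitGrant:
    """Steps 03-04: the window opens at activation; the artifact itself carries its end time."""
    if grant.state != "approved":
        raise ValueError(f"cannot activate grant in state {grant.state}")
    grant.not_before, grant.not_after = at, at + grant.duration
    grant.artifact = render_enforcement(grant)
    grant.state = "active"
    _audit(grant, "activated", at, not_after=grant.not_after.isoformat())
    return grant


def expire_due(grants: list, now: datetime) -> list:
    """Step 05: sweep that revokes every active grant whose window has closed; returns revoked ids."""
    revoked = []
    for g in grants:
        if g.state == "active" and now >= g.not_after:
            g.state, g.artifact = "expired", None   # the native grant is removed, not just the session
            _audit(g, "revoked", now, reason="window expired")
            revoked.append(g.grant_id)
    return revoked


def audit_for(grant_id: str) -> list:
    """Step 06: the per-grant event sequence, ready to forward to a SIEM."""
    return [e["event"] for e in AUDIT if e["grant"] == grant_id]


if __name__ == "__main__":
    g = request_access("JIT-1", "jdoe", "linux", "/bin/systemctl restart postgresql", "CHG-42", 4, clock(9))
    activate(approve(g, "asmith", clock(9, 5)), clock(9, 6))
    print(g.artifact)
    print("revoked at 14:00:", expire_due([g], clock(14)), audit_for("JIT-1"))
```

Two details are worth noticing. The expiry sweep clears the enforcement artifact rather than only ending a session, which is the difference between answer B and answer C in Question 03 below; and because each artifact embeds its own end time (a date condition, a PT4H duration, a TTL, NOTAFTER), the target platform also enforces the window itself if the overlay's sweep is late.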
Key Deployment Architectures
🏠 On-Premises Deployment
Delinea Secret Server and Privilege Manager hosted in your datacenter. Connects directly to AD via LDAP/Kerberos, Linux servers via SSH, and cloud via API. Suitable for highly regulated environments requiring data residency.
☁️ Cloud-Hosted (Delinea Cloud)
SaaS delivery of the full Delinea platform. Lightweight Distributed Engine agents in each environment (datacenter, AWS VPC, Azure VNet) relay connections back to the cloud control plane. Reduced infrastructure overhead.
🔗 Distributed Engine Model
Regardless of deployment model, Delinea Distributed Engines serve as secure relay points inside each network segment. They handle credential retrieval, session proxying, and heartbeat reporting to the central vault.
🔌 ITSM & CI/CD Integration
ServiceNow, Jira, and PagerDuty for approval workflows. Jenkins, GitHub Actions, and Azure DevOps for secret injection at pipeline runtime. Delinea SDK and REST API for custom integrations.
Bottom Line
Delinea doesn't replace AWS IAM, Azure RBAC, Active Directory, or Linux PAM. It sits above them — providing the unified policy language, approval workflows, credential vaulting, and audit trail that none of them can provide independently. Security teams manage one governance framework. Delinea translates it to each platform's native enforcement mechanism.
Section 6 of 6
Knowledge Check
Test your understanding of hybrid identity governance. Select the best answer for each question.
Question 01 of 05
Which of the following best describes why "fragmented visibility" is a critical governance challenge in hybrid environments?
A. Each cloud provider charges separately for logging services, increasing costs.
B. Each environment has its own logging and audit system, making it impossible to reconstruct a user's full access path without manually correlating multiple data sources.
C. Hybrid environments don't support SIEM integration at all.
D. On-premises Active Directory doesn't generate any audit logs by default.
Question 02 of 05
What is the primary policy enforcement mechanism for privileged access in on-premises Active Directory?
A. JSON-based IAM policies attached to user objects
B. OAuth 2.0 token scopes and Conditional Access
C. Group Policy Objects (GPOs), ACLs, and OU-based delegation
D. sudoers rules and PAM module configuration
Question 03 of 05
In a Delinea JIT (Just-in-Time) access workflow, what happens automatically when the approved time window expires?
A. The user receives an email asking if they need more time
B. The session is terminated but the privilege remains active until manually revoked
C. Access is automatically revoked in the target system — no manual cleanup required — and the action is logged to the unified audit trail
D. The secret is rotated immediately and the session log is deleted
Question 04 of 05
Which universal PAM requirement is enforced consistently across AWS IAM, Azure RBAC, Active Directory, and Linux — and how does Delinea implement it?
A. Mandatory daily password changes — via LDAP synchronization to all systems
B. No standing privileged access — implemented via platform-native time-bound grants (STS roles, PIM eligible assignments, Secret Server expiry, ephemeral SSH keys)
C. Mandatory VPN for all privileged sessions — enforced via Delinea network policies
D. Centralized password storage only — secrets are not rotated by Delinea automatically
Question 05 of 05
Which statement best describes Delinea's architectural role in a hybrid identity environment?
A. Delinea replaces AWS IAM and Azure RBAC with a single proprietary access control system
B. Delinea is only applicable to on-premises Active Directory environments
C. Delinea acts as a SIEM, aggregating all logs from cloud and on-prem sources
D. Delinea sits above existing platform identity systems, providing a unified policy layer, credential vault, approval workflow, and audit trail that translates to each platform's native enforcement mechanisms