
Identity continuity in zero trust environments: are your controls ready?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 2364
Topic starter  

TL;DR: When identity providers go down, applications tied to them can go dark, creating continuity risk across Epic EHR, DDIL missions, and other high-dependency environments according to Strata Identity. The governance problem is not availability alone: access, verification, and resilience assumptions all collapse at once.

NHIMG editorial — based on content published by Strata Identity: Identity continuity and uninterrupted access in always-on and degraded environments

Questions worth separating out

Q: How should security teams design identity continuity for critical applications?

A: Security teams should start by identifying which applications break when identity services are unavailable, then define continuity paths for those systems only.

Q: Why do zero trust controls struggle in disconnected environments?

A: Zero Trust struggles in disconnected environments because live verification is not always possible when networks fail or move out of reach.

Q: What breaks when an identity provider becomes a single point of failure?

A: When an identity provider becomes a single point of failure, application access, clinician workflows, and mission operations can all stop at the same time.

Practitioner guidance

  • Map identity-dependent outage paths: Identify which critical applications fail when the identity provider, federation service, or upstream network path is unavailable.
  • Separate live verification from continuity controls: Document which identity checks must happen in real time and which can be safely extended for a bounded continuity window.
  • Test disconnected access for mission-critical systems: Run outage exercises for applications where downtime has direct operational impact, including clinical, field, and mission environments.

What's in the full article

Strata Identity's full article covers the operational detail this post intentionally leaves for the source:

  • How Maverics sits between Epic and identity providers during an IdP outage.
  • The specific continuity model used to keep clinicians logged in when verification systems are unavailable.
  • How Strata frames Zero Trust, DDIL, and mission resilience in the same identity continuity model.
  • The product mechanics behind uninterrupted access in always-on and degraded environments.

👉 Read Strata Identity's article on identity continuity when identity providers fail →

(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 924
 

Identity continuity is now a resilience control, not a convenience feature. When access depends on a live identity service, identity availability becomes part of the business continuity baseline. That shifts identity from a front-end login concern to a core operational dependency. Practitioners should treat identity service failure as a material outage scenario, not a peripheral IAM event.

A few things that frame the scale:

  • 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.

A question worth separating out:

Q: Who is accountable for identity continuity when access fails during an outage?

A: Accountability should sit jointly with IAM, security architecture, and application owners, because identity continuity is a shared control plane issue. Frameworks such as NIST SP 800-207 Zero Trust Architecture help define the policy model, but the organisation must still assign ownership for fallback access, session continuity, and outage testing.

👉 Read our full editorial: Identity continuity and zero trust when identity providers fail



   