Tradeoffs of using Open-Source CIAM

Keith Graham
  • Feb 9, 2021
  • 3 min read

Open-source Customer Identity and Access Management (CIAM) offerings can be perceived to be an accelerator and seemingly advantageous for organizations that are evaluating options for building their own capabilities.

However, adopting an off-the-shelf, all-encompassing open-source solution without careful consideration can turn out to be less effective than building a CIAM solution from scratch. While some open-source IAM vendors provide support and services around their open-source offerings, this often comes with a price tag (and operational costs) that can be comparable to or greater than simply purchasing a commercially available CIAM platform.

Our guidance here is simple - evaluate the total cost of ownership when considering the use of an open-source CIAM offering. Here are some of the pitfalls to watch for:

Little or no control over direction or destiny of open-source projects

The reality is that any organization, especially one starting out with a new open-source project, will not have control over the destiny or direction of the project. Organizations could find themselves marooned, supporting features/components that are no longer maintained.

The community may not be able to help (or fix all of the things a developer needs)

While any open-source project, and the community supporting it, may be well intentioned, any organization depending on open-source CIAM projects shouldn't assume the community will be able to help, or to help in a timely manner that fits the organization's SLAs to its customers. Placing revenue, brand reputation and customer trust on uncertain levels of support is a risk that many organizations may not want to bear.

Deployment challenges and complexity

Even with the right open-source technology selection and support, the project itself will still require deployment and hosting – requiring some level of skill not just with the open-source project but with the hosting provider, as well as hosting/compute costs.

Free doesn't mean free

Mission-critical applications or a customer-facing portal on which revenue and the reputation of your brand depend must have rigor and formality around their service level commitments. This applies both to the business and to the brand's customer base, especially if they're paying to use it. It is strongly recommended that the use of any open-source project or product in this mission-critical role be backstopped by some level of support services, if commercially available. Free doesn't always mean free!

License compliance

Not all open-source licenses are created equal, or friendly. Watch out for which open-source licenses obligate changes to be returned to the community. Take care not to expose any 'special sauce' or intellectual property that development teams may have created by extending the open-source project to your own applications or portal.

Open-Source ≠ Developer Focused

The low learning/ramp-up time, less reinvention, and ease of use and integration with existing applications - and most importantly the support - are arguably what make a commercially available CIAM platform valuable, and developer focused.

In essence, developers can spend less time on CIAM integration and development and more time on the features of their applications that drive their business. CIAM developers do not necessarily have the time, desire, or priority to climb the learning curve of owning and operating a product based on an open-source project.

This blog is an excerpt taken from the whitepaper, "An Evaluator's Guide to Buying or Building CIAM" and discusses the top reasons to consider using a CIAM platform.
