So you're thinking of using an open-source CIAM provider...

Keith Graham
Keith Graham
  • Aug 18, 2021
  • 5 min read

If your team’s considering baking customer identity and access management (CIAM) capabilities into your offering, using an open-source CIAM tool (and saving some money on tech!) sounds pretty appealing.

We get it. Right now your top priority is getting your product out to the market so that you can start acquiring customers … and fast.

But let’s pump the brakes for a moment. Before making a decision about whether to buy a vendor-supported product or rely on an open-source one, make sure you understand the pros and cons of each to determine which will work best for your org not just today but over the long term. (Psst: We talk at length about the pros and cons of open-source CIAM solutions in our handy guide, An Evaluator's Guide to Buying or Building CIAM.)

Let’s take a closer look at open-source CIAM. We’ll highlight several things to consider as you’re evaluating solutions and deciding which is right for you.

#1: Consider how much control you need to have over your CIAM solution.

The reality is that any organization that’s using open-source technology will never have full control over the destiny of the project.

For example, you might find yourself using certain features or components of the tech that the provider later decides they don’t want to maintain. (Cue the dev team scramble.)

And maybe that doesn’t send you into a panic because you’re one of the lucky ones who has a bajillion developers on your team and the bandwidth to, for example, quickly re-create a feature you need in your CIAM tool if the open-source feature suddenly disappears, or address a security issue that pops up.

But if you’re like most engineering teams out there, you’re short on resources and won’t always be able to spare a few of your developers to focus solely on your CIAM tech at a moment’s notice. That’s something to take into consideration as you’re deciding which path to take.

Don’t forget that as your org scales, you’ll have different (and more!) priorities to juggle. Because once you get past the “let’s get this thing out into the wild” phase, you’ll inevitably have more requests and requirements to consider from your sales and marketing teams, or even new partners. Make sure you’ve got enough control over your solution to be able to pivot quickly when those requests from other stakeholders start rolling in (because they will, and you’ll get to that point faster than you think).

#2: Think about how much technical support you’ll want (or need).

While open-source projects and the communities supporting them always have good intentions, relying on the community to help when you run into the inevitable technical hiccups can be tricky – especially if you’re on a tight timeline. When it exists, open-source product support can be inconsistent.

Again, this boils down to a resource issue. Got lots of developers on hand who are pros when it comes to writing golang or JavaScript? Cool. If not, think about how you’ll handle your technical support needs when you run into some speed bumps with the tech.

#3: Determine your total cost of ownership.

While an open-source CIAM tool may seem less expensive than a vendor-supported one at first glance, spend some time thinking about additional costs that you may encounter along the way.

Potential costs to consider include hosting and compute hosts to run CIAM tech, not to mention you might need to hire (and train and retain) new engineering team members – or a few consultants – to help deploy and maintain your CIAM tool.

#4: Decide what kind of service level commitments you want, if any.

Having rigorous service level commitments with tech providers is important, especially when your customers have to use them to access your products.

If you decide to use open-source tech for your CIAM needs – or frankly if you’re using open-source tech for anything – we strongly recommend that you have some kind of service level commitment in place with the provider.

Take this one step further and go talk with another security or product leader who is already using the same provider. Ask about their service level commitments. Are they useful? Did the provider offer support when that team needed it? When it comes to your customers’ experience, the stakes are high..

#5: Review the licensing requirements offered by open-source tech providers.

Not all open-source licenses are created equal, and they don’t necessarily work in your favor.

Keep an eye out for open-source licenses that require any changes or customizations you make to be shared with the broader community. If you’d be required to do this, think about whether you’d be at risk of exposing any special sauce or IP that your team developed. Adopting a “sharing is caring” mantra is sometimes fine, but not necessarily a good thing when it comes to all the magic your engineers are constantly creating. Think through the potential risks to your brand before committing to any open-source licensing agreements.

What to consider when evaluating a CIAM solution

Whether or not you’re still interested in exploring an open-source CIAM solution or are thinking of choosing a vendor-supported one, we created an entire guide for you that’ll make your decision-making process easier.

The best part? It’s completely free. Grab your copy of An Evaluator's Guide to Buying or Building CIAM today.

Have more questions for us about CIAM solutions? We’d love to chat. Send us a note.

More articles from this author