Choosing the right CIAM architecture: Navigating single-instance and multi-tenant SaaS solutions
When it’s time to buy a home, one of your first decisions is house vs condo or townhome. There’s a lot to consider – party walls, proximity to neighbors, HOA restrictions, and other things make a huge difference in whether a place fits your lifestyle.
The same principle applies when considering a cloud solution for customer identity and access management (CIAM). Cloud architecture plays a pivotal role in shaping the efficiency, security, and scalability of the customer experience and your business outcomes.
Because of this, the debate between single-instance SaaS and multi-tenant SaaS deployment architectures has now become an executive-level discussion.
Established players in the recently narrowed market, such as Okta and Ping Identity, have traditionally favored the multi-tenant approach – largely because they were designed for employee use cases and deployed on-premises.
But today, modern CIAM providers are offering a better choice for many brands: A single-instance SaaS approach that isolates customer data from threats and prioritizes the unique needs of customer identities. For a quick overview of how workforce IAM and customer IAM use requirements are different check out this blog post.
Before we dive into the advantages, let’s look at the differences between the two architectures.
What is multi-tenant SaaS?
Multi-tenant architecture is like living in an apartment building, where each unit represents a brand that uses the solution.
Just like tenants share a common entrance and commingle in the elevator, stairwell, fitness center, and parking lot for their building, brands on a multi-tenant CIAM product share the same infrastructure and resources provided by the vendor.
This comes with some important trade-offs and risks – chiefly security and performance.
For example, if your neighbor’s apartment catches on fire, at the very least you might be inconvenienced by the alarm. And when the gym is at capacity, your workout might be delayed.
Similarly, if one brand on a multi-tenant CIAM solution experiences a data breach, all the others are at risk. And they all compete for bandwidth, which can slow site performance during peak seasons or events. As more brands are added on a multi-tenant solution, the greater the risk.
What is single-instance SaaS?
A SaaS based single-instance architecture is like a single-family house: You have exclusive use of the yard, the driveway, and everything else. If someone breaks into your neighbor’s house, there’s no way they can get to your stuff.
On a SaaS based single-instance deployment, each brand has its own fully isolated and dedicated instance, with exclusive access to underlying resources at all times. Any data breaches are isolated – with zero impact on other brands who use that solution.
Prioritize your customer identity requirements
When it comes to managing customer identity, there’s a lot at stake. CIAM requirements vary by industry, market, business model, and other factors. There is no one-size-fits-all solution.
To help determine the architecture for your brand, first define your core requirements.
Five reasons to consider a single-instance SaaS deployment for CIAM
Multi-tenant architectures have their merits and can be cost effective. But customer identity management comes with unique requirements. Sensitive data, high traffic, branded sign-in experiences – these and other needs make single-instance isolation a better option.
And if cost is a driving factor (when isn’t it?), you might be surprised to learn some single-instance CIAM solutions cost less AND offer greater security and flexibility than multi-tenant workforce-centric CIAM providers.
Here’s why a single-instance architecture stands out:
1. Greater security
We covered this above, but it’s worth repeating. A single-instance architecture provides dedicated environments for each brand, minimizing unauthorized access and the risk of attackers compromising data. To establish and maintain the trust of customers, brands must make safeguarding customer data a top priority.
2. Performance and scale
Performance is critical for CIAM solutions since any outage can impact revenue. In a multi-tenant environment, resource contention can result in performance lags, especially during peak usage periods. Isolated tenancy minimizes the risk of performance fluctuations since resource allocation is specific to each tenant. And while multi-tenant architectures are known for scale, single-instance environments that employ microservices autoscale capacity even more reliably.
3. Brand customization and flexibility
For brands with unique sign-in flows or complex business models, multi-tenant architectures can limit your ability to customize, offering only standard features. Conversely, a single-instance architecture gives each brand greater control over configurations and branding policies.
4. Regulatory compliance and data residency
For brands in regulated industries, compliance and data residency standards often demand a single-instance CIAM solution. Unlike multi-tenant alternatives where data is commingled, a single-instance architecture ensures data isolation, aiding in meeting specific compliance requirements. This approach allows control over the physical location of customer data. For example, it enables serving multiple business units within the same global organization while keeping user data segregated to each unit. Data isolation also enhances control over audits and compliance reporting – crucial for regulated industries
5. More migration options
Unlike multi-tenant environments, single-instance architectures offer a high degree of customization and independence for each brand. This makes it easier to migrate customer identities in ways that are less disruptive to your customers. For example, single-instance architectures allow for a phased approach where one customer can be migrated at a time. Phased migration minimizes the risk of errors and enables you to roll back changes without affecting other tenants.
Buyer beware: “cloud-washed” vs. “cloud-native” deployments
I’ll leave you with a final thought: Some multi-tenant CIAM vendors may assert they offer data isolation to meet security and data residency requirements. However, this often means putting their on-prem version in the cloud, otherwise known as “cloud-washing.” That means more work on you when it comes to patching and maintenance. You’ll also be saddled with the cost of hosting the solution.
With a true cloud-native CIAM architecture (developed exclusively to operate in the cloud), you get data isolation with no additional cost to you. The ownership is on the SaaS vendor, meaning you don’t have to worry about the resources and skills needed to patch and maintain it. You’ll see improved performance and reliability. And you also get more control of your data and security – the best of both worlds when you deploy a SaaS based single-instance.
Taken together, the advantages of a single-instance SaaS architecture present a compelling case for any brand looking to modernize its CIAM – with a clear business case for your CISO, CTO, and compliance and marketing teams.
We know, because our clients tell us all the time.
If you’re ready to see how Strivacity’s approach to CIAM architecture (and so much more) can make a difference for your business, we’d be happy to give you the house tour. Come on by and ring the bell anytime.