Debunking Open Source IAM Myths

It’s been more than 30 years since the open source was initiated and now it has become the biggest theme in technology. Some of the highlights in 2018 that emphasize this fact are: Red Hat is being acquired by IBM for $32 billion; Microsoft completed its $7.5 billion GitHub acquisition; MuleSoft was acquired after going public for $6.5 billion; MongoDB is now worth north of $4 billion. This is only a portion of the list and it’s clear that open source adoptions are on its highest and open source software are winning the overall software market.

But, been working in identity and access management domain for years I experience that open source penetration into the IAM (Identity and access management) domain is quite limited, compared to other domains. Even the people who love open source find it hard to convince their upper management to use open source IAM solutions. Lack of awareness and FUD (Fear, uncertainty, and doubt) around open source IAM solutions prevent open source IAM adoption. Hence I thought of providing facts which reveal the truth, so you can experience the freedom of open source without any hesitant. Since my roots are in WSO2 Identity Server all these facts are taken from WSO2 Identity Server, but I’m confident that all other open source IAM solutions out there will convey the same message. Here I list down 10 most common myths I encountered working with many individuals around the world and the facts that easily debunk those.

Myth #1 : Less secure than proprietary IAM solutions

From the Inception of the open source concept this is a myth which hung around open source software and tried to prevent industry adoption. More than any other software components this is crucial for IAM solutions / components since those are the security gate in the overall solution. But in reality there is nothing to do with software distribution mode but the security practices follow in software development life cycle (SDLC) matters.

In WSO2 Identity Server we follow, following security practices to ensure the product meets relevant security measures.

Secure software development life cycle (SSDLC)

• WSO2 platform security team is dedicated to researching and defining security principles, training, act as security quality gate and specially security incident response handling.
• Under WSO2 SSDLC practice security is not an afterthought but its baked into requirement gathering and design phase. Further open discussion help any individual to join in the initial phase and find any issues before hand.
• Static and Dynamic security analysis are conducted before any product release or for any updates. Industry leading tools such as Veracode, Qualys are used for this purpose.
• Identity server production recommendation make sure WSO2 Identity Server is secure in production.

Timely incident handling support and security fixes

• WSO2 24x7x365 support team is ready to attend any type of security issues immediately and development team deliver fixes immediately if needed.

Community engagement in security concerns

• WSO2 is part of EU bug bounty program
• Customers do share their security reports against the product with WSO2, which covers a variety of angles.

Myth #2 : Behind the trends

IAM solution must meet the functional requirements to be used in the industry. Over the years open source IAM solutions have been evolved in such a way that functional depth has improved to rival commercial alternatives and sometimes innovation cycle is leading to commercial products.

Being an open source IAM solution some of the recognition WSO2 Identity Server received on its capabilities are.

• 2019 : Product leader in KuppingerCole Leadership Compass: Access Management and Federation
• 2018 : Innovation leader in KuppingerCole Leadership Compass: CIAM Platforms
• 2018 : Forrester named WSO2 API Manager as a leader in Forrester Wave™: API Management Solutions and WSO2 Identity Server provides the API security.

WSO2 Identity Server publicly available product roadmap will show where this product leads to and open room for community discussion on the roadmap items and its improvements.

Further open source nature does not prevent you from contributing improvements and features that makes WSO2 Identity Server on top of innovations.

Myth #3 : Not scalable or robust

Scalability and robustness are key factors when selecting software components in any enterprise solutions. Especially in customer facing solutions or CIAM solutions scalability is crucial to accommodate customer demand and growth. Most of the leading open source IAM solutions nowadays scale enough and robust enough to handle millions of user needs.

With WSO2 Identity Server

• Manage 100+ million user identities globally
• 90% of our deployments are customer facing
• Customer base spread over number of verticals including, Banking and finance, Health care, E-commerce, Governments and many more.

Myth #4 : Integration hassle

No one thought of IBM acquisition of RedHat since those were in opposite business directions, but that has become a reality which means acquisition and mergers reshape the business in a way that no one can imagine and with the improvements of SaaS offerings more and more organization used to adopt SaaS applications. With all these cases no longer we can limit organizations IAM requirements within the organization boundaries, Integration has become a key differentiator in any IAM solutions.

There is a concern that open source IAM solutions were developed with limited industry requirements in mind and integration is minimum. This is how WSO2 Identity Server baked integration in to product and invalidate this claim.

• WSO2 Identity Server is based on open standards and open source principles.
• Comes with seamless, easy to use integration capabilities that help connect applications, user stores, directories and identity management systems.
• WSO2 connector store contains plenty of free connector for Identity integration.
• Extensible architecture allows to implement connectors to integrate with non open standard based (proprietary / custom) external systems.

Myth #5 : No professional support

Availability of the community support does not guarantee that enterprise can get the adequate support it needs. Implementing in house development and support team may only be a temporary solution where economic conditions and other factors may make in house support unsustainable over the long term. This heightens the importance of professional enterprise grade support for any IAM solutions.

No longer we need to wary on this fact most of the open source IAM solutions provide high quality professional support. In WSO2 we believe that critical enterprise projects need enterprise-grade support and we are more than happy to provide it.

• A WSO2 Subscription gives you direct access to world-class experts fluent in the WSO2 platform as well as on enterprise architecture.
• 24x7x365 expert incident-level WSO2 Support with aggressive response and resolution times.
• Priority support option with on or off-site dedicated Technical Account Manager.
• Support chat system with improved turnaround time for customers.
• Community support with public mail lists, Stack Overflow, Slack channels, Meetups ..
• Global footprint, WSO2 offices are located in the US, UK, Germany, Brazil, Australia and Sri Lanka, with partner network across the world

Myth #6 : Maintenance nightmare

Software maintenance equally important as software development to keep solution healthy to deal with changing business and technical requirements. Solutions development take 1 or 2 years but maintenance is an ongoing activity for at least 10–20 years. Top reasons why we need to maintain our solutions are.

1. Bug fixing
2. Capability enhancement
3. Removal of outdated functions
4. Performance improvement

This can occur in hardware layer, operating systems or any part of the software, but software layer should be capable of adopting any of these changes.

It’s another common perception that proprietary IAM solutions still superior in software maintenance and management which is also not true. This is how WSO2 Identity Server support for maintenance in your system.

• WSO2 Update service, provides continuous access to product improvements bug fixes, security updates, and performance enhancements.
• Multiple deployment options ( On-premises, Public or private cloud)
• Multiple deployment infrastructure options (Bare metal hardware, Containers, etc..)
• Multiple Installation options
• WSO2 Managed Cloud provides dedicated hosting with a customized, dedicated deployment.
• Publicly available migration guide / tools and professional migration support.

Myth #7 : Not in enterprise grade

This is another blunt claim spread over open source software and still use to hinder the capabilities of opens source IAM solutions. One way to validate the enterprise readiness is, evaluate the supported features, compare the professional support, whether it support for enterprise integration so on and so forth. But the easiest way is to see the audience who are currently using open source IAM solutions and who are supporting open source IAM solutions.

This is an overview of WSO2 Identity Server customer base.

• More than 150 production customers at the end of 2018.
• More than 500 universities and education institutes use Ethos Identity which is powered by WSO2 Identity Server.
• Open source usage is above the direct customers and OEM customers.

Myth #8 : Limits of longevity

Until open source business model get established and brand name get prominent there was a belief that open source projects were developed by a bunch of random developers and project abandoned risk is high. But over the time open source become the prominent delivery model, brand names such as Linux, Redhat, Git established, longevity concerns were faded away and enterprise used to believe in open source technologies.

Along with other software components open source IAM solutions went through the same journey, so no longer we need to think of longevity concerns. In WSO2 this is how we guarantee the longevity.

• WSO2 is the 6th largest open source company in the world.
• WSO2 started its 14th year of operations in 2019
• 10-year long-term support (LTS) for WSO2 products including WSO2 Identity Server.
• Global footprint, so you can find us anywhere in the world: WSO2 offices are located in the US, UK, Germany, Brazil, Australia and Sri Lanka, with partner network across the world.

Myth #9 : Legal, licensing, and copyright nightmare

Software protection is a complicated task and software license stand for legal protection of copyright and patents of the software. When it comes to open source license it needs to make sure that the software is open for the public and yet be protected.

• Apache License 2.0
• BSD 2-Clause “Simplified” or “FreeBSD” license
• GNU General Public License (GPL)
• MIT license
• Eclipse Public License

Are some of the popular, widely used open source licenses. Further Open source initiative has recognized and list down more open source licenses. Even though open source license define what you can do and what you can’t do, it’s your responsibility to understand truly what you can and cannot do, what you should and should not do. Especially when it comes to IAM solutions you need to think not only core product, but how the extensions, connectors etc.. cover under license.

• WSO2 Identity Server is under Apache 2.0 license, which is the most acknowledged business friendly license.
• No additional cost for extensions.
• You are free to contribute your improvements, extensions to WSO2 Identity Server and make more people get use out of that.

Myth #10 : Lack of expertise knowledge

To build any integration solutions product expertise knowledge is crucial. Expertise knowledge can be gathered via certified integration partners or build internal expertise with enterprise staff or contractors using available training materials/programs and documentation.

In the past open source IAM solutions were challenged against this fact but over the time open source solutions build their partner network, documentation and other materials so no longer this is a concern. Please find the following resources and offerings in WSO2 Identity Server.

• World wide certified technology partners, integration partners and resellers.
• WSO2 direct support and assistance with product usage, development, migration, tuning, and best practices.
• WSO2 consultant services makes WSO2 experts as part of your team.
• WSO2 Identity Server training and certification program.
• WSO2 Library including webinars, white-papers, articles, case studies and many more.
• WSO2 Events world wide Meetups, Workshops, Summits and conferences.

Why do you think I came all this way,

Let the FUD go away and experience the open source freedom with open source IAM solutions.

WSO2 Identity Server one of the leading open source IAM solutions that provides freedom and benefits of open source.

Not only WSO2 Identity Server there are many other open source IAM solutions out there so you have multiple choices.