Identity and Access Management Made Easy

Managing Identity and Access for your Digital Brand

Published on 21 Jan 2025 by Gabriel Tanguay

Customers, suppliers, employees, and partners all need to be able to access the data they need at the right time, in a secure and efficient manner. You can either do it yourself or delegate this core competence to a trusted partner. Either way, it is important to recognize it as a critical aspect of your business, as it can have a significant impact on your bottom line and your reputation.

Identity vs Access Management

Identity verification is the process of verifying the identity of a user of your system. It checks different properties of the user’s identity, such as their name, email address, or phone number, to ensure that they are who they claim to be. This process is important because it helps to prevent fraudulent activities, such as identity theft, and ultimately to assign the right access to the right person.

Access management is the process of managing access to a system or resource. It grants or denies access to specific users or groups based on their roles, permissions, subscription or other criteria. This process is important, and almost always critical, for an organization acting in the digital space, as it ensures that only authorized users have access to the system or resources, and that they are granted the appropriate level of access.

When registering as a user on a digital platform, you need to be able to identify and authenticate yourself. The platform provider must first ensure that you can be identified uniquely. Traditionally this meant verifying your email address and a password. In recent years, multi-factor authentication, digital keys, biometrics, and other methods have become more and more popular with platform providers as ways to identify their users. Once you have an identity, the platform grants you access to the resources you need to move forward.

As a business, you want to allow new users to register with the least amount of friction. To do so, you can allow them to identify themselves using well-known identity providers such as Google, Microsoft, LinkedIn, Apple, GitHub, and so on. But here’s the catch: you do not want to delegate the access management part to a third party.

Remaining in control of access management, that is, of the authorization to access resources, is a critical aspect of your business when acting in the digital space.

A Typical Access Management Delegation Trap

Google Firebase offers to manage all contact between your platform and your users, and allows you to configure access management and notifications using its technology stack. By delegating access management to Firebase, you can leverage the power of its feature stack, such as two-factor authentication, encryption, and data protection, to secure your users’ data and prevent unauthorized access. On the other hand, you must then ask yourself: who really owns the contact with your users? Is it Google, or is it you?

For your organization, you need to weigh benefits against downsides: so-called free features on one side, and delegating a certain level of control to a third party on the other.

Owning your Customers

You might decide that you want to keep control of your customers and the management of their data, by leveraging the identity providers out there while keeping your own access management capabilities. The two practical options are a home-grown solution, written as custom code or built on a framework, and a self-hosted enterprise open-source solution that you operate yourself.

Advantages of Owning your Customers

By being in control of the contact with your customers, you can monitor all incoming and outgoing signals they receive. This way, you can ensure that they are always in a secure and trusted environment, and you strongly improve your understanding of your customers. Controlling the digital experience of your customers allows you to ensure they receive a fantastic experience when navigating within your digital products’ ecosystem.

Why we run Keycloak ourselves rather than a foreign SaaS

At Luzid, we put the same principle into practice for our own platform and for clients who want to own their identity layer. We looked at the obvious foreign SaaS options - Auth0, Okta, Microsoft Entra, Google Firebase Auth - and ruled them all out for the same reason: each one places the customer relationship and the access-decision layer under a foreign company’s terms and a foreign jurisdiction’s reach. The cost of that delegation is not always obvious until you try to leave, change pricing tier, or answer an audit question about who can read your user list.

We chose Keycloak, the open-source IAM project originally created by Red Hat and now governed under the Cloud Native Computing Foundation. Three things made the difference:

  • It is open source. No licence meter, no per-user pricing, no surprise tier change. We can read the code, audit it, and fix it ourselves if we have to.
  • It runs on our infrastructure. Identity data sits in our own databases, on our own servers, under the same jurisdiction as the rest of our stack. There is no third party in the auth path.
  • It is a serious standards implementation. OpenID Connect, OAuth 2.0, SAML 2.0, FAPI - all properly implemented. We can integrate any compliant identity provider for social login (Google, Microsoft, GitHub) without giving them control over the access decision itself.

Running Keycloak yourself does mean operating it: you patch it, you back it up, you tune it. For us that is a feature, not a bug. We already operate the rest of our stack the same way, and the operational discipline that goes into running our own database also covers our own auth. For clients who care about owning their customer relationship, we have a deployment pattern we can replicate quickly, rather than a SaaS account we would rent on their behalf.
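The split described above, an external provider asserting who the user is while the access decision comes from a role store you own, as an added illustration that is not Keycloak's, Luzid's or any provider's code. It assumes the OIDC library has already verified the ID token's signature, so only the claims are checked here; the Google issuer URL is Google's real OIDC issuer, and every other value (the partner issuer, client id, subjects, roles, policy) is constructed for the example.

```python
import time

# Constructed: the IdPs we trust as identity sources only, and our own client_id.
TRUSTED_ISSUERS = {"https://accounts.google.com", "https://idp.partner.example"}
OUR_CLIENT_ID = "brand-portal"

# Our own role store, keyed by (issuer, subject). This is the access-management
# part we keep: nothing an IdP says about roles or groups is ever consulted.
ROLE_STORE = {
    ("https://accounts.google.com", "110248495921238986420"): {"customer"},
    ("https://idp.partner.example", "supplier-77"): {"supplier", "catalog-editor"},
}

# Which local roles may perform which action on which resource (deny by default).
POLICY = {
    ("orders", "read"): {"customer", "supplier"},
    ("catalog", "write"): {"catalog-editor"},
}


def verify_identity(claims, now=None):
    """Take an already signature-verified ID-token payload and return the stable
    identity key (iss, sub), or None if the token is not one we accept."""
    now = time.time() if now is None else now
    if claims.get("iss") not in TRUSTED_ISSUERS:
        return None  # unknown identity source
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if OUR_CLIENT_ID not in audiences:
        return None  # token minted for some other application
    if claims.get("exp", 0) <= now:
        return None  # expired
    return (claims["iss"], claims["sub"])


def authorize(identity, resource, action):
    """Access decision from our own role store; IdP claims play no part here."""
    if identity is None:
        return False
    roles = ROLE_STORE.get(identity, set())
    return bool(roles & POLICY.get((resource, action), set()))


def decide(claims, resource, action, now=None):
    """Identity from the provider, authorization from us."""
    return authorize(verify_identity(claims, now), resource, action)
```

Note that a token carrying an IdP-side `roles: ["admin"]` claim still only gets what the local role store grants, which is the property the section argues for.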

Own Your Customer, Own Your Digital Brand

Evaluate how many external partners you have delegated access management for your customers and partners to, in which country they are based, and what their terms and conditions are. Ensure that you are in compliance with the regulations and that you are able to provide the same level of access to your customers and partners.

Ensure that you have the right tools and processes in place to manage access for your customers and partners, including the use of strong passwords, multi-factor authentication, and regular security audits. Being in control will ultimately allow you to be in charge and to leverage user access management to your advantage.

Want to make sure you own your customers?

Hit us up. We will help you put an identity layer in place where the customer relationship - and the access decisions - stay on your side. We reply within one business day.