Debunking Open Source IAM Myths

It’s been more than 30 years since open source was initiated and now it has become the biggest theme in technology. Some of the highlights in 2018 that emphasize this fact are: Red Hat being acquired by IBM for $32 billion; Microsoft completing its $7.5 billion GitHub acquisition; MuleSoft being acquired after going public for $6.5 billion; MongoDB now being worth north of $4 billion. This is only a portion of the list and it’s clear that open source adoption is at its highest and open source software is winning in the overall software market.

But, having worked in the identity and access management domain for years, I have experienced that open source penetration into the identity and access management (IAM) domain has been quite limited, compared to other domains. Even the people who love open source find it hard to convince their upper management to use open source IAM solutions. Lack of awareness and FUD (fear, uncertainty, and doubt) around open source IAM solutions prevent open source IAM adoption. Hence I thought of providing facts that reveal the truth, so you can experience the freedom of open source without any hesitations. Since my roots are in WSO2 Identity Server, all these facts are taken from WSO2 Identity Server, but I’m confident that all other open source IAM solutions out there will convey the same message. Here I list down 10 most common myths I encountered working with many individuals around the world and the facts that easily debunk them.

Myth #1: Less Secure Than Proprietary IAM Solutions

From the inception of the open source concept, this is a myth that hung around open source software and tried to prevent industry adoption. More than any other software component, this is crucial for IAM solutions/components since this is the security gate in the overall solution. But in reality, this is nothing to do with software distribution mode but the security practices followed by the software development life cycle (SDLC) that matters. In WSO2 Identity Server we follow security practices to ensure that the product meets relevant security measures.

Secure software development life cycle (SSDLC)

• The WSO2 platform security team is dedicated to researching and defining security principles, training, act as a security quality gate, and security incident response handling.
• With WSO2, SSDLC security practice is not an afterthought but included in the requirement gathering and design phase. Furthermore, open discussions enable any individual to join the project at the initial phase and find any issues early.
• Static and dynamic security analysis are conducted before any product release or any updates. Industry leading tools such as Veracode and Qualys are used for this purpose.
• Identity server production recommendations ensure that WSO2 Identity Server is secure in production.

Timely incident handling, support, and security fixes

• WSO2 24x7x365 support team is ready to attend any type of security issue immediately and the development team fixes issues immediately if needed.

Community engagement

• WSO2 is part of the EU bug bounty program.
• Customers share their security reports against the product with WSO2, which covers a variety of angles.

Myth #2: Behind the Trends

An IAM solution must meet functional requirements to be used in the industry. Over the years open source IAM solutions have evolved in such a way that the functional depth has improved to rival commercial alternatives and sometimes the innovation cycle has surpassed commercial products. Some recognition that WSO2 Identity Server has received for its capabilities include:

• 2019: Overall leader in KuppingerCole Leadership Compass: Identity API Platforms
• 2019: Product leader in KuppingerCole Leadership Compass: Access Management and Federation
• 2018: Innovation leader in KuppingerCole Leadership Compass: CIAM Platforms
• 2018: Forrester named WSO2 API Manager as a leader in Forrester Wave™: API Management Solutions, Q4 2018 and WSO2 Identity Server provides the API security

WSO2 Identity Server has a publicly available product roadmap that shows where the product is heading to and there's open room for community discussion on the roadmap items and its improvements. Furthermore, being open source does not prevent you from contributing to improvements and features that make WSO2 Identity Server stay ahead of innovations.

Myth #3: Not Scalable or Robust

Scalability and robustness are key factors when selecting software components in any enterprise solutions. Especially in customer facing solutions or CIAM solutions, scalability is crucial to accommodate customer demands and growth. Most of the leading open source IAM solutions nowadays scale enough and are robust enough to handle millions of user needs.

Some facts about WSO2 Identity Server that illustrate the above point include:

• Manages 100+ million user identities globally
• 90% of deployments that are customer facing
• Customers are spread over a number of verticals including banking and finance, healthcare, e-commerce, government, and much more

Myth #4: Integration Hassle

No one imagined the IBM acquisition of RedHat since these organizations were opposites, but that has become a reality which means acquisition and mergers reshape the business in a way that no one can imagine. With the improvements of SaaS offerings more and more organizations are adopting SaaS applications. We can no longer limit an organization's IAM requirements within the organization boundaries, integration has become a key differentiator in any IAM solution. There is a concern that open source IAM solutions were developed with limited industry requirements in mind and integration is minimum. This is how WSO2 Identity Server has included integration in to the product and therefore invalidates this claim:

• WSO2 Identity Server is based on open standards and open source principles.
• The solution comes with seamless, easy to use integration capabilities that help connect applications, user stores, directories, and identity management systems.
• The WSO2 connector store contains plenty of free connectors for identity integration.
• Extensible architecture allows you to implement connectors to integrate with non open standard based (proprietary/custom) external systems.

Myth #5: No Professional Support

Availability of community support does not guarantee that enterprises can get the adequate support it needs. Setting up in-house development and support team may only be a temporary solution because economic factors (amongst others) may make it unsustainable over the long term. This heightens the importance of professional enterprise-grade support for any IAM solution. We no longer have to worry about this fact as most open source IAM solutions provide high quality professional support. At WSO2 we believe that critical enterprise projects need enterprise-grade support and we are more than happy to provide it.

• A WSO2 Subscription gives you direct access to world-class experts fluent in the WSO2 platform as well as enterprise architecture.
• 24x7x365 expert incident-level WSO2 Support with aggressive response and resolution times.
• Priority support option with on or off-site dedicated Technical Account Manager.
• Support chat system with improved turnaround time for customers.
• Community support with public mail lists, StackOverflow, Slack channels, and Meetups.
• Global footprint, WSO2 offices are located in the US, UK, Germany, Brazil, Australia, and Sri Lanka, with a partner network across the world.

Myth #6: Maintenance Nightmare

Software maintenance is as equally important as software development to keep a solution healthy and deal with changing business and technical requirements. Solutions development take 1 or 2 years but maintenance is an ongoing activity for at least 10–20 years. Top reasons why we need to maintain our solutions are:

• Bug fixing
• Capability enhancement
• Removal of outdated functions
• Performance improvement

This can occur in hardware layer, operating systems or any part of the software, but the software layer should be capable of adopting any of these changes. It’s another common perception that proprietary IAM solutions are still superior in software maintenance and management which is also not true. This is how WSO2 Identity Server provides support for maintenance in your system:

• WSO2 Update service provides continuous access to product improvements bug fixes, security updates, and performance enhancements.
• Multiple deployment options (on-premise, public or private cloud).
• Multiple deployment infrastructure options (Bare metal hardware, Containers, etc.)
• Multiple installation options.
• WSO2 Identity Cloud provides dedicated hosting with a customized, dedicated deployment.
• Publicly available migration guide/tools and professional migration support.

Myth #7: Not in Enterprise Grade

This is another blunt claim spread about open source software and used to hinder the capabilities of open source IAM solutions. One way to validate the enterprise readiness is by evaluating the supported features, compare professional support, availability of support for enterprise integration, and so forth. But the easiest way is to look at the audience that is currently using open source IAM solutions and who is supporting open source IAM solutions. This is an overview of the WSO2 Identity Server customer base:

• More than 150 production customers at the end of 2018.
• More than 500 universities and education institutions use Ellucian Ethos Identity which is powered by WSO2 Identity Server.
• Open source usage is above the direct customers and OEM customers.

Myth #8: Limits of Longevity

Until open source business models were established and brand names became prominent, there was a belief that open source projects were developed by a bunch of random developers and project abandonment risk high. But over time, open source became the prominent delivery model and brand names such as Linux, Redhat, and Git were established. Longevity concerns faded away and enterprises began to believe in open source technologies. Along with other software components open source IAM solutions went through the same journey, so longevity concerns are no longer an issue. At WSO2, this is how we guarantee the longevity of our products:

• WSO2 is the 6th largest open source company in the world.
• WSO2 started its 14th year of operations in 2019.
• 10-year long-term support (LTS) for WSO2 products including WSO2 Identity Server.
• Global footprint.

Myth #9: Legal, Licensing, and Copyright Nightmares

Software protection is a complicated task and software license stands for legal protection of copyright and patents of the software. When it comes to open source licensing, it needs to make sure that the software is open for the public and yet be protected.

• Apache License 2.0
• BSD 2-Clause “Simplified” or “FreeBSD” license
• GNU General Public License (GPL)
• MIT license
• Eclipse Public License

Mentioned above are some of the most popular and widely used open source licenses. The Open Source Initiative has recognized more open source licenses. Even though an open source license defines what you can and cannot do, it’s your responsibility to understand what is permitted and not fully - especially when it comes to IAM solutions you need to think about not only the core product but how the extensions, connectors, etc. are covered under these licenses.

• WSO2 Identity Server is under Apache 2.0 license, which is the most acknowledged business friendly license.
• No additional cost for extensions.
• You are free to contribute your improvements and extensions to WSO2 Identity Server so that more people gain from the product.

Myth #10: Lack of Expert Knowledge

Product knowledge is crucial to build any integration solution. Expert knowledge can be gained via certified integration partners or internal expertise built by encouraging enterprise staff or contractors to use available training materials/programs and documentation. In the past open source IAM solutions were challenged about this fact but over time, open source solutions have built their partner network, documentation, and other materials so this is no longer a concern. Please refer to the following resources for more information about WSO2 Identity Server:

• Global certified technology partners, integration partners, and resellers.
• WSO2 direct support and assistance with product usage, development, migration, tuning, and best practices.
• WSO2 consultant services make WSO2 experts a part of your team.
• WSO2 Identity Server training and certification program.
• WSO2 Library includes learning resources such as on-demand webinars, white papers, articles, case studies, and more.
• WSO2 events organized globally - WSO2 Integration Summits, Workshops, and Meetups.

Why Do You Think I Came All This Way?

So, to conclude, let the FUD go away and experience freedom with open source IAM solutions. WSO2 Identity Server is one of the leading open source IAM solutions that provides freedom and benefits of open source.