30 Jun, 2021 | 3 min read

The developer-first drive in IAM is here!

  • Prabath Siriwardena
  • Senior Director - Security Architecture - WSO2

The Total Economic Impact Of WSO2 Identity Server—an April 2021 commissioned study conducted by Forrester Consulting on behalf of WSO2—found that our product reduced developer effort around integrations by 60% and accelerated time to market by 12 weeks. By utilizing tools to forge pre-built integrations, development staff were significantly more productive in delivering application functionality to production. 

The developer-first drive has moved to mainstreet, and IAM is no exception. In his book, Ask Your Developer: How to Harness the Power of Software Developers and Win in the 21st Century, Jeff Lawson states that every company is on a journey to become a software company and that everyone is starting to see the world through the lens of software. He defines a softwareperson as someone who is not necessarily a developer but anyone who, when faced with a problem, asks the question, how can software solve this?

Build vs. buy (or vs. die)

In the book, Jeff takes the popular debate build vs. buy to another dimension—i.e., build vs. die. As every company is becoming a software company, the competitive advantage they create is in the software they build. When software becomes the interface where your services meet customers, you need to build it if you want to survive.

Building what you want gives the freedom to experiment (or innovate). More opportunities to experiment gives you the edge to understand your customers better and grow your business.

“With an open source [WSO2 Identity Server], our developers have been very successful [in] writing custom extensions.” ~ Solutions architect, insurance, The Total Economic Impact Of WSO2 Identity Server by Forrester Consulting, commissioned by WSO2, April 2021

Build does not necessarily mean creating everything from scratch. You don’t build anything that already exists, given that it provides what you need. You only build things that are critical for your business, which help build your competitive advantage over all others. The rest, or the building blocks that help you build what you wish, are part of the digital supply chain.

The digital supply chain

Uber, for example, uses 4,000+ microservices internally. However, not all of them are developed by Uber, itself. Uber uses the Google Maps API to pull out location data, the Twilio API to facilitate communication between passengers and drivers, and many other APIs. All these APIs are coming from the digital supply chain Uber picks to build its product. Then again, these building blocks in Uber’s digital supply chain are also available to Lyft and other Uber competitors around the world. 

What brings Uber the competitive advantage is in what they build!

The software you build can be your product. At the same time, it can be a building block for another product. Google Maps is Google’s product; however, the Google Maps API is a building block for Uber. Alexa is a product of Amazon; however, the Alexa API is a building block for Nissan.

Picking the right digital supply chain is equally important as what you pick to build. Think, what if Uber had to build something equivalent to Google Maps from scratch? From 2016 to 2018, Uber paid $58 million to Google for using Google Maps. But, this is a small amount when you compare that with its revenue in 2019, which came in at $14.15 billion.

Having the right digital supply chain helps you to optimize your development team to build only what you need and no more. Instagram, for example, was only a 13 people team when Facebook acquired it for $1 billion in 2012, and the WhatsApp team was only 50 strong when Facebook acquired it for $19 billion in 2014.

Build your own identity stack?

Every service you develop, every API you design, every device you use, and every person you interact with will have a managed identity. In today’s hyperconnected world, the identity integrations with these business applications and systems are going to be critical.

Going back to the build vs. die debate, do you still have to build the identity stack to gain a competitive advantage in your business domain? If you are in the identity business, of course, you do. But, for all the others, no. The identity stack you need to build your product is a building block in the digital supply chain.

You never worried about building a TCP/IP stack yourself, so, don’t worry about building an identity stack. However, over time, we have spoken to over a thousand companies (hundreds of them are WSO2 customers), and in most cases, they bring in unique identity requirements. The uniqueness comes in that requirements are specific to the industry they are in and also specific to the complexity of the business problem they want to solve.

“Our homegrown identity solutions couldn’t do any of the stuff that we needed given the rise of identities [under management]. We had potential security issues. This all disappeared with an identity provider like WSO2 [Identity Server].” ~ Solutions architect, insurance, The Total Economic Impact Of WSO2 Identity Server by Forrester Consulting, commissioned by WSO2, April 2021

Identity is core to any business, and how you manage identity will also help you in building a competitive advantage. At WSO2, we have worked with 90% of our WSO2 Identity Server customers to solve complex identity problems. WSO2 Identity Server is open source, and if the business problem is straightforward, they don’t even talk to us; they simply use the product as it is. However, when we work with complex Identity requirements, we have extended the product to solve specific business problems.

Building these extensions, which are specific to unique business requirements, have helped companies to differentiate themselves from others. Then again, they didn’t want to build everything from scratch — rather they started with what’s common (and available to everyone) and started innovating on that. That significantly reduced time-to-market and gave the freedom to innovate.

I don’t intend to contradict what I mentioned before, that the identity stack is part of the digital supply chain you pick; however, the identity stack should have the flexibility to extend with minimal effort to build business requirements specific to your business.

“Our in-house developer team has saved a ton of time typically used extending and modifying our own homegrown [CIAM] solution. Now, they can be working on something else that makes us more competitive. WSO2 Identity Server now just gives us the out-of-the-box, compatible, and extensible solution that we’re good to go with.” ~ Chief global architect, healthcare technology, The Total Economic Impact Of WSO2 Identity Server by Forrester Consulting, commissioned by WSO2, April 2021

The TCP/IP moment in identity

In the 70’s, having support for TCP/IP in a product was considered to be a competitive advantage. Today, it’s a given, and nobody worries about TCP/IP support as it’s everywhere.

In his keynote at the European Identity Conference in 2016, Ian Glazer from Salesforce mentioned that this is the TCP/IP moment in identity. He talked about open standards (i.e., SAML, OpenID Connect, OAuth, SCIM, XACML, etc.) in the identity domain, and how they are going to be part of every product. Identity vendors cannot gain a competitive advantage by merely supporting open standards, and RFPs looking for identity products will not even worry about asking support for these standards.

“WSO2 Identity Server has support for OpenID Connect and OAuth 2.0, the types of standards that set us up internally to consolidate development approaches. Single sign-on, federated login through social, and other functions, that’s what WSO2 enables us to do now.” ~ Chief global architect, healthcare technology, The Total Economic Impact Of WSO2 Identity Server by Forrester Consulting, commissioned by WSO2, April 2021

The next TCP/IP moment in identity

Developers do not worry about building a TCP/IP stack (or even worry about TCP/IP) while building software. We believe identity integrations with business applications and systems need to be developer-first (or developer-focused) with the right level of abstractions and tools. And, doing that right would be the next TCP/IP moment in identity. This will free developers from worrying about the complexities in identity integrations.

“WSO2 [Identity Server] has clearly been built from open source best practices. Our developers and engineers are familiar with an open standard, so it’s very easy for them to get our customer identities onboarded quickly and efficiently.” ~ Sr. manager, engineering, healthcare manufacturing, The Total Economic Impact Of WSO2 Identity Server by Forrester Consulting, commissioned by WSO2, April 2021

Developer-first IAM

The single identity administrator role has started diminishing, and the role of the developer is becoming more prominent in identity integrations. These developers need a better abstraction over core identity concepts. Developer-first IAM is the way to realize the next TCP/IP moment in identity.

In the consumer identity space, enterprises bring in their unique requirements. In many cases, they look for a product that can be used to build an agile, event-driven consumer identity (CIAM) platform that can flex to meet frequently changing business requirements.

A developer-first IAM product builds an abstraction over the core identity concepts in the form of APIs and SDKs, provides tools for troubleshooting, has the ability to integrate with the organization’s build pipeline, carries the right level of developer experience, and has the ability to extend the product’s core capabilities to fit into an organization’s complex IAM requirements.

As every company is becoming a software company, and starting to build their competitive advantages on the software they build, developer-first IAM will free developers from inherent complexities in doing identity integrations. That’s the next TCP/IP moment in identity, and the developer domination has begun!