Identity and access management in the green
By Espen Otterstad
If you ever find yourself setting up identity and access management (IAM) in a startup where you can make all the bold choices, what do you do?
The most apparent limitation you will need to work around is the budget constraint that exists in most companies. In a startup, it’s probably a bit stricter than what you are used to from working within an established company. Despite this, most startups expect some IT and security costs to get off the ground.
Time or money, you have to spend one of the two
Let’s start with the first decision you need to agree on: what’s more valuable to you, your time or your money? If the answer is your money, you have to expect to spend more time getting things set up. The route you go down will most likely include inexpensive or free open source software and solutions. On the other hand, if your answer is that your time is valuable to you and you have some money to spend, your route will probably include getting a few ready-made solutions up and running to get your company off the ground in the identity management and access control area.
Single sign-on everywhere
Whether to use single sign-on (SSO) everywhere might be something you need to discuss. Even though single sign-on has a few downsides, the benefits outweigh these downsides by far.
You cannot completely mitigate the risk of your SSO provider getting hacked. All your connected services are entirely compromised if your SSO provider encounters a security issue like that.
Another risk you can impact to a much larger degree is weak passwords on identities used for SSO. Make sure your users use a high-quality password on their SSO identity.
If you go ahead and roll your own SSO solution, ensure you know what you are doing. Should you go out and buy this as a service, make sure you choose a reputable provider with a good track record.
Open source alternatives
If you decide to go down the open source route and set up your own identity provider (IdP), there are quite a few alternatives you could look at:
When choosing one of the open source alternatives, you have to understand that it is free only in terms of monetary cost. You must invest time to set it up, maintain it, support it, and keep it secure, not just initially but for the lifetime of the solution. The potential cost of moving out of “your own” solution over to one of the larger identity providers should also be something you consider as a possible exit strategy.
Well-known large identity providers
If you would like to choose one of the large identity providers, there are several to evaluate. You might have a platform preference based on prior knowledge or due to other business decisions made. Not all choices are apparent. You may choose to use Microsoft as your identity provider even though your startup is considering using Google Cloud Platform or Amazon Web Services or the other way around.
A few of the ones to consider are:
Conclusion
While there are many ways to handle IAM in a new startup, there are also a multitude of pitfalls. No one solution works for everyone, but if you can choose a well-known identity provider, it could save you a lot of headaches down the road.
What seems to be a cheap solution today might be costly in the long run. If there is one area where you should spend, identity and access management must be at the top of your list.
It might be a hidden piece in a larger puzzle, but it’s still your only cornerstone in keeping what’s probably going to be a multitude of public cloud and software-as-a-service offerings secure both in the near and long term.