Last week, FusionAuth and Cerbos co-hosted a webinar featuring myself and Alex Olivier, Cerbos CPO and co-founder. We shared insights on deploying both authentication (AuthN) and authorization (AuthZ) solutions, whether self-hosted, single-tenant in the cloud, or SaaS.
We talked about how folks evaluating such solutions should go about finding the best fit for security, control, and scalability.
Understanding The Spectrum Of Deployment Options
When deploying any architectural component that your application depends on, whether authentication, authorization or another type, you’re making a trade-off between control and responsibility.
As I put it during our discussion, referring to the table below: “As you move from self-hosted to a multi-tenant fully managed SaaS, you have less and less responsibility but you also have less and less control.”
The discussion explored three deployment models:
- Self-Hosted: Offers maximum control but requires you to manage everything from infrastructure to updates.
- Single-Tenant Cloud: A middle ground where you have your own compute/database but someone else operates it.
- Multi-Tenant SaaS: Minimum responsibility with minimum control.
To illustrate this, Alex used a helpful database analogy: self-hosting is like running PostgreSQL on your own server, single-tenant cloud is like using Amazon RDS, and multi-tenant SaaS is like a fully managed service such as Cockroach DB.
Authentication vs. Authorization
We also covered the difference between authentication (proving who you are) and authorization (determining what you can do). While these concepts are related, their deployment considerations can differ significantly.
Authentication systems typically protect the “front door” of your application and issue tokens valid for seconds or minutes.
Authorization systems, however, are in the critical path of every request. Every API call or service interaction must be either allowed or disallowed, so such systems should respond in milliseconds.
Considerations for Deployment Decisions
We outlined four major factors to consider when choosing between deployment models:
- Compliance: Legal requirements around data residency, sovereignty, and audit capabilities can influence your deployment choice. Self-hosting often provides flexibility to meet specific compliance regimes.
- Technology: Infrastructure requirements, network architecture, and availability/scalability needs all play crucial roles in determining which deployment model makes sense.
- Operational Risk: Security requirements, vendor dependencies, and migration paths should be carefully evaluated. As I mentioned during the webinar: “Every application is on a spectrum and on one end of the spectrum is the military, and a little further along is the banking system. And then eventually you further relax security requirements” such as when building an online game.
- Cost: Beyond financial considerations, there’s also the opportunity cost of building versus buying versus hosting. Alex emphasized: “Your business is not an authentication provider. Why would you go and build a whole identity system when you can go and pick FusionAuth… You really want to spend your time building valuable parts of your business.”
Flexibility
The most important takeaway from our discussion was that there’s no single right answer that works for every organization at every stage. Your needs will evolve as your business grows, and the ideal solution provides flexibility to move between deployment models as circumstances change.
Whether you’re just starting out and prefer the simplicity of SaaS, or you’re an established enterprise requiring the control of self-hosting, understanding these deployment considerations lets you make more informed decisions for your authentication and authorization infrastructure.
Want to see the complete webinar and learn more about how deployment models affect critical application components like authorization or authentication? Register for the on-demand webinar.
Why Modern Auth Matters
As digital identity requirements continue to evolve, picking the right deployment model for your organization is growing more and more important. While SaaS is appropriate in some situations, FusionAuth’s dedicated approach gives organizations the best of both worlds: a sophisticated, up-to-date auth system fully aligned with your development practices, deployment models, and business needs.
Check out the on-demand webinar today to see what you should be thinking about when deploying authentication or authorization in 2025 and beyond.
