Hey…Where’s My Music?
Do you remember when you used to own your music? You would buy a CD at the store, and flip through folders of CDs when you wanted to listen to something. Today, if you want to access your music, you are generally using something like Spotify, connected to data or wifi. While there is some added convenience in having songs on your phone, it’s very likely that you’ve lost all the songs from the phases of your life during the CD, MP3, iPod or early Pandora eras. And you probably never kept a laundry list of all your favorite songs from every stage of your life, so you can probably only access, or remember, music from the date on which you joined your music streamer of choice. You can’t go back to the old model because very few sell CDs anymore. Your car probably doesn’t even come equipped with a CD player.
SaaS has literally hijacked your music. You subscribe to music, but don’t own it.
What if this kind of hijack were to occur in an industry that has major security ramifications, and processes personal data? Like, say, authentication, which touches apps used everywhere across daily life, from the bank to kids’ schools to work to that streaming app you use to listen to music! The consequences to a company - and consumers - of ceding control over authentication can be serious, because authentication has access to the passwords and usernames in use across your daily life. A quick analysis shows that authentication, or the Customer Identity and Access Management (CIAM) industry, is not safe, and has fallen prey to hijacking by multi-tenant SaaS offerings.
But the good news is technical teams still have a choice; you can still prevent multi-tenant SaaS from hijacking your authentication.
Multi-tenant SaaS ≠ the Cloud
In authentication, it’s multi-tenant SaaS (specifically, as a singular deployment option) that is the culprit. The cloud has not hijacked your auth, and neither has SaaS by itself: single-tenancy in the cloud gives you strong control and ownership of your auth, and SaaS is just another way to say a cloud-based application.
By multi-tenant SaaS, we are referring to a situation of shared infrastructure, where noisy neighbors that consume excess resources can affect your own access to resources.
A single-tenant Cloud deployment is also in the cloud, but the infrastructure is dedicated. You can also have multi-tenancy in a single-tenant architecture in the cloud, with dedicated resourcing, and this does not have the same security issues as multi-tenant SaaS.
Why is Multi-Tenant SaaS so Prevalent in Customer Identity?
It took the greater part of a decade for customer identity to turn itself over to multi-tenant SaaS, and in fact, multi-tenant SaaS wasn’t always the de facto deployment model. From 2013-2015, when Customer Identity started to emerge, multi-tenant SaaS was outnumbered by self-hosting options:
- When Auth0 was founded in 2013, it offered a self-hosted deployment option
- FusionAuth was founded in 2018 (after an initial launch of Passport in 2017), and had a self-hosted option (spoiler alert: it still does, and you can download FusionAuth locally)
- Other legacy players in the market at that time, like Ping Identity and ForgeRock, offered on-premises options (though they were not very developer or customer identity friendly)
Eventually, many self-hosting options gave way to multi-tenant SaaS. Why did this happen? From the outside, one can only surmise - but it probably had something to do with the growth expectations of the VC-driven model in a fast-growing industry:
- With a self-hosting and a cloud option, engineering teams can find themselves maintaining two separate release cycles, which can be viewed as inefficient for a growing startup that is being told to tighten its focus to hit growth targets
- Multi-tenancy is largely viewed as a cost-cutting strategy for companies operating in the cloud
By 2025, the majority of Customer Identity and Access Management (CIAM) players had completely succumbed to multi-tenant SaaS.
- By 2020, Auth0’s self-hosted on-premises option was deprecated in favor of multi-tenant cloud deployments. Okta’s purchase of Auth0 in 2021 did not change this model.
- In a similar time-frame, multiple multi-tenant SaaS copycats were born: e.g. Frontegg (launched in 2019), Stytch (launched in 2020) and more.
- Ping was bought by Thoma Bravo in 2022 and ForgeRock was merged into the same in 2023 to create the PingOne Advanced Identity Cloud Architecture, which is single-tenant. However, it is unclear from the outside whether PingOne for Customers, which is Customer Identity, can actually be deployed in that single-tenant model. Today, it is marketed as “Ping’s multi-tenant cloud solution.”
Here we are today, and FusionAuth remains the only downloadable, enterprise-scale, single-tenant solution that you can run in the cloud or on-premises.
In the next blog post in this series, we will give an in-depth explanation of the limitations of multi-tenant SaaS for your auth.