High scalability is crucial when it comes to adding new features to your product and handling thousands and millions of requests per second. Software engineers and architects are always striving to find the best way to develop applications that can be elastically scaled depending on the customer’s needs. Furthermore, it’s important to give access to it in case of some trouble, for instance, lack of internet.
Chances are, your app’s features and designs look and function a lot different today than when first released. This is par for the course in today’s digital environment: the success of any application relies on its ability to adapt and grow along with customer needs—which are constantly evolving. As such, the app you first release is simply a starting point; one that needs the proper foundations to support developers and users as it evolves.
While you can’t predict future needs or opportunities, you can build your application with scalability and identity at the core. This approach allows you to move quickly and easily respond to customer requirements—whether it’s a brand new use case or added features—while keeping the experience seamless and secure for everyone.
With all of this in mind, here are five principles that can help your developers build highly scalable apps while also creating identity experiences that customers trust and enjoy.
1. Build on open standards
Before your developers can begin building an app, you need to determine which identity standards make the most sense. This will help you create a truly cross- channel strategy—one with consistent support for your developers and use cases.
Companies often start with just a few standards and protocols—OAuth 2.0, OpenID Connect (OIDC), SAML 2.0, and SCIM are among the most common—and then adopt others (e.g. social and passwordless authentication, FIDO2, WebAuthn, and Webhooks) as they scale their applications for new users and markets.
These identity standards can be pivotal in reducing your time to market and minimizing your dependence on original developers. For example, let’s say your company has a simple web application, but plans to add additional mobile apps next year. As part of your security and identity strategy for the app, your team adopts OAuth 2.0/OIDC and uses JSON Web Tokens (JWTs), signed objects/payloads holding claims such as user data, to authenticate and authorize users in a secure manner.
Since JWTs are an open standard, developers can choose among various libraries to create, verify, and inspect these tokens. The mobile experience team can then use the same resources and code bases that operate with OAuth/OIDC/ JWT, without having to deal with the web development team. This helps keep your company agile, and allows you to bypass some of the obstacles that typically hinder app development.
Benefits of using open standards
- Lowers overhead costs due to minimal refactoring
- Enables more agility and reduces time to market
- Streamlines authentication experiences across your applications
- Contributes to seamless and secure user experiences
- Attracts new customers and increases customer retention
- Increases customer trust in your app and your company
2. Centralize user stores
Applications are often rolled out with their own unique, separate customer data stores, which can be the root of several problems. For one, managing multiple repositories can be both error-prone and costly for developers—but it may also impact the overall user experience. When customer data is siloed across different applications or components of a platform, for example, it can hinder their ability to access accounts and services.
Because customer data is key to delivering relevant content and enticing offers, multiple user stores also make it challenging—if not impossible—for a company to get a full picture of its customers’ unique needs. In a time where personalization is a key customer offering, this could result in retention issues, ultimately inhibiting a platform from scaling.
The core purpose of a basic user store is to act as a repository for your user identities and credentials. But doing this in a safe and reliable way can be quite complex: to protect users’ accounts, your developers need the tools to encrypt data at rest and in motion, hash passwords, manage password complexity, reset passwords, and unlock accounts, among other things. For repositories that contain additional information, such as roles and permissions, businesses also need a way to organize that data and transmit it to applications.
By centralizing user stores, you can present a 360-degree view of your customers both internally to employees and externally to partners. This streamlined approach to user management can make it easier to scale, as you can always access the same set of identities and credentials.
Best practices for centralizing user stores
- Keep original credentials
- Reuse other data, regardless of a new schema
- Centralize as much as possible to reduce application dependencies
Identity Tech Stack Before Okta
Identity Tech Stack
3. Meet customers where they are
Customers have shorter attention spans and higher expectations than ever before. They want simple, personalized experiences tailored to their unique needs—and are quick to judge when a product or service doesn’t quite hit the mark.
While it may seem daunting to create experiences that are as seamless as those offered by Netflix, Amazon, and Facebook, technology and identity standards are constantly changing. And that means there will always be new ways to engage with customers and earn their trust from the very first time they interact with your brand and throughout their entire customer journey.
In conjunction with centralized user stores, adopting these solutions can enable you to surface attributes or information about a user at any time, reducing friction, simplifying the administration experience, and keeping your developer teams agile.
4. Open up your ecosystem
To achieve real scale, your company must be able to quickly move in the direction the market requires. This can mean adding more features, accommodating more users, or adding more use cases. Often the stumbling block for this is a closed system, which means internal teams, partners, and even customers cannot access your APIs or code. By creating a clean, open platform for your internal, or even external development teams, future teams can more quickly and effectively adopt your identity service, making it easy for devs to scale your product.
In an open ecosystem, developers must be able to:
- Quickly register to a selection of APIs with scoped access
- Authenticate to the API or application and start interacting with your API
To do this, companies must securely manage developer credentials, such as API keys and user accounts and authorize with different permissions, in both single-tenant and multi-tenant architectures.
For example, you can give internal teams access to create applications with the scope of modifying internal users and configurations. At the same time, you can restrict developers from modifying customer-based resources.
For platforms offering an external API, the next step is to properly gate and monetize access to premium resources— all while reducing barriers to entry for external developers. Companies such as Salesforce, Expedia, and eBay successfully use this model. Companies not monetizing APIs will likely struggle to keep up with competitors taking advantage of this lucrative opportunity.
While opening your ecosystem might seem counterintuitive to growing and scaling, this approach can lead to new products, increased usage, and opportunities for new revenue streams. What’s more, by providing easy and scoped access to your APIs for internal teams, partners, and external developers, you can expand your ecosystem more securely.
5. Prioritize Security
The internet is a fantastic place, but it can also be a scary one; the media is constantly reporting on data breaches, hacks, and other cyber security attacks. This growing number of potential threats and vulnerabilities has put security and privacy at the forefront of everyone’s mind.
Companies worry about the cost of recovering from a cyber security attack, as well as the often unrecoverable damage an incident can cause to their reputation.
Customers understand the risks of unprotected data, and are starting to carefully consider security when choosing products and services.
Each time you create a connected app, your company is exposed to software-layer attacks on the web. But the hardware layer is also open to vulnerabilities on desktop and mobile devices. While it’s impossible to build a service that’s immune to all attacks and vulnerabilities, you can build apps that are prepared to handle and withstand these threats—something customers both expect and appreciate.
The key to improving security and reducing risk is building security into your apps from the beginning.
In addition to making apps highly scalable, the strategies mentioned above—building on open standards, centralizing user stores, and meeting customers with federation—all add an additional level of security:
With open standards, the evolving protocols quickly patch any new vulnerabilities. Once the protocols are updated, any security issues in your app due to the standards are automatically resolved. Your developers are no longer responsible for identifying, tracking down, and fixing every security issue.
When user data is stored in one centralized place, cyber criminals have fewer entry points to attack.
Identity federation reduces the burden of storing sensitive credentials and potential user data. Additionally, by using third-party authentication providers, critical parts of your app are maintained by leading security experts and regularly monitored.
Beyond these approaches, there are a few things you can do to actively secure your application:
Gather and use as much context as possible to enrich access decisions. If your app makes an access decision with a single piece of information, such as a password, the likelihood of unauthorized access increases. By using multi-factor authentication (MFA), you can supplement logins with additional context, such as geo-location, device fingerprint, or IP address.
Develop a robust logging and monitoring service with integration in mind. This should contain all the context listed previously; it should also be flexible, exportable, and capable of keying off certain events to send Webhooks to downstream services such as SIEM or CASB. Building in this way will future-proof your platform as security concerns arise.
Building scalable apps for today and tomorrow
Each of the five principles mentioned above can help organizations build highly scalable and successful applications—especially when used together. More than simply applying these principles, however, it’s important to ensure that each is tailored specifically to your application to help prevent commoditization, and make your app truly stand out in the market. Only by putting scalability and identity at the core of your strategy, can you build an app that will exceed user expectations today and in the future.