A
Hello everyone, this is Tom Uren. Today I have a Risky Business news sponsor interview with Fletcher Heisler, who is the CEO of Authentic. G'day Fletcher, how are you?
B
How's it going? Thanks for having me, Tom.
A
So Authentic is an identity provider company like you make a self hosted identity solution. And I thought this is a space, I don't know a huge amount. And I was kind of thinking to myself before this interview that if I was to start a company I would presumably come up with some short term IT solution. And then as my company becomes an outrageous success and it grows, what would be the factors that would make me think I need to revisit the way I'm doing things and look at perhaps a different identity provider?
B
So we reach people at a few different turning points, I think. So Authentic is the open source project that has, let's say, over a million installations, a very wide community, been in development for seven years. Authentic Security, the company on top of that, for the past few years has been kind of scaling that up to enterprise. But we've actually had a lot of home lab users then kind of graduate and take us to work and decide, I have experience in here, I can see how it could scale to what I need, and introduce things that way.
A
Right. So they're just people who happen to play around at home because they're enthusiasts, they like it, they decide that they're in a, or they are in a position of influence within the company and they go this is the perfect fit for us or it will solve some other problem. Yeah, that's really interesting.
B
Yeah. And we've had kind of in both directions but sometimes a CISO will come to their team and say, hey, we need a new solution for this. And it turns out everyone's running us in their home lab so it's worth chatting with the team from a work perspective as well.
A
Yeah. Right.
B
So we get folks sort of net new project, or most of the time at a larger company you probably have three, four, five different solutions. So as you said, you've grown, maybe you've acquired some companies, you've had some specific side projects that got roped in. Now you've got Okta for part of it, Microsoft for some parts, but that won't manage all of your Apple devices as well. You might have a couple of Keycloak instances and nothing really talks to each other very well. And so we can be the glue there. Not just in terms of orchestration. I think there are other tools and companies out there that are kind of a layer of duct tape to temporarily patch those things together. But we can stand up as a full fledged IDP alongside those other sources and say maybe you have AD and that's your source of truth. No matter what, you can't pull that out. Or maybe you want Authentic to be your source of truth, but you don't want to have to solve and administer all the same problems and systems five, six, seven times over. We also get from smaller companies, they might be using something like Google Workspace and starting to graduate from that and need a bit more flexibility, some additional features, some additional integrations. But because we try to be very vendor agnostic and protocol compliant, we can speak with all of those. So for instance, if you're migrating over from Okta, you can spin Authentic up and say dynamically reach out, map all the user data we need in. You might do that a slightly different way for three other systems as well. But then you don't have to deal with a day zero of we'll just export everything and hope that it works. You can stand this up alongside, make sure that you're happy and then start turning off all the various systems that you didn't want to have to keep duct taping together over time.
A
Right, right. So I guess my take home message is that there comes a time when you just know that you need to revisit what you're doing, and it'll be because whatever's going on is just becoming more and more painful. And is it an inevitable part of a company growing up?
B
It depends on what levers are the most important there. That time is often that time of renewal when your cost doubles or triples and you decide we do need to just, even from a financial perspective, find another way around. It might be security driven. You have compliance requirements and they're getting harder to meet. Maybe you have some FedRAMP High customers who are saying, how are you going to ensure this with all these different vendors? We have a FIPS compliant version you can run internally and so that helps check the box. It's a lot easier over time to say we already run our own private cloud infrastructure, let's run this alongside that, instead of maintaining lots of separate pipes and services to try to incorporate these black box SaaS solutions.
A
Yeah. And in terms of the different drivers you've spoken about, a couple of ones. Can you tell us a bit more about security? What are the companies that value security and why are they choosing Authentic?
B
Well, I won't harp on Okta too much. I think it's mainly been sort of transparency issues sometimes in terms of security reporting. But for instance, Cloudflare uses us and previously had to be the ones to let Okta know that they had been breached multiple times. And so being able to say, you know, we publish all of our pen test results, we get at least annual pen tests, everything is source available. So we've had multiple customers do code reviews and tests of their own. We're very transparent in terms of CVEs, in reporting how we prioritize security. Compare that to a proprietary closed solution where the source code's been leaked on the dark web, but you as a customer don't get to see how your data is being secured or not. It's kind of night and day that we're starting from a very clear, transparent place of wanting to prioritize security as much as possible from day zero and let folks know, let you as the end user, customer, administrator know, here's how you are secured. There's also, in terms of sort of SaaS versus self hosting, you know, obviously you get some things taken care of for you, but especially for a larger company, a lot of the time it's kind of one size fits none. You're sharing an attack surface with every other customer. If there's shared infrastructure there, you're kind of relying on that provider to set whatever guardrails make sense. Now we do that as well and say here are your standard templates and default values and such. But if you're looking for all of these endpoints shouldn't be accessible except in these very specific situations, you have a lot more flexibility to lock down your individual instance and be secure by default by saying only in these very specific ways do we expect things to be accessed or used.
A
So that sounds to me like the companies that would do that are the ones that care a bit more than usual about security. Is that fair to say?
B
Definitely. If you don't prioritize security on your identity side, I suppose that's not for me to make that judgment. But Authentic is probably more effort than it's worth.
A
You said Authentic is probably more effort than it's worth, but I think you meant something else.
B
Well, it's more effort than it's worth. For someone maybe just starting up a brand new small company, they're not looking at any sort of sensitive data. They just need to get something out there quickly and easily. Probably go with Google Workspace or something like that.
A
Right, right, right, I see, I see. If you don't care about security, anything is fine is basically what you're saying.
B
Pretty much, yeah.
A
So there's a lot of talk now about things like, I guess, sovereign tech stacks, particularly in Europe. Well, and also I suppose in countries like China and Russia, I presume. I don't really follow the news there. So do people come to you with that kind of concern as well?
B
There's a lot of overlap there, yes. And it's sometimes kind of orthogonal companies or parties involved there, but I'd say by the numbers, in terms of usually smaller size but total count, half at least of our business is non US based. There's a lot of folks in Germany and France, across Europe, who are looking at not having to rely on a US provider and especially send a lot of that sensitive data back to one. And that helps check all sorts of boxes and just make things much easier for them up and down, that they don't have to worry about that relationship, that management and also that increasingly geopolitical problem as well.
A
So Authentic is open source. Right. But the company. You sound American. And so you've got a company that sits on top, that runs it as a service as well, is that right?
B
It's an open core model and actually our founding CTO Jens is based in Germany, so we get some mileage off of that on the EU side. Our team is pretty much split roughly half and half US and Europe. So open core, the vast majority of it is an open source IDP. There is essentially a folder within the same repo which is copyrighted code and that's additional enterprise features that you pay for a license for. That includes support from our team as well. But that's everything that a homelab user wouldn't care about. But as a company, you're more likely to want to have more detailed granular auditing, additional specific integrations that probably mean you have multiple IDPs, things like that.
A
And so you have personnel, I guess, all over the world in terms of. You said it was an open core model. What does that mean?
B
Open core. So open source, which we also build upon with additional code which is not technically open source, but it's still source available.
A
So in terms of sovereignty, people trust you more than they might trust a big US provider because you're not intimately tied to the US. It seems like you've got US links.
B
Right. We still are a US corporation at the end of the day. Right. Because it's also source available and the majority open source, there's kind of always that fallback option of someone could change their service or go out of business or whatever, but the code is still there. You can still run that. Another piece of that is we're actually a public benefit company, which in this case just means in our charter we state that we're always going to maintain open source. We're not just going to start charging for those parts or taking them out of the open source product. So kind of assuring folks as much as we can that you won't get the rug pull as we grow. And similarly kind of intentionally limiting our options. We couldn't just have Okta or someone come in and say, here's some hush money, just shut the thing down or change it in some way.
A
Yeah, yeah, yeah. It's interesting. It's a brave new world. Fletcher Heisler, CEO of Authentic. That was a very interesting discussion. Thanks a lot.
B
Thanks so much, Tom.
Risky Bulletin Podcast Summary
Episode: Sponsored: The Geopolitics of Trust
Release Date: June 22, 2025
Host: Tom Uren
Guest: Fletcher Heisler, CEO of Authentic
In this episode of Risky Bulletin, host Tom Uren engages in an insightful discussion with Fletcher Heisler, the CEO of Authentic, an identity provider company specializing in self-hosted identity solutions. The conversation delves into the intricacies of identity management in cybersecurity, the evolution from home lab enthusiasts to enterprise-level deployments, and the geopolitical factors influencing trust in technology solutions.
Fletcher Heisler introduces Authentic as a robust open-source identity provider (IDP) that caters to both individual enthusiasts and large enterprises. With over a million installations and seven years of active development, Authentic has established a significant community presence.
[00:16] Fletcher Heisler: "Authentic is the open source project that has, let's say over a million installations, a very wide community, been in development for seven years."
This expansive adoption underscores Authentic's reliability and adaptability in managing identity solutions across diverse environments.
Authentic's journey from home labs to enterprise solutions highlights a unique growth trajectory. Many users initially experiment with Authentic in their personal projects before recognizing its scalability and integrating it into their professional environments.
[01:26] Fletcher Heisler: "We've actually had a lot of Home Lab users then kind of graduate and take us to work and decide. I have experience in here, I can see how it could scale to what I need and introduce things that way."
This organic transition reflects Authentic's flexibility and the trust it garners from its user base, facilitating smooth scalability for businesses experiencing growth.
In larger organizations, managing multiple identity solutions leads to complexity and inefficiency. Authentic addresses this by acting as a unifying layer that integrates the various IDPs already in place, streamlining orchestration and reducing reliance on disparate systems.
[02:30] Fletcher Heisler: "We can stand up as a full-fledged IDP alongside those other sources and say maybe you have AD and that's your source of truth... We also can be the glue there."
By consolidating different identity providers, Authentic not only simplifies management but also enhances interoperability and consistency across platforms.
Several factors drive companies to consider switching to Authentic:
[03:47] Fletcher Heisler: "Maybe you have some FedRamp High customers who are saying, how are you going to ensure this with all these different vendors?"
These elements collectively make Authentic an attractive option for businesses seeking sustainable and secure identity management.
Security is paramount in Authentic's offerings. The company emphasizes transparency, rigorous security testing, and source availability to build and maintain trust with its users.
[05:04] Fletcher Heisler: "We're very transparent in terms of CVE reporting... We publish all of our pen test results, we get at least annual pen tests, everything is source available."
Authentic's approach ensures that customers have visibility into the security measures in place, fostering a secure environment tailored to their specific needs.
Authentic is particularly beneficial for companies that prioritize security and require extensive customization. While it may demand more effort compared to out-of-the-box solutions, the benefits in terms of security and flexibility are substantial.
[07:13] Fletcher Heisler: "It's more effort than it's worth. For someone maybe just starting up a brand new small company... go with Google Workspace or something like that."
For established organizations handling sensitive data and complex identity requirements, Authentic proves to be a worthy investment.
Authentic acknowledges the growing trend of sovereign tech stacks, especially in regions like Europe, where there is a preference for non-US providers to mitigate geopolitical risks.
[08:00] Fletcher Heisler: "Half at least of our business is non US based... particularly in Europe... looking at not having to rely on a US provider."
This strategic positioning allows Authentic to cater to international clients seeking greater control over their data sovereignty.
Authentic operates on an open core model, offering a predominantly open-source IDP with additional enterprise features available under a separate license. This model ensures that the core functionalities remain accessible while providing advanced capabilities for paying customers.
[09:50] Fletcher Heisler: "Open core. So open source, which we also build upon additional code which is not technically open source, but it's still source available."
Moreover, Authentic's status as a public benefit company underscores its commitment to maintaining open-source integrity and preventing undue influence from external entities.
[10:12] Fletcher Heisler: "We're a public benefit company... we're always going to maintain open source. We're not just going to start charging for those parts or taking them out of the open source product."
The discussion with Fletcher Heisler highlights Authentic's pivotal role in the evolving landscape of identity management. By offering a transparent, secure, and flexible solution, Authentic addresses the complex needs of modern enterprises while navigating the geopolitical challenges of trust in technology. For organizations seeking a reliable and adaptable IDP, Authentic presents a compelling option grounded in open-source principles and a steadfast commitment to security.
Notable Quotes:
Fletcher Heisler [00:16]: "Authentic is the open source project that has, let's say over a million installations, a very wide community, been in development for seven years."
Fletcher Heisler [01:26]: "We've actually had a lot of Home Lab users then kind of graduate and take us to work and decide. I have experience in here, I can see how it could scale to what I need and introduce things that way."
Fletcher Heisler [05:04]: "We're very transparent in terms of CVE reporting... We publish all of our pen test results, we get at least annual pen tests, everything is source available."
Fletcher Heisler [08:00]: "Half at least of our business is non US based... particularly in Europe... looking at not having to rely on a US provider."
Fletcher Heisler [10:12]: "We're a public benefit company... we're always going to maintain open source. We're not just going to start charging for those parts or taking them out of the open source product."
This summary encapsulates the core discussions of the podcast, providing a comprehensive overview for those who haven't listened to the episode.