Risky Bulletin – Episode Summary
Podcast: Risky Bulletin
Host: Tom Uren (risky.biz)
Guest: Fletcher Heisler, CEO of Authentic
Date: September 28, 2025
Episode: Sponsored: Why identity is critical
Episode Overview
This episode explores the crucial role of identity management platforms (IDPs) in modern enterprise security, why they are potential single points of failure, and strategies to add resilience through backup and open-source implementations. The discussion features Fletcher Heisler (Authentic), who highlights the risks of overreliance on both cloud services and proprietary SaaS identity providers, examines lessons from real-world breaches, and explains the rationale and advantages behind Authentic’s open-source, source-available approach to identity infrastructure.
Key Discussion Points & Insights
1. The Importance of Identity Infrastructure Resilience
- Identity as a Single Point of Failure:
  - Many organizations rely heavily on a single IDP—if it fails, employee access to all services and applications is blocked.
  - Recent breaches (e.g., Aeroflot, Maersk) underscore how poor backup planning for critical systems like identity can magnify outages.
  - Quote (Fletcher):
    "You kind of have to think about the potential risks and diversify your options there based on what might possibly happen as the most catastrophic outcome. True of an identity provider, true of any other critical infrastructure for a business." [02:20]
- Balancing Uptime & Practical Access:
  - Official SaaS uptime SLAs (Service Level Agreements) often mask the practical impact of outages or degraded service.
  - Heisler notes:
    "Is it acceptable if none of our employees can get to anything for an hour or two every year? That's a high nines uptime, right?... What if service is degraded? You can technically use it, but you know, practically speaking maybe not so much." [03:38]
2. Backup & Redundancy Strategies
- Catastrophic Real-World Examples:
  - Aeroflot: Severe disruption due to a simplistic backup design (two servers backing up to each other).
  - Maersk: 140 servers, all wiped except one in Africa (offline due to a power outage during the attack).
  - Lesson: Large server counts or conventional redundancy can still fail catastrophically if the failure scenarios are not considered strategically.
- Strategy Recommendations:
  - Diversify not just geographically but architecturally (on-premises, multiple cloud providers, local/private cloud).
  - Orchestrate multiple IDPs or backup layers so that the backup does not itself become a new single point of failure.
  - Particularly for mission-critical organizations (e.g., 911 centers):
    "...if Internet goes out entirely, they can't use an idp...they need to still have identity and so they're using that strictly on prem as well as those backups to say regardless of the scenario, we have backup access and even if we don't have Internet at all, we can still access our systems." [04:30]
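The fallback ordering these recommendations describe (SaaS primary, a second cloud provider, an on-premises instance that still works with no Internet) can be expressed as a small health-check and selection routine. The following is an added illustration, not code from the episode or from Authentic's product: provider names, discovery URLs and probe results are constructed, and the 2-second "degraded" threshold is an assumed value. A probe that answers slowly or with an error is treated the same as an outage, reflecting Heisler's point that a technically reachable IDP can be practically unusable, and the routine flags when only one provider is left healthy, since that survivor is now the single point of failure.

```python
"""Ordered failover across several identity providers (constructed example, not Authentic's code)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class IdpEndpoint:
    name: str           # constructed label for this provider
    discovery_url: str  # hypothetical OIDC discovery URL; never contacted in this example
    tier: str           # "saas", "cloud-secondary" or "on-prem"


@dataclass
class ProbeResult:
    reachable: bool
    latency_ms: float
    http_status: int = 200


# Assumed threshold: above this the IDP is "up" on paper but practically unusable.
DEGRADED_LATENCY_MS = 2000.0


def is_healthy(result: ProbeResult) -> bool:
    """Treat degraded or error responses the same as an outage."""
    return (result.reachable
            and result.http_status == 200
            and result.latency_ms <= DEGRADED_LATENCY_MS)


def select_idp(endpoints: List[IdpEndpoint],
               probe: Callable[[IdpEndpoint], ProbeResult]
               ) -> Tuple[Optional[IdpEndpoint], Dict[str, bool]]:
    """Probe every endpoint in preference order; return the first healthy one plus the full health map."""
    health: Dict[str, bool] = {}
    chosen: Optional[IdpEndpoint] = None
    for ep in endpoints:
        try:
            health[ep.name] = is_healthy(probe(ep))
        except Exception:  # a probe that raises counts as unreachable
            health[ep.name] = False
        if chosen is None and health[ep.name]:
            chosen = ep
    return chosen, health


def single_point_of_failure(health: Dict[str, bool]) -> bool:
    """True when at most one provider is healthy: the survivor is now a single point of failure."""
    return sum(1 for ok in health.values() if ok) <= 1


# Preference order: SaaS primary, second cloud provider, on-prem last resort (constructed).
ENDPOINTS = [
    IdpEndpoint("saas-primary", "https://idp.example.invalid/.well-known/openid-configuration", "saas"),
    IdpEndpoint("cloud-secondary", "https://idp-b.example.invalid/.well-known/openid-configuration", "cloud-secondary"),
    IdpEndpoint("on-prem", "https://idp.corp.example.invalid/.well-known/openid-configuration", "on-prem"),
]

# Constructed probe outcomes for three situations.
SCENARIO_ALL_UP = {
    "saas-primary": ProbeResult(True, 120.0),
    "cloud-secondary": ProbeResult(True, 140.0),
    "on-prem": ProbeResult(True, 30.0),
}
SCENARIO_DEGRADED = {  # SaaS answers but slowly; second cloud returns 503
    "saas-primary": ProbeResult(True, 4500.0),
    "cloud-secondary": ProbeResult(True, 90.0, 503),
    "on-prem": ProbeResult(True, 30.0),
}
SCENARIO_NO_INTERNET = {  # only the on-prem instance is reachable
    "saas-primary": ProbeResult(False, 0.0, 0),
    "cloud-secondary": ProbeResult(False, 0.0, 0),
    "on-prem": ProbeResult(True, 30.0),
}


def run_scenario(scenario: Dict[str, ProbeResult]) -> Tuple[Optional[str], Dict[str, bool], bool]:
    """Return (chosen provider name, health map, single-point-of-failure flag) for a canned scenario."""
    chosen, health = select_idp(ENDPOINTS, lambda ep: scenario[ep.name])
    return (chosen.name if chosen else None), health, single_point_of_failure(health)


if __name__ == "__main__":
    for label, scenario in [("all-up", SCENARIO_ALL_UP), ("degraded", SCENARIO_DEGRADED),
                            ("no-internet", SCENARIO_NO_INTERNET)]:
        chosen, health, spof = run_scenario(scenario)
        print(f"{label}: use {chosen}, healthy={health}, single point of failure={spof}")
```

In a real deployment the probe would fetch each provider's discovery document over the network and the "degraded" and "no-internet" cases would be exercised regularly, not only when an outage forces them; the selection logic itself stays the same. In the degraded scenario the routine skips the slow SaaS primary and the erroring secondary and lands on the on-prem instance, and it raises the single-point-of-failure flag because nothing else is left to fall back to.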
- On the Business Risk Matrix:
  - Third-party cloud service failures are seen as "everyone's problem."
  - IDP failures are seen as "your problem":
    "If my IDP falls over and I don't have a backup...that's on me. That feels like something on a risk matrix that directly you're responsible rather than you can wash your hands." [06:33]
3. The Case for Open Source & Source-Available IDPs
- Authentic's Approach:
  - Started as open source; now maintained by a public benefit company with an enterprise version for larger organizations.
  - Key selling point: If Authentic as a vendor disappears or changes pricing, customers can still run the software themselves (mitigating vendor lock-in).
- Reducing Risk and Customization Limits:
  - Proprietary SaaS solutions can suddenly shift business models or deprioritize features, leaving customers stuck.
  - Quote (Heisler):
    "If your IDP triples your cost all of a sudden now what? You can't just turn it off. So being able to have multiple options available to you is very important." [06:49]
    "...you can just keep running it, the code is yours, you're not relying on us." [07:26]
- Why Organizations Seek Authentic:
  - Often a gradual frustration: rising costs, engineering complexity, and lack of feature flexibility lead teams to seek more control.
  - Heisler:
    "It's the slow burn of we're spending more and more engineering hours...to get the last mile of functionality...or some of that reliability concern of we don't have any power over how this product operates..." [08:27]
4. The Cloud Promise vs. Reality
- Cloud-Only Isn't Enough:
  - The conversation acknowledges that the industry hope for "cloud-only" infrastructure doesn't address all resilience needs.
  - On-premises components or containers in your own cloud environment offer added control and reliability.
  - Heisler stresses:
    "Being able to run containers that use all of the same tooling is a lot easier to integrate with than a black box SaaS solution that you don't actually have full access to." [09:47]
- Total Cost of Ownership (TCO):
  - After initial setup, running your own or an open-source IDP can often be more cost-effective and flexible than subscription SaaS models.
5. Agility, Integrations, & Community Collaboration
- Integration Flexibility:
  - Legacy leaders like Okta are strong due to their pre-built integrations, but can be slow to adapt to user-specific needs.
  - Authentic emphasizes rapid development—example:
    "We can much more rapidly develop those individual integrations with our customers and then they can customize them further...We had one [Workday integration] ready in a week and a half." [11:07]
  - The open source/community process allows direct mapping and customization of attributes without waiting for the vendor or for product roadmap alignment.
Notable Quotes & Memorable Moments
- On Catastrophic Outcomes:
  "You kind of have to think...about what might possibly happen as the most catastrophic outcome. True of an identity provider, true of any other critical infrastructure for a business." (Fletcher Heisler, [02:20])
- On Uptime vs. Reliability:
  "Is it acceptable if none of our employees can get to anything for an hour or two every year? That's a high nines uptime, right?" (Fletcher Heisler, [03:38])
- On Responsibility for IDP Failures:
  "If my IDP falls over and I don't have a backup...that's on me. That feels like something on a risk matrix that directly you're responsible [for] rather than you can wash your hands." (Tom Uren, [06:33])
- On Control and Risk:
  "[With Authentic] you can just keep running it, the code is yours, you're not relying on us." (Fletcher Heisler, [07:26])
- On Integration Speed:
  "We had one [Workday integration] ready in a week and a half ... being able to turn that over very quickly and then also allow the customer to not even have to wait for us..." (Fletcher Heisler, [12:02])
Timestamps of Key Segments
- [00:48] Real-world data loss & backup failures (Aeroflot, Maersk)
- [02:20] Diversification of backup and infrastructure; thinking about catastrophic outcomes
- [03:38] SaaS uptime, reliability vs. availability
- [04:30] Healthcare/critical infrastructure: backup IDP needs for 911 centers
- [06:33] Business risk manager’s perspective: Cloud-wide failures vs. IDP failures
- [07:26] Authentic’s open source risk mitigation value proposition
- [08:27] Why organizations seek alternatives: cost, engineering burden, control
- [09:47] Shortcomings of cloud-only strategies, TCO analysis
- [11:07] Integration agility & developer experience with Authentic
- [12:32] Closing remarks
Tone & Final Thoughts
The conversation balanced practical security engineering insights with business risk realities. Both Tom Uren and Fletcher Heisler spoke candidly: Uren probed the operational realities of identity failures, while Heisler provided honest context, eschewing inflated marketing in favor of technical and business transparency. The dialogue was direct and informative, accessible to both technical leaders and business managers.