Modernisation Case Study
Ikue is the world’s first AI-powered customer data platform, specifically designed for the telecom industry, that helps telecom operators increase Customer Lifetime Value by collecting, collating, and analysing customer data in real time and making rich insights available to marketing users to deliver highly personalised customer experiences, craft world-class customer journeys, and drive organic growth.
Ikue’s unique AI-driven features include no-code TM Forum certified connectors for efficient implementation, a telco-specific data model, an AI-powered Analytics Factory, the unique Ikue Marketing ID, and a machine learning auto-mapping capability. These features ensure a swift time-to-market. Ikue’s embedded Ikue Marketing Toolkit, boasting over 50 best practice telco use cases and delivering more than 3200 traits, is key to a quick return on investment and a significant increase in CLV.
The challenge
Ikue needed to enhance their SaaS product offering to allow self-service onboarding. The key areas brought up during an initial discovery with Rebura were tenant isolation with respect to user-to-service and service-to-service communication and a best practice review of their current architecture optimising for scale and cost.
The solution
Cognito was chosen as the core AWS service to use for the user service to manage user identities and authentication flows. Ikue highlighted that they wanted a user pool per tenant and needed a user service built to handle identities and application-specific permissions. Furthermore, a solution for isolating tenant user traffic to the respective tenant’s resources was developed leveraging the user service, API Gateway and its custom Lambda feature. Rebura also reviewed their current data ingestion and web application architectures, including their software deployment strategy using the SaaS Lens tool.
Overview of key deliverables
Tenant Isolation (data and service access isolation)
To secure the isolation and routing within Ikue’s bridged, VPC-driven, siloed tenancy model the solution selected for this project uses context from a JWT with the user service (Cognito) to route a user through API Gateway to the correct tenant resource. A lambda authoriser is used on API Gateway to decode the JWT, verify it and provide the user access to the relevant tenant. See architecture diagram:
User Service (self-service user management and permission system)
The user service integrates two broad functions – authentication and authorisation. Amazon Cognito provides the user data store and authentication functionality. An implementation of a 3rd party package, Casbin, achieves the authorisation functionality through user- and system-defined policies. The user service takes the form of a web application, which provides the client-facing interface for authentication and authorisation. A framework like FastAPI would be used for this purpose to allow the combination of infrastructure and data to isolate tenants. See architecture diagram:
SaaS Lens review
The SaaS Lens is part of the AWS Well-Architected Framework and provides a standardised set of questions addressing design principles and best practices for SaaS applications on AWS. It will enable Ikue to review and improve their cloud-based architectures and beter understand the business impact of their design decisions. During the review general design principles are addressed as well as specific best practices and guidance in line with the 6 pillars of the Well-Architected Framework.
Software updates
Within the Discovery Report, a rundown of how they implement software updates are detailed along with a task list of how they can improve going forward. This list is intended to result in a separate, decoupled tenant provisioning process with respect to first time deployment of a tenant. The current structure Ikue have works well, they have automated the pipeline using a combination of Terraform scripts and GitHub actions, they separate the tenants via VPC’s and the deployment uses a blue green strategy to handle the swapping out of tasks which will ensure zero downtime. The solution is optimal for rolling out software updates but perhaps not for first time deployments of a tenant. Refactoring the code and GitHub Actions will provide them with a separate, decoupled tenant provisioning process with respect to the first time deployment of a tenant. Doing so can mean a frictionless onboarding process for new tenants which is a core principle for a SaaS offering.
The results
Rebura provided Ikue with a SaaS Discovery Report detailing a prioritised list of tasks addressing the items outlined in the requirements for Tenant Isolation and Routing, User Service, SaaS Architecture Review and Software Application Updates.
The first two of these projects are strongly focused on the challenge of tenant and user management – identity and access, multi-tenant storage, tenant isolation. The User Service project also has ramifications to agility and operations – because of its role in onboarding users to the platform. The SaaS Architecture Review and Software Application Updates seek to improve the composition of Ikue’s SaaS product and address the DevOps challenges associated with Ikue’s siloed tenancy model.
Other case studies you might enjoy
Building a futureproof infrastructure
Find out how we improved scalability and performance for the Army Benevolent Fund’s website.
ABF Case Study
Migrating the data centre within a one-hour downtime window
Rebura successfully migrated the primary data centre and PageSuite now entirely operates in the AWS cloud.
PageSuite Case Study
Designing and delivering a new infrastructure
RCI needed a rock-solid infrastructure, so we delivered. Explore how we gave them an upgrade.
RCI Bank and Services Case Study