Case Studies

IKUE

MIGRATION
Ikue is the world’s first AI-powered customer data platform, specifically designed for the telecom industry, that helps telecom operators increase Customer Lifetime Value by collecting, collating, and analysing customer data in real time and making rich insights available to marketing users to deliver highly personalised customer experiences, craft world-class customer journeys, and drive organic growth. Ikue’s unique AI-driven features include no-code TM Forum certified connectors for efficient implementation, a telco-specific data model, an AI-powered Analytics Factory, the unique Ikue Marketing ID, and a machine learning auto-mapping capability. These features ensure a swift time-to-market. Ikue’s embedded Ikue Marketing Toolkit, boasting over 50 best practice telco use cases and delivering more than 3200 traits, is key to a quick return on investment and a significant increase in CLV.

The Challenge

Ikue needed to enhance their SaaS product offering to allow self-service onboarding. The key areas brought up during an initial discovery with Rebura were tenant isolation, with respect to user-to-service and service-to-service communication, and a best practice review of their current architecture, optimising for scale and cost.

THE SOLUTION

Amazon Cognito was chosen as the core AWS service for the user service, managing user identities and authentication flows. Ikue highlighted that they wanted a user pool per tenant and needed a user service built to handle identities and application-specific permissions. Furthermore, a solution for isolating tenant user traffic to the respective tenant’s resources was developed, leveraging the user service, API Gateway and its Lambda authorizer feature. Rebura also reviewed Ikue’s current data ingestion and web application architectures, including their software deployment strategy, using the SaaS Lens tool.

OVERVIEW OF KEY DELIVERABLES:

Tenant Isolation (Data and service access isolation)


To secure the isolation and routing within Ikue’s bridged, VPC-driven, siloed tenancy model, the solution selected for this project uses context from a JWT with the user service (Cognito) to route a user through API Gateway to the correct tenant resource. A Lambda authorizer is used on API Gateway to decode the JWT, verify it and give the user access to the relevant tenant. See the architecture diagram.
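A sketch of the authorizer logic described above, added here as an illustration and not taken from Ikue's or Rebura's code. It assumes a hypothetical `/tenants/<tenant>/...` path layout and constructed pool IDs, and it swaps in stdlib HS256 for the signature check so it runs offline; real Cognito tokens are RS256 and are verified against each pool's JWKS.

```python
import base64, hashlib, hmac, json, time

# Constructed registry: one user pool (issuer) per tenant; every value is a placeholder.
POOL = "https://cognito-idp.eu-west-1.amazonaws.com/eu-west-1_"
TENANT_POOLS = {
    POOL + "EXAMPLEA": {"tenant": "tenant-a", "key": b"demo-key-a"},
    POOL + "EXAMPLEB": {"tenant": "tenant-b", "key": b"demo-key-b"},
}

def _b64d(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64e(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_token(claims, key):
    """Build a constructed HS256 test token (stand-in for a Cognito RS256 token)."""
    head = _b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64e(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64e(sig)}"

def verify(token, now=None):
    """Return claims plus the tenant of the pinned issuer, or None on any failure."""
    try:
        head, body, sig = token.split(".")
        header, claims = json.loads(_b64d(head)), json.loads(_b64d(body))
        pool = TENANT_POOLS.get(claims.get("iss"))  # unknown issuer: reject
        if pool is None or header.get("alg") != "HS256":
            return None
        want = hmac.new(pool["key"], f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(want, _b64d(sig)):
            return None
        if claims.get("exp", 0) <= (now or time.time()):
            return None
        return {**claims, "tenant": pool["tenant"]}  # tenant is never read from the token
    except (ValueError, TypeError, AttributeError):
        return None

def handler(event, context=None):
    """TOKEN authorizer: allow only paths under /tenants/<caller's tenant>/ (assumed layout)."""
    claims = verify(event.get("authorizationToken", "").split(" ")[-1])
    arn = event["methodArn"]  # arn:aws:execute-api:region:account:api/stage/VERB/path
    path = arn.split("/", 3)[3] if arn.count("/") >= 3 else ""
    ok = claims is not None and path.split("/")[:2] == ["tenants", claims["tenant"]]
    stmt = {"Action": "execute-api:Invoke", "Effect": "Allow" if ok else "Deny", "Resource": arn}
    return {"principalId": claims.get("sub", "unknown") if ok else "anonymous",
            "policyDocument": {"Version": "2012-10-17", "Statement": [stmt]},
            "context": {"tenant": claims["tenant"]} if ok else {}}
```

The tenant is derived from the issuer that the signature was checked against, so a token from one tenant's pool cannot be replayed against another tenant's path, and a token that names one pool but is signed with another pool's key fails verification.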

User Service (Self-service user management and permission system)

The user service integrates two broad functions: authentication and authorization. Amazon Cognito provides the user data store and authentication functionality. An implementation of a third-party package, Casbin, achieves the authorization functionality through user- and system-defined policies. The user service takes the form of a web application, which provides the client-facing interface for authentication and authorization. A framework like FastAPI would be used for this purpose to allow the combination of infrastructure and data to isolate tenants. See the architecture diagram.

SaaS Lens Review

The SaaS Lens is part of the AWS Well-Architected Framework and provides a standardised set of questions addressing design principles and best practices for SaaS applications on AWS. It will enable Ikue to review and improve their cloud-based architectures and better understand the business impact of their design decisions. During the review, general design principles are addressed, as well as specific best practices and guidance in line with the 6 pillars of the Well-Architected Framework.

Software Updates

Within the Discovery Report, a rundown of how Ikue implement software updates is detailed, along with a task list of how they can improve going forward. This list is intended to result in a separate, decoupled tenant provisioning process for the first-time deployment of a tenant. Ikue’s current structure works well: they have automated the pipeline using a combination of Terraform scripts and GitHub Actions, they separate the tenants via VPCs, and the deployment uses a blue/green strategy to handle the swapping out of tasks, which will ensure zero downtime. The solution is optimal for rolling out software updates but perhaps not for first-time deployments of a tenant. Refactoring the code and GitHub Actions will provide them with that separate, decoupled provisioning process. Doing so can mean a frictionless onboarding process for new tenants, which is a core principle for a SaaS offering.

The Results

Rebura provided Ikue with a SaaS Discovery Report detailing a prioritised list of tasks addressing the items outlined in the requirements for Tenant Isolation and Routing, User Service, SaaS Architecture Review and Software Application Updates.

The first 2 of these projects are strongly focused on the challenge of tenant and user management: identity and access, multi-tenant storage, and tenant isolation. The User Service project also has ramifications for agility and operations because of its role in onboarding users to the platform. The SaaS Architecture Review and Software Application Updates seek to improve the composition of Ikue’s SaaS product and address the DevOps challenges associated with Ikue’s siloed tenancy model.

ABOUT THE PARTNER

Rebura are one of the world’s fastest growing AWS consultancies helping customers of all sizes to design, build, migrate & manage their AWS environment. Rebura is recognised and highly regarded as a strategic partner of AWS, having been awarded the 2021 Well-Architected Partner of the Year and 2020 Rising Star Partner of the Year awards by AWS. AWS also recognises Rebura as having the expertise and experience to support customers of all sizes as they build, optimize, and secure their apps and workloads on AWS.