If you're looking for a secure and reliable way to manage user authentication,
permissions, and more, you may have heard of Ory. Did you know that there are
two ways to use Ory?
In this article, we'll explore the differences between Ory Network and
self-hosting Ory Open Source, and help you decide which option is right for you.
Ory Network and Ory self-hosted
Before we dive into the differences, let's take a quick look at what the Ory
Network and self-hosting Ory open source means.
Ory Network is a global infrastructure that uses Ory Open Source to deliver
various services and APIs such as login, permissions, OAuth2, and more. Ory
Network spans several global regions to deliver a fast service anywhere in the
world. Use Ory Network to take advantage of the power of open source and all the
features and benefits built on top by the Ory team, as well as continuous
updates, support, and security.
Self-hosting Ory means to use the foundational building blocks of the Ory
Network, the (Ory Kratos Identity Server, the
Ory Hydra OAuth2 Server, and the
Ory Keto Permission Server) and build
authentication and authorization systems yourself. Self-hosting Ory Open Source
is a great way to explore and experiment with security software, learn more
about open source software development, and participate in the building the new
login.
Feature differences
When deciding between the Ory Network and self-hosting, it's essential to know
what features are available in each option. The following table summarizes the
feature differences:
| Feature | Ory Network | Self-Hosting |
|---|
| Security & compliance | | |
| GDPR-compliant data storage | ✅ | ⚠️ |
| SOC2 T2 & ISO 27k certification | ✅ | ⚠️ |
| Automatically OpenID certified | ✅ | ❌ |
| PII region storage selection | ✅ | ⚠️ |
| Intelligent PII data homing | ✅ | ❌ |
| Brute force & DoS protection | ✅ | ⚠️ |
| Suspicious IP throttling | ✅ | ⚠️ |
| Breached password detection | âś… | âś… |
| OAuth2 Verifiable Credentials | âś… | âś… |
| OAuth2 Resource Owner Password Grant | ✅ | ❌ |
| Services and APIs | | |
| Identity and user management APIs | âś… | âś… |
| Low latency edge authentication | ✅ | ❌ |
| Permission APIs | âś… | âś… |
| Passwordless login | âś… | âś… |
| SMS verification and MFA | ✅ | ⚠️ |
| Password login | âś… | âś… |
| Social sign in | âś… | âś… |
| Machine-to-machine auth | âś… | âś… |
| Multi-factor authentication | âś… | âś… |
| OAuth2 and OIDC APIs | âś… | âś… |
| Search API | âś… | âś… |
| Organizations & B2B SSO | ✅ | ❌ |
| One-click SAML SSO | ✅ | ⚠️ |
| User management | | |
| Custom profile fields | âś… | âś… |
| Account linking | âś… | âś… |
| (Bulk) user import | âś… | âś… |
| User interfaces | | |
| Administrative user interface | ✅ | ❌ |
| Configuration management interface | ✅ | ❌ |
| No-code self-service pages | ✅ | ❌ |
| Themeable self-service pages | ✅ | ❌ |
| User activity insights | | |
| Live analytics and insights | ✅ | ❌ |
| Analytics and events UI | ✅ | ❌ |
| Integration and SDKs | | |
| Ory CLI tools | ✅ | ❌ |
| Backwards compatibility guarantee | ✅ | ❌ |
| SDKs for popular programming languages | âś… | âś… |
| Operations and deployment | | |
| Multi-regional deployments | ✅ | ❌ |
| Zero-downtime upgrades and migrations | ✅ | ❌ |
| Configuration management via API | ✅ | ❌ |
| Configuration management via files | âś… | âś… |
| Log access | đź” | âś… |
| Organization and multi-tenancy | | |
| Multitenancy (prod, staging, dev) | ✅ | ⚠️ |
| Team management | ✅ | ❌ |
| Organization management | ✅ | ❌ |
| Customer-facing multi-tenancy | ✅ | ❌ |
| Support & Maintenance | | |
| Community support | âś… | âś… |
| Automatic updates to the latest version | ✅ | ⚠️ |
| Zero-downtime migrations | ✅ | ⚠️ |
| 24/7 on-call incident support | ✅ | ⚠️ |
| Private ticketing system | ✅ | ❌ |
| Concierge migration support | ✅ | ❌ |
Legend:
- ⚠️: your responsibility
- âś…: solved
- ❌: not available
- đź”: planned
When it comes to choosing between Ory Network and self-hosting Ory, there are
several key differences to consider. Ory Network offers a range of features that
are not available in the open source stack, including compliance and
certifications, user-friendly interfaces, and advanced analytics and insights
systems. These features are specifically designed for the Ory Network
infrastructure, making it a comprehensive and convenient solution for businesses
looking to implement a fully featured IAM (Identity and Access Management) and
auth system.
On the other hand, the open source stack provided by Ory offers the powerful and
efficient APIs that form the backbone of Ory Network. However, running an auth
system in production requires more than just APIs - it also requires a deep
understanding of security requirements and solid infrastructure to ensure a
professional and scalable solution. This is where Ory Network shines, providing
businesses with a complete IAM and auth stack that is based on open source
technology, yet offers the added benefits of compliance, user interfaces, and
advanced analytics. By choosing Ory Network, companies can enjoy the best of
both worlds - the flexibility, openness, and customizability of open source
technology, combined with the convenience and professional features of a fully
managed solution.
Support
Ory only offers support services for self-hosted instances of its software in
rare cases.
Here's why:
- Incident response: When self-hosting, Ory's incident response team has no
access to the companies infrastructure. The time it takes to resolve incidents
thus increases significantly if Ory Engineers need to be involved. What could
be solved in minutes on Ory Network, has to go through several communication
channels, back and forth when Ory is self-hosted on the companies
infrastructure.
- Release process: Ory Network releases new features and updates on a daily
basis, while open source releases are quarterly. This allows Ory to maintain
the highest standards of security, reliability, and performance. With
self-hosting, companies have to manage upgrades, which can be time-consuming
and can lead to running in production on outdated versions, which can lead to
performance issues and potentially even security vulnerabilities.
- Upgrade fatigue: Based on open source telemetry data, less than 10% of all
Ory open source deployments run on a recent and supported version, while 90%
of deployments run on outdated versions that may have known vulnerabilities
such as patched Golang CVEs. This puts businesses and their customers at risk
of security breaches and performance issues. Ory Network eliminates upgrade
fatigue by providing automatic upgrades and ensuring that all deployments are
running on the latest and most secure version of Ory open source.
- Expertise: Ory engineers are experts when it comes to running Ory
software. They have the experience and knowledge to manage and troubleshoot
issues quickly and efficiently. With self-hosting, companies have to train
staff and build up expertise in-house or hire additional third parties to
manage the software.
Save time using Ory Network
When you use Ory Network, you save a significant amount of time that would
otherwise be spent on setting up infrastructure, maintaining it, and upgrading
the software yourself. The following estimates are based on what we have
observed since Ory was founded in 2015. Note that an exact time estimate heavily
depends on the details of your use case.
Get more done
Self-hosting takes longer than using Ory Network for several reasons:
- Initial setup: Setting up infrastructure and configuring it for
production use can be time-consuming, especially if you're not familiar with
the tools and technologies involved.
- Maintenance and monitoring: Once the solution is up and running, monitor
it 24/7 to ensure that it is performing as expected and to deal with any
issues that may arise. This can be a significant ongoing time commitment. On
Ory Network you can rest assured knowing that our team of experienced
engineers is handling maintenance and monitoring for you, freeing up your
time to focus on other important tasks.
- Upgrades: Upgrades can be time-consuming, especially if there are
breaking changes that require you to update your configuration and code. This
is particularly true if you are running on an older version of the software
and need to catch up with several releases at once. On Ory Network automatic
updates have you running on the latest versions always.
- UI and API development: If you need to develop user interfaces or
integrate with the software's APIs, this can add significant development time
to your project.
- Migration: Migrating a live auth system can be a complex process. On Ory
Network you can instead rely on an experienced team of engineers that get you
up and running in concierge onboarding sessions.
Estimated time savings
The following table shows estimated time savings when using the Ory Network
compared to setting up and maintaining the software yourself:
| Self-hosting | Ory Network |
|---|
| Set-Up | Continuous effort | Set up | Continuous effort |
|---|
| Operations |
| Monitoring and alerting | 1-14 days | 365 days / year | Available | None |
| Disaster recovery | 1-8 hours | 1 week / year | Out of the box | None |
| Configuration management and continuous deployment | 1-5 days | Not applicable | Out of the box in Ory Console | Not applicable |
| Software upgrades | 0h | 2-4 weeks / year | Not needed | None |
| Management |
| User-facing UIs | 1-4 weeks | 2 weeks / year | Out of the box | None |
| Administrative UIs | 2-4 weeks | 2 weeks / year | Out of the box | None |
| Admin API access control | 1-2 days | 1 day / year | Out of the box | None |
| Integration |
| New site/service | ~1-2 days | None | ~1-10 hours | None |
| Migration site/service to Ory | ~2-4 weeks | None | ~1-2 weeks | None |
Cost Savings when Using the Ory Network
Choosing Ory Network over self-hosting can also result in significant cost
savings. When you self-host, you're responsible for infrastructure costs such as
EC2 instances and Postgres AuroraDB, as well as ongoing expenses like continuous
monitoring, alerting, and traffic costs. With Ory Network, these costs are
already included in our subscription plans. This means that you can focus on
building your product without worrying about the hidden costs of infrastructure
and maintenance.
While these numbers are rough estimates and heavily dependent on the use case
and cost optimization, choosing Ory Network can help you save both time and
money compared to self-hosting.
1-1,000 Daily Active Users/Machines
For a site with less than 1,000 active users/machines (regardless of what Ory
service you use), two virtual machines for failover, each with 2 vCPUs and 4GB
of RAM to run up to three Ory services, and one small sized PostgreSQL instance
with 100GB would be needed.
According to the
AWS price calculator,
this sums up to about $2,080.76 per year.
On the other hand, with the Ory Network Production Plan, these resources are
included, along with development/staging projects, continuous monitoring,
alerting, traffic, and metrics for only $770 per year.
| | Self-hosting | Production Plan |
|---|
| Compute | 2x AWS EC2 2vCPU, 4GB RAM, 50GB SSD | $918.72 / year | $0 / year |
| Database | 1x AWS RDS Postgres 2vCPU, 4GB RAM, 100GB SDD | $879.96 / year | $0 / year |
| API Gateway | AWS API Gateway | $44.52 / year | $0 / year |
| Load Balancer | AWS Load Balancer | $237.48 / year | $0 / year |
| Operations | Monitoring, logs, alerting (e.g. Datadog) | Depends on solution | $0 / year |
| | | |
| Total | > $2,080.76 / year | $770 / year |
| Cost savings | | > 40% |
1,000-20,000 Daily Active Users/Machines
For a site or application with 1,000 to 20,000 daily active (machine) users,
self-hosting Ory open source becomes more expensive. Self-hosting at this scale
requires more virtual machines for failover and a larger database instance,
resulting in higher costs. With the Ory Growth Plan, you get a cost-effective
solution that is easier to set up, manage, and scale.
According to the
AWS price calculator,
this sums up to about $14,167.78 per year.
For businesses with 1,000-20,000 daily active users/machines, we recommend the
Ory Growth Plan for $9350 per year as the cheaper and better option. This plan
includes everything in the Production Plan, plus additional features such as
enterprise-grade support, a dedicated account manager, and priority bug fixes.
| | Self-hosting | Growth Plan |
|---|
| Compute | 4x AWS EC2 4vCPU, 8GB RAM, 50GB SSD | $4,695.48 / year | $0 / year |
| Database | 2x AWS RDS Postgres 4vCPU, 16GB RAM, 500GB SDD | $8,780.76 / year | $0 / year |
| Traffic | In- and egress | $445.44 / year | $0 / year |
| Operations | Monitoring, logs, alerting (e.g. Datadog) | $246.12 / year | $0 / year |
| | | |
| Total | $14,167.78 / year | $9350 / year |
| Cost savings | | > 65% |
Over 100,000 Daily Active Users/Machines
When dealing with a website or application that has over 100,000 daily active
users, self-hosting becomes even more complicated and expensive. Here are some
reasons why:
- The cost of compute and self-hosting explodes further because you need one
highly available deployment (at least 4 nodes) in every region. This means
that you will need a lot more virtual machines to run your application.
- You need a multi-region capable database. A multi-region capable database
such as Spanner is needed to ensure that data is consistent and available in
every region.
- Multi-region setup is only available in the Ory Network due to the software
and architecture complexity and reliance on third-party service providers
such as Cloudflare and CockroachDB.
- We recommend reaching out to us directly. We are
committed to finding a solution that fits your needs - both on the technology
and the commercial side. Ory Network platform provides you with the resources
and support you need to handle a large user base.
How Ory achieves these savings
Ory Network achieves cost savings through several factors, including economies
of scale, efficient multi-tenancy, and optimized design. By serving a large
number of customers, we're able to spread infrastructure costs across many
users, resulting in lower expenses for everyone. Our custom code also allows us
to run multiple tenants on shared resources more efficiently, further reducing
costs.
In contrast, self-hosting can be expensive and time-consuming. When businesses
self-host, they need to purchase or rent their hardware and set up
infrastructure, which can be a significant upfront investment. They also need to
manage the infrastructure themselves, including updates, security, and
maintenance. This requires an experienced team and/or other third party
services. These ongoing costs can add up quickly.
In contrast, Ory Network provides a turnkey solution that eliminates the need
for businesses to manage their infrastructure. We take care of hardware,
software, security, and maintenance, allowing businesses to focus on their core
competencies instead of worrying about IT operations. This can result in
significant cost savings, especially for smaller businesses or those without
dedicated IT resources. By choosing Ory Network, businesses can save time,
reduce costs, and improve their overall identity and access management solution.
Have questions about Ory Network or need help with your identity and access
management solution?
Reach out to our team of experts!
