DevWorld 2025 - A dichotomy of open source and enterprise

Published by Alex Olivier on March 05, 2025

Last week Cerbos headed to Amsterdam for the DevWorld conference. This was our second year attending the event and it is always great to see some familiar faces as well as get a chance to speak to hundreds of new ones (and say hi to some customers!).

Reflecting on the two days of conversations, two camps emerged: the early-stage startup open-source adopters and the massive enterprise organizations. Both groups have similar requirements around fine-grained authorization, but the technology stacks they use to deliver it are different.

Authentication: Keycloak vs. Entra ID

Startups and open source adopters tend to favor Keycloak for authentication, valuing its flexibility, self-hosting capabilities, and strong support for open standards - and the price point!

On the other hand, large enterprises often rely on Microsoft Entra ID (aka Azure AD), primarily because it already exists in their enterprise IT infrastructure, provides strong compliance features, and offers managed security.

Cerbos seamlessly integrates with both, ensuring fine-grained authorization decisions can be enforced without being tied to the authentication provider. The approaching wave of non-human identities is only solidifying the need for a centralized authentication and identity management solution, and picking either of these approaches sets businesses up for success.

Languages: Node vs. Java Spring

The early-stage companies we spoke to, particularly those in the developer tooling and SaaS space, often build with Node.js. Why this is the case is curious given the plethora of strong technologies out there, but a common theme was prioritizing speed and developer experience.

Enterprises, however, lean heavily on Java Spring, given its robustness, long-term maintainability, and deep integration into their tech ecosystems. Spring Security was often cited by attendees as how access control is currently done, but it simply couldn't deliver on the fine-grained needs of their evolving authorization logic.

Cerbos is designed to be language-agnostic, making it easy to embed policy-based access control into your languages of choice without rewriting authorization logic for each stack.

Architecture: Microservices vs Monoliths

Startups are often cloud-native, favoring microservices and containerized deployments to stay agile and scalable. In contrast, enterprises often have to work with monolithic applications, where change cycles are slower, but stability is paramount.

Cerbos' decoupled authorization model ensures that both architectures benefit from centralized policy management—whether deployed alongside microservices in Kubernetes or embedded within a legacy monolith.

Concluding thoughts

While startups and enterprises approach authorization with different technology stacks, their fundamental need for fine-grained access control remains the same. Cerbos bridges this technological divide by offering a truly stack-agnostic solution that integrates seamlessly with any authentication provider, programming language, or architectural approach - allowing teams to focus on innovation rather than rebuilding authorization logic.

Learn more about how Cerbos can seamlessly integrate into your existing ecosystem. If you're interested in implementing externalized authorization, try out Cerbos Hub or book a call with a Cerbos engineer to see how our solution can help streamline access control in your applications.
