When you operate at the very core of global internet connectivity - carrying traffic for thousands of operators, content providers and enterprises, reaching billions of end users - a compromised or failed authentication event can cost a lot.
Arelion, one of the world’s largest Tier 1 internet providers, understood this clearly when it set out to build its own independent IT foundation following its 2021 divestment from Telia Company. Choosing the right identity and access management solution was a strategic decision about control, security and long-term competitive resilience.
Arelion chose Curity.
“We operate at the very core of internet connectivity. Our customers are measured in thousands, but the impact of our services reaches billions of users.” - Per-Axel Felth, Head of IT Architecture, Arelion
Two Years to Build Independence
Following its divestment, Arelion had two years to establish a fully independent IT landscape. Identity was among the most critical components to get right.
The requirements were straightforward: self-hosted deployment, deep flexibility for custom use cases, integration with on-premise user repositories, strict adherence to open standards like OAuth and OpenID Connect and support for specific flows.
Choosing a SaaS identity provider would have meant accepting someone else’s architectural constraints and vendor upgrade schedules, with limited control over token issuance, claim structure and permission enforcement.
“We wanted to keep control and make sure we could cover all our use cases,” said Per-Axel. “With SaaS services, you often don’t get the flexibility we needed. Having a self-hosted solution gave us that confidence.”
Curity delivered what the alternatives couldn’t: an enterprise-grade identity platform built on open standards with the deployment control Arelion needed to build an independent foundation for its business.
Curity vs SaaS
| Requirement | Curity | Typical SaaS IAM |
|---|---|---|
| Self-hosted deployment | ✓ | X |
| On-premise data store integration | ✓ | X |
| Full OAuth flow flexibility | ✓ | Partial |
| Token Intelligence | ✓ | X |
| Rolling upgrades | ✓ | Vendor-managed |
| Kubernetes production ready | ✓ | Not applicable |
| Open standards | ✓ | ✓ |
Curity - One Platform for Customers, APIs and Internal Systems
Rather than treating customer authentication and API security as separate domains requiring separate vendors, Arelion built a single, unified identity layer on Curity - one platform serving every integration point in the business.
The customer portal uses different identity flows to support users, APIs, and partner integrations. User authentication runs on the OAuth 2.0 authorization code flow, while internal and external APIs are protected using JWT bearer tokens and client credentials. Server-to-server communication runs on assertion flows and partner integrations are handled through federated identity.
Production Performance: Reliability at Backbone Scale
For Arelion’s customers - major global enterprises, operators and digital infrastructure providers - even a brief authentication failure carries significant operational and reputational consequences. In production, Curity has delivered precisely the stability the business requires.
Rolling upgrades are performed without customer impact, on Arelion’s terms, so that version changes introduce no downtime. The team emphasizes that the environment is stable, performant and operationally predictable, all of which are critical for a company whose own value proposition to its customers rests on exactly these qualities.
Kubernetes at Scale: From Early Adopter to Production Ready
Arelion deployed Curity on AWS EKS - and both parties are honest about the learning curve. Curity’s Kubernetes support was not yet where it needed to be and Arelion found itself in early-adopter territory. Arelion worked closely with Curity’s support to adapt their own deployment model and push the platform forward. Working through the hard problems together was worth it: today, the EKS environment is stable and the team runs version changes smoothly.
Toward More Granular, Risk-Adaptive Security
Arelion’s identity program continues to evolve. The next phase is focused on moving away from uniform security controls toward a risk-adaptive model, where token lifetimes, authentication strength and permission scope are dynamically tied to the privilege level of the action being performed. The team is leveraging the token intelligence capabilities of the Curity Identity Server by developing differentiated token lifetimes and also investigating stronger second-factor requirements for high-risk operations.
Compliance requirements are also becoming increasingly central, reinforcing the business case for a robust, adaptable identity foundation that Curity offers.
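One way a resource server could enforce the risk-adaptive model described above, shown as an added example that is not Arelion's or Curity's code. The operation names, tiers, limits and ACR values are hypothetical, and the claims are assumed to come from an access token whose signature, issuer and audience were already verified.

```python
from dataclasses import dataclass

# Hypothetical ACR values; real ones come from the authorization server's configuration.
ACR_PASSWORD = "urn:example:acr:password"
ACR_MFA = "urn:example:acr:mfa"

@dataclass(frozen=True)
class TierPolicy:
    max_token_lifetime: int  # seconds, largest (exp - iat) accepted for this tier
    max_auth_age: int        # seconds allowed since the user authenticated (auth_time)
    accepted_acr: frozenset  # authentication strengths accepted for this tier

# Hypothetical tiers: high-risk actions need short-lived tokens and a recent second factor.
POLICIES = {
    "low": TierPolicy(3600, 8 * 3600, frozenset({ACR_PASSWORD, ACR_MFA})),
    "high": TierPolicy(300, 900, frozenset({ACR_MFA})),
}
# Hypothetical operations mapped to (risk tier, required scope).
OPERATIONS = {
    "tickets:read": ("low", "tickets.read"),
    "routing:change": ("high", "routing.write"),
}

def authorize(claims, operation, now):
    """Return (decision, reason); decision is 'allow', 'deny' or 'step_up'."""
    if operation not in OPERATIONS:
        return ("deny", "unknown_operation")  # fail closed on unmapped actions
    tier, scope = OPERATIONS[operation]
    policy = POLICIES[tier]
    try:
        iat, exp = int(claims["iat"]), int(claims["exp"])
    except (KeyError, TypeError, ValueError):
        return ("deny", "malformed_token")
    if now >= exp:
        return ("deny", "expired")
    if scope not in str(claims.get("scope", "")).split():
        return ("deny", "insufficient_scope")
    if exp - iat > policy.max_token_lifetime:
        return ("deny", "token_lifetime_exceeds_tier")  # client must obtain a shorter-lived token
    if claims.get("acr") not in policy.accepted_acr:
        return ("step_up", "stronger_authentication_required")
    auth_time = claims.get("auth_time")
    if not isinstance(auth_time, int) or now - auth_time > policy.max_auth_age:
        return ("step_up", "reauthentication_required")
    return ("allow", "ok")

# Constructed sample claims (not real tokens).
NOW = 1_700_000_000
LONG_PWD = {"iat": NOW - 600, "exp": NOW + 3000, "scope": "tickets.read routing.write", "acr": ACR_PASSWORD, "auth_time": NOW - 700}
SHORT_MFA = {"iat": NOW - 60, "exp": NOW + 240, "scope": "routing.write", "acr": ACR_MFA, "auth_time": NOW - 120}
```

The same one-hour, password-only token that is accepted for a low-risk read is rejected for the high-risk change, while a five-minute token backed by a recent second factor is allowed.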
Identity as Competitive Infrastructure
For Arelion, the Curity platform is not a standalone security tool but rather a part of the critical infrastructure that makes the business possible - the foundation on which customer trust, API security and operational reliability are built.
From post-divestment urgency to stable, scalable production, Arelion’s journey is a case study in treating identity as a strategic asset rather than a compliance cost. The flexibility to customize token issuance, the control that comes with self-hosted deployment and the open standards architecture that enables future integrations - these are the characteristics that make the Curity Identity Server the right choice for organizations that require full control, flexibility and trust in their identity infrastructure.