Deployment Maintenance
At Cloud-IAM, we recognize that maintaining the security, availability, and operational resilience of your Keycloak cluster is critical to your organization’s identity management strategy. Our comprehensive deployment maintenance framework incorporates preventive measures, mandatory updates, and lifecycle management aligned with industry best practices and compliance requirements.
This document provides an in-depth overview of the different categories of maintenance activities, detailing the processes, governance, and communication protocols Cloud-IAM follows to minimize operational risk and service disruption. It also outlines customer responsibilities to ensure seamless collaboration throughout maintenance cycles.
For a complete understanding of our overall operational resilience, please refer to related documentation including our Disaster Recovery Process, Architecture Insights and BackUp Strategy, which describe our approach to data protection, failover strategies, and infrastructure design.
Types of maintenance
Preventive maintenance
Preventive maintenance is performed regularly to reduce the likelihood of incidents and enhance the stability of your deployment.
This can involve improving resilience through infrastructure optimizations and failover testing, applying software and security updates to Keycloak and its underlying components, and periodically reviewing and adjusting security rules such as firewall policies and network access controls.
Keycloak version deprecation
Cloud-IAM follows its own lifecycle policy, detailed in the Keycloak Upgrade documentation.
When a Keycloak version reaches its end of life, customers are notified well in advance. The Cloud-IAM technical team provides clear upgrade plans with scheduled dates and times, including information on whether the upgrade will require mandatory downtime. This approach aims to minimize the impact of version upgrades on end users.
To facilitate smooth upgrades, Cloud-IAM recommends that customers maintain a secondary deployment for testing the latest Keycloak versions in a development environment. This test deployment can be either a second managed deployment on Cloud-IAM or an internal deployment set up and operated by the customer. It enables validation of custom configurations, extensions, and integrations before rolling out changes to production.
As part of our security best practices, deprecated and unsupported versions are progressively phased out to prevent exposure to known vulnerabilities.
Mandatory maintenance
Some maintenance tasks are non-negotiable because they are triggered by external requirements. These include mandatory updates from cloud providers (AWS, GCP, Azure, etc.) that are needed to maintain compatibility, as well as urgent security patches that must be applied immediately to address critical vulnerabilities (CVEs) or to meet compliance obligations.
How maintenance is performed
Automatic
Many updates and preventive measures are applied automatically, with minimal or no downtime, through a rolling upgrade process. This includes minor security patches, non-disruptive configuration adjustments, and monitoring improvements.
These operations are scheduled by the Cloud-IAM technical team and performed during the Maintenance Window defined by each customer.
Manual
Other specific tasks may require manual intervention from Cloud-IAM engineers. This applies to major or complex configuration changes, customer-specific requests, and any situation where human validation is necessary to guarantee the success of the operation.
Customer communication
Clear and timely communication is central to Cloud-IAM's maintenance process.
For all planned activities, Cloud-IAM informs customers in advance, except in cases of urgent security risk such as a critical CVE, where immediate action is required. The exact responsibilities and expectations are outlined in our RACI framework.
When communication is issued, it includes the type and scope of the maintenance, the expected impact or downtime, the scheduled date and time, and the steps taken to verify service integrity after completion.
Customer responsibilities
Keeping Contact Information Up to Date
To ensure you receive all important email communications without interruption, please:
- Add and regularly update your organization's contact information (see: how to add additional contacts to your organization, how to add a new user to your organization).
- Whitelist emails from support[at]cloud-iam.com to prevent them from being marked as spam.
Adhering to configuration and usage guidelines
Customers are expected to follow the usage guidelines and best practices provided by the Cloud-IAM technical team. Adhering to these guidelines is essential for Cloud-IAM's maintenance procedures to run as planned, whatever the incident, date, or time.
Here is a non-exhaustive list of configuration and usage guidelines:
- Customers must provide up-to-date custom extensions prior to any Keycloak upgrade, so that compatibility can be verified and the transition is smooth.
- Customers must never allow-list or otherwise hard-code the IP addresses of Cloud-IAM load balancers in their own firewall rules or integrations: these addresses are dynamic and may change, in particular after maintenance activities that involve redeployment. They must use the designated Public IP gateway instead. Rules pinned to load balancer addresses may cause service disruptions once those addresses change.
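The following is an added example (not Cloud-IAM code) of how a customer could audit their own firewall allow-list for the mistake described in the last guideline above: entries pinned to load balancer addresses that will break after a redeployment. The hostname, load balancer addresses and gateway address below are constructed sample data (RFC 5737 test ranges), not real Cloud-IAM values; the gateway address is assumed to be the stable address Cloud-IAM designates as the Public IP gateway.

```python
"""Audit a firewall allow-list for entries pinned to dynamic load balancer IPs.

Added example, not part of Cloud-IAM's documentation or tooling. The sample
addresses and hostname are constructed (RFC 5737 documentation ranges).
"""
import ipaddress
import socket

# Constructed sample data: what the Keycloak hostname currently resolves to
# (the dynamic load balancer addresses) and the stable Public IP gateway
# address assumed to be published by Cloud-IAM for allow-listing.
SAMPLE_LB_IPS = ["203.0.113.10", "203.0.113.11"]
SAMPLE_GATEWAY_IPS = ["198.51.100.5"]

# Constructed allow-lists: one pinned to load balancer IPs (wrong), one using
# the gateway address (right).
BAD_ALLOWLIST = ["203.0.113.10/32", "203.0.113.11/32"]
GOOD_ALLOWLIST = ["198.51.100.5/32"]


def resolve_ipv4(hostname):
    """Live DNS lookup of a hostname's current IPv4 addresses (needs network).

    Used only to fetch the real load balancer addresses at audit time; the
    offline sample run below passes constructed addresses instead.
    """
    infos = socket.getaddrinfo(hostname, None, socket.AF_INET)
    return sorted({info[4][0] for info in infos})


def audit_allowlist(allowlist, lb_ips, gateway_ips):
    """Classify allow-list entries against load balancer and gateway addresses.

    Returns a dict with:
      pinned_to_lb     - entries that match a current load balancer address;
                         these will stop matching after a redeployment
      gateway_covered  - True if every gateway address is allowed
      unknown          - entries matching neither set (worth reviewing)
    """
    nets = [ipaddress.ip_network(entry, strict=False) for entry in allowlist]
    lb = [ipaddress.ip_address(ip) for ip in lb_ips]
    gw = [ipaddress.ip_address(ip) for ip in gateway_ips]

    pinned_to_lb = sorted(str(n) for n in nets if any(ip in n for ip in lb))
    gateway_covered = all(any(ip in n for n in nets) for ip in gw)
    unknown = sorted(str(n) for n in nets if not any(ip in n for ip in lb + gw))

    return {
        "pinned_to_lb": pinned_to_lb,
        "gateway_covered": gateway_covered,
        "unknown": unknown,
    }


if __name__ == "__main__":
    # Offline run on the constructed data; replace SAMPLE_LB_IPS with
    # resolve_ipv4("<your-keycloak-hostname>") for a live check.
    for label, allowlist in (("bad", BAD_ALLOWLIST), ("good", GOOD_ALLOWLIST)):
        print(label, audit_allowlist(allowlist, SAMPLE_LB_IPS, SAMPLE_GATEWAY_IPS))
```

Any entry reported under `pinned_to_lb` is exactly the configuration the guideline warns against: it works today and stops working the next time the load balancers are redeployed. A clean result has an empty `pinned_to_lb`, `gateway_covered` set to True, and nothing under `unknown`.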