
CIAM Build vs. Buy: Choose the right approach for Consumer Identity and Access Management

Maarten Stultjens
August 11, 2020 at 11:10 AM

We regularly encounter customers that are considering a Do-it-Yourself (DiY) approach for CIAM. The perception is that it is not very complex, some components are already available, it seems cheaper at first sight and it provides more flexibility. Let’s analyse this a bit further.

1. Functionality Complexity – now and in the future

In the early days, CIAM was mostly about an online form for registration and a user-id/pwd login. Nowadays customers can log in via various channels and devices. They need to be onboarded with as little friction as possible.

But you also need to provide them with the means to protect their data in the context of GDPR. You also may want to match the user account with internal data and validate it against a third-party register. And what about third-party identity providers like a government ID, a Bank ID or a Social ID? And that’s just talking about ‘consumers’. What if you also have to serve users from business customers, partners or guests? Or have to allow your partners (brokers, dealers) to get access to restricted groups of your customers?

Those scenarios require delegation models with invitations and elevation or authorisations by yourself or again by third parties. And what about innovations like self-sovereign identity and blockchain?

Does your organisation comprehend this complexity, and can your IT-organisation provide the agility that the business managers expect from you?

2. Integration Complexity – now and in the future

We have been used to SAML-based logon for more than 15 years now. With the increasing variety in devices and processes, standards are evolving. Every customer now requires OpenID Connect support. FIDO has become the standard for authentication and SCIM for the exchange of identity data. Other standards may make it… or not, like UMA. Or they may return, like PKI. And all these standards are maturing, so they come with versioning.

Does your organisation have the knowledge about what choices to make and does your tooling provide continuous support for these standards to allow for a flexible infrastructure?

3. Specialised Expertise

If your IT-team consists of experts that understand SAML and some ambitious youngsters, you may get the impression that you have the in-house expertise. Even if you - functionally and technically - fully understand what it takes to deliver the CIAM platform your business requires, you are still not there. You need to be able to bring the pieces together, to make your platform configurable, provide all of the integrations and make sure everything’s documented. With a lifecycle of 5-10 years, a CIAM platform should not only be built to serve current challenges, but must also be built to be generic and future-proof.

Does your organisation have this expertise in-house? If so, are these talents also required for other projects? Are you able to establish and maintain a team of people to not only make a start, but provide the long-term solid basis required for continuously evolving customer journeys? And what if it turns out that you have to hire external experts; can you find these rare species and what are the out-of-pocket costs?

4. Always-on

A CIAM system is the front-door of your digital company. So, it must be always-on, it must scale for peak traffic and it must be resilient against attacks. Most organisations also want to have it certified by a third party (ISO27001, ISAE 3000, Government). New functionality or configurations must be deployed regularly, without affecting the operation. This requires a test environment and a controlled process for bringing it to production. As customers log in around the clock, you need to monitor the environment with all kinds of probes 24/7 and take immediate action on P1 and P2 incidents.

Does your organisation have the data centre, devops, expertise and support infrastructure available to take on the responsibility of being the digital front-door? Are you willing to invest time and money in (compliance-) certification?

5. Time to value

IAM projects in general, and CIAM projects more specifically, come with a lot of complexity: immediate or arising during the lifecycle, very obvious or only known if you are already experienced in the IAM field. In any case there are many stakeholders influencing the project and driving requirements. If you build it from scratch, from a ‘white piece of paper’, everything is fluid and coming to a definition may take ages. At the same time CIAM is a key component in your infrastructure and other projects are relying on its timely delivery. Best practices from other customers, configuration rather than build, and templates accelerate the project and the time to value on the one side but, equally important, ensure that you leverage operational experience and proof from your vendor. Building a solution is still not the same as having proof of scale and stability. And again, let’s not forget… you do not have the luxury of big-time failures in the face of your customers.

Is your organisation able to deliver a flexible CIAM solution in, let’s say, 8 weeks… or are you anticipating 6 months or more and still uncertain about what will be delivered? And are the costs predictable for this endeavor? And who will you call upon if things go differently than expected?


To summarise

So unless you have quite an appetite for risk, a lot of extra time on your hands, a wide expertise, no need to keep your focus on your core strategic initiatives… and on top of that you have a lot of money, it is not a rational decision to choose a Do-it-Yourself strategy for CIAM over an out-of-the-box solution.

iWelcome has invested 10 years in solving specific CIAM challenges. We and our colleagues in the market are ready to serve you and stay ahead of the curve for the years to come. Depending on the industry you are in, the locations you are operating in or the functional demands, there is always a good solution out there.

Feel free to repost this blog on your website! But when you do so, please be so kind to mention the source and give us a notice via marketing@iwelcome.com.
