Customer Identity & Access Management: Build -v- Buy

Customer, consumer, and citizen identity and access management (CIAM) platforms are often plagued by an internal design team question: “Should we build or buy?” Many early CIAM projects are labeled as “just a connection box”. How difficult can it be? There are also often a lot of uncertainties. How many users will register for the system? Will the service or application generate new revenue? How long will the service be needed? What are the expected throughput and capacity levels? A lack of clarity can often result in a lack of comprehensive requirements, a limited internal business case, and limited available funding.

Of course, the ability to implement ‘a simple plug-in box’ clearly misses the main features of a complete CIAM platform, which is there to generate business opportunities through stronger customer relationships, built on secure, multichannel and confidentiality-preserving services.

Why Home-Grown Solutions Emerge

Clearly, this question assumes that a market-ready commercial solution exists. Today one does, but maybe 6-7 years ago it did not, which made a home-grown solution the immediate priority.

Small-scale project

Another angle to consider is the small-scale project that essentially focused on ‘glueware’ integrating existing customer relationship management systems, often with a mobile app or a basic outward-facing web application. Requirements can also be highly customized based on particular data streams, making the purchase of a standard system too expensive or time consuming.

Lack of organizational maturity

Buying any software, especially platform-driven systems, requires a level of business maturity, particularly when it comes to budget ownership, metrics, deployment, and accountability. CIAM capabilities may be well defined, but a team to manage and own the platform may not exist, limiting the possibility for an external product to be a) purchased and b) monitored for return on investment.

Implications of building in-house

Building anything in-house has implications – both good and bad.

Can the tools be sold?

A simple question to ask is: “Can tooling that has been built in-house be sold?” The rough answer, of course, is usually no, but that doesn’t mean the tooling can’t generate income. Clearly, where the service provided by CIAM tooling is business-friendly, the internal cost can often be absorbed by the revenue generated. However, this calculation is not complete. Another subtraction must also take place: the opportunity cost associated with the internal development and maintenance team. What could they have done instead of building the CIAM tool? I don’t want my local doctor to build the hospital website, even if he could, because the opportunity cost of course is that he can’t see patients while he codes. The same applies here.

Can it be extended and scaled?

It could very well be a simple project to add an authentication layer to an application. But can this in turn be extended to handle multi-factor authentication? What about an end user dashboard to manage data subject access requests? What about tokenization services to handle data sharing use cases while preserving privacy? Unless a long-tail future roadmap is created around a generic, modular platform, these use cases are unlikely to be added easily. The second aspect to be aware of is that CIAM systems are often plagued by inaccurate user counts, often resulting in huge spikes in demand, followed by decreases in infrastructure requirements. Was this taken into account when designing the “connection box”?

A home-grown checklist

So how do you decide? Here is a simple way to discuss the problem internally:

  1. Does the organization have existing expertise in designing identity and access management capabilities?
  2. Does the organization have an existing operational team to support ongoing CIAM functions?
  3. Does the organization have an allocated budget for CIAM-based solutions?
  4. Does the organization have indicators of success for systems that will use CIAM capabilities?
  5. Does the organization have to adhere to any external security or compliance requirements?
  6. Does the organization have experience building outward-facing applications?
  7. Is the profile of the end users of the application known? (For example, volume, use, location, growth pattern, habits)
  8. Are the current and future requirements of the CIAM system known? (For example, integrations, security, usability, access control)

Sections of the above were taken from Chapter 2 of “Consumer Identity & Access Management: Design Fundamentals” available for purchase on Amazon now.

About the Author

Simon Moffatt is founder and analyst of The Cyber Hut. He is a published author with over 20 years of experience in the cybersecurity and identity and access management industries. His most recent book, “Consumer Identity & Access Management: Design Fundamentals”, is available on Amazon. He is a CISSP, CCSP, CEH and CISA. He also holds a part-time postgraduate degree on the GCHQ certified MSc. Information Security at Royal Holloway University, UK. His 2021 research journal focuses on “How to Kill the Password”, “Next Generation Authorization Technology” and “How IAM Countermeasures Can Defend Against Cyber Warfare.”

The Customer Identity & Access Management: Build -v- Buy post appeared first on The Cyber Hut.

*** This is a syndicated Security Bloggers Network blog from The Cyber Hut written by Simon M. Read the original post at: -v-buy /