Build or Buy? The Strong Case for Buying a CIAM Solution
With any new software initiative, there’s often an internal push to build the solution in-house, based on the assumption that this approach affords your organization the ability to meet all your needs and requirements. On its face, building is an attractive option. You can create only what you need, seamlessly integrate it with what you have, and provide whatever support is required.
Plus (and I say this based on my decades as a developer), developers relish coding, solving problems, and overcoming obstacles. Building software ourselves is desirable simply because it’s part of our nature and we love what we do.
Sometimes, however—and this is my brutally honest viewpoint here—that mindset can produce emotion-based decisions and recommendations. This is especially true in the identity environment, where the idea of building a solution is an exciting challenge that developers would love to tackle. Identity and access management (IAM) is the core of cybersecurity, and who wouldn’t want to be an integral part of that?
But the reality is the IAM “problem” has already been solved. The solution is well established, standardized, and battle tested, in both the workforce and the customer arenas. Customer identity and access management (CIAM) experts in particular have years of experience powering identity security and engaging end users. Instead of reinventing the wheel, buying a CIAM solution provides the enterprise with greater benefits and leads to a superior customer experience. What follows is my take on why that’s the case.
Meet Business Requirements
In an ideal environment, developers would have unlimited time and resources to get the job done. But for the vast majority of situations, resource constraints and business priorities mean developer time must be prioritized. As a result, it’s nigh impossible to meet all software requirements when you build—and that’s assuming the requirements are correctly identified in the first place. Consider this from the Geneca “Doomed From the Start?” study:
- 78% of IT professionals think the business is always or usually out of sync with project requirements
- Less than 20% describe the requirements process as the articulation of business need
- Only 23% state they are always in agreement when a project is truly done (i.e, when the requirements are met)
When you buy, however, you’ve got that expertise at your fingertips and a clear agreement on what requirements will be met by the vendor’s solution. Identity is complicated. IAM companies like Ping Identity know what your challenges are and how to meet your requirements, and are not held back by the practical restrictions that can get in the way of your developers. This goes not only for building an identity system but also for maintaining it.
Create a Better Customer Experience
Identity underpins important customer interactions: account creation, login, password reset, user preferences, multi-channel personalization and more. It’s important to get customer experience right from the beginning, because if you don’t, it’s easier than ever for your customers to turn elsewhere to feel valued.
For example, customers expect a smooth sign-on experience. The concept of single sign-on (SSO) is simple, and you may be tempted to build an SSO solution yourself. But once that concept moves into use cases and mid-development discovery, compounded by IT environment limitations, enterprises often find they’ve created a rabbit hole that can end with a rip and restart. Worse still, they may end up going live with a sub-par solution that requires significant maintenance, and the original desired product never comes to fruition.
The best CIAM platforms are dedicated to supporting frictionless experiences for end users. Ping Identity solutions come with out-of-the-box capabilities that solve identity challenges, with proven outcomes such as seamless access to resources, intelligent authentication, adaptive multi-factor authentication (MFA), unified customer profiles and consent capture and enforcement. Your customers aren't going to settle for experiences that are less than the best, so neither should you when it comes to the tools that will help you build them.
Get It Done Faster
If you’re starting your customer identity efforts from scratch, you need to take a realistic look at how much time the project will take. In my experience, developers rarely take into account the fact that they won't be able to work on the new cool project 100% of the time, and therefore underestimate the amount of time it will take them. (This is not a knock on developers, just a note that it’s easy to misjudge how hard it will be to build a CIAM solution that’s truly secure and seamless without incurring more technical debt!)
In addition, developers typically provide estimates of effort, not estimates of duration, which isn’t in line with how businesses make decisions. These factors are some of the reasons why a Harvard Business Review study of IT change initiatives found “fully one in six of the projects [had] a cost overrun of 200%, on average, and a schedule overrun of almost 70%.”
But even if you’ve already started the in-house build project, that doesn’t mean continuing it is preferable to buying a solution. Keep in mind that your build team may not fully understand the problem domain, or more importantly, the protocol specs to properly implement IAM and the vast breadth of uses cases it accommodates. In these cases, time overruns quickly add up and the use of a third-party solution can provide the quickest resolution.
Ensure a More Secure System
Oftentimes, homegrown solutions don't maintain a proper separation of concerns from the rest of the enterprise systems. If your developers aren’t experts in identity security, it’s hard to build an identity system that’s 100% secure. They not only have to design for standard use cases, but also protect against attacks such as registration bots creating dummy accounts, detect when a user’s account is compromised, determine what authenticated users are authorized for, consider what profile data can be shared, and more. Building this functionality adds to the project’s complexity and timeframe, and the stakes are high if you get it wrong.
When you buy, the security you need is baked in and well established, and you benefit from the software vendor knowing they are liable for the security of the experience as opposed to taking on that liability yourself. The right CIAM solution will give your users secure access to the right applications, step up security when necessary for high-risk situations, securely manage identity and profile data at scale, and may even encompass API security to help you address the growing threats posed by the exploding API landscape.
Future-proof Your CIAM Solution
It’s the nature of the beast: Homegrown systems tend to get stuck in their initial state because it takes too much effort to upgrade or change to accommodate new environments. Even if you were to build a solid identity platform (and that’s a mighty big if, for the reasons given above), odds are the solution will quickly be out of date and then you’re right back where you started.
Buying a CIAM solution can help you future-proof your identity initiatives in several key ways:
- You keep up with changing standards. New industry standards such as FIDO2 are improving authentication security, and organizations like NIST are routinely updating the best practices for identity and access management. Identity experts like Ping pay close attention to changing standards, with solutions based on open standards that ensure secure interoperability now and in the future. Buying helps ensure you don’t create technical debt over time that makes adopting standards more difficult, a situation that can be particularly painful since modern IAM doesn’t work in isolation but in conjunction with the rest of the federated systems.
- Identity scales as you grow. When you choose someone you trust to provide identity services, those services will scale with you as you grow. Here at Ping, for example, we publish the scale and performance benchmarks our enterprise customers achieve, demonstrating that our solutions can handle peak user demand spikes, balance horizontal and vertical scale, and provide instant access to customer data, among other things—while meeting our customers’ SLAs.
- You better comply with regulations. If your development team doesn’t know the ins and outs of the changing data privacy landscape—and you likely don’t expect them to be experts on GDPR, CCPA and a host of proposed legislation on the horizon—you could find yourself in a regulatory mess. Ping has the expertise that can help you flexibly build and enforce policies to meet requirements, while also complying with future legislation.
Doing What You Do Best
Ultimately, it makes sense to let your business do what it does best and find a partner like Ping that does what it does best: identity. Identity services is one of the top areas of growth in software development, and that’s our complete focus, so it doesn’t have to be yours. We stake our reputation and our business on our ability to keep your enterprise secure and to help you enable great digital experiences, and our track record of success on that front speaks for itself. When you team with us, you’re laying the foundation of a partnership for success.
To learn more about CIAM solutions, visit our website.
