Identity and Access Management: To Build or Buy?
Pat Starr | Software Architect
March 9, 2020
Identity and access management (IAM) is about defining and managing the access privileges of individual users (who could be employees or customers), and the circumstances in which users are granted (or denied) those privileges.
The core objective of an IAM system is one digital identity per individual. Once that digital identity has been established, it must be maintained, modified, and monitored throughout the user’s ‘access lifecycle’.
DIY?
At Phase2, we serve as technical consultants and implementers. Recently we were asked by a client to evaluate the possible benefits of offloading IAM to a 3rd-party provider, or continuing to devote engineering efforts towards maintaining and expanding an internal system.
During the process of implementing a proof-of-concept and evaluating benefits vs costs, it dawned on me that, in order to properly answer the question, a bit of level setting would be required.
What Does a Typical IAM Look like?
A typical IAM system comprises these basic elements and practices:
- Administration Dashboard: An admin dashboard for managing users, applications, and connections, and a client-facing service that hosts a customizable login interface and authenticates users against the Identity Repository
- Identity Repository: A directory/database store of the personal data the system uses to define individual users
- Authentication Service: A flexible system that regulates user access and enforces security policies and access privileges
- Software Development Kits: An identity management system is only valuable if it is straightforward to integrate with your applications
- Analytics, Auditing & Reporting: Used to analyze, verify, and troubleshoot how your identity platform is being used
- Standard Governance, Maintenance, and Solid Security Practices: Though last on this list, security is the key aspect of IAM and often easy to overlook
The following diagram is a logical architecture visualization of the ideal IAM:
The Question: Build / Maintain / Buy
Now that we have some idea of what our Identity and Access Management System should look like, should we take a stab at building it out ourselves, enhance what we already have, or outsource it to a provider? In any case, we feel the end result should encompass the basic elements and practices above.
Key reasons to consider outsourcing:
- It’s complicated, and the problem has already been solved: Designing, implementing, and securing an IAM can be a handful, to say the least, and in most cases IAM is not a core competency of your business. You already have enough unique and pressing problems to solve. Do you really want to allocate resources away from your core business challenges to tackle IAM?
- Knowledge and expertise: It takes a considerable amount of knowledge to build and secure an IAM. In some cases companies may find that they simply don’t have the internal expertise required.
- Extensibility: Many 3rd-party IAM providers offer a suite of identity management services and features that could open up many opportunities for your business. Not only do they provide basic functionality for managing and protecting customer identities, but they also offer ways to reduce friction on sign-up, login, or purchases. They also provide critical analytics that allow executives to plan and make critical decisions.
Key reasons to keep it in house:
- Budget: Sometimes you just can’t afford a 3rd-party system, and you have internal developers who are competent enough to get the job done.
The Answer
Of course, the final answer (as always) is that it depends. It depends on the level of in-house security expertise, budget, time, number of users, future plans, etc.
With that being said, organizations should almost always default to ‘proudly built elsewhere’.
Take advantage of the tech that has already been developed, tested, and maintained by skilled 3rd party providers dedicated to the task. This is particularly true for an area like security and access, where the potential risk of getting it wrong is an enormous liability.
Ask yourself, is it really worth diverting internal resources to recreate the wheel? Wouldn’t you rather have them doing work that will improve your core business instead?
Also consider the fact that, by the time you launch your own solution recreating the features that already exist in the leading IAM products, they will already be several steps ahead with new technologies and you’ll still be lagging.
Hopefully, this initial level setting will help in making a more informed decision. It certainly helped us at Phase2 to make a recommendation that we felt 100% confident in.