National Cyber Warfare Foundation (NCWF) Forums


CIAM Build versus Buy


2024-08-08 09:12:37
milo
Blue Team (CND)


CIAM Build versus Buy

andrew.gertz@t…

Thu, 08/08/2024 - 07:00



If you’re in the process of developing a Customer Identity and Access Management (CIAM) strategy for your organization, you may be considering taking a Do-It-Yourself (DIY) approach. You may have heard that it’s not very complex and that some components are already available, so DIY seems cheaper at first sight and promises more flexibility. But in this article, we want to encourage you to take a closer look at what’s at stake.


1. Functionality complexity—now and in the future


In the early days, CIAM was mostly about an online form for registration and a user-ID + password login. Today, customers can log in via various channels and devices. They need to be onboarded with as little friction as possible. At the same time, you must provide them with data protection that meets the standards of the GDPR. You may also want to match the user account with internal data and validate it against a third-party register. And what about third-party identity providers like a government ID, a bank ID or a social ID?


And that’s just talking about ‘consumers’. What if you also have to serve users from business customers, partners or guests? Or grant your partners (brokers, dealers) access to certain groups of your customers? Those scenarios require delegation models with invitations and elevation or authorizations by yourself or, again, third parties. And what about innovations like self-sovereign identity and blockchain?


Does your organization have the knowledge in-house to navigate this complexity? And can your IT organization provide the agility that your business managers expect from you?


2. Integration complexity—now and in the future


We’ve all gotten used to logins based on Security Assertion Markup Language (SAML) for more than 15 years now. Now, with devices and processes becoming increasingly diverse, the standards are evolving. Every customer now requires OpenID Connect support. FIDO (FIDO2/WebAuthn) has become the standard for phishing-resistant authentication, and SCIM for the exchange of identity data. Other standards may make it… or not, like UMA. Or they may make a comeback, like PKI. And all these standards are maturing, so they come with versioning, and each new version has to be supported alongside the old.


Are you sure that your organization is making the right choices about which standards to use? And does your tooling provide continuous support for these standards to allow for a flexible infrastructure?


3. Specialized expertise


If your IT team consists of experts who understand SAML along with some ambitious newcomers, you may get the impression that you have all the in-house expertise you need. But even if you fully understand what it takes to deliver the CIAM platform your business requires (both functionally and technically), you’re still not quite there yet. You still need to be able to bring the pieces together, to make your platform configurable, provide all the integrations and make sure everything’s documented. 


With a lifecycle of 5-10 years, a CIAM platform should not only be built to serve current challenges, but it must be built to be generic and future-proof.


Often, even if your organization has this type of expertise in-house, it can be hard to devote enough time to building your own CIAM platform. Your skilled IT team members are often tied up with other projects. Do you have the capability to establish and maintain a team of people to not only make a start, but provide the long-term solid basis required for continuously evolving customer journeys? And what if it turns out that you have to hire external experts? Will you be able to find them in this tough labor market, and what are the out-of-pocket costs?


4. Always-on


A CIAM system is the front door of your digital company. So, it must be always-on, it must scale for peak traffic, and it must be resilient against attacks. Most organizations also want to have it certified by a third party (ISO 27001, ISAE 3000, government). New functionality or configurations must be deployed regularly without affecting operation. This requires a test environment and a controlled process for promoting changes to production. As customers log in around the clock, you need to monitor the environment with all kinds of probes 24/7 and take immediate action on P1 and P2 incidents.


Does your organization have the data center, DevOps, expertise, and support infrastructure available to monitor and protect your company’s digital front door? Do you have the time and budget to invest in compliance certification?
 


5. Time to value


Identity and Access Management (IAM) projects in general and CIAM projects more specifically come with a lot of complexity throughout their lifecycle. Some of the challenges are fairly obvious but others are only known if you’re already experienced in the IAM field.


In any case, there are many stakeholders influencing the project and driving requirements. If you build it from scratch, everything has to be decided on. It may take months or even years before you even arrive at a concrete plan.


At the same time, CIAM is a key component in your infrastructure and other projects rely on its timely delivery. Best practices from other customers, configuring rather than building, and using templates all accelerate the project and the time-to-value. Just as importantly, they let you leverage the operational experience and track record of your vendor. Building a solution yourself gives you no proof of scale and stability. And again, let’s not forget: you don’t have the luxury of big-time failures in front of your customers.


Is your organization able to deliver a flexible CIAM solution in, let’s say, 8 weeks? Or are you planning on 6 months or more and still uncertain about what will be delivered? Are the costs predictable? And who will you call if things go differently than expected?


Next steps


When it comes to CIAM, pursuing your own Do-it-Yourself strategy is time-consuming, expensive and risky, even if you do have plenty of in-house expertise. This is why more and more companies across all industries today are seeing the value of choosing a commercial out-of-the-box CIAM solution.


As a next step, you may be interested in reading our case study to learn how Eneco leverages the OneWelcome Identity Platform to scale its CIAM.


You can also explore the many capabilities offered by the platform in our brochure. Our CIAM experts are available if you would like to discuss your specific use cases and how best to address them. Feel free to get in touch.
 



CIAM Build vs. Buy: Choosing the Right Customer Identity and Access Management Solution








Maarten Stultjens | VP Global Enablement IAM











CIAM platform development isn't just about technical expertise. It requires integrating diverse components, ensuring configuration flexibility, and creating extensive documentation. Furthermore, a future-proof CIAM platform must adapt to evolving customer journeys. This complexity raises the question: can your organization commit to the long-term effort required for a Do-It-Yourself (DIY) CIAM solution?



What’s at risk when you’re taking the DIY approach



When you start developing a Customer Identity and Access Management (CIAM) strategy, the Do-It-Yourself approach might look attractive, but there are risks you need to watch out for. They range from underestimating current and future functional complexity to the time it takes to bring the platform to market. In this article, I identify and expand upon 5 key risks:











1. Functional complexity (now and in the future)
2. Integration complexity (now and in the future)
3. Specialized expertise
4. Always-on
5. Time to value








1. Functional Complexity — Today and in the Future



CIAM has evolved far beyond simple registration forms and username/password logins. It has also evolved beyond customers alone: partners and third parties need access too. Today's challenges involve:



  • Frictionless onboarding: Balancing security with a smooth registration process is crucial.

  • Omni-channel logins: Customers expect seamless access from any device or platform with a familiar look and feel.

  • Data privacy compliance: What started with the GDPR and the CCPA has become a wave of data privacy regulations across geographies, each demanding robust data protection and demonstrable compliance.

  • Data validation: Matching user accounts against internal data and third-party registers ensures accuracy.

  • BYOI and third-party identity providers: Integration with government IDs, bank IDs or social logins is increasingly common.

  • Diverse user types: Managing access for consumers, business users, partners and guests requires flexibility.

  • Access delegation: Granting controlled access to specific customer groups or partners requires delegation models with invitations and elevation or authorization by you or by third parties.

  • Emerging technologies: The role of self-sovereign identity and blockchain in future CIAM also needs to be considered.


The Question: Can Your CIAM Keep Up?



These complexities demand a robust CIAM solution. Does your organization possess the expertise to navigate them, together with compliance with global data privacy regulation? Can your IT organization deliver the agility needed to meet evolving business demands?



2. Integration Complexity: Navigating the Standards Maze



For over a decade, the Security Assertion Markup Language (SAML) has been the go-to standard for logins. But with the explosion of devices and processes, the landscape is shifting:



  • Evolving Standards: OpenID Connect is now essential for customer access. FIDO (FIDO2/WebAuthn) is the standard for phishing-resistant authentication, and SCIM is crucial for identity data exchange.

  • PKI and UMA: Some standards, like PKI, have staged a comeback, while others, like UMA, may never gain broad adoption.

  • Versioning Mayhem: As standards mature, new versions appear, and each must be supported alongside the ones your integrations already depend on.


The Challenge: Choosing Wisely




  • Standard Selection: Can you confidently choose the right standards for your needs?

  • Tooling Agility: Does your CIAM solution offer ongoing support for these evolving standards? Without this flexibility, your infrastructure might struggle to adapt for the future.


3. Specialized expertise



Building your own CIAM platform might seem feasible with a skilled IT team. But expertise in standards like SAML is just one piece of the puzzle. Here's why developing in-house can be challenging:



  • Beyond Functionalities: A robust CIAM requires configurability, seamless integrations, and comprehensive documentation – not just core functionalities.

  • Future-Proofing: A 5-10 year lifecycle demands a platform built for adaptability, not just current needs.

  • Resource Allocation: Even with the right expertise, devoting internal resources to long-term CIAM development can be difficult due to competing project demands.

  • Team Building: Maintaining a dedicated CIAM development team requires long-term commitment, potentially with external expertise needed in a competitive market. Will you be able to find them in this tough labour market, and what are the out-of-pocket costs?


The Question: Is In-House Development Right for You?



Carefully consider the resource constraints and long-term commitment required before embarking on in-house CIAM development. Evaluating these challenges can help you make an informed decision.



4. Always-on: Maintaining your digital Fort Knox



A robust Customer Identity and Access Management (CIAM) system acts as your company's digital front door. Here's what it takes to keep it secure and operational:



  • Infrastructure: Do you have the right data center environment, expertise in areas like DevOps and security, and a support organization?

  • Resilience, Scalability and Security: The system must be constantly accessible (always-on) and handle surges in traffic (scalability). It needs to be resilient against cyberattacks.

  • Compliance Certifications: Third-party certifications (ISO 27001, ISAE 3000) might be necessary.

  • Deployment Agility: Frequent updates and configuration changes require a robust DevOps process with minimal downtime.

  • 24/7 Monitoring: Continuous monitoring with various tools (probes) is essential to detect and address critical incidents (P1/P2) immediately.


Ask yourself: Are You Equipped?



Does your organization possess the infrastructure (data center), expertise (devOps, security), and support for this demanding role? Can you invest the time and resources to achieve and maintain compliance certifications? Evaluating these factors will help you determine if you have the capabilities to manage a CIAM system effectively.



5. Time to value: Beyond the initial hurdles



While Identity and Access Management (IAM) projects are complex, CIAM adds another layer due to its specific functionalities. Here's why achieving fast time-to-value can be challenging:



  • Project Complexity: CIAM projects involve numerous stakeholders and intricate decision-making, leading to lengthy planning phases (months or years) for custom builds.

  • Infrastructure Dependency: CIAM often acts as a critical building block for other initiatives, creating pressure for timely delivery.


The Power of Pre-Built Solutions:




  • Best Practices & Configuration: Leveraging pre-built solutions with best practices and configurable options accelerates project timelines.

  • Vendor Expertise: Utilizing vendor templates and experience translates to operational efficiency and proven stability. Building from scratch doesn't guarantee scalability or reliability.


The Question: Speed vs. Risk?



You don’t have the luxury of big-time failures in the face of your customers. Can your organization afford a custom build with a 6-month+ timeframe and potentially uncertain outcomes? Pre-built solutions with predictable costs and dedicated vendor support offer a faster path to value (potentially in 8 weeks) with minimized risk of major failures.



To summarize



Building your own CIAM solution can be a time-consuming and expensive endeavor, even with internal expertise. The risk of delays and potential shortcomings is significant.


That's why an increasing number of companies across industries are turning to commercial, out-of-the-box CIAM solutions. These pre-built options offer several advantages:



  • Faster Time to Value: Reduced planning and development lead to quicker implementation.

  • Reduced Costs: Avoid the ongoing expense of in-house development and maintenance.

  • Mitigated Risk: Benefit from proven technology and vendor expertise to minimize security vulnerabilities.


Independent Validation: Thales OneWelcome, an Overall Leader in CIAM



For an independent perspective, consider the CIAM Leadership Compass from KuppingerCole, a leading industry analyst firm.










Schema

{
"@context": "https://schema.org",
"@type": "BlogPosting",
"headline": "CIAM Build vs. Buy: Choosing the Right Customer Identity and Access Management Solution",
"description": "Explore the pros and cons of building versus buying a Customer Identity and Access Management (CIAM) solution for your organization, and make an informed decision based on functionality, integration complexity, expertise, always-on requirements, and time to value.",
"datePublished": "2021-12-17",
"dateModified": "2024-08-08",
"author": {
"@type": "Person",
"name": "Maarten Stultjens",
"description": "Maarten has more than 25 years of experience advising enterprises on best Identity & Access Management practices for B2B and B2C. He works closely with OneWelcome's customers, technology partners, and the analysts' community, while leading a successful team of experts.",
"image": "https://cpl.thalesgroup.com/sites/default/files/content/author/field_image/2024-05/m-stultjens-headshot.jpg",
"sameAs": [
"https://x.com/MStultjens",
"https://www.linkedin.com/in/maarten-stultjens-844499/"
],
"worksFor": {
"@type": "Organization",
"name": "Thales Group",
"description": "The world relies on Thales to protect and secure access to your most sensitive data and software wherever it is created, shared, or stored. Whether building an encryption strategy, licensing software, providing trusted access to the cloud, or meeting compliance mandates, you can rely on Thales to secure your digital transformation.",
"url": "https://cpl.thalesgroup.com",
"logo": "https://cpl.thalesgroup.com/sites/default/files/content/footer/thaleslogo-white.png",
"sameAs": [
"https://www.facebook.com/ThalesCloudSec",
"https://www.twitter.com/ThalesCloudSec",
"https://www.linkedin.com/company/thalescloudsec",
"https://www.youtube.com/ThalesCloudSec"
]
}
},
"publisher": {
"@type": "Organization",
"name": "Thales Group",
"description": "The world relies on Thales to protect and secure access to your most sensitive data and software wherever it is created, shared, or stored. Whether building an encryption strategy, licensing software, providing trusted access to the cloud, or meeting compliance mandates, you can rely on Thales to secure your digital transformation.",
"url": "https://cpl.thalesgroup.com",
"logo": "https://cpl.thalesgroup.com/sites/default/files/content/footer/thaleslogo-white.png",
"sameAs": [
"https://www.facebook.com/ThalesCloudSec",
"https://www.twitter.com/ThalesCloudSec",
"https://www.linkedin.com/company/thalescloudsec",
"https://www.youtube.com/ThalesCloudSec"
]
},
"mainEntityOfPage": {
"@type": "WebPage",
"@id": "https://cpl.thalesgroup.com/blog/access-management/build-vs-buy-choosing-right-ciam-solution"
}

}










THALES BLOG

CIAM Build versus Buy


August 8, 2024












The post CIAM Build versus Buy appeared first on Security Boulevard.




Source: Security Boulevard
Source Link: https://securityboulevard.com/2024/08/ciam-build-versus-buy/





Copyright 2012 through 2024 - National Cyber Warfare Foundation - All rights reserved worldwide.