Thales Blog

CIAM Build vs. Buy: Choosing the Right Customer Identity and Access Management Solution

December 18, 2021

Maarten Stultjens | VP Global Enablement IAM

If you’re in the process of developing a Customer Identity and Access Management (CIAM) strategy for your organization, you may be considering taking a Do-It-Yourself (DIY) approach. You may have heard that it’s not very complex and some components are already available, so DIY seems cheaper at first sight and provides more flexibility. But in this article, we want to encourage you to take a closer look at what’s at stake.

1. Functionality complexity—now and in the future

In the early days, CIAM was mostly about an online form for registration and a user-ID + password login. Today, customers can log in via various channels and devices. They need to be onboarded with as little friction as possible. At the same time, you must provide them with data protection that meets the standards of the GDPR. You may also want to match the user account with internal data and validate it against a third-party register. And what about third-party identity providers like a government ID, a bank ID or a social ID?

And that’s just talking about ‘consumers’. What if you also have to serve users from business customers, partners or guests? Or grant your partners (brokers, dealers) access to certain groups of your customers? Those scenarios require delegation models with invitations and elevation or authorizations by yourself or, again, third parties. And what about innovations like self-sovereign identity and blockchain?

Does your organization have the knowledge in-house to navigate this complexity? And can your IT organization provide the agility that your business managers expect from you?

2. Integration complexity—now and in the future

For more than 15 years now, we’ve all been used to logins based on Security Assertion Markup Language (SAML). Now, with devices and processes becoming increasingly diverse, the standards are evolving. Every customer now requires OpenID Connect support. FIDO has become the standard for authentication, and SCIM for the exchange of identity data. Other standards may make it… or not, like UMA. Or they may make a comeback, like PKI. And all these standards are maturing, so they come with versioning.

Are you sure that your organization is making the right choices about which standards to use? And does your tooling provide continuous support for these standards to allow for a flexible infrastructure?

3. Specialized expertise

If your IT team consists of experts who understand SAML along with some ambitious newcomers, you may get the impression that you have all the in-house expertise you need. But even if you fully understand what it takes to deliver the CIAM platform your business requires (both functionally and technically), you’re still not quite there yet. You still need to be able to bring the pieces together, to make your platform configurable, provide all the integrations and make sure everything’s documented. 

With a lifecycle of 5-10 years, a CIAM platform should not only be built to serve current challenges, but it must be built to be generic and future-proof.

Often, even if your organization has this type of expertise in-house, it can be hard to devote enough time to building your own CIAM platform. Your skilled IT team members are often tied up with other projects. Do you have the capability to establish and maintain a team of people to not only make a start, but provide the long-term solid basis required for continuously evolving customer journeys? And what if it turns out that you have to hire external experts? Will you be able to find them in this tough labor market, and what are the out-of-pocket costs?

4. Always-on

A CIAM system is the front-door of your digital company. So, it must be always-on, it must scale for peak traffic, and it must be resilient against attacks. Most organizations also want to have it certified by a third party (ISO 27001, ISAE 3000, government). New functionality or configurations must be deployed regularly, without affecting the operation. This requires a test environment and a controlled process for bringing it to production. Because customers log in around the clock, you need to monitor the environment with all kinds of probes 24/7 and take immediate action on P1 and P2 incidents.

Does your organization have the data center, DevOps, expertise, and support infrastructure available to monitor and protect your company’s digital front-door? Do you have the time and budget to invest in compliance certification?

5. Time to value

Identity and Access Management (IAM) projects in general and CIAM projects more specifically come with a lot of complexity throughout their lifecycle. Some of the challenges are fairly obvious but others are only known if you’re already experienced in the IAM field.

In any case, there are many stakeholders influencing the project and driving requirements. If you build it from scratch, everything has to be decided on. It may take months or even years before you even arrive at a concrete plan.

At the same time, CIAM is a key component in your infrastructure and other projects rely on a timely delivery. Best practices from other customers, configuring rather than building, and using templates all accelerate the project and the time-to-value. Just as importantly, they ensure that you leverage operational experience and proof from your vendor. Building a solution yourself still does not give you proof of scale and stability. And again, let’s not forget: You don’t have the luxury of big-time failures in front of your customers.

Is your organization able to deliver a flexible CIAM solution in, let’s say, 8 weeks? Or are you planning on 6 months or more and still uncertain about what will be delivered? Are the costs predictable? And who will you call if things go differently than expected?

Next steps

When it comes to CIAM, pursuing your own Do-it-Yourself strategy is time-consuming, expensive and risky, even if you do have plenty of in-house expertise. This is why more and more companies across all industries today are seeing the value of choosing a commercial out-of-the-box CIAM solution.

As a next step, you may be interested in reading our case study to learn how Eneco leverages the OneWelcome Identity Platform to scale its CIAM.

You can also explore the many capabilities offered by the platform in our brochure. Our CIAM experts are available if you would like to discuss your specific use cases and how best to address them. Feel free to get in touch.