The Akamai Blog

Your customer IAM choice: To build or to buy (Part 2)

Recognizing your brand's need for a customer identity and access management platform is an important milestone to reach, but it's only the first step on the journey to implementation. Inevitably, all CIAM project owners are faced with an extremely important decision: should they build or buy their customer identity management platform?

In part one of this series, we explored some of the major points of consideration that need to be addressed when choosing between building and buying a CIAM solution. In this second installment, we'll dive deeper into the merits of both options and further define the best course of action.

Should you host your customer identity platform yourself?

Regardless of whether you choose to build a customer identity management solution or buy a software license, how you host it is a significant consideration. Will you host it yourself in your own data center or colocation environment, or will you go with a cloud-based model where another organization handles the nuts and bolts of hosting your CIAM solution?

Both avenues have their merits. Hosting the platform with your own teams and infrastructure -- or even using leased hardware in a colocation setup -- gives your organization more direct control over your hosted assets. That's important if the data you process, transmit and store is far too sensitive to risk sending over a public network.

Colocation raises its own concerns, especially now that GDPR is in effect. GDPR's rigid guidelines detailing how customer data is managed and processed apply to both the companies gathering this information and their vendors that might access it or handle it in some way. That means organizations need to thoroughly vet their colocation partners to ensure they are adhering to GDPR requirements.

Then there's the fact that whatever steps companies take to host their CIAM platforms in their own or others' data centers will need to be duplicated for every region they operate in. Doing so improves platform performance and responsiveness in each area while reducing the risks presented by network latency and downtime.

What the cloud offers customer identity management deployments

Meanwhile, cloud deployment models enable faster service configurations as well as virtually limitless scalability opportunities. Typically, cloud environments can more readily incorporate more advanced technologies and development methods, including agile, DevOps, microservices and continuous integration.

There are many differences between private and public cloud platforms, but one of the most pertinent to the CIAM discussion is how companies build in the elasticity and scalability needed to manage usage spikes. Because the responsibility of managing a private cloud falls largely on the organization itself, it must invest in networks, platforms, and hosted environments capable of meeting the demands of the busiest periods, even if that means its systems run well below capacity most of the time.

Public clouds, on the other hand, don't present such challenges. In most cases, public cloud vendors only charge for the services you use, so there are no wasted expenditures on capacity that is only rarely tapped into.

When comparing the costs and benefits of each option, keep in mind that a CIAM solution requires specific capabilities to operate effectively at a large scale -- namely, support for multi-region footprints, redundancy, and failover.

What open source means for your CIAM solution

If you choose to build your own customer identity and access management platform, there's a good chance you will wind up leaning heavily on free/open source software (FOSS). Tools like OpenSSL, the Apache web server and Linux, for instance, are widely used in modern application stacks.

When going this route, it's important that every single component is thoroughly vetted to ensure it meets the needs of an enterprise-scale project. Also, keep in mind that just because open source software is free to use doesn't mean it's free to run. The time and manpower needed to incorporate FOSS components into the infrastructure or application stack, along with ongoing operational costs, can add up to a considerable expense.

A misconception to be wary of is the belief that open source communities will take care of future development and quality assurance needs. Open source communities are under no obligation to address the concerns of a commercial enterprise or even ensure that new software builds are compatible with other components in the application stack. These groups are assets, to be sure, but don't expect them to follow your company's vision or come through when needed most.

Clearly, there are a lot of factors to consider, especially around the "build" argument. In the next and final installment of this series, we'll review some final considerations and answer the question: "Should you build or buy your CIAM platform?"