At the beginning, before the introduction of an Identity and Access Management (IAM) solution, often the question arises: Make or buy? It seems much easier, cheaper and faster to implement the few functions yourself than evaluating, buying and implementing a professional solution. For developers, the implementation of an in-house IAM solution is also an exciting task: The topic has been known for a long time, the necessary libraries are easily available and usually well documented.
Given these conditions, it is tempting to build something of your own. When else do you have the opportunity to translate your own needs into features and design new standards? But: Does it make sense?
In the Beginning there is Time Pressure
At first, the enthusiasm is great. Everyone is excited to participate and fascinated by how fast things are progressing. But as time passes, unexpected problems occur, and an increasing number of special cases have to be taken into account. The initial enthusiasm about the comprehensive project and process control slowly becomes a burden. Time schedules are postponed, members of the project team are increasingly often withdrawn for more urgent projects in the core business, and even if you know your own IT landscape better than any third-party provider, this alone does not solve all sorts of problems. Quite the contrary, it can even lead to a certain operational blindness and prevent more efficient approaches.
It Grows and Grows
So, it takes a little longer. But even after the first production-ready version, such projects are never really “finished“. Bugs have to be fixed, users demand additional features, and over time, adaptations to changed infrastructures and new security standards have to be made. The effort involved is usually significantly underestimated. Enthusiastically started projects thus develop into a legacy with a lot of frustration for everyone involved. Worse still, with critical tasks such as IAM, the whole project quickly becomes security relevant.
So, does it make sense to build your own IAM solution? Or is a commercial product the wiser approach? There is no universal answer. But there are some parameters that at least suggest a direction.
7 Reasons for Buying Instead of DIY
Development capacities:
Own developers are not blocked indefinitely but can concentrate on their core business, which usually is not IAM.
Defined timing:
A finished product with suitable and tested features can be integrated and used immediately instead of having to build your own solution.
Constantly updated security concept:
Security patches are provided continuously. Employees can concentrate on their core tasks.
Flexible authentication procedures:
Products provide a variety of authentication methods. Changing user preferences and integration approaches can thus be easily taken into account.
Benefit from others:
With a broad installation base, products are mature and cover the needs of many customers, providing features in different areas, that can easily be integrated and adapted.
Smooth integration of applications:
Applications and mobile apps do not have to be adapted for different identity providers, but use standard interfaces
Good scaling:
Cloudbased solutions grow with the company and have not to be reinvented by yourself.
Nevertheless, DIY projects can still make sense for IAM from time to time. Namely, when it comes to small or manageable projects without long-term strategic orientation. Under these circumstances, in-house developments are not only more tailor-made, but can also be a huge motivating factor for the team.
However, as soon as strategic solutions are required, numerous customers and suppliers are to be integrated and the system is expected to be scalable over years, there is no sensible way around a finished product. Because then they score points with factors such as experience from a broad installation base, reliable future development, being independent of available capacities and, last but not least, having a reliable cost planning.
