Build or Buy? 20 Identity Management Questions.
Identity management is well understood; we’ve been doing it since the first computers. How hard can it be? Harder than you think. Take the Build or Buy Quiz!
Get the free eBook on Build vs Buy: Guide to Evaluating Identity Management Solutions
“I’m a big proponent of letting experts do what they do best. If you get identity management wrong, it falls apart horribly, and you get put on the front page of the newspaper as having exposed a large number of people to really bad things. I didn’t want to rely on building it ourselves.”
— David Bernick, Harvard Medical School
Why Build Identity Management?
Identity management has been a staple component of software almost since the dawn of computing: early timesharing systems were already protected by username/password authentication in the 1960s. With so much history, you’d think identity management would be a solved problem.
- Maybe you’re doing something simple: no sensitive information or privacy issues, modest security requirements, few users and few types of users, and only a handful of apps.
- And you’re an experienced developer, or part of a highly skilled team, who has been building authentication for apps, sites, APIs and services for years.
- And your budget is pared to the bone. You have to make choices, and it seems like a no-brainer to save the money for something more strategic.
Let’s be honest: if you’re just using one or two social providers for a simple web application, without needing a username/password database yourself or any other more elaborate features, it is easy enough to DIY. By all means, leverage the basic authentication libraries you can find in any open source framework, and be done with it. The one check worth making is that the library, not your own code, handles the OAuth 2.0 state and nonce checks and the token validation; those are the parts hand-rolled social login most often gets wrong.
Why Buy Identity Management?
We often hear from development teams considering Auth0:
If you’re competent, it seems hard to justify spending money on identity management if your needs are simple.
Let’s dig into this.
Skills
Sure, identity management seems simple. But failure is terrifying: a lot can go wrong, and when it does, your reputation is seriously damaged. Faced with persistent attack attempts and a never-ending stream of vulnerabilities to mitigate, do you know what you’re doing well enough to protect your users and your business?
Resources
Do-it-yourself is not free: there is an opportunity cost to committing resources to identity management. Is authentication really what you want to be doing? Focus on your core business and add value there. You wouldn’t write your own RDBMS, and identity management is infrastructure of the same kind. Why build it when you can pay sensible money to delegate that non-core heavy lifting to specialists? And with the cost of an identity breach potentially running into millions of dollars, what is security worth? Consider these factors when evaluating the ROI of buying identity management.
Complexity
Applications and products often start simple. But once you get past version one, you may need to support a broad range of identity providers. You might have partners. You could be rolling out mobile apps and an API. Your user base will, hopefully, grow. You may be in a regulated industry with compliance demands. It’s never as simple as it seems at first, and the cost of maintaining your own identity management may be much higher than you expect.
The Quiz
Some of these questions you might already have answered. Some might be irrelevant, and some might be problems you’ll face as you work through your IAM implementation. But we invite you to think about them realistically, based on your current state and where you think you’ll be going in the next months and years. And click the links to understand how Auth0 answers these identity management questions and the complexity we handle as part of our comprehensive offering.
Users
1. Have you thought about how you’ll implement user management? Self-service or admin managed? What is the user experience?
2. Do you have users who will authenticate with more than one IdP? How will you know it’s the same user?
3. Do you have multiple applications which will need to authenticate? If so, do they all use the same development stack?
“Compared to the costs and resources required to build, host, and secure a custom solution, the investment associated with a third-party authentication service like Auth0 was a sensible choice.” — Cris Concepcion, Safari
4. What analytics will you need for account creation and authentication events? How will you collect, analyze, and visualize this data?
5. How will you flag and mitigate anomalies in user management and authentication events?
Applications
6. How will you stay on top of potential security vulnerabilities? How will you handle patch delays to libraries you rely upon?
“Before any news sites reported on last year’s Heartbleed zero day vulnerability, Auth0 emailed us to alert us to the situation. There was already a patch to eliminate the Heartbleed threat from Auth0’s systems, followed by a confirmation email that Auth0 had already installed this patch on the Schneider Electric instance of Auth0’s service.” — Stephen Berard, Schneider Electric
7. What about the inevitable standards incompatibilities and changes to attributes and permissions for different social IdPs? Implementation differences between enterprise IdPs? For different development stacks and authentication libraries? How will you deal with all of this?
“I didn’t have to write difficult code for every IdP we needed to integrate with. It was just writing one thing, very simple, and that was it to implement secure authentication.” — David Bernick, Harvard Medical School
8. Can your ops team stay on top of best practices for securely configuring authentication infrastructure? On-premises and in private cloud instances?
9. What is your MFA strategy? How will you integrate it across different clients? Want your mobile users to use Touch ID on their iOS devices to authenticate to your applications?
10. Have you considered scalability, performance, and replication/availability requirements for your user store?
“Auth0 provided the perfect fit of out-of-the-box features, flexibility and enterprise-level service. The team at Auth0 went above and beyond to accommodate our crazy performance testing and deadline needs.” — AKQA, marketing partner for Marks & Spencer
IdPs and Standards
11. When you migrate legacy username/password databases to more modern identity management, how will you deliver a good user experience with no password resets?
“Auth0 brought along a host of out of the box connectors which made it very simple for Auth0 to connect with our CRM system to use the existing database as a user store and act as an Identity provider.” — Amol Date, JetPrivilege
12. How will you on-board new B2B customers wanting SSO for your product or service? Can you federate with partners who use Active Directory behind the firewall?
“Setting up our application to integrate with one partner and then having that partner act as a service hub for dozens of identity systems helps simplify work for our core development teams, while allowing our customer base to grow exponentially.” — Cris Concepcion, Safari
13. Different SAML IdPs can store and deliver claims in many formats. Do you have a straightforward method for normalizing claims?
14. OpenID Connect is a popular new standard for authentication: REST/JSON, OAuth2 based, developer-friendly. But the interoperability devil is in the details. How will you implement it across development stacks and clients?
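Question 11 hides a well-known technique: verify the submitted password against the legacy hash at login time, and on success rehash it under a modern scheme and discard the old digest, so nobody is ever asked to reset. The block below is an added example written for this page, not Auth0’s implementation or anything from the customers quoted. It assumes the legacy store holds unsalted SHA-1 hex digests (a constructed sample, typical of older applications) and picks PBKDF2-HMAC-SHA256 from the Python standard library as the target scheme; the user names and passwords are made up.

```python
import hashlib
import hmac
import os

# Target scheme: PBKDF2-HMAC-SHA256 from the standard library. 600k iterations is
# the current OWASP figure for this construction; tune it to your hardware budget.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def make_store():
    """Constructed legacy store (sample data, not a real dump): unsalted SHA-1
    hex digests, the kind of thing older applications kept. Assumed scheme."""
    return {
        "alice": {"scheme": "sha1", "hash": hashlib.sha1(b"password").hexdigest()},
        "bob": {"scheme": "sha1", "hash": hashlib.sha1(b"correct horse").hexdigest()},
    }


def verify_legacy(password, record):
    digest = hashlib.sha1(password.encode()).hexdigest()
    # compare in constant time so timing does not leak bytes of the stored digest
    return hmac.compare_digest(digest, record["hash"])


def hash_modern(password):
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"scheme": "pbkdf2_sha256", "iterations": PBKDF2_ITERATIONS,
            "salt": salt.hex(), "hash": dk.hex()}


def verify_modern(password, record):
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(dk.hex(), record["hash"])


# Record checked for unknown usernames, so a missing account costs about the
# same time as a migrated one and the login endpoint does not enumerate users.
_DUMMY = hash_modern("not-a-real-password")


def login(store, username, password):
    """Verify a password. A correct password against a legacy record triggers
    the migration: rehash under the modern scheme and replace the record, so
    the weak digest is gone. Returns True on success, False otherwise."""
    record = store.get(username)
    if record is None:
        verify_modern(password, _DUMMY)
        return False
    if record["scheme"] == "sha1":
        if not verify_legacy(password, record):
            return False
        store[username] = hash_modern(password)   # the migration step
        return True
    if record["scheme"] == "pbkdf2_sha256":
        return verify_modern(password, record)
    raise ValueError("unknown password scheme: " + record["scheme"])


def migration_progress(store):
    """Counts of legacy vs migrated records; this drives the decision of when
    to force resets for the accounts that never logged in."""
    legacy = sum(1 for r in store.values() if r["scheme"] == "sha1")
    return {"legacy": legacy, "migrated": len(store) - legacy}


if __name__ == "__main__":
    users = make_store()
    print(login(users, "alice", "password"), users["alice"]["scheme"])  # True pbkdf2_sha256
    print(migration_progress(users))   # {'legacy': 1, 'migrated': 1}
```

Two caveats follow from the design. The legacy verifier and the old digests have to stay in the system until the last account has migrated, and accounts that never log in never migrate, so the weak hashes linger for exactly the users least likely to notice a breach; track `migration_progress` and force resets for the stragglers after a fixed period. And the migration only works because the plaintext password is in hand at login; you cannot rehash the table offline.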
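Question 13 is concrete enough to show. The block below is an added illustration, not Auth0’s code or anything from the customers quoted: it maps the attribute statements of two differently configured IdPs onto one canonical profile. The claim-type URIs are the standard ones ADFS and Azure AD emit and the urn:oid forms LDAP-backed IdPs use; the entity IDs, NameIDs, group names and users are constructed sample data. Falling back to the e-mail address as the stable key when an IdP only sends a transient NameID is an assumption you would have to confirm with each partner.

```python
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# One logical claim, many wire names. The URIs are the standard WS-Fed/SAML claim
# types ADFS and Azure AD emit and the urn:oid forms used by LDAP-backed IdPs;
# the bare names are typical Okta/custom attribute statements. Extend per partner.
CLAIM_ALIASES = {
    "email": [
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
        "urn:oid:0.9.2342.19200300.100.1.3", "email", "mail",
    ],
    "name": [
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
        "urn:oid:2.16.840.1.113730.3.1.241", "displayName", "name",
    ],
    "groups": [
        "http://schemas.xmlsoap.org/claims/Group",
        "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups",
        "groups", "memberOf",
    ],
}


class ClaimError(ValueError):
    """Raised when an assertion lacks a claim the application requires."""


def normalize(idp_entity_id, name_id, name_id_format, attributes, required=("email",)):
    """Map one IdP's attribute statement onto a canonical profile.

    attributes: {attribute name: [values]}; SAML attributes are always lists,
    even when a given IdP only ever sends one value.
    """
    profile = {"idp": idp_entity_id}
    for canonical, aliases in CLAIM_ALIASES.items():
        values = next((attributes[a] for a in aliases if attributes.get(a)), [])
        if canonical == "groups":
            profile["groups"] = sorted(set(values))   # order is IdP-dependent; never rely on it
        else:
            profile[canonical] = values[0] if values else None
    if profile["email"]:
        profile["email"] = profile["email"].strip().lower()   # case differs across IdPs
    missing = [c for c in required if not profile.get(c)]
    if missing:
        raise ClaimError(f"{idp_entity_id} did not supply required claim(s): {missing}")
    # Only a persistent NameID is guaranteed stable across sessions. Falling back
    # to the e-mail for transient/unspecified formats is an assumption that the
    # partner never reassigns addresses; confirm it per IdP before relying on it.
    key = name_id if name_id_format == PERSISTENT else profile["email"]
    profile["user_id"] = f"{idp_entity_id}|{key}"
    return profile


def sample_assertions():
    """Constructed examples (sample data, not captured traffic) of what an
    ADFS-style and an Okta-style IdP deliver for comparable users."""
    adfs = {
        "idp_entity_id": "http://adfs.example.com/adfs/services/trust",
        "name_id": "S-1-5-21-1004336348-1177238915-682003330-1001",
        "name_id_format": PERSISTENT,
        "attributes": {
            "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": ["Alice.Smith@Example.COM"],
            "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name": ["Alice Smith"],
            "http://schemas.xmlsoap.org/claims/Group": ["VPN-Users", "Domain Users"],
        },
    }
    okta = {
        "idp_entity_id": "http://www.okta.com/exkSAMPLE0000000000",
        "name_id": "_7d2c3b1a",            # transient: a fresh value every session
        "name_id_format": TRANSIENT,
        "attributes": {
            "email": ["bob@example.org"],
            "displayName": ["Bob Jones"],
            "groups": ["Everyone"],
        },
    }
    return adfs, okta
```

The point of the `user_id` prefix is that two partners can both have a user whose NameID is `1001`; keying on the IdP entity ID plus the NameID keeps them apart. Normalization runs after the assertion’s signature, audience and validity window have been checked, never instead of that.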
Security and Compliance
15. Identity systems are an attractive target for attacks. Have you thought about implementing brute-force protections? DDoS prevention and mitigation on endpoints?
16. Should you plan to use third-party security consultancies to do independent penetration tests, code reviews and audits, and architecture reviews to validate security and best practices?
17. How will you handle reports from the security community of vulnerabilities in your identity implementation?
“Every technology has vulnerabilities, and if you don’t have a public process for responsible hackers to report them, you are only going to find out about them through attacks in the black market.” — Alex Rice, Facebook, in “HackerOne Connects Hackers With Companies, and Hopes for a Win-Win”, The New York Times, June 7, 2015
18. Will you need contextual step-up authentication? For instance, based on IP range or Active Directory group membership? Password policies? Or would passwordless authentication make sense for your users?
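The brute-force protection in question 15, as an added example and not Auth0’s code: a sliding-window failure counter charged to both the account name and the source IP, with a lockout that doubles each time it trips. Keyed per account it stops someone hammering one login from anywhere; keyed per IP it throttles credential stuffing that spreads a few attempts across many accounts. The window, limits and lockout lengths are parameters, and the defaults here are illustrative choices for this page, not figures the page recommends; the clock is injectable so the behaviour can be tested without waiting.

```python
import time
from collections import defaultdict, deque


class BruteForceGuard:
    """Sliding-window failure counting with exponential lockout.

    Every failure is charged to two keys, the account name and the source IP,
    so both a targeted attack on one user and a credential-stuffing run spread
    across many users hit a limit. Counters live in process memory; a
    multi-node deployment needs a shared store for them.
    """

    def __init__(self, window=600, account_limit=5, ip_limit=50,
                 base_lockout=60, max_lockout=3600, clock=time.monotonic):
        self.window = window                    # seconds a failure stays counted
        self.limits = {"acct": account_limit, "ip": ip_limit}
        self.base_lockout = base_lockout        # first lockout length, seconds
        self.max_lockout = max_lockout          # cap on the doubling
        self.clock = clock                      # injectable for testing
        self.failures = defaultdict(deque)      # key -> timestamps of recent failures
        self.locked_until = {}                  # key -> time the lock expires
        self.lockouts = defaultdict(int)        # key -> consecutive lockouts (drives backoff)

    @staticmethod
    def _keys(username, ip):
        # usernames are case-folded so "Alice" and "alice" share one budget
        return (("acct", username.strip().lower()), ("ip", ip))

    def check(self, username, ip):
        """Call before verifying the password. Returns (allowed, retry_after_seconds)."""
        now = self.clock()
        retry = 0.0
        for key in self._keys(username, ip):
            until = self.locked_until.get(key, 0.0)
            if until > now:
                retry = max(retry, until - now)
        return retry == 0.0, retry

    def record_failure(self, username, ip):
        now = self.clock()
        for key in self._keys(username, ip):
            q = self.failures[key]
            while q and now - q[0] > self.window:   # drop failures outside the window
                q.popleft()
            q.append(now)
            if len(q) >= self.limits[key[0]]:
                self.lockouts[key] += 1
                duration = min(self.base_lockout * 2 ** (self.lockouts[key] - 1),
                               self.max_lockout)
                self.locked_until[key] = now + duration
                q.clear()

    def record_success(self, username, ip):
        """A correct password clears the account's budget and backoff. The IP
        counters are left alone: a stuffing source that guessed one password
        right should stay throttled."""
        acct = self._keys(username, ip)[0]
        self.failures.pop(acct, None)
        self.lockouts.pop(acct, None)
        self.locked_until.pop(acct, None)


if __name__ == "__main__":
    g = BruteForceGuard(account_limit=3)
    for _ in range(3):
        g.record_failure("alice", "203.0.113.5")
    print(g.check("alice", "198.51.100.7"))   # (False, 60.0): locked by account, from any IP
```

Two things a practitioner should weigh before deploying this shape. A per-account lockout is itself a denial-of-service lever (an attacker who knows a username can keep it locked), so a hard lock is usually paired with a CAPTCHA or a step-up factor rather than used alone, and the lockout response must not differ for accounts that do not exist or it becomes a user-enumeration oracle. And `check` has to run before the password is verified, otherwise the expensive hash still gets computed for every guess.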
On Time, Under Budget
19. How much staff will you need, including IT ops, developers, and outside services such as forensics expertise? These people are hard to find and expensive to hire. Where will you source this talent and what will it cost?
“The demand for security professionals is growing, but the supply of security professionals is not growing at the same rate. The result is growing salaries.” — “The 2015 (ISC)2 Global Information Security Workforce Study”, Frost & Sullivan, April 16, 2015
20. When is your target date to go into production? How much time / how many iterations will your IAM solution require to implement?
“While other vendors were laying down implementation timelines of months, Auth0 promised a timeline of only a few weeks.” — Amol Date, JetPrivilege
Sign up for free
Start building today and secure your apps with the Auth0 identity platform.