Which Is Best for IAM: Build, Open Source, or Buy?

Deciding the best way to modernize or scale up your Identity and Access Management (IAM) and API security can be a difficult task. Here at Curity, we talk to many organizations that wrestle with these decisions. The three main approaches are either building in-house, using open-source software, or buying commercial tools. All these strategies have merit in certain circumstances but much depends on the specific situation of the business.

When choosing your approach to IAM, it's good to consider the number and complexity of your use cases, existing IAM and API security systems, and the skills and resources available in the team. Still, choosing which path to take is daunting. To help, below, I'll share some key factors to consider for each approach.

Build Your Own

Organizations might choose to build out their own IAM solutions for several reasons. For one, they may have the necessary skills and resources to implement it. The business might have pre-existing in-house custom-developed systems. Or, you might be catering to a unique use case that's highly specific to the particular business.

These reasons are all valid. But the approach can be challenging in the face of the rapid change that most organizations experience. Technology and software development moves rapidly, and building from scratch might result in a project that is obsolete before it's even deployed. In particular, use cases can alter and change in priority at a rapid rate. Therefore, the greatest concern is the time it takes to deploy a stable IAM project that delivers solutions for the business.

Open Source Solution

In the Identity and Access Management industry, several open-source options can provide successful results. For example, good open-source packages are available for straightforward use cases, such as Single Sign-On (SSO). Or, perhaps the use of open source is mandated across an organization.

The challenges with open source arise when an organization has more complex use cases or when a wide range of authentication options is required. In many of these situations, businesses must use certified standards, perhaps due to regulatory requirements or for extensive interoperability. Getting technical support for an organization-specific deployment can also be more challenging despite open-source community contributions.

Buy an Identity Platform

As with the two options above, there are pros and cons to buying a solution as well. Initially, it may seem expensive compared to off-the-shelf open source, and the internal approval process can be lengthy depending on the organization. To weigh this up, organizations must focus on the priorities for the project. Usually, these would include:

  • Best technical fit for current use cases

  • Scalability for future use cases

  • Timescale for delivery

  • Availability of support and expertise

Investing in a tried and tested solution provides many benefits that can match and exceed the above priority list. Established IAM solutions typically have an extensive range of features and integration options readily available out of the box. Supporting key identity standards such as OAuth and OpenID Connect is an essential part of any modern IAM system. It must also be architected to allow for exceptional flexibility, with customization and platform extensibility options necessary for future growth.

Consider Your Options

Mature features are seldom available in "build your own," where a minimized scope is often necessary. And open-source solutions usually target the simpler, mainstream use cases, leaving organizations responsible for implementing significant elements outside the free tooling. Instead, products like the Curity Identity Server are developed collaboratively with customers, ensuring the functionality is tried and tested in a production environment and that the very best technical fit is achieved.

Over the last couple of years, many large organizations have chosen the Curity Identity Server to manage identity and access for vast numbers of customers, employees, and ecosystem partners. Even though some have very challenging use cases or legacy systems to take into account, they find that Curity's depth of technical capabilities meets their very demanding requirements. 

Customers like Kindred, with approximately 25 million customers worldwide, must facilitate large swings in user access patterns. Using the Curity Identity Server, they provide access tokens tailor-made to contain the appropriate information needed to make authorization decisions in line with any local regulation. Or PagerDuty, who chose the Curity Identity Server because of the wide range of protocols supported and the need to use our multi-region features. For Poppulo, the flexible deployment options available with the Curity Identity Server meant they could start their centralized authentication project on-premise, configure the server successfully, and then migrate to a cloud platform when they were ready.

Find out more about why our customers chose the "buy option" here: Curity Customers.

Join The Discussion

Follow @curityio on X

Next steps

Ready to modernize IAM?

Start Today - Build security and improve ease of use to stay ahead of the competition.