Stagnation vs. Innovation: Burdens of Homegrown Customer Identity that Hinder Innovation
Customer identity: Your brand’s front door
As the front door to your company’s digital experiences, identity is the lynchpin for customer apps and portals. However, authentication, authorization, and user management make up just part of the overall customer experience (CX). Application development organizations tasked with building disruptive, differentiated mobile and web apps face several competing priorities and lots of complexity. Often, teams are juggling multiple apps, sister brands, country-specific products, omni-channel requirements, various user types, and constantly evolving security threats.
Given the many dimensions above, it should come as little surprise that CX initiatives to reduce user friction and secure customer data are never really “complete.” Many teams mistakenly think that once they’ve developed basic identity services for an app—such as account creation, login, and password resets—they can ship their code and move on to other projects. But within a year, most recognize that there’s always more work required to maintain effective customer identity and access management (CIAM). Even if you rolled your own identity initially, there’s no denying that CIAM is an ongoing journey.
As part of Okta’s work with thousands of digital businesses, we’ve encountered a number of misconceptions that tend to hinder developers and architects from upgrading home-grown CIAM with a more modern, future-proof identity layer.
Planning and resource allocation myths
Often, you initially believe that your CIAM needs are simple (or perhaps unique). It might seem that a custom approach will be more cost-efficient than investing in an external service. However, when identity isn’t your core business, scope creep is common and the needs you started with eventually change. For example, identity workflows that were built solely for a pre-existing user store are usually unable to support social identity (also known as “bring-your-own-identity”) or new biometrics without major changes.
Few organizations accurately estimate the resources required to keep pace with these types of ever-expanding CIAM requirements—particularly as app portfolios grow. In fact, Forrester has found that maintaining a home-grown solution typically costs twice as much as purchasing a third-party platform [1]. And teams frequently lack the specialized expertise required to implement secure and scalable identity for their applications. To effectively manage authorization, you need diverse technical knowledge in the areas of cryptography, database security, performance engineering, system engineering, and security auditing, as well as advanced data architecture.
Risk and compliance myths
In addition to considerations around planning and resource allocation, organizations too often fail to consider the added liability they'll be taking on by managing customer identity in-house. Teams might hope their all-star developers will be able to handle every security challenge, but don’t fully understand the depth of expertise it takes to maintain protections in an ever-evolving landscape. Custom-built identity also increases your compliance burden. Deciphering, implementing, maintaining, and validating new regulations at the state, local, and national level is complex and time consuming. Specific regulatory requirements for GDPR, CCPA, PIPEDA, and other mandates contain nuanced shades of gray that you must weigh in order to make the right calls.
Fortunately, the decision to build identity in-house isn’t permanent. In fact, it’s common for organizations to swap out home-grown user management for a robust external service as business priorities shift. You can easily embed third-party CIAM solutions right into your digital apps, offloading unexpected hassles and responsibilities. With out-of-the-box APIs, SDKs, and easily customizable components, it actually takes minimal effort to quickly rebuild fundamental identity components.
Key considerations for customer identity and access management
Demands on customer identity are only intensifying, as both internal and external factors frequently introduce more requirements, opportunities, and risks. Given the rising prevalence of data breaches, security teams are under intense pressure to better secure the perimeter, while product and marketing groups try to keep up with a new frontier of competitive advantage—the customer experience.
According to Gartner, 86% of organizations expect the user experience (UX) to be their main competitive differentiator by 2021, but only 40% currently have a CIAM initiative in place [2]. Since registration and login pages are often one of a customer’s first digital experiences with your brand, it is critical to bridge that gap. With this in mind, read on for some of the top factors to consider as you reevaluate your go-forward CIAM strategy.
When it comes to evolving CIAM requirements, it’s important to look beyond your initial user management, authentication, and single sign-on (SSO) goals. A future-ready approach to customer identity should meet users’ and regulators’ escalating demands for:
- Improved usability
- Comprehensive data protection and security
- Enterprise-grade high availability and scalability
Customer apps are a prime target for increasingly sophisticated attacks, and registration, login, and recovery pages are often the most targeted. This risk is compounded by the fact that the average application contains a staggering 26.7 serious vulnerabilities, the majority of which come from custom code [3]. Unsurprisingly, broken authentication, broken access controls, sensitive data exposure, and insufficient logging and monitoring remain amongst the OWASP Top 10 security risks every year [4].
If you’re relying on outdated or limited CIAM, it’s crucial to stay alert to:
- Constantly changing security threats and other variables
- Code documentation and maintenance gaps from developer brain drain
- New consumer privacy standards for regulations like GDPR and CCPA
Since identity management relies on rare and expensive skills, consider how much risk your app(s) will take on when the original developers who built the CIAM components move on. Keep in mind that engineers are an itinerant crowd, with LinkedIn reporting that they experience one of the highest turnover rates of any sector at a whopping 21.7% [5]. As such, you’ll want a realistic strategy in place for transitioning CIAM management responsibility if and when the time comes.
Once you’ve thought through the table stakes, it’s worth noting that modern CIAM opens up new opportunities you probably haven’t had a chance to focus on yet, including:
- Advanced login capabilities, e.g. passwordless experiences, biometrics, social login
- Less friction across the entire digital experience through seamless omnichannel CX
- Streamlined compliance with a reporting interface to manage security event information
Keep in mind that the number of customer-facing apps is increasing in every industry. Since you’re competing for customer eyeballs and attention on the basis of the user experience, each CX improvement you make has a huge potential for impact. Your team must capture any opportunity to speed transformation and app development, since building a superior CX amplifies your product’s underlying value and helps nurture a loyal customer base.
The journey towards CIAM maturity
In working with thousands of companies to achieve their security and usability goals, we’ve defined four key phases most teams experience as they embrace more mature CIAM capabilities over time.
Stage 1: Basic
At stage one of CIAM maturity, you’ve built crucial identity security features into an app, and successfully brought it to market. Next, you’ll need to focus on expanding that product offering to serve a growing customer base.
Stage 2: Automated
During this stage, you’ve expanded your product reach and increased the sophistication of your user management, compliance, and security capabilities. As you continue to scale, you’ll want to invest in stronger security protections and new customer experience features.
Stage 3: Intelligent
At this point, your application provides customers with strong, perhaps even passwordless, protection. Your use and storage of customer data gives rise to personalization improvements and is fully compliant with data privacy regulations. Thanks to industry-leading integrations, your identity security is stringent and you can proactively detect and mitigate risks. Customers use your services with ease, and you’re well-positioned to explore advanced functionalities.
Stage 4: Continuous
Now that your product is a clear market leader, you most likely have an omni-channel strategy that optimizes for both security and user experience. At this stage, your app is integrated with advanced fraud and risk solutions, and your long-term identity strategy is earning dividends—in the form of consumer trust that drives competitive advantage.
For a more detailed roadmap of specific solutions and processes you can adopt as your organization moves through its own CIAM journey, read our eBook, “From Zero to Hero: The Path to CIAM Maturity.”
Hidden costs of maintaining home-grown CIAM
Now that we’ve reviewed some of the pivotal factors and tradeoffs to consider when thinking about how to maintain and evolve customer identity services, let’s dig into the specific costs associated with a hard-coded approach.
Teams typically spend 65% of their initial CIAM deployment budget on core identity functionality—such as password storage, token services, user directories, and registration, sign-in, and account recovery flows—and just 35% on security and availability. However, over time, the recurring costs needed to maintain top-notch performance and protection tend to increase in unpredictable ways.
If you rely on home-grown identity tools built years ago, managing high availability as your customer apps scale is nearly impossible. To be sure that end users can always log in, regardless of application load, you need to invest in back-end infrastructure that delivers multiple nines of availability. Guaranteeing this level of reliability also requires robust DevOps systems, automated rate limiting, monitoring of machine resources, and an on-call operations team.
While this might sound like a lot of work, the added effort is essential because the cost of an outage could be devastating to your business. As such, your identity partner must have an established history of strong uptime. Never compromise on identity availability: exciting features are worthless if the system is offline.
Another challenge of scaling identity comes when you get spiking traffic due to external events like sales promotions or the COVID-19 pandemic, which drove previous in-store customers en masse to the safety of brands’ digital apps. In order for your identity service to handle these peak workloads, you’ll need double or triple redundancy in your data center. Even if you use an infrastructure-as-a-service provider, this comes at a nontrivial cost and with lots of maintenance overhead.
A scalable CIAM infrastructure requires dozens of servers to manage and buffer all of your app’s resource-intensive authentication and password hashing. You must closely track loads across various production, QA, development, continuous integration, and disaster recovery environments and buffer for overprovisioning.
If users can’t log in for any reason, your application can’t perform its sole job: enhancing the customer experience and/or driving revenue. One bad online experience can damage customer trust and brand perception. Of course, if your app does encounter a service disruption, you’ll immediately have to pause other work to address availability and scalability problems. At that point, it will already be too late to avoid lost customers.
Data breaches are frequently very public and very expensive, but also costly to prevent due to the rapidly changing security landscape. Recent research from Forrester found that companies without a mature identity management service experienced twice as many breaches, each costing $5 million more than breaches at companies with robust identity solutions [6]. Even if you addressed previously known security variables when you first built your CIAM functions, your app’s risk level has likely changed over time.
To deal with ever-present vulnerabilities and threats, you need to allocate time towards a wide range of security improvements, including:
- Learning and quickly deploying the latest password hashing algorithms every 18 months
- Patching your code, libraries, and operating system to secure user data
- Rotating and renewing SSL/TLS certificates
- Swapping out keys when someone leaves
Because companies rarely have this level of security expertise on staff, they're often left completely unaware of vital security developments like changing algorithms or newly discovered attack vectors. Unless you frequently update all login flows to incorporate the latest known protections against evolving threats, you’re chasing an ever-accelerating target. The reality is that preventing, identifying, and remediating security issues at every layer of infrastructure consumes so many resources that you’re forced to make impossible tradeoffs: Should you allocate engineering time towards updating older projects, or tolerate potential vulnerabilities in old applications so that you can focus on the opportunities ahead?
New consumer privacy regulations also increase your workload when it comes to upholding the best possible data privacy standards. Your company is likely dedicating vast resources towards responding to customer data requests. Otherwise, it might face litigation, which comes with hefty legal fees and potential fines. But compliance isn’t just about the bottom line; stellar handling of customers’ personal data can enhance your brand image and ultimately contribute to your top line. According to an IBM study, 65% of consumers consider a company’s data-sharing policies when deciding whether to do business with that company [7].
Even if you’re happy with your custom-built CIAM solution at first, maintenance costs and technical debt will inevitably accrue. Once your initial identity components are in place, stakeholders will begin to request more complex features that require significantly more engineering time than the identity basics. When these unforeseen needs arise, you’ll be stuck putting other work on hold while you rewrite source code and redeploy your CIAM solution.
Some examples of future identity requirements that often emerge following initial deployment include:
- Support for evolving standards (e.g., from SAML and WS-Fed to OpenID Connect and OAuth 2.0)
- New vulnerabilities, SSO protocols, and multi-factor authentication (MFA) factors
- Adding or removing individual IP addresses
- Social login
- Advanced authorization schemes
- Token authentication
- Customer data partitioning
- LDAP/Active Directory integration
- App integrations and provisioning
- Deprovisioning API access by revoking tokens
It's not realistic for internal teams to maintain expertise in all of these areas, at all times, without ever making mistakes. Unless you have highly diligent folks proactively monitoring the ecosystem, responding to security advances or attacks, and implementing changes, you’re always playing catch up. George Moore, chief technology officer for the Cengage education platform, experienced this challenge first-hand:
“We couldn’t just build something and forget about it. It was clearly going to need to be continually evolved. Just keeping up with the growing number of students, with the constant cyber threats, was going to be a significant amount of work, which would decrease the value we could provide to students.”
And as new technologies, apps, and APIs accumulate throughout your IT environment, you may also be caught off guard by the vendor management required to maintain your home-grown CIAM solution. This typically involves working with numerous external vendors—DNS providers, Twilio, AppDynamics, Splunk, SendGrid, etc.—and can become a major burden over time.
Barriers to innovation
It’s important to remember that the tedious work of navigating and maintaining custom code not only delays critical CIAM and security updates, it takes valuable resources away from your core digital products that provide essential services or even drive revenue. Customer-facing development teams are usually under a microscope with never-ending pressure from leadership to accelerate innovation. Since you often have to wear multiple hats, each critical CIAM requirement that pops up detracts from your main focus of enhancing critical apps.
Imagine if you could instead put all of those hours exclusively towards features that differentiate the CX.
“The ability for our developers not to think about identity management databases, rules, permissions, and all those things that come with legacy identity management platforms—that, from a developer perspective, has been a major unlock for getting applications out the door faster.”
— Cody Sanford, CIO, T-Mobile
Every developer agrees that speed and agility are critical, since time is money. Be sure to calculate the opportunity cost of delaying projects meant to increase your organization’s competitive advantage and attract more customers, more transactions, and more engagement. For example, if a feature that’s expected to bring in $50k in new revenue per month is delayed six months due to resource constraints, that’s $300k of lost potential revenue.
Also contemplate the productivity cost of having multiple groups of developers reinvent the CIAM wheel with custom-built authentication every time you roll out a new application.
“If you don’t have a single solution, you’re rebuilding it time and time again, adding cost, time, and complexity. If you’re building identity multiple times into multiple systems, you’re [also] multiplying the number of exposure points.”
— Warren McNeel, Senior Vice President of IT, T-Mobile
Advantages of a modern CIAM solution
Offloading identity management to a trusted third-party vendor like Okta allows your organization to more rapidly unlock innovation. Consider relieving your team of the vital (but sometimes less-than-motivating) work surrounding account creation, user login, password resets, account recovery, MFA enrollment, and user access policies. By doing so, you’ll avoid many of the costs and pitfalls described above and be freed to put your energy where it matters most.
Frictionless user experiences
Before ripping out your custom-built CIAM, choose a solution that was built from the ground up to strike the perfect balance between UX and security. This will make the registration and authentication process more simple and consistent across all of your brands and apps. Experiences surrounding account creation, login, password enforcement, and session management greatly influence users’ first impressions of your application (and by extension, your company). If these workflows are filled with roadblocks, customers will take their business to your competition. Leading customer identity providers offer a UX you can implement with little to no custom code—from out-of-the-box, customizable, and hosted self-registration screens, to passwordless experiences, single sign-on, and social login.
No business can afford to stand still in the face of today’s continuous digital disruption. By migrating user management away from a home-grown environment and embedding pre-built identity components into your app, you can maximize efficiency and more easily meet project timelines. This is huge, since identity management’s complexity makes it one of the highest-risk areas for time and cost overruns. When you replace the uncertainty inherent in a code-heavy approach with common patterns and programming languages, you’ll be able to remain laser-focused. Since you’ll no longer need to rewrite and redeploy older apps, you can execute faster on products that add value for end users.
“Moving to Okta has allowed us to take some of our best and brightest engineers, who were working hard on solving the identity problem, and let them not have to worry about it. Now those great engineers can focus on features that are really changing the industry.”
— George Moore, Chief Technology Officer, Cengage
Another powerful advantage of a full-featured identity service is that it allows you to centralize access management company-wide.
Instead of digging through spaghetti code every time your security team wants to make a change to the multi-factor authentication policy, you can give your IT and security admins an intuitive interface for maintaining the identity and security settings in your apps.
Since Okta separates security administration from app development, no developers are required. Non-developers can log directly into the console and update password or sign-in policies, MFA factors, and other configurations without any custom code. Our policy engine also supports the latest DevOps best practices by integrating with CI/CD pipelines to support a hybrid ops model, in which Okta admin changes are synced with infrastructure changes via a tool like Terraform.
Finally, modern CIAM helps you prevent security breaches, safeguard sensitive user data, and meet tricky compliance requirements. By turning over the management of password hashing algorithms and infrastructure vulnerabilities to security experts, you’ll better protect customers’ personally identifiable information from attackers.
The most trustworthy identity services use measures such as powerful encryption, API security, advanced firewall protection, and robust data management and system access procedures. These gold-standard practices also ensure compliance with geographic and industry-specific regulations like HIPAA, FedRAMP, GDPR, and CCPA. As a result, you’ll alleviate the burden of sifting through regulatory gray areas to make difficult calls about which requirements your business needs to support.
The choice is clear: Turn customer identity from a brand liability into a business enabler
Customer identity and access management can be either a liability or a business enabler, so it’s critical to get it right. Businesses find that CIAM becomes an Achilles heel for brand perception and regulatory compliance when it fragments customer experiences and user information, and contributes to technical complexity, costly infrastructure, and security vulnerabilities.
However, as described above, new CIAM advances have continuously pushed the boundaries of what customers and businesses expect from user management, authentication, and authorization. When organizations leverage a best-in-class CIAM platform, they rest easy with:
- More secure users, products, and services
- Greater business agility and flexibility
- Reduced costs and operational overhead
- Happier customers, partners, and employees
- Increased automation and business efficiency
How the Okta Identity Cloud can help
At Okta, we offer specialized expertise and out-of-the-box identity building blocks that make replacing your home-grown services painless. Purpose-built for the modern era, the Okta Identity Cloud enables organizations to deliver secure, frictionless digital experiences for their workforces, partners, suppliers, and customers. Our identity layer provides:
Give your users a seamless experience. Leverage Okta’s prebuilt UI widgets for common user flows such as login, registration, and password reset, or build a completely customized experience with Okta’s APIs.
Configurable User and Policy Management
Manage your users and security policies programmatically via APIs or from our user-friendly admin console. Create single sign-on (SSO) experiences and manage the user lifecycle with automated onboarding and offboarding.
Okta Integration Network
Support your development efforts with an entire ecosystem of integrations, including 6,500+ pre-built connectors for SSO to applications, API gateways, IaaS, identity proofing, and application delivery controllers.
Each of these components is production-ready, so you can scale with confidence and monitor potential security threats in real time. In fact, Okta guarantees 99.99% uptime, but our customers enjoy even higher availability (a bar many competitors don’t meet). While one extra nine may not seem significant, it’s the difference between being down almost nine hours per year versus less than one hour.
Okta safeguards your user data, because our team is comprised of experts entirely focused on advanced security across identity and access attack vectors. You’ll also benefit from our flexible customer-first services that support developers, IT, security, as well as the business. Learn more about how Okta can support all of your organization’s identity projects to dramatically accelerate time-to-market, reduce total cost of ownership, and drive core product innovation at https://www.okta.com/customer-identity/.
Okta is the leading independent provider of identity for the enterprise. The Okta Identity Cloud enables organizations to securely connect the right people to the right technologies at the right time. With over 6,500 pre-built integrations to applications and infrastructure providers, Okta customers can easily and securely use the best technologies for their business. Over 8,400 organizations, including JetBlue, Nordstrom, Slack, Teach for America and Twilio, trust Okta to help protect the identities of their workforces and customers.
Learn more at: www.okta.com.
[1] Forrester, “Making The Business Case For Identity And Access Management,” October 2019
[3] Contrast Security, “State of Application Security Report,” July 2017
[4] Open Web Application Security Project, “OWASP Top Ten,” 2017
[5] LinkedIn, “These 3 Industries Have the Highest Talent Turnover Rates,” March 2018
[6] Forrester, “Stop The Breach: Reduce The Likelihood Of An Attack Through An IAM Maturity Model,” February 2017
[7] IBM, “Consumer Attitudes Towards Data Privacy,” September 2019