Access Control - Build vs. Buy
Sep 29th, 2022
Roie Schwaber-Cohen
Authorization
When it comes to software, companies and their engineering teams constantly wrestle with the age-old question of “build vs. buy”: should the company spend time, effort, and capital on building the software in-house, or alternatively outsource the solution to an external vendor?
In this post, we’ll review the most important factors to consider when debating whether to build or buy an access control solution for your organization. Then, we’ll review the pros and cons of building or buying an access control solution. We hope this will make it easier for you to make the right decision for your organization.
Considerations
Let’s start with the factors that are important to consider when thinking about building or buying any software solution:
- What would be the cost in time or capital to build the solution compared to buying one? Remember that the real cost of building any software solution must include the time and capital spent on maintaining and improving the solution over time.
- Are all the capabilities required going to be satisfied by the solution? What kind of concessions would we have to make if developing all the required features in-house would take a while?
- Is developing the solution critical to the organization’s mission statement? Will developing the solution further the organization’s value proposition or detract from it? Or is it a must-have feature that is required for the organization to operate and be compliant with rules and regulations?
- Does the development team have the necessary skills and experience to build this type of solution?
How do these considerations apply particularly to access control solutions?
- Access control solutions are typically complex and take time (and thus capital) to build right. They are a critical component of any production-level solution, and they must have high availability and low latency capabilities since they gate every application request. This means companies can’t really afford to build access control poorly - it has to work well right out of the gate.
- Building an access control solution that would support all the features an application might need in the future from the get-go might be considered over-engineering by some. On the other hand, oversimplifying the access control model in the early stages of an application will most likely cause issues down the road that might require substantive rewrites.
- Access control rarely further’s an organization’s value proposition. With that said, it is required for most (if not all) production-level applications.
- Since access control is rarely part of most organizations’ value proposition, it is also likely their development teams might not have all the skills required to build secure access control solutions that would be efficient and reliable within a reasonable amount of time and effort.
Pros and Cons of Building Access Control Systems In-house
Pros
- Software built in-house has the potential to make integration with other components easier to manage and maintain. If your platform team is well versed in security and access management - maintaining control over these components may make it easier to integrate them across the organization.
- Maintaining control over the way the access control solution behaves allows the organization to fine-tune the access control behavior at will.
- In some cases, user and resource data cannot be shared with a third party unless an on-prem or OEM solution is provided. In these cases, relying on an external vendor may not be possible.
Cons
- The most impactful consideration in building your own access control solution is opportunity cost. Since access control is most likely not the organization’s principal value proposition, it detracts the engineering team from building features that drive the organization’s goals forward and instead forces them to spend precious time developing a feature that makes no significant difference to the organization’s mission.
- Once built, access control systems require maintenance and development over time. As the organization grows, so will its access control requirements. This means that the engineering team will continuously spend time and effort on this system - again, without an immediate and clear benefit to the organization’s mission and goals.
- Access control is critical to get right, and most engineering teams don’t have the specific expertise required to do so. This fact means that custom-made access control solutions may have dangerous security holes in them - and those could have disastrous consequences.
Pros and Cons of Buying Access Control Solutions
Pros
- Buying an access control solution means minimizing time to value. Instead of spending long development cycles to stand up an access control solution, buying such a solution ensures that the capabilities can be added swiftly and with minimal effort on the part of the engineering team.
- The engineering team can now focus on building features that are part of the organization’s core value proposition. The team doesn’t have to maintain and grow the access control solution continuously - that responsibility now shifts to the vendor.
- Built by security experts, access control solutions provided by experienced vendors are going to be much more secure than solutions built by in-house engineering teams.
Cons
- Purchasing an access control solution (like any other software solution) might be cost-prohibitive for the organization, depending on its size.
- Vendor lock-in - Attaching yourself to the wrong vendor might mean you’re not getting what you need or what you’re paying for.
Summary
In this post, we covered the leading considerations to evaluate when considering building or buying access control systems. We then reviewed some of the pros and cons of building vs buying an access control solution. Both options have pros and cons. Overall in-house solutions offer complete control that might be coveted by some but at an opportunity cost that simply doesn’t make sense for most organizations.
We hope this analysis helps you in making your own decision on whether you’d rather build or buy an access control solution for your organization. We’re here to help! Contact us here to discuss your organization’s access control challenges
Roie Schwaber-Cohen
Developer Advocate
Related Content
Deploying an Application to Kubernetes with an Aserto Sidecar
In production, we're most likely to set up the Aserto edge authorizer as on Kubernetes as a sidecar. In this post, we’ll review how to set up and deploy your application to Kubernetes and set it up to make authorization requests to an Aserto sidecar.
Oct 13th, 2022
Open-source cloud-native authorization on theCUBE
Listen to Aserto CEO, Omri Gazitt, discuss open-source cloud native authorization system Topaz.sh, the future of cloud, and views of WebAssembly on theCUBE.
Nov 3rd, 2022
How to avoid Broken Access Control vulnerabilities
Broken Access Control vulnerabilities are pervasive. This post explores three techniques that can be combined to create secure-by-default applications that can avoid or eliminate Broken Access Control vulnerabilities.
Dec 21st, 2022