Access Management

To Build or To Buy: Solutions to Access Management Software Dilemmas

To build or to buy is a question that must be answered when an enterprise contemplates new technology to gain efficiency, improve productivity, bring down the cost of operation or improve their strategic advantage. The critical analysis that comes into play helps to determine whether it is more beneficial to build a custom solution in-house that meets the specific needs of the company, or to buy an existing software solution that has a wide range of built-in functionality.

This can be a challenging question for organizations considering an automated solution to manage physical identities, credentials and access. Is it better to internally develop a physical security and access management (PIAM) software package that addresses compliance, operational and quality needs – or should it be purchased as a commercial, off-the-shelf (COTS) solution? Understanding the differences between the two approaches can yield significant benefits but it’s not an easy choice to make. There are three key areas that should be considered when making the choice between an in-house solution and a COTS package – cost, customization and convenience.


Cost is a significant factor when considering the choice between a COTS solution and an in-house solution. One advantage to a COTS solution is that those costs can be negotiated and determined up front. Any added options or custom development can be quantified prior to the start of the project, and a schedule for incremental upgrades or changes can be identified for budgeting purposes. In addition, COTS solutions usually provide a better ROI over the long term thanks to their more robust features, greater reliability and ability to scale at a lower cost than an in-house solution.

However, costs for an in-house solution must include the time-intensive process of developing the outline/application, assigning personnel and determining charge-back costs for development, testing and support. The development must take into consideration workflow that integrates a variety of business system processes so that when one set of privileges changes, whether physical or logical, that alteration will automatically trigger complementary revisions in other sets. In the final analysis, it must be considered whether or not a home-grown solution will ultimately improve efficiencies or have a tangible ROI that is greater than that of a COTS solution.


Software providers are well-versed in compliance rules and laws dictated by the government and other regulating agencies, and they have developed, built and refined their offerings to incorporate the functionality needed to address these dictates from both the business/regulation side and from the technical side. In most instances the software program will meet the customer’s compliance requirements out of the box.

Effectively managing identities in an organization raises multiple challenges beyond maintaining compliance with requirements that may be mandated by various agencies. Details such as risk level, area owner and prerequisites for access, as well as correlating identities with alarms, managing badge/credentialing systems and so on, must often be in place to enable management to proactively enforce security policies and rules. For this reason, home-grown solutions can prove to be a time-consuming, expensive and inefficient way to manage an identity.


Software that is created for the sole purpose of physical identity and access management includes the capability to manage all types of identities including permanent and temporary employees, contractors, service providers, vendors and visitors. It is designed to manage details of a physical identity, such as biographic and biometric information as well as results of security checks and historical usage. In addition to aggregating access level information from various systems, the information and applications (e.g., physical identity management, role-based access, transaction audit trails) are automated into a single Web-based interface that is easy to manage and use.

An important consideration regarding any software package is the service/support aspect. With COTS software packages, vendor support including help-desk, updates, bug fixes, on-going customizations, future implementations and the like can be purchased along with the software solution or at a later date. For home-grown software solutions, the service/support aspect needs to be factored into the original package. What is the risk of losing the knowledge base as the technology resource pool changes or evolves? Although it is convenient to have in-house support, unless that support is dedicated to the PIAM software package, resolution of issues may take valuable time and pull employees away from regular tasks.


Recent trends support the conclusion that organizations will have better outcomes by working with third-party professionals for their large scale identity management needs. These providers offer application-targeted solutions built on best practices and with a proven track record in the PIAM marketplace.

Did you enjoy this article? Click here to subscribe to Security Magazine. 

Recent Articles by Ajay Jain

You must login or register in order to post a comment.



Image Galleries

ASIS 2013 Product Preview

ASIS International 59th Annual Seminar and Exhibits, September 24-27 in Chicago, Illinois, will include an exhibit hall packed with innovative security solutions. Here are some of the products that will be shown at ASIS this year.


Virtualization and Data Center Security: What You Need to Know for 2014

Data centers are increasingly becoming the center of the enterprise, and data center and cyber security is following the same path for security departments. According to Justin Flynn, a consultant at the Burwood Group, the virtualization of data centers allows enterprises to scale more easily and faster, with a smaller footprint.

However, hosting enterprise data in the cloud can make intrusion detection more difficult – how can enterprise security leaders team up with other departments to keep aware of cyber risks and traffic, and physical and data compliance during the virtual transition? How can CISOs and CSOs discuss cyber threats with the C-Suite to get the resources they need? And how can the proper infrastructure test and verify possible malicious attacks? 

More Podcasts

Security Magazine

Security May 2015 Issue cover

2015 May

In the May 2015 issue of Security, learn how to be the bridge between busieness and security with "customer facing," how to effectively work with your CFO, and covert security.

Table Of Contents Subscribe

Body Cameras on Security Officers

Body cameras are being used increasingly by police in cities across the U.S. Will you arm your security officers with a body camera?
View Results Poll Archive


Effective Security Management, 5th Edition.jpg
Effective Security Management, 5th Edition

 Effective Security Management, 5e, teaches practicing security professionals how to build their careers by mastering the fundamentals of good management. Charles Sennewald brings a time-tested blend of common sense, wisdom, and humor to this bestselling introduction to workplace dynamics. 

More Products

Clear Seas Research

Clear Seas ResearchWith access to over one million professionals and more than 60 industry-specific publications,Clear Seas Research offers relevant insights from those who know your industry best. Let us customize a market research solution that exceeds your marketing goals.


Facebook 40px 2-12-13 Twitter logo 40px 2-12-13  YouTube  LinkedIn logo 40px 2-12-13Google+

Vertical Sector Focus: Critical Infrastructures

criticalhomepagethumbFrom terrorism to vandalism, it’s preparedness, response, training and partnerships. Learn about some of the critical security issues facing this sector.

Visit the Critical Infrastructure page to read more.