To build or to buy is a question that must be answered when an enterprise contemplates new technology to gain efficiency, improve productivity, bring down the cost of operation or improve their strategic advantage. The critical analysis that comes into play helps to determine whether it is more beneficial to build a custom solution in-house that meets the specific needs of the company, or to buy an existing software solution that has a wide range of built-in functionality.

This can be a challenging question for organizations considering an automated solution to manage physical identities, credentials and access. Is it better to internally develop a physical security and access management (PIAM) software package that addresses compliance, operational and quality needs – or should it be purchased as a commercial, off-the-shelf (COTS) solution? Understanding the differences between the two approaches can yield significant benefits but it’s not an easy choice to make. There are three key areas that should be considered when making the choice between an in-house solution and a COTS package – cost, customization and convenience.


Cost is a significant factor when considering the choice between a COTS solution and an in-house solution. One advantage to a COTS solution is that those costs can be negotiated and determined up front. Any added options or custom development can be quantified prior to the start of the project, and a schedule for incremental upgrades or changes can be identified for budgeting purposes. In addition, COTS solutions usually provide a better ROI over the long term thanks to their more robust features, greater reliability and ability to scale at a lower cost than an in-house solution.

However, costs for an in-house solution must include the time-intensive process of developing the outline/application, assigning personnel and determining charge-back costs for development, testing and support. The development must take into consideration workflow that integrates a variety of business system processes so that when one set of privileges changes, whether physical or logical, that alteration will automatically trigger complementary revisions in other sets. In the final analysis, it must be considered whether or not a home-grown solution will ultimately improve efficiencies or have a tangible ROI that is greater than that of a COTS solution.


Software providers are well-versed in compliance rules and laws dictated by the government and other regulating agencies, and they have developed, built and refined their offerings to incorporate the functionality needed to address these dictates from both the business/regulation side and from the technical side. In most instances the software program will meet the customer’s compliance requirements out of the box.

Effectively managing identities in an organization raises multiple challenges beyond maintaining compliance with requirements that may be mandated by various agencies. Details such as risk level, area owner and prerequisites for access, as well as correlating identities with alarms, managing badge/credentialing systems and so on, must often be in place to enable management to proactively enforce security policies and rules. For this reason, home-grown solutions can prove to be a time-consuming, expensive and inefficient way to manage an identity.


Software that is created for the sole purpose of physical identity and access management includes the capability to manage all types of identities including permanent and temporary employees, contractors, service providers, vendors and visitors. It is designed to manage details of a physical identity, such as biographic and biometric information as well as results of security checks and historical usage. In addition to aggregating access level information from various systems, the information and applications (e.g., physical identity management, role-based access, transaction audit trails) are automated into a single Web-based interface that is easy to manage and use.

An important consideration regarding any software package is the service/support aspect. With COTS software packages, vendor support including help-desk, updates, bug fixes, on-going customizations, future implementations and the like can be purchased along with the software solution or at a later date. For home-grown software solutions, the service/support aspect needs to be factored into the original package. What is the risk of losing the knowledge base as the technology resource pool changes or evolves? Although it is convenient to have in-house support, unless that support is dedicated to the PIAM software package, resolution of issues may take valuable time and pull employees away from regular tasks.


Recent trends support the conclusion that organizations will have better outcomes by working with third-party professionals for their large scale identity management needs. These providers offer application-targeted solutions built on best practices and with a proven track record in the PIAM marketplace.