Managing your company’s external identities (customers, partners, subcontractors etc.) efficiently and safely requires a Customer Identity and Access Management system (CIAM). However, far too often companies give higher priority to projects related to other parts of their IT system and in some cases even seem to forget to pay attention to identity and access management until the very end of their deployment projects. Once everything else is in place they notice that something is missing: How can users sign up and sign in to their services? Should they use strong Multi-Factor Authentication (MFA), or what about social or business logins? Is there Single Sign-On between all the applications, and who is responsible for ensuring that the identity repositories are up to date and not filled with obsolete data?
These are just a few important questions that you can answer by using a CIAM system. But how can you tell if the CIAM product you have in mind will work seamlessly with your IT system? This is where the pilot project comes in handy.
Planning is key
Very often, companies want to validate new IT products before they integrate them as part of their overall system. This is also the case with CIAM products. You can do this with a pilot project, a limited implementation of a production system, which offers you the possibility to test the CIAM system in a smaller-scale environment before implementing the full deployment. During the pilot, there is a small selected group of users testing the new solution while the other users are still using the old one. Note that the Proof of Concept (PoC) is different to a pilot since it runs on test data in a so-called isolated sandbox environment.
Proper planning is the key to a successful pilot, so choose the use cases to be validated carefully. Figure out such things as the right services, the relevant authentication methods and federation protocols (e.g. SAML or OIDC) for those services, where to store the identity information, how to import the identities there and how to manage them. Note that even though a CIAM system includes a variety of features, you do not need to implement them all at once. In many cases a phased approach is used instead. In a production environment, start with essential features and add more capabilities in later phases.
Let’s take a look at the main steps of a typical CIAM pilot project:
- Arrange a system workshop to start the project. This is where the CIAM vendor and the customer will agree on what the use cases and main goals are for the pilot project. Define the resourcing and responsibilities and name the management and technical personnel.
- Arrange a technical workshop with 3rd parties to review the integrations and interfaces. Figure out how to integrate the existing customer e-Services with the CIAM system. Plan the CRM (Customer Relationship Management) system integration as well if required. Define the common federation protocols and APIs (Application Programming Interfaces) and assign the people responsible for those resources.
- Set up the pilot environment. The CIAM vendor will install and configure the pilot environment with a little assistance from the technical people who are responsible for the e-Services. The vendor is also responsible for the CIAM platform support.
- Test and verify the pilot use cases. The selected pilot group tests the environment and starts giving feedback about it.
- Arrange status meetings and a closing workshop. Arrange several status meetings during the project so that any potential issues can be solved as soon as possible. At the end of the pilot period, arrange a closing workshop and agree on the next steps.
In the end, if the company accepts the pilot project and wants to proceed with the product, start a full-scale production environment deployment.
So now that the pilot project is over, what did you get from it? If everything went well, you know that the CIAM solution is a good match for your specific environment. Also, you already know how to operate the system in practice – doing is often better than just reading! You will also have an idea of how to fully utilise the new CIAM system for your own needs.
Since the pilot project was built to serve in a production environment, it is simple to use the existing configurations in the full-scale production implementation. This simplifies and reduces the time for the production rollout project. During the pilot project you will also receive documentation on how to operate the system in your specific environment, so you won’t have to study the system using more generic level instructions.
In many cases, when you go to production, you can still utilise the pilot environment as a test or development system that runs independently from the production system. In this way, there is a safe way to test new configurations and integrations outside of the production system. This also comes in useful when you need to upgrade the system. Make sure to upgrade the test environment first to practise the procedure and repeat the procedure in the production environment after that.
Are there any downsides to doing a pilot?
The things that we have seen so far sound good, but are there any downsides to pilot projects?
Companies are usually in a hurry to implement the production solution so that they can start taking advantage of the benefits they expect it to bring. A pilot project could postpone this by several months due to necessary installation and configuration work, plus running the test system for the test users. It’s not unusual for IT projects, even with proper planning and scheduling, to take more time than originally intended.
A pilot project generates additional costs for the overall project. Even though some vendors, like Ubisecure, provide pilots at very reasonable prices, you still need to reserve company resources for the project. To avoid substantial costs for the pilot project in question, limit the use cases and feature lists to include only the necessary options for you to see that the solution is a proper fit for your needs. Also, this allows you to limit the number of people who need to be involved in the project.
So, is a pilot project a must when you want to implement a CIAM system as part of your IT solution? There is no easy ‘yes or no’ answer to this question. For sure, it is a way to minimise certain risks, especially in a situation where you are not familiar with the system and the technology behind it and there are no proper references available. Also, a pilot is a good way to convince different people in your company that this solution will make your lives easier in so many different ways and save costs.
However, if you are dealing with a vendor that has an extensive number of references to prove that they have a rock-solid product, which has been used and tested in different types of situations and solutions in several countries, you might want to save your time and money and go for production without the pilot.
At the end of the day, you have to make the decisions case by case.