Verificación de identidad en la nube vs. local: ¿Qué enfoque es el adecuado para usted?

La inversión de capital es una buena analogía para este tema. Todos siguen las mismas reglas, pero el nivel de riesgo con el que se siente cómodo varía. En el caso de la verificación de identidad, el reglamento está compuesto por documentos regulatorios. Sin embargo, cómo usa ese reglamento depende de su negocio. Algunos pueden asumir más riesgos, mientras que otros tienen que ir a lo seguro, o incluso están obligados a apegarse a las estrategias más conservadoras.

Veamos dos extremos para dejarlo más claro: banca y gambling & betting.

Algo que estos dos sectores tienen en común es que ambos arriesgan su licencia si surgen problemas graves. Pero hay un mundo de diferencia entre las consecuencias para empresas de estos dos ámbitos. Mientras que un casino puede trasladarse a otra jurisdicción y obtener una nueva licencia, perder la licencia para un banco significa que desaparece para siempre.

Además, estos negocios trabajan con activos de formas completamente distintas. Los casinos tienen más libertad en su estrategia empresarial, pero los bancos deben apegarse a las reglas establecidas por el banco nacional de un país determinado. En particular, esto significa que están obligados a invertir solo en activos de cierta calidad. En este caso, el debate entre nube y on-prem no importa tanto. Lo crucial es la calidad del proveedor.

Para empezar, definamos los atributos de una solución en la nube de alta calidad. Esto es esencial porque hay numerosos proveedores en el mercado, pero no todos pueden ofrecer resultados igual de buenos.

Primero, una solución de primer nivel debe tener una infraestructura robusta con centros de datos en distintas regiones, para garantizar que los clientes reciban instancias dedicadas en sus ubicaciones objetivo. Esto no solo garantiza tiempos de respuesta rápidos, sino que también se alinea con los requisitos de residencia de datos para el tratamiento de datos personales.

Segundo, deben existir controles de seguridad suficientes. Por controles de seguridad, nos referimos a una variedad de herramientas para mitigar todos los posibles riesgos asociados con la fuga y el compromiso de datos, así como políticas integrales para las acciones del proveedor en caso de emergencia. Para el peor escenario, el cliente debería tener un “botón rojo”, es decir, la capacidad de eliminar al instante todos los datos personales existentes.

El borrado total de datos, por supuesto, es una medida extrema. En la práctica, se beneficiará más de la capacidad no solo de eliminar sus datos, sino de llevarlos, por ejemplo, al migrar a otro servicio. No todos los proveedores cloud están listos para ofrecer esta opción.

Tercero, la solución debe ofrecer una interfaz de usuario conveniente que pueda personalizarse según sus necesidades.

Por último, pero no menos importante, debe haber un equipo profesional de soporte disponible 24/7.

→ Mayor colaboración. Imagine que su cliente final enfrenta un problema desconocido, por lo que usted tiene que pedir ayuda a su proveedor. Con SaaS, el equipo de soporte de su proveedor puede entrar al sistema de inmediato, detectar el problema y guiarle para solucionarlo (por supuesto, si sabe qué ocurre y cómo abordarlo).

En este aspecto, es una ventaja que un proveedor cloud tenga muchos otros clientes. Si el proveedor soluciona un problema para cualquiera de ellos, usted también recibe automáticamente la solución.

→ Ayuda a descubrir nuevos vectores de ataques de presentación de forma temprana. Este punto es importante. Al tener acceso a grandes volúmenes de datos, un proveedor cloud puede detectar rápidamente amenazas emergentes. Puede lanzar hotfixes o soluciones temporales con rapidez; es decir, ofrecerle un tiempo de reacción rápido. Aquí SaaS gana claramente, siempre que se trate de un SaaS realmente de alto rendimiento.

→ You need to mitigate higher security risks. The implications of the fact that a third party has access to your clients’ personal data are among the most serious things to consider when choosing a cloud solution. 

Which brings us back to the security controls we mentioned earlier. If they’re rock-solid and the solution is genuinely compliant, you’re in good hands. But if not, the consequences fall on you. Even if the vendor misled you, you can’t pass the blame to avoid punishment and damage to your reputation.

This means that, despite cloud solutions being positioned as the ones you can have up and running fast, you’ll have to spend time digging into the system and seeing how things work on the vendor’s side.

Also, leaks may happen even with the most reliable cloud solutions. That’s why the top-tier cloud IDV vendors should ideally have a robust insurance policy that covers the financial risks you might face if the worst-case scenario becomes a reality.

Last but not least, your metadata is also on the line. Metadata includes the details tied to your business operations, like the number of new customers, as well as their geography, age, etc. While not personal in itself, this is still private commercial information which is of huge value for any competitor. That’s yet another substantial business risk.

→ It gets expensive at scale. The price tag depends on the number of transactions. As you scale up, the price goes up too. Even though vendors charge less per single check at large volumes, the total amount can still be impressive. 

So if a business verifies, say, 1,000 new customers each month, SaaS is their go-to because on-prem is overkill in this case. However, when their monthly bill hits $5,000 or $10,000, it’s a different story. At that point, it becomes more cost-effective to invest in setting up an on-premise solution that will save them money in the long run.

The attributes of a top-tier on-prem solution include robust technology, versatility, and the ability to adapt to the unique needs of each client. It's like wearing a custom-made suit tailored just for you. The solution adapts according to your existing workflows, policies, and preferences, so you don’t have to tinker with it.

Another important feature of a good on-prem vendor is the support of a wide range of technology platforms. For example, if it supports most modern databases, this is a huge benefit as the customer doesn’t have to build a process around a different type of database.

→ You have full control over the data. The major benefit of on-prem is that you don’t have to share sensitive data with any third parties. Since all operations happen within your perimeter, you maintain control over how the data is stored, secured, and managed, thus minimizing the risk of leaks.

If you are a large organization, chances are you’ve already set up top-notch security controls for your infrastructure. With on-prem, you don't have to repeat the whole drill, as your existing controls seamlessly keep you in compliance.

It goes without saying that on-prem solutions are often the only possible option for all sorts of public services, border controls, and even some private banks. When it comes to safeguarding crucial information at this level, on-premises identity verification isn’t just a choice—it’s often the only game in town.

→ You get a multi-use asset. When you obtain an on-prem technology, you can literally build your own in-house SaaS to cater to all the possible needs of your organization. That’s especially beneficial for large-scale businesses with a robust ecosystem of services and products. Once integrated, your on-prem solution can be stretched to cover all use cases without having to pay extra—from onboarding new clients to verifying every employee before they access confidential information.

→ It provides a higher ROI in the long run. While implementing an on-prem solution implies deployment and orchestration in your infrastructure, if you can bear the costs, the price tag is significantly lower than for SaaS. It's a long-term game, though. 

Think of on-prem as an investment that needs a bit of time to mature. From Regula’s experience, it usually takes about two years to see a savings 3-4x compared to a cloud solution of the same quality.

It’s important to note, however, that the above analysis considers only the things (integration, deployments, etc.) that are under the control of companies themselves. Lurking right around the corner are fraud risks and related financial and reputational losses, which can be avoided thanks to the proper solution. Regula found out that identity fraud caused an average of $300,000 in damage to enterprises in 2022. Preventing just one such case results in top-tier on-prem paying off immediately.

→ It requires significant upfront costs. These expenses are surely higher than for cloud solutions. However, no one can say how much higher exactly, because these costs will be different for different companies. It depends on numerous factors, such as:

• Customer-owned or cloud Infrastructure

• Depth of integration

• Skills of the team

• Hosting 

The last one, though, isn’t an issue for large companies as they usually have it up and running, so the cost will be shared with other in-house services. 

→ Deployment requires more tech-savvy staff. The more robust a technology is, the trickier it is to integrate. If it's done clumsily, you might not get the full value for the cost. As a result, the entry threshold and the employee skill requirements are usually higher than for SaaS that deliberately limits the number of methods (which can be both a pro and a con, depending on your case). 

However, if the team is serious about their mission and they’re willing to delve into the specifics of IDV, they acquire much more than just a technology. They build their own knowledge base and unique in-house expertise.

Good vendors, in their turn, should help with the task as much as possible: provide all necessary scripts and configurations for fast deployment. All instructions on how to get a sustainable system up and running should be clear and comprehensive.

→ System updates may require more effort. Due to the specifics of on-prem, clients are responsible for their updates, meaning they’ll need to configure the process on their part themselves. This isn’t necessarily a burden but will require attention nonetheless.

On the other hand, this gives more control over the changes made and the overall state of the system.

There’s one more important aspect that lies beyond the technical side of the matter. It’s the role IDV plays in your business. That’s the crucial factor you need to consider before deciding whether to “rent or buy.” 

Speaking of rental, let’s say there’s a boat rental business. IDV isn’t at the heart of what makes them money. On the contrary, it’s an expense item because it’ll require some resources to have this box checked. In situations like these, it just makes sense to outsource it as much as possible.

On the opposite end of the spectrum is when identity verification is an important part of the business that allows it to make money—or, at least, save it from losing huge sums on compliance fines. 

Take a global fintech company, for instance. They go big on on-prem IDV tech, deploying it across the board. It becomes an asset, a one-time investment that pays dividends everywhere—from snagging a new digital audience for B2C products and streamlining B2B processes to onboarding employees and improving fraud prevention efforts. For them, it's a smart investment that keeps on giving without extra costs.

The above point highlights a universal principle in business decision-making—ROI matters.

Whether it’s identity verification or any other aspect of business, companies naturally assess the correlation between investments and returns. When the link is clear and promising, businesses are willing to invest. If the connection isn’t apparent, the tendency is to seek compliance while minimizing costs.