As the world faced quarantines, stay-at-home orders and shuttered businesses, even normally reluctant consumers were forced to go online to grocery shop, order take-out and stay connected to friends and family. This focus on transacting daily tasks online placed a major spotlight on an emerging subset of identity security, customer identity and access management (CIAM).
The latest research from the Identity Defined Security Alliance, Identity Security: A Work in Progress, found that organizations are not as confident in the management and security of identities when they consider all human and non-human identities – 26% are very confident, 70% are only somewhat confident and 4% not confident at all. This combination of more consumers forced to live a virtual life and a seeming lack of confidence by organizations in managing and securing identities beyond their employees led to the formation of a new technical working group focused on CIAM and the next generation of thinking.
Customer IAM vs Workforce IAM
In general, traditional IAM systems were built to protect internal systems and data without prioritizing the end user experience or the ability to scale when needed. CIAM, on the other hand, sits at the intersection of CRM and IAM and is driven by revenue-generating initiatives. While fewer companies focus on user experience for their employees, almost every CMO or CRO is focused on ensuring that customers have a positive experience and therefore remain loyal to the brand. If customers find it difficult to do business, or if they don’t trust that their information is safe, they will jump ship quickly.
The focus on experience, scale and trust highlights some significant differences between the two disciplines:
Customer Experience
Balancing security and user experience is significantly more important in the CIAM use case. Security approaches for traditional IAM may not work for CIAM. For example, MFA via a mobile app on a managed device may provide security and a decent user experience for an employee, but control over a customer’s device is unlikely, and the friction introduced may degrade the customer experience.
Scale and Performance
The “traditional” IAM workflow is workforce onboarding and provisioning; the CIAM equivalent is customer registration and enrollment. A very large company may have a workforce of 100,000, whereas some companies have a customer base of 100,000,000 or more. Many traditional IAM solutions are simply not architected and deployed for this scale. With scale challenges come performance challenges: as with user experience, poor performance or service disruptions can send customers to competitors.
Trust and Verification
With traditional IAM, employee identity is verified as part of the hiring/onboarding process, and user accounts are created and provisioned by IT. With CIAM, customers will typically self-register or use a social login (such as Facebook or Google). The customer verification process therefore depends on other techniques, such as confirming an email account or phone number, or a more advanced identity proofing process. It is often not perfect, but organizations should focus on risk reduction and achieving the highest possible level of trust.
Privacy and Consent
Employee access and the storage of employee PII can be governed by employment agreements and employment law. With CIAM, emerging regulations such as GDPR and CCPA have only just begun to put in place requirements and standards for the appropriate technical and organizational measures that govern the protection of customer data. These regulations carry large repercussions for organizations that do not make a concerted effort to protect their customers’ PII, obtain appropriate consent, provide access to data, or honor the right to be forgotten.
The Unique Challenges of CIAM
While at its most basic level IAM and CIAM share fundamental concepts – enable the right individuals to access the right resources at the right times for the right reasons – there are a number of challenges unique to the customer use case.
- High friction in the customer experience created by trying to balance security and privacy with convenience
- Risk of account takeover/fraud and the threat of a data breach
- Customer trust, acquisition, loyalty and retention
- Managing ever increasing data privacy regulations
- Disparate customer applications and siloed repositories that need modernizing to improve security and customer experience
How to Get Started?
Given that the IDSA is focused on the intersection of identity and security, our initial focus is geared toward security, privacy, consent and protecting customer data; however, the customer experience and customer journey are key to acquiring and retaining customers. Successfully navigating a CIAM project should span additional disciplines such as governance, compliance and marketing, while modernizing legacy systems.
For security practitioners, consider approaches that balance security and user experience, such as risk-based, adaptive MFA and passwordless approaches. In addition, as more organizations and security teams embrace and trust moving CIAM and IAM services to the cloud, data sovereignty has become an emerging topic. Security practitioners should be thinking and asking about where and how their customers’ PII is being stored, as they are on the hook for compliance with existing and emerging regulations.
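To make the “risk-based, adaptive MFA” recommendation concrete, here is an added illustration (not code from the IDSA or the working group) of a step-up policy that only challenges a customer when the login context looks risky, so a returning customer on a recognized device sees no friction. The signals, weights and thresholds are constructed for the example and would be tuned per organization; the step-up factor falls back to the email or phone channels the customer registered with, since a managed device cannot be assumed.

```python
from dataclasses import dataclass

# Actions where a takeover does the most damage; constructed list for the example.
SENSITIVE_ACTIONS = frozenset({"change_email", "change_password", "payment"})

@dataclass(frozen=True)
class LoginContext:
    known_device: bool            # device cookie / fingerprint seen before
    country: str                  # country of the current request
    usual_countries: frozenset    # countries this customer normally logs in from
    failed_attempts_last_hour: int
    action: str                   # "login", "payment", ...
    has_verified_phone: bool      # customer completed phone verification at enrollment

def risk_score(ctx: LoginContext) -> int:
    """Additive risk score; weights are illustrative, not a standard."""
    score = 0
    if not ctx.known_device:
        score += 40
    if ctx.country not in ctx.usual_countries:
        score += 30
    score += min(ctx.failed_attempts_last_hour, 5) * 10   # cap brute-force weight
    if ctx.action in SENSITIVE_ACTIONS:
        score += 25
    return score

def decide(ctx: LoginContext) -> str:
    """Return 'allow' (no extra friction), 'step_up' (challenge) or 'deny'."""
    score = risk_score(ctx)
    if score >= 90:
        return "deny"
    if score >= 40:
        return "step_up"
    return "allow"

def step_up_factor(ctx: LoginContext) -> str:
    """Pick a challenge channel that exists for a self-registered customer."""
    return "sms_otp" if ctx.has_verified_phone else "email_otp"

if __name__ == "__main__":
    home = frozenset({"US"})
    returning = LoginContext(True, "US", home, 0, "login", True)
    new_device = LoginContext(False, "US", home, 0, "payment", False)
    print(decide(returning), decide(new_device), step_up_factor(new_device))
```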
Some best practices have begun to emerge from a variety of sources and are evolving as organizations go through digital transformation and new focus is placed on the CIAM space. However, we believe this new Technical Working Group subcommittee has the opportunity to establish a set of vendor-neutral CIAM best practices, developed through collaboration between leading vendors in the space and the security practitioners who are leading these efforts in their organizations.
About the Author: The Customer Identity and Access Management Technical Working Group subcommittee was formed in July 2020. The team, led by Keith Graham, includes Baber Amin, Robbie Jones, Stephen Lee, Asad Ali, Tommy Wu, Anil Bamzai, Robert Block and Stephen Cox. Additional contributor Aubrey Turner.