The Challenges of Designing and Building a CIAM System
Once there was identity access management (IAM). It did a pretty decent job of managing our workforce's access to corporate resources. Then, things changed. The Internet took off, workers started to work remotely and wanted to use their own laptops and mobile devices to check email, etc. (BYOD). The IAM systems of old started to creak under the strain of new modes of working. And then again, there were the customers, people we dealt with, who wanted to access our services, buy our products, and receive information from our company. To do so, we had to know something about them too. The old IAM system just couldn't cope. It raged against the machine, finally croaking as it tried to meet these new requirements.
So, IAM changed. It has risen from the ashes of legacy IAM to become customer identity access management (CIAM). In recent research into customer identity access management, analysts Forrester found that 81% of enterprises are planning to implement or expand their use of CIAM systems. CIAM offers a number of advantages over older IAM-based systems. Many CIAM systems can act as hybrids, servicing a business/corporate audience as well as dealing with a wider customer-facing one. This spectrum of identity use cases can be complicated. However, as the concept of digital identity matures, the spectrum will begin to merge at certain points. In this article, I will look at the areas where CIAM diverges from IAM and how it needs to meet the complicated requirements of mass-adopted, wide-demographic identity systems.
In What Ways Is CIAM Different from Enterprise IAM?
To get a view of what CIAM brings to the enterprise identity table, it is best to start off looking at how traditional IAM and CIAM differ:
| Consideration | IAM | CIAM |
|---|---|---|
| Use cases | Internal access to resources and enterprise applications | Wide scope of use cases, from BYOD employee access control to customer account creation and servicing, marketing automation and KYC |
| Users | Controlled internal users | Anyone; a massive audience and potentially a demographic as wide as humanity; also difficult-to-verify demographics, such as minors |
| Threats | Inside the perimeter, more controlled; database security, spear phishing, insider threats, malware | Needs security that covers web app threats, database security, spear phishing, mass phishing, insider threats, malware |
| Privacy and regulation | Employee protection under certain regulatory frameworks like GDPR | Wide scope of privacy protection depending on location/industry, including various country/state privacy laws, GDPR, HIPAA, PCI-DSS, etc. |
| Scale | Enterprise-scale: usually up to hundreds of thousands at maximum, more likely much less | Web-scale: needs to scale massively to millions, even up to billions |
| User experience | Internal employees; UX much less important | UX needs to be wonderful for customer retention; it must also accommodate often complex forms and be accessible to a wide audience, including disabled persons |
| Mobile | Less important | Must be responsive and mobile friendly; more complicated help options and security features |
| Self-service | Not usually required | Vital to reduce help desk costs; self-service account recovery, especially with 2FA, can be complicated |
| Authentication | Username/password, improving with 2FA options in recent years | Needs to accommodate multiple options for a wide demographic audience; may also need to include social federated login, biometrics and mobile device-based methods |
| Identity verification | Internal directory controlled via HR | Complicated, depending on the level of assurance that the user is who they say they are |
As you can see, customer identity access management has some additional considerations, compared to a traditional IAM system. However, this also confers additional benefits on anyone utilizing this type of identity service. In other words, you get what you pay for. A CIAM system will give you greater flexibility in building relationships with your customers. A CIAM system should allow you to use your customer identity to build channels of communication and trust between your service and that customer.
Six Areas to Focus on When Using CIAM
If you are thinking of implementing a CIAM system or perhaps upgrading from a more traditional identity service to a customer-facing one, there are certain areas that you can focus on when building a set of requirements. Below I have identified some of the more pertinent ones.
Area 1: What do they want to do with a CIAM system?
Understanding your use cases is a really good place to start when starting to think about using a CIAM system. CIAM is an identity approach that cuts across all industry sectors and offers benefits across a number of scenarios. Thinking of CIAM as a process is important before looking at the technology available. Here I’ll outline some general use cases by sector so you can start to plan out your own needs:
Financial: Know your customer (KYC) is a tricky issue for the financial sector to do online. According to a report by the Bank of America, 62% of Americans use digital banking. But a KYC survey by Thomson Reuters found that completing a KYC process is not straightforward and can become onerous, with costs of up to $500 million per year. Having a system that on-boards customers online could reduce both the cost and the time of a KYC check. A number of banks are moving in this direction, looking to CIAM systems to perform identity verification checks on customers setting up bank accounts.
Healthcare: Protected health information (PHI) is coming under more scrutiny with the privacy expectations of GDPR. CIAM systems that can manage this type of special identity data can be configured to give the patient more control over who accesses their health data, why, and when. Consumer mediated exchange of health data is being promoted by HealthIT.gov as a better method for patient-controlled access to health data.
Retail and Ecommerce: CIAM systems can be designed as bridges between your organization and your customers. CIAM isn’t just about creating an identity and using it to log in to an online account. CIAM can also offer you detailed insights into customers and their shopping preferences, yet at the same time allow you to comply with privacy and security regulations.
Area 2: Identification
In traditional IAM systems, identification was something that came about with the enrollment of an employee into the company. With CIAM, identification of users is much more difficult. The area of user verification is one that is being explored by governments in particular. Countries such as New Zealand, Switzerland, and the United Kingdom have built citizen identity systems that incorporate some form of identity verification when a person signs up to access government services. Identification is usually online but can be partly offline, too. Credit file agencies (CRAs) and systems like Gemalto’s Coesys document verification service can be used to perform verification.
Area 3: Authentication
Once verified, you have to use some method to authenticate that user and tie them to the verified identity. Authentication in CIAM systems needs a balance of usability and security that is unique to this type of service. The usual suspects, like username and password, are still widely used, but a second factor is becoming more important for preventing phishing. NIST has looked at the area of authentication in its Digital Identity Guidelines, which are well worth a read before deciding what type of authentication and related policies are needed in an identity system.
Area 4: Making it scale
Customer IAM systems and their close relatives, citizen identity systems, need to scale not only in terms of numbers and performance but also in terms of audience. CIAM systems should be designed to be elastic and use horizontal scaling. When implementing a CIAM system, check out the availability and performance to make sure they conform to your expected peak times.
Area 5: Making it secure
A CIAM system needs to be secured across all aspects of the service, from web security to front-end UI display to authentication to database security to secure credential recovery. A CIAM system is often widely adopted for handling the personal data of millions of users. It is likely to become a target, so security is paramount. A good place to start when considering the security needs of CIAM is to look at the OWASP Top Ten Security issues for 2017. One of the hardest nuts to crack in CIAM security is the balance between security and usability. Because these systems are meant to be used seamlessly with a beautiful UX, you must get that balance correct.
Area 6: What about existing accounts?
CIAM has hit the shelves a little late in the day. Many organizations already have established online customer accounts. When upgrading these accounts or extending them to add CIAM capabilities, the CIAM system must be able to migrate, or extend, existing accounts without impacting the end user to any great degree.
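One way to extend existing accounts without the user noticing is to upgrade their credential record at the moment they next log in. The example below is added here to illustrate that pattern; it is not code from the article or from any CIAM product, and it assumes a hypothetical legacy store holding unsalted SHA-256 password hashes that is migrated to salted PBKDF2 on successful login.

```python
import hashlib
import hmac
import os
from typing import Optional

# Hypothetical scheme names for the legacy store and the migration target.
LEGACY_SCHEME = "sha256"          # legacy: unsalted SHA-256 hex digest
NEW_SCHEME = "pbkdf2_sha256"      # target: salted PBKDF2-HMAC-SHA256
PBKDF2_ITERATIONS = 600_000

def legacy_hash(password: str) -> str:
    """Reproduce the legacy (weak) storage format so old records can be checked."""
    return hashlib.sha256(password.encode()).hexdigest()

def new_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Produce a self-describing record: scheme$iterations$salt$derived_key."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"{NEW_SCHEME}${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"

def verify(stored: str, password: str) -> bool:
    """Check a password against either record format, in constant time."""
    if stored.startswith(NEW_SCHEME + "$"):
        _, iters, salt_hex, dk_hex = stored.split("$")
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(dk.hex(), dk_hex)
    # Legacy record: compare against the old unsalted digest.
    return hmac.compare_digest(legacy_hash(password), stored)

def login(accounts: dict, username: str, password: str) -> bool:
    """Authenticate; on success, silently rehash a legacy record into the new scheme."""
    record = accounts.get(username)
    if record is None or not verify(record["hash"], password):
        return False
    if record["scheme"] == LEGACY_SCHEME:
        # The plaintext is only available at login, so this is the one
        # moment the record can be upgraded without bothering the user.
        record["hash"] = new_hash(password)
        record["scheme"] = NEW_SCHEME
    return True

# Constructed sample data: one account still in the legacy format.
ACCOUNTS = {
    "alice": {"scheme": LEGACY_SCHEME, "hash": legacy_hash("correct horse battery")},
}
```

Accounts whose owners never return are not upgraded by this approach, so a cut-off date after which remaining legacy records are forced through account recovery is usually needed alongside it.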
Final suggestions for the CIAM systems of your dreams
Gartner states that CIAM “can enable you to provide a secure, unified, and business-enhancing customer experience across multiple channels.” CIAM is an evolution out of traditional IAM systems, which has been driven by changes in the world in which we live, work, and play. It has enormous potential to make seemingly difficult use cases, like online KYC, simpler, more effective, and cheaper. It can help you reach out to a wide audience, creating touchpoints and ultimately building relationships between your business and your wider customer base. If done correctly, CIAM systems can also allow you to build in the levels of security needed by a world where cyber-threats against personal data are rife. CIAM also has options to ensure compliance with privacy regulations such as GDPR and HIPAA. There is rarely a magic wand where technology solutions are concerned. But the development of customer identity access management is creating something above and beyond just access control to applications and sites; it is building mechanisms to engage, relate to, and manage relationships.