API Management / Security / Sponsored / Contributed

Developing Customer Identity and Access Management (CIAM) Solutions

3 Dec 2020 3:00pm, by

WSO2 sponsored this post.

Malithi Edirisinghe
Malithi is Senior Technical Lead in WSO2’s Identity and Access Management team. She has been part of the WSO2 family for 6 years, contributing to the development of the open-source WSO2 Identity Server. She is passionate about IAM standards, trends and helping developers and professionals in simplifying and solving IAM requirements.

Customer identity and access management (CIAM) combines the security aspects of IAM with digital customer experiences. It enables organizations to securely capture and manage all sources and forms of customer identity and profile data.

Look at the weather app on your phone. Have you ever wondered how all that information is being fed and works in real-time? The temperature updates on your weather application are a result of a data exchange between the frontend widget and a weather service (e.g., Weather.com) via an application programming interface (API). Today’s applications no longer run only on a local device. APIs are being used everywhere to connect services exposed by one or more application providers to enhance application capabilities, cater to business use cases, and provide added value.

Consider another example from Uber, which owes much of its success to the company’s strengths in API integration and orchestration. The app relies on Google Maps for navigation, which is a critical and core part of the application. (Google has exposed over 92 APIs — including those for Analytics, Calendar, and Contacts — which are consumed by many other applications and services). Similarly, Uber also offers its own API. This allows the company’s services to be integrated into other applications. Some of its key API consumers are Hinge, Expensify, OpenTable, Momento, Starbucks, TripAdvisor, and United Airlines.

Enterprises are making APIs an important factor in their business models, utilizing them to provide value-added services for consumers and generate revenue. They allow companies to interact and share information with other firms at an unprecedented scale. This not only highlights the scope and reach of digital transformation efforts, but it also shows the influence of software in our day-to-day lives.

API Management

With APIs becoming critical, enterprises need ways to monitor their usage. Companies must also look into aspects such as throttling traffic for certain parties, providing security, and managing APIs by way of creating, updating, removing, and versioning them. This is where API management comes in. It primarily involves managing an API’s lifecycle (i.e., creating, testing, documenting, publishing, discovering, and monetizing). API management helps to enforce API security with access control, rate limits, and usage policies. It also provides analytics on API usage.

An API management platform enables both internal and external developers to easily and securely access enterprise data. This further increases the enterprise’s ability to quickly onboard applications across web and mobile that may reside within the enterprise network perimeter, in the cloud, or in a hybrid environment.

Why Is CIAM Important for API Management?

An application’s users — who will require access from a variety of locations and devices — can be customers, partners, employees, contractors, and developers. To protect and control access to the application and valuable data, identities for the above personas have to be carefully managed.

For any modern business, customer convenience, trust and loyalty are key drivers for success. If a company can meet customer needs by providing a consistent and convenient user experience across its channels, assure privacy and security, and comply with regulations, people will continue to return to that business.

APIs make information accessible, but to whom, when, and which information should be made accessible is an identity and access management (IAM) problem that CIAM products are experts at solving. This is why a CIAM solution should be integrated with an API management platform.

User registration, social logins, consent management, user profile management, consolidating a single identity across disparate user accounts and data sources, and branding control are some of the key capabilities a CIAM would bring into an API management platform. This enables a digital business to meet the agility and security needs by quickly utilizing data, effectively onboarding developer communities, and adapting to changing customer and regulatory compliance requirements. Figure 1 shows how CIAM and API management work together in a digital business.

Figure 1: APIM and CIAM in a digital business environment

The Value of CIAM

An effective CIAM solution enables an enterprise to connect with the customer, provide an optimized experience, and maintain a long-term relationship. It also helps to control access and protect privacy and user data.

According to Gartner research, providing a unified experience, meeting the requirement for a 360-degree view of the customer, replacing homegrown solutions, and streamlining operations are key factors that drive the need for a CIAM solution in a digital business. Figure 2 highlights a CIAM solution’s key value propositions.

Figure 2: The key values of CIAM

User Registration

API-driven digital businesses open up API marketplaces for external developer communities, where external developers become consumers of the enterprise APIs. Plus there will be applications built by both external and internal developers that are consumed by customers. Both of these personas become end-consumers. They should have a smooth online registration process, which is optimized for their roles and needs. A complex onboarding process will turn users away, which in turn will negatively impact the business.

A CIAM solution can simplify the registration process. It can provide customizable self-service registration that an enterprise can utilize to provide an optimized, business-branded sign-up. It will also help to collect the minimum amount of information based on the persona. Social registration can be utilized to enable users to register from their external identities — like GitHub, Facebook, Google, LinkedIn and Twitter. This not only simplifies the registration process, but also saves time. Additionally, mature CIAM solutions can integrate with marketing and CRM platforms to learn about a prospective customer — e.g. starting from when they first interacted with the business anonymously, to when they visited the website and downloaded white papers. This can help to improve the registration experience when a user decides to register and consume services. With a CIAM solution in place, an enterprise can benefit from improved customer conversion rates via simplified registration experiences.

When it comes to validating accounts, in order to balance security and usability an enterprise should be equipped to identify risk factors and enforce sophisticated validation techniques for high-risk accounts, versus a more relaxed approach for low-risk ones. CIAM solutions include Captcha verification (a.k.a. Completely Automated Public Turing Test to tell Computers and Humans Apart); account verification with email, phone, and knowledge-based user attributes from previous interactions; and integration with identity proofing platforms to validate government-authorized documents (such as national IDs, passports, driving licenses, etc).

In addition to customer registration, a comprehensive CIAM solution can also help with partner registration flows, supporting BYOID by integrating with partner identity platforms, or with delegated administration — where an administrative interface is provided to create, manage and delete user accounts and passwords on behalf of the user. It can also support employee registration use cases as well.

Progressive Profiling

The end-user experience and privacy concerns matter greatly for today’s digital enterprises. For marketing purposes and identity assurance, enterprises look to gradually know more about the customer based on service requests and interactions.

For example, asking someone to fill out a detailed form during the initial registration will dissuade them due to the time-consuming registration experience and privacy concerns. Only collecting the first name, last name, and email when the initial profile is created and then requesting additional information (such as the job title, company name, delivery addresses, etc.) when accessing further resources or services (e.g. when downloading a whitepaper, accessing digital content, or when processing an order) will help to provide a simplified experience. This also helps to get to know the customer gradually and request the required information when needed. CIAM vendors typically support progressive profiling capabilities, with extensibility to build business unique flows.

Single Sign-On (SSO)

SSO is a common feature of IAM implementations. API management solutions that leverage OAuth/OIDC protocols for API security will also provide basic SSO capabilities. Yet, IAM provides more, supporting all standard federation protocols comprehensively — such as SAML, OAuth, OIDC, WS-Federation, and the ability to bridge across multiple identity providers for outbound federation. This enables a consistent login experience for users across multiple channels and applications. Moreover, an effective IAM implementation supports comprehensive session management across applications and identity providers, providing single logout capabilities, and enables binding access delegation tokens for sessions — e.g. providing access only for the duration the session is active. Integrating API management solutions with IAM systems can help organizations to securely manage sessions and tokens.

Additionally, CIAM solutions typically also provide account linking capabilities that support more customer-oriented use cases. There can be multiple scenarios where a person may end up with multiple accounts. For example, a customer of an insurance company may have multiple insurance policies (such as for auto, home, and life), each managed by a separate user account. Or, an individual may have used multiple social identities to sign-in to a single user account. A CIAM solution can leverage SSO and federation for a unified user experience by associating these multiple accounts with a single identity.

User Profile Management

When customer identity and information lies at the heart of a digital business, it is important to provide self-service capabilities so that users can manage their own profiles. They should be able to review and update their personal information, credentials and passwords, the security profile with account recovery preferences, multi-factor authentication preferences, consent forms, etc. A CIAM solution that provides a customer self-care portal can easily support these requirements.

Strong Authentication

Digital transformation initiatives founded on APIs are making business logic and data readily available to internal and external users. Every application and API exposed to the internet increases the attack surface. Strong authentication is one of the technologies that can significantly improve the chances of preventing an attack. By adding additional layers of authentication factors to the authentication flow, it makes it more difficult for an unauthorized person to access a target. Compared with API management platforms, which often provide basic authentication factors, IAM vendors provide a variety of strong authentication factors, such as software tokens, hardware tokens, and biometrics via verified and supported integrations with leading multi-factor authentication (MFA) providers.

As a best practice, companies need to employ contextual and adaptive authentication processes to enhance security. It specifically becomes important with customers where user authentication should not inconvenience the user. A CIAM solution can provide passwordless, adaptive, and risk-based authentication supporting secured access from multiple channels based on request, access channel, user attributes, and user behavioral contexts. Additionally, strong customer authentication is now included in regulatory compliance requirements, such as PSD2.

Privacy and Consent Management

Customer consent and privacy management is becoming a top priority for almost all enterprises, with the rise of privacy regulations such as the GDPR in the EU and consumer privacy acts in Canada, Brazil, and the State of California. Due to these regulations, business end-users must be able to give consent at the time of registration, during a progressive profiling flow, and while sharing information with applications that are accessed over various channels. Customers actively participate in determining which information is collected and shared; they should be able to manage consent and privacy settings from the profile and see which information is shared, with whom, when and how, and revoke as needed. CIAM solutions implement these features and become the prime component that should be integrated in a digital business environment that deals with personally identifiable information (PII).

Consolidated Identity

Providing a single view of the customer, by aggregating identity data in various data sources, marketing, and CRM systems is an added advantage of a CIAM solution. CIAM vendors that support integration capabilities and connectors make this integration less painful by helping the enterprise to build a comprehensive customer journey, while consolidating all identity properties to a single identity.

API Management and CIAM — Stronger Together

Figure 3: Reference architecture for an integrated APIM and CIAM platform

CIAM and API management are not necessarily dependent on each other; they can operate separately. Yet, with the necessity to build up a digital ecosystem for partnerships, stay ahead of the competition, and meet increasing consumer demands, enterprises open up data and applications for developers and partners. This journey brings in more and more identities to be managed for various personas. Ultimately, all these users look for a unified, consistent experience over multiple channels of access. They also want features like privacy and consent management; and these needs can be solved with CIAM. Figure 3 shows a reference architecture for an integrated platform. Note that we have used WSO2’s products as references only.

Developing CIAM solutions has increasingly become a developer’s task, moving away from the traditional identity administrator who manages user accounts and access privileges. With the proliferation of devices, the shift towards digital transformation, and the need to understand the customer journey better, identity and access management plays a pivotal role in making sense of identity data with the use of developer-friendly CIAM solutions.

Feature image via Pixabay.

A newsletter digest of the week’s most important stories & analyses.