How to Optimize Customer Identity and Access Management
Customer identity and access management (CIAM) has become indispensable for organizations. According to an article by the Business Research Company, the CIAM market is expected to reach $45.56 billion in 2025, at a compound annual growth rate of 18.6%. The research firm adds that the increasing use of Internet of Things (IoT) devices — such as smartphones, smartwatches, smart homes and medical sensors — will be the primary driving factor for this growth.
As the key purpose of CIAM is to increase revenue growth by harnessing identity data to acquire and retain customers, organizations can no longer ignore the signs and need to act. However, companies do not have similar experience levels with CIAM implementations. In this post, we look at organizations with three levels of experience and discuss what each of them should consider.
First, we need to understand the difference between CIAM and traditional identity and access management (IAM). On the surface, the differences might seem minor as both deal with managing identities and profile data and control user access to applications and services. However, the key differentiator is that CIAM deals with customers whereas traditional IAM addresses employees.
Since employees are bound by contracts and NDAs, traditional IAM solutions do not need to concern themselves too much about data and privacy. Furthermore, changes to user accounts made when an employee joins, leaves and switches roles within a company are handled by the administration. However, with CIAM, customers are not bound to a contract. Therefore, compliance with data and privacy regulations is critical for organizations. Moreover, customers perform tasks like registering, updating and managing consent.
Understanding these key differences plays a significant role in achieving enterprise goals. Depending on an organization’s experience with CIAM, there are other areas to consider to successfully implement a CIAM solution. These are reviewed below.
Level 1: Organizations New to CIAM
These organizations will have little understanding of what CIAM is and what to expect from a solution. Here are six areas they should consider:
1. Single Sign-On
An organization might have several applications. For example, an e-commerce portal might possess separate applications for buying, selling, payment and support. It is cumbersome to expect users to create multiple user accounts to access these applications, let alone remember their login credentials. This is where single sign-on (SSO) comes to the rescue. With SSO, users only need to create one account and can use it to access all applications.
2. Multifactor Authentication
Multifactor Authentication (MFA) adds an additional layer of security on top of passwords to ensure user accounts are safe from hackers. MFAs require an additional authenticating factor, such as a one-time password (OTP) that is usually texted or emailed to users. For instance, a solution like WSO2 Identity Server allows organizations to use SMS OTP, email OTP, authenticator apps and eligible biometric readers as additional authentication factors. This provides greater security, as even if a hacker gets hold of a user’s password, they will be unable to access the user account. However, not all customers like to go through the hassle of having to authenticate themselves, which leads us to the next point.
3. Adaptive Authentication
Since MFAs can put off a lot of customers, organizations can strike a balance between user experience and security with adaptive authentication. This decides if a user should be prompted to authenticate through additional factors based on their attributes such as their IP address (location), user role (administrator, general user, etc.) and risk factor. WSO2 Identity Server uses WSO2 Identity Server Analytics to analyze user behavior and decide if a user should be prompted to authenticate via additional factors.
4. Social Login
Let’s admit it. Nobody likes signing up for a new account anymore. We can skip this by allowing users to sign in using their social media accounts such as Facebook and Twitter, or other logins like Hotmail or Google ID. A solution like WSO2 Identity Server can integrate with popular applications including Microsoft, Google, Facebook, Twitter, Yahoo and Office 365 right out of the box and also allows organizations to add custom social logins.
5. Passwordless Authentication
It is difficult to remember passwords. This leads to risky behavior such as not using multiple passwords across applications, writing passwords down in nonsecure locations and using simple passwords that are easy to hack into. Passwordless authentication solves this problem by allowing customers to authenticate themselves via other factors such as OTPs, biometrics such as fingerprints and eye scans and email links.
Customers should be able to create their own accounts, unlike in traditional IAMs where the account is created for the user by someone else.
These factors will allow organizations new to CIAM to produce a CIAM solution that provides a healthy blend of security and a good user experience.
Level 2: Organizations with an Intermediate Understanding in CIAM
These organizations are likely exploring different ways to attract new customers. At this stage, a CIAM vendor can be expected to work with them to help better analyze industry trends and market competition. Here, it helps to understand the importance of regulations and compliance that can give organizations a competitive advantage. This is where experienced tech vendors come into their own, as their extensive experience can help to guide customers through the next stage of their CIAM journey.
Customer data is very important to an organization and a breach of this data can cost them financially and damage their reputation. Recent examples include compromising email addresses of 1.2 million GoDaddy accounts, leaking personal information and passport details of 106 million visitors to Thailand, and hackers accessing customer data of USCellular through its CRM software.
Furthermore, organizations should ethically collect, handle and store customer data. This is commonly known as data privacy. Data should not be collected without user consent or details about why information is required. Users should also be able to request a company remove their data.
A good CIAM solution will cater to these privacy requirements while being able to audit the use of customer data. Not respecting the data privacy of customers can land organizations in hot water.
Level 3: Organizations with Extensive Experience in CIAM
These organizations will already have a functional CIAM solution that complies with data privacy regulations. Here, a CIAM solution can go a step further and provide a robust way to help them provide a great user experience.
This means that a CIAM solution should support deployments in any environment — on premises, cloud or hybrid. A CIAM solution should also make sure that the integration with various deployment environments is as smooth as possible and the solution supports integrations with various other products in the market.
These organizations will likely have an exponentially growing user base. Therefore, a CIAM solution should be scalable to cater to such growth. The solution should enable enterprises to access user information easily and the information should be current.
Moreover, a CIAM solution should support access control to limit access to customer information. This ensures that customer information is available only to those who need it.
We have looked at three types of organizations and what they need to consider when implementing CIAM. Companies can further boost their CIAM solution by considering other aspects such as providing easier biometric authentication, automating user reports, securing all endpoints against brute force and phishing attacks, automating user reports, and providing analytics and data visualization.