GETTING CUSTOMER IAM RIGHT
WHITE PAPER
TABLE OF CONTENTS
INTRODUCTION
BUSINESS DRIVERS OF CIAM
FUNCTIONAL REQUIREMENTS OF CIAM
PUTTING CUSTOMER EXPERIENCE AT THE CENTER
CONCLUSION
INTRODUCTION
When most people think about identity and access management (IAM), they think of traditional solutions built to manage employee access to on-premises
applications. Customer access has been needed since the dawn of the Internet, but the use cases were typically treated as one-off projects
and pieced together accordingly. It wasn’t unusual for companies to build their own version of IAM to address customer-facing projects.
Fast forward to today, and the need for customer-facing IAM is apparent. As customers increasingly buy online—using new devices, applications and
channels—companies are faced with a whole new set of IAM challenges.
Aside from the customer identity information your company needs to know, like name, email address, payment types and shipping addresses, there are
deeper insights like buying behavior, product/offering preferences, communications preferences and privacy choices that companies can use to deliver
personalized customer experiences. In the digital world, the degree to which companies know and understand their customers, and can make things
easier for them, can mean the difference between successfully delivering the differentiated products and services that encourage loyalty or conversely
losing those customers to competitors.
Typically, the capturing, storing and managing of these customer identity profiles falls to the IT department and IAM pros. They have managed
employee identities for years, so how much different can customer identities be, right?
Customer IAM (CIAM) is vastly different from employee IAM. For starters, CIAM requires greater
security, performance and scalability to manage millions, if not hundreds of millions, of identities.
It also requires a unique set of customer-specific functionality that includes privacy management,
social login, self-service registration and account management, and more.
In its Market Overview: Customer Identity And Access Management (CIAM) Solutions, Forrester
states that “the unique requirements of customer identity, especially scale, performance, usability
and support for seamless multichannel interactions, have necessitated the development of
CIAM as its own market segment with competitive offerings distinct from traditional solutions
for employee IAM.”1 As such, the market is growing at a rapid pace and expected to reach $37.8
billion in size by 2023. That is almost three times larger than it is today.
Combine these requirements with an unparalleled need for usability and support for seamless
multi-channel interactions, and the delta widens. For these reasons, CIAM requirements are
increasingly regarded by leading industry analysts and others as separate and distinct from
typical enterprise IAM.
Just as the requirements are different, so is the approach to defining and implementing a solution. A CIAM solution must address multiple cross-functional
considerations and integrate with systems managed by other areas within a business.
While IT typically holds responsibility for the technology, collaboration with other key stakeholders, like marketing and legal, becomes critical. As you
align IT and technical goals to those of other business teams and their digital initiatives, the focus shifts from the bottom line to the top line. The right
CIAM solution can be a key digital business enabler that drives revenue and growth.
1 Merritt Maxim and Andras Cser, “Market Overview: Customer Identity And Access Management (CIAM) Solutions,” Forrester Research, Aug 4, 2015, http://www.servicecontrol.com/wp-content/uploads/2014/07/Forrester_Research_-_CIAM_Market_Overview.pdf
2 “Consumer IAM Market - Global Forecast to 2023”, Markets and Markets, August 2018, https://www.marketsandmarkets.com/Market-Reports/consumer-iam-market-87038588.html
The compound annual growth rate (CAGR) of the Consumer IAM
Market from 2018 to 2023.2
Digital transformation is a key business initiative for organizations across a wide range of industries. And CIAM capabilities are a requirement
to keep pace. Your company can’t move forward until you’re able to manage and secure the vast amounts of identity data that digital business
generates and uses across varying technologies. Further, you’re expected to provide a superior, seamless customer experience across channels,
while addressing security and privacy concerns that pose significant potential for negative ramifications.
So, how do you optimize the experience for customers, while simultaneously protecting them and your organization? Read on to learn the best
practices for defining and evaluating a CIAM solution that meets both enterprise needs and customer expectations.
BUSINESS DRIVERS OF CIAM
Before diving into CIAM functional and technical requirements, first look at your business requirements. A well-designed CIAM solution has
extensibility across the entire organization, providing value on several fronts and meeting a variety of business needs.
Start with projects where you can deliver immediate value and benefit the entire organization. Six often-mentioned business challenges driving
the need for CIAM are:
DIGITAL BUSINESS TRANSFORMATION
A recent study calls customer experience “the heart and soul of digital transformation,” reporting that 55 percent of those responsible
for digital transformation cite “evolving customer behaviors and preferences” as the primary catalyst of change. CIAM is a key enabler
for digital business strategies by supporting positive customer interactions and personalization across all channels and apps.
INCREASING SECURITY THREATS
The alarming rise in new attack vectors, coupled with the scale and frequency of data breaches—not to mention the costly damage
they can cause brands—puts securing customer data at the top of the IT team’s priority list. Customer identities must be secured from
authentication all the way to the data layer. CIAM solutions provide features such as multi-factor authentication (MFA), end-to-end
data encryption and more in their security arsenal.
INTERNET OF THINGS (IoT) ADOPTION
CIAM capabilities—such as scale, security, performance and preference management—are fundamental to supporting IoT initiatives.
As companies seek to offer innovative IoT products and services, CIAM is key to securing interactions between devices and humans.
3 Brian Solis, Jaimy Szymanski, “The 2016 State of Digital Transformation”, Altimeter, accessed on Feb 2, 2017, http://www2.prophet.com/The-2016-State-of-Digital-Transformation
PRIVACY REGULATION COMPLIANCE
Data privacy is a growing concern for customers as they share more information with more organizations and their partners. As a
result, the regulatory landscape is a complex environment that varies widely by geography, industry and other factors. Organizations
must adhere to dynamic sets of rules that vary from customer to customer. CIAM solutions offer centralized policies and fine-grained
data access governance that can be used to enforce customer consent on an attribute-by-attribute level and adhere to regulations in a
dynamic privacy landscape.
DEVELOPMENT & DELIVERY OF MOBILE APPS
Mobile applications can be an exciting new medium for customers, but providing a mobile customer experience that is consistent
with web apps and other channels requires a modern CIAM solution. Though mobile is only a single piece of the multi-channel puzzle,
mobile initiatives can be a catalyst to incorporate scale, performance, security, single sign-on (SSO) and other CIAM capabilities into
an enterprise.
PARTNERSHIPS, MERGERS & ACQUISITIONS
The integration of multiple web properties under a single brand—often due to new business partnerships or M&A activity—can create
disparate data silos that result in disjointed customer experiences and require varying levels of data unification. CIAM solutions have
SSO and data synchronization capabilities that can help create a single unified customer view across organizations, web properties
and applications.
FUNCTIONAL REQUIREMENTS OF CIAM
Your employees may grudgingly put up with a clunky identity management process, but your customers have options. Today’s hyper-connected
consumers expect instant, seamless and secure access whenever and wherever they want it. You need to provide a frictionless experience to
increasingly savvy and fickle customers across multiple channels and devices—or risk losing them to competitors that do.
Customer standards are rising, thanks to the growing number of customer experience leaders that provide amazing multi-channel customer
experiences. With higher expectations than ever before, customers can and will abandon your brand if their experience feels insecure or
becomes too complex, disjointed or time-consuming.
CIAM solutions provide a number of benefits that enable seamless and secure experiences for your customers:
CUSTOMER EXPERIENCE
Customer experience is the next competitive battleground for enterprises. Customers expect a smooth, seamless experience that
starts with a simple registration and continues to deliver relevant, personalized experiences through all interactions with a brand.
A CIAM solution can provide self-service registration with the option for social login, account management, account recovery and
privacy management, giving customers control over their experience.
SCALABILITY AND PERFORMANCE
Customers expect instant and secure access to your brand, 24/7. Employee IAM solutions may support thousands of users
at relatively predictable times, but few are designed to meet the demands and peak usage requirements of customer-facing
applications. CIAM solutions must be able to scale up to handle increased traffic, including unpredictable demand spikes and usage
patterns. Consider the implications of your tax service going down on April 15 or a retail site suffering from an outage on Black Friday.
A CIAM solution can handle many millions of customers simultaneously, while delivering the high performance and availability that
customers expect.
CONSISTENCY ACROSS ENGAGEMENT CHANNELS
Whether your customers use a web or mobile browser, a mobile app, an in-store kiosk or even make a phone call to your support
department, they expect a consistent experience. CIAM solutions can deliver SSO capabilities—to ensure customers have consistent
authentication experiences—secure access and a unified customer profile accessible to all channels with the same set of preferences,
privacy settings and identity data.
END-TO-END SECURITY
The frequency of data breach headlines has made both enterprises and their customers aware of the damage a breach can cause.
CIAM solutions provide end-to-end security from authentication to the data layer. This includes centralized access control, customer
MFA that is both secure and convenient, and data encryption in every state. They also deliver a long list of security features based on
best practices, giving enterprise security professionals a higher degree of confidence and putting customer concerns at bay.
PRIVACY AND DATA-SHARING CONSENT
Customers are more protective than ever of their personal data, and enterprises must adhere to privacy regulations at the corporate,
regional and industry level. CIAM solutions provide centralized policies that allow attribute-by-attribute level control over internal and
external applications’ access to customer data. This makes it easy to enforce customer consent and meet dynamic sets of regulatory
requirements, while giving customers control over and insight into who has access to their data.
PUTTING CUSTOMER EXPERIENCE AT THE CENTER
According to Forrester, poor CIAM is often the cause of poor customer experience.4 In other words, design your solution well, and customers will
be delighted. But design it poorly, and they will quickly become frustrated.
Until recently, there weren’t defined standards, making it difficult to know how to evaluate solutions. But that has changed as analysts see the
need for customer IAM solutions that are distinct from traditional employee IAM.
Forrester suggests giving up the notion of building an in-house solution, given the unique capabilities and requirements of customer identity.5
So how do you evaluate competitive offerings? Gartner details a comprehensive list of capabilities:6
• Self-service registration and account management
• Scale and performance to support large customer-facing enterprises
• Social login
• Contextual multi-factor authentication (MFA)
• SSO to multiple applications
• Secure data storage and management
• Data sync and aggregation
• Password management and account recovery
• Support for multichannel engagement
Each of these plays a role in your customers’ overall experience with your brand. As they interact with it along several engagement points, your
ability to provide a streamlined, secure experience at each is key to creating loyalty and driving revenue.
4 Jeff Edwards, “Forrester Addresses the Emerging Consumer Identity and Access Management (CIAM) Market Landscape,” Solutions Review, March 3, 2016, http://solutionsreview.com/identity-management/forrester-addresses-consumer-identity-ciam/
5 Merritt Maxim and Andras Cser, “Market Overview: Customer Identity And Access Management (CIAM) Solutions,” Forrester Research, Aug 4, 2015, http://www.servicecontrol.com/wp-content/uploads/2014/07/Forrester_Research_-_CIAM_Market_Overview.pdf
6 Mary Ruddy and Lori Robinson, “Consumer Identity and Access Management is a Digital Relationship Imperative,” Gartner, Dec 30, 2015, https://www.gartner.com/doc/3182119/consumer-identity-access-management-digital
CUSTOMER ENGAGEMENT POINTS
SELF-SERVICE REGISTRATION
Unlike employees who are provisioned, customers must be able to self-register and do so with the least amount of friction and an appropriate
level of security. By offering clean, simple registration forms, you provide the flexibility needed to streamline the experience for any customer.
Enterprises also need to be able to add secure, consistent registration experiences when launching new applications.
REGISTRATION BEST PRACTICES
CIAM solutions provide pre-built registration workflows that include everything from password policies to account recovery workflows.
Registration experiences should be completely customizable so enterprises can represent the branding standards and ease of use they’ve
worked so hard to create.
IDENTITY CREATION AND STORAGE
The registration process creates a user profile that may contain personally identifiable information (PII) and must be securely stored in a high-performance,
scalable directory. This customer identity repository is the foundation of the CIAM architecture. It not only houses customer identity
and profile data, but also facilitates the distribution of customer identity information to internal and external applications and enforces security.
Organizations may have tens or hundreds of millions of customer accounts (and billions of attributes) that are constantly being created and
updated. The identity repository must scale to support large volumes of users and their associated identity data. These directories securely store
and expose identity and profile data at massive scale.
SINGLE SIGN-ON
Seamless customer experiences begin with SSO. Authentications to your digital properties may be the most common experience customers have
with your brand. If different sets of credentials are required for each of your digital properties, your customers will quickly become frustrated and
may seek out a competitor whose digital properties are easier to access.
SOCIAL LOGIN
When providing a common authentication experience to all channels, you’ll also want to offer customers convenient options such as social login.
Customers often prefer the ability to use existing credentials from sites such as Facebook or Google to make signing on even more convenient.
THE IMPORTANCE OF STANDARDS
Using identity standards, like Security Assertion Markup Language (SAML), OAuth, OpenID Connect and SCIM, allows for the secure transmission
of user data. Today’s enterprises may require a diverse set of standards to provide SSO to all of their internal and partner applications. A solution
that supports many standards will ensure that secure, seamless SSO can be provided across all of your digital properties, whether on premises or
in the cloud.
CUSTOMER MFA
MFA is generally defined as an authentication procedure requiring the combination of multiple authentication factors, including at least two of
the following:
• Something you know (e.g., a password, a PIN)
• Something you have (e.g., mobile device, token, smart card)
• Something you are (e.g., proven by a fingerprint or iris scan)
Authentication beyond a username and password is a requirement for an increasing number of CIAM use cases, but striking a balance
between strong security and user experience is tricky. Unlike employees, customers won’t download a third-party mobile application for MFA.
Customer MFA must be provided conveniently and securely within the customer experience. SMS is a common option; however, the National
Institute of Standards and Technology (NIST) has recently deemed SMS an insecure second authentication factor.
A better option for customers is to turn your own mobile application into a secure second factor. Many CIAM solutions offer MFA that you can
embed directly into your mobile app. This not only provides seamless and secure MFA for your customers, but also adds value to your mobile
application. Customer MFA should have the ability to be triggered during authentications or during specific, high-value transactions. This
ensures that you can mitigate a large portion of security risks, with little effect on customer experiences.
UNIFIED CUSTOMER PROFILE
A seamless, multi-channel user experience starts with SSO during authentication and registration. However, as customers continue to interact
with a brand, a common unified profile at the data layer is also required to facilitate a cohesive multi-channel experience.
Once a customer signs on to any one of your digital properties, they’ll expect their preferences, opt-in/out choices, account information or
other data to be accurate, even if they last updated it on a different channel. There is nothing more frustrating to customers than having to
update the same information multiple times. There are several key capabilities required for modern directories that store your customer profile:
• Data encryption in every state
• Storage of unstructured data
• Extreme scalability to store many millions of customers
• High availability and performance, even during peak usage
• Accessibility to all apps via developer-friendly REST APIs
CREATING A UNIFIED PROFILE
Enterprises often have multiple sources of data about their customers. These identity silos can result from separate business units using
discrete registration processes and applications built over time with different identity data repositories, as well as mergers and acquisitions.
CIAM solutions must be able to work within your existing environment to help create a unified profile. It’s not always possible for organizations
with many disparate data silos and no real source of truth about customers to do a batch export of customer data and then import it into a
new directory.
CIAM solutions also should contain data synchronization capabilities that can be used to create a unified profile at the data layer from your
existing environment. This can be achieved in a couple different ways. First, data can be migrated from disparate identity silos into a unified
customer directory. A bi-directional data sync can act as a safety net, keeping the original data source up and running throughout the process
until you’re ready to migrate the associated applications and decommission the legacy data source.
Alternatively, if there is a need to keep certain legacy directories up and running for a longer period of time, a permanent, real-time bi-directional
sync can be maintained between those identity data silos and the unified directory. In either case, the unified profile needs to be
scalable, secure and easily accessible by all applications.
SELF-SERVICE ACCOUNT MANAGEMENT
The customer’s identity data is the heart of a CIAM solution. The customer profile is comprised of both structured and unstructured data
captured throughout the organization across multiple channels and apps. It may include data provided by customers through the registration
and preference management process, as well as behind-the-scenes data captured by applications, like browser fingerprints.
Customer profile management should be customizable, allowing enterprises to determine the look and feel, workflows, and data captured
and stored within the customer profile. It should also provide customers (and delegated administrators) with self-service account
management capabilities that make it easy for them to manage their profile data.
SELF SERVICE
Customers have no patience for dealing with a customer service representative each time they need to update their account. Providing
an intuitive, easy-to-use interface so customers can directly access and make changes to their identity attributes, preferences and privacy
settings is vital.
DELEGATED ADMINISTRATION
In instances where a delegated administrator needs to access or modify a customer’s account on their behalf, CIAM solutions can provide
delegated account administration capabilities. This allows a customer service rep, head of household or other delegated administrator
to manage passwords and other account attributes on behalf of customers. There should also be mechanisms to not only control which
accounts delegated administrators have access to but which specific attributes they can see and which they can edit.
PASSWORD MANAGEMENT AND ACCOUNT RECOVERY
CIAM solutions should also allow customers to update or change a username and password. Self-service features like resetting passwords
for lost or forgotten sign-on credentials further improve the customer experience.
PRIVACY & CONSENT MANAGEMENT
Enterprises today face a complex assortment of regional, industry and corporate privacy regulations. These regulatory requirements must be
layered on top of one another and enforced differently from customer to customer. A customer who is an EU citizen, for example, may require
different consent or have different data residency requirements from a customer who is a U.S. citizen. If that customer is under the age of 18,
there may be yet another set of regulations that apply.
Failing to comply with regulations not only risks customer trust and loyalty, it can also result in costly fines, depending on which regulation was
violated. Given the frequency with which regulations change, privacy compliance can be a convoluted, risky engagement that requires CIAM-specific
capabilities:
CENTRALIZED POLICY CONTROL
Managing separate sets of privacy compliance policies on an application-by-application basis is next to impossible. You must be able to
manage policies that control access to customer data in a centralized manner across all applications and channels. You should also be able
to control access to customer data on an attribute-by-attribute level. By doing this, you can manage privacy and data-sharing rules in a single
place, with little effect on individual application development teams.
CONSENT MANAGEMENT
Collecting customer consent is required by several different regulations. Customers must clearly understand when they’re consenting to share
data and what value will be provided to them by sharing access to their data. They should be able to consent to individual attributes in a fine-grained
manner, versus more coarse-grained consent for sharing several attributes at a time. Finally, customers need insight into and control
over whom their data is being shared with. Giving customers this type of control will ensure that you adhere to privacy regulations and build
trust with your customers.
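The attribute-by-attribute enforcement described under centralized policy control and consent management can be sketched as a single default-deny release function. This is an added example, not code from the white paper or from any CIAM product; the application names, attribute names and sample profile are constructed for illustration.

```python
from dataclasses import dataclass, field

# Hypothetical central policy: the attributes each application may ever
# receive, managed in one place rather than inside each application.
APP_POLICY = {
    "shipping-service": {"name", "email", "shipping_address"},
    "marketing-partner": {"email", "product_preferences"},
}

# Constructed sample profile (not real customer data).
SAMPLE_PROFILE = {
    "name": "Alex Example",
    "email": "alex@example.com",
    "shipping_address": "1 Example Street",
    "product_preferences": ["outdoor"],
    "payment_type": "card",
}


@dataclass
class ConsentRecord:
    """Per-customer consent, tracked per (application, attribute) pair."""
    grants: set = field(default_factory=set)

    def grant(self, app, attribute):
        self.grants.add((app, attribute))

    def revoke(self, app, attribute):
        self.grants.discard((app, attribute))

    def shared_with(self):
        """Customer-facing view of who holds consent for which attributes."""
        view = {}
        for app, attribute in sorted(self.grants):
            view.setdefault(app, []).append(attribute)
        return view


def release_attributes(app, requested, profile, consent):
    """Return (released, denied) for one application's request.

    Default deny: an attribute is released only when the central policy
    permits it for this application AND the customer consented to sharing
    that specific attribute with that specific application.
    """
    allowed = APP_POLICY.get(app, set())  # unknown applications get nothing
    released, denied = {}, {}
    for attr in requested:
        if attr not in allowed:
            # Policy is checked first, so consent cannot widen the policy.
            denied[attr] = "not permitted by central policy"
        elif (app, attr) not in consent.grants:
            denied[attr] = "no customer consent"
        elif attr not in profile:
            denied[attr] = "attribute not in profile"
        else:
            released[attr] = profile[attr]
    return released, denied


if __name__ == "__main__":
    consent = ConsentRecord()
    consent.grant("marketing-partner", "email")
    # Consent outside the policy does not lead to release.
    consent.grant("marketing-partner", "payment_type")
    request = ["email", "product_preferences", "payment_type"]
    print(release_attributes("marketing-partner", request, SAMPLE_PROFILE, consent))
    consent.revoke("marketing-partner", "email")
    print(release_attributes("marketing-partner", ["email"], SAMPLE_PROFILE, consent))
    print(consent.shared_with())
```

The `denied` reasons are what an audit log or a customer-facing consent screen would surface; revoking consent takes effect on the next request because the decision is made centrally at release time.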
END-TO-END SECURITY
Finally, all customer engagement points should be deployed with end-to-end security. Securing customer data throughout the customer lifecycle
is an important part of CIAM. Customers may not be aware of security when it’s working well, but if a breach puts their personal data at risk, it
can cost organizations customer trust, loyalty and revenue. CIAM solutions provide a multi-layered security approach:
AUTHENTICATION LAYER SECURITY
CIAM solutions secure customers during authentication through registration and authentication best practices. They also implement seamless
and secure customer MFA, which presents second authentication factors to customers during authentications or high-value transactions.
APPLICATION / API LAYER SECURITY
CIAM solutions can also centrally manage customer access to applications, down to the page/URL level. This is useful for controlling access to
premium content, for example.
DATA LAYER SECURITY
Encrypting data at every stage—at rest, in motion and in use—can ensure that customer data, including sensitive PII, is protected from insider
attacks. CIAM solutions also provide other data-layer security features like tamper-evident logging, data access governance and many more.
#3028 | 11.18 | v03
ABOUT PING IDENTITY: Ping Identity envisions a digital world powered by identity. As the identity security company, we simplify how the world’s largest organizations prevent security breaches, increase employee and partner productivity and provide personalized customer experiences. Enterprises choose Ping for our identity expertise, open standards leadership, partnership with companies like Microsoft, Amazon and Google, and collaboration with customers like Boeing, Cisco, Disney, GE, Kraft Foods, Walgreens and over half of the Fortune 100. The Ping Identity Platform allows enterprises and their users to securely access cloud, mobile and on-premises applications while managing identity and profile data at scale. Architects and developers have flexible options to enhance and extend their existing applications and environments with multi-factor authentication, single sign-on, access management, directory and data governance capabilities.
CONCLUSION
Until recently, customer identity solutions were typically customized one-offs or a combination of custom code, portals and employee
IAM solutions. But CIAM has now been established as having different and distinct considerations and technical needs. Trying to bolt on
functionality to your existing enterprise IAM solution just doesn’t cut it.
A comprehensive CIAM solution needs to be centered around your customers. It should provide secure, cohesive customer experiences
through SSO and a high-performance, scalable, unified profile that is accessible across all applications and channels. It should build the trust
of your customers by providing centralized data access governance policies that enforce customer consent and adhere to privacy regulations.
And it should allow customers to easily register, view and manage their account information, data-sharing consents and preferences to
facilitate a personalized experience across channels.
With the right CIAM solution, you can deliver the consistent, frictionless experience that your customers expect, while ensuring the security
and regulatory compliance your enterprise requires.
To learn more, visit pingidentity.com.