
GETTING CUSTOMER IAM RIGHT

WHITE PAPER


TABLE OF CONTENTS

03 INTRODUCTION

04 BUSINESS DRIVERS OF CIAM

05 FUNCTIONAL REQUIREMENTS OF CIAM

07 PUTTING CUSTOMER EXPERIENCE AT THE CENTER

13 CONCLUSION


INTRODUCTION

When most people think about identity and access management (IAM), they think of traditional solutions built to manage employee access to on-premises applications. Customer access has been needed since the dawn of the Internet, but the use cases were typically treated as one-off projects and pieced together accordingly. It wasn’t unusual for companies to build their own version of IAM to address customer-facing projects.

Fast forward to today, and the need for customer-facing IAM is apparent. As customers increasingly buy online—using new devices, applications and channels—companies are faced with a whole new set of IAM challenges.

Aside from the customer identity information your company needs to know, like name, email address, payment types and shipping addresses, there are deeper insights like buying behavior, product/offering preferences, communications preferences and privacy choices that companies can use to deliver personalized customer experiences. In the digital world, the degree to which companies know and understand their customers, and can make things easier for them, can mean the difference between successfully delivering the differentiated products and services that encourage loyalty or conversely losing those customers to competitors.

Typically, the capturing, storing and managing of these customer identity profiles falls to the IT department and IAM pros. They have managed employee identities for years, so how much different can customer identities be, right?

Customer IAM (CIAM) is vastly different from employee IAM. For starters, CIAM requires greater security, performance and scalability to manage millions, if not hundreds of millions, of identities. It also requires a unique set of customer-specific functionality that includes privacy management, social login, self-service registration and account management, and more.

In its Market Overview: Customer Identity And Access Management (CIAM) Solutions, Forrester states that “the unique requirements of customer identity, especially scale, performance, usability and support for seamless multichannel interactions, have necessitated the development of CIAM as its own market segment with competitive offerings distinct from traditional solutions for employee IAM.”1 As such, the market is growing at a rapid pace and expected to reach $37.8 billion in size by 2023. That is almost three times larger than it is today.

Combine these requirements with an unparalleled need for usability and support for seamless multi-channel interactions, and the delta widens. For these reasons, CIAM requirements are increasingly regarded by leading industry analysts and others as separate and distinct from typical enterprise IAM.

Just as the requirements are different, so is the approach to defining and implementing a solution. A CIAM solution must address multiple cross-functional considerations and integrate with systems managed by other areas within a business.

While IT typically holds responsibility for the technology, collaboration with other key stakeholders, like marketing and legal, becomes critical. As you align IT and technical goals to those of other business teams and their digital initiatives, the focus shifts from the bottom line to the top line. The right CIAM solution can be a key digital business enabler that drives revenue and growth.

1 Merritt Maxim and Andras Cser, “Market Overview: Customer Identity And Access Management (CIAM) Solutions,” Forrester Research, Aug 4, 2015, http://www.servicecontrol.com/wp-content/uploads/2014/07/Forrester_Research_-_CIAM_Market_Overview.pdf

2 “Consumer IAM Market - Global Forecast to 2023”, Markets and Markets, August 2018, https://www.marketsandmarkets.com/Market-Reports/consumer-iam-market-87038588.html

[Callout figure] The compound annual growth rate (CAGR) of the Consumer IAM Market from 2018 to 2023.2


Digital transformation is a key business initiative for organizations across a wide range of industries. And CIAM capabilities are a requirement to keep pace. Your company can’t move forward until you’re able to manage and secure the vast amounts of identity data that digital business generates and uses across varying technologies. Further, you’re expected to provide a superior, seamless customer experience across channels, while addressing security and privacy concerns that pose significant potential for negative ramifications.

So, how do you optimize the experience for customers, while simultaneously protecting them and your organization? Read on to learn the best practices for defining and evaluating a CIAM solution that meets both enterprise needs and customer expectations.

BUSINESS DRIVERS OF CIAM

Before diving into CIAM functional and technical requirements, first look at your business requirements. A well-designed CIAM solution has extensibility across the entire organization, providing value on several fronts and meeting a variety of business needs.

Start with projects where you can deliver immediate value and benefit the entire organization. Six often-mentioned business challenges driving the need for CIAM are:

DIGITAL BUSINESS TRANSFORMATION

A recent study calls customer experience “the heart and soul of digital transformation,” reporting that 55 percent of those responsible for digital transformation cite “evolving customer behaviors and preferences” as the primary catalyst of change.3 CIAM is a key enabler for digital business strategies by supporting positive customer interactions and personalization across all channels and apps.

INCREASING SECURITY THREATS

The alarming rise in new attack vectors, coupled with the scale and frequency of data breaches—not to mention the costly damage they can cause brands—puts securing customer data at the top of the IT team’s priority list. Customer identities must be secured from authentication all the way to the data layer. CIAM solutions provide features such as multi-factor authentication (MFA), end-to-end data encryption and more in their security arsenal.

INTERNET OF THINGS (IoT) ADOPTION

CIAM capabilities—such as scale, security, performance and preference management—are fundamental to supporting IoT initiatives. As companies seek to offer innovative IoT products and services, CIAM is key to securing interactions between devices and humans.

3 Brian Solis and Jaimy Szymanski, “The 2016 State of Digital Transformation,” Altimeter, accessed on Feb 2, 2017, http://www2.prophet.com/The-2016-State-of-Digital-Transformation


PRIVACY REGULATION COMPLIANCE

Data privacy is a growing concern for customers as they share more information with more organizations and their partners. As a result, the regulatory landscape is a complex environment that varies widely by geography, industry and other factors. Organizations must adhere to dynamic sets of rules that vary from customer to customer. CIAM solutions offer centralized policies and fine-grained data access governance that can be used to enforce customer consent on an attribute-by-attribute level and adhere to regulations in a dynamic privacy landscape.

DEVELOPMENT & DELIVERY OF MOBILE APPS

Mobile applications can be an exciting new medium for customers, but providing a mobile customer experience that is consistent with web apps and other channels requires a modern CIAM solution. Though mobile is only a single piece of the multi-channel puzzle, mobile initiatives can be a catalyst to incorporate scale, performance, security, single sign-on (SSO) and other CIAM capabilities into an enterprise.

PARTNERSHIPS, MERGERS & ACQUISITIONS

The integration of multiple web properties under a single brand—often due to new business partnerships or M&A activity—can create disparate data silos that result in disjointed customer experiences and require varying levels of data unification. CIAM solutions have SSO and data synchronization capabilities that can help create a single unified customer view across organizations, web properties and applications.

FUNCTIONAL REQUIREMENTS OF CIAM

Your employees may grudgingly put up with a clunky identity management process, but your customers have options. Today’s hyper-connected consumers expect instant, seamless and secure access whenever and wherever they want it. You need to provide a frictionless experience to increasingly savvy and fickle customers across multiple channels and devices—or risk losing them to competitors that do.

Customer standards are rising, thanks to the growing number of customer experience leaders that provide amazing multi-channel customer experiences. With higher expectations than ever before, customers can and will abandon your brand if their experience feels insecure or becomes too complex, disjointed or time-consuming.

CIAM solutions provide a number of benefits that enable seamless and secure experiences for your customers:

CUSTOMER EXPERIENCE

Customer experience is the next competitive battleground for enterprises. Customers expect a smooth, seamless experience that starts with a simple registration and continues to deliver relevant, personalized experiences through all interactions with a brand. A CIAM solution can provide self-service registration with the option for social login, account management, account recovery and privacy management, giving customers control over their experience.


SCALABILITY AND PERFORMANCE

Customers expect instant and secure access to your brand, 24/7. Employee IAM solutions may support thousands of users at relatively predictable times, but few are designed to meet the demands and peak usage requirements of customer-facing applications. CIAM solutions must be able to scale up to handle increased traffic, including unpredictable demand spikes and usage patterns. Consider the implications of your tax service going down on April 15 or a retail site suffering from an outage on Black Friday. A CIAM solution can handle many millions of customers simultaneously, while delivering the high performance and availability that customers expect.

CONSISTENCY ACROSS ENGAGEMENT CHANNELS

Whether your customers use a web or mobile browser, a mobile app, an in-store kiosk or even make a phone call to your support department, they expect a consistent experience. CIAM solutions can deliver SSO capabilities—to ensure customers have consistent authentication experiences—secure access and a unified customer profile accessible to all channels with the same set of preferences, privacy settings and identity data.

END-TO-END SECURITY

The frequency of data breach headlines has made both enterprises and their customers aware of the damage a breach can cause. CIAM solutions provide end-to-end security from authentication to the data layer. This includes centralized access control, customer MFA that is both secure and convenient, and data encryption in every state. They also deliver a long list of security features based on best practices, giving enterprise security professionals a higher degree of confidence and putting customer concerns at bay.

PRIVACY AND DATA-SHARING CONSENT

Customers are more protective than ever of their personal data, and enterprises must adhere to privacy regulations at the corporate, regional and industry level. CIAM solutions provide centralized policies that allow attribute-by-attribute level control over internal and external applications’ access to customer data. This makes it easy to enforce customer consent and meet dynamic sets of regulatory requirements, while giving customers control over and insight into who has access to their data.


PUTTING CUSTOMER EXPERIENCE AT THE CENTER

According to Forrester, poor CIAM is often the cause of poor customer experience.4 In other words, design your solution well, and customers will be delighted. But design it poorly, and they will quickly become frustrated.

Until recently, there weren’t defined standards, making it difficult to know how to evaluate solutions. But that has changed as analysts see the need for customer IAM solutions that are distinct from traditional employee IAM.

Forrester suggests giving up the notion of building an in-house solution, given the unique capabilities and requirements of customer identity.5

So how do you evaluate competitive offerings? Gartner details a comprehensive list of capabilities:6

• Self-service registration and account management

• Scale and performance to support large customer-facing enterprises

• Social login

• Contextual multi-factor authentication (MFA)

• SSO to multiple applications

• Secure data storage and management

• Data sync and aggregation

• Password management and account recovery

• Support for multichannel engagement

Each of these plays a role in your customers’ overall experience with your brand. As they interact with it along several engagement points, your ability to provide a streamlined, secure experience at each is key to creating loyalty and driving revenue.

4 Jeff Edwards, “Forrester Addresses the Emerging Consumer Identity and Access Management (CIAM) Market Landscape,” Solutions Review, March 3, 2016, http://solutionsreview.com/identity-management/forrester-addresses-consumer-identity-ciam/

5 Merritt Maxim and Andras Cser, “Market Overview: Customer Identity And Access Management (CIAM) Solutions,” Forrester Research, Aug 4, 2015, http://www.servicecontrol.com/wp-content/uploads/2014/07/Forrester_Research_-_CIAM_Market_Overview.pdf

6 Mary Ruddy and Lori Robinson, “Consumer Identity and Access Management is a Digital Relationship Imperative,” Gartner, Dec 30, 2015, https://www.gartner.com/doc/3182119/consumer-identity-access-management-digital


CUSTOMER ENGAGEMENT POINTS


SELF-SERVICE REGISTRATION

Unlike employees who are provisioned, customers must be able to self register and do so with the least amount of friction and an appropriate level of security. By offering clean, simple registration forms, you provide the flexibility needed to streamline the experience for any customer. Enterprises also need to be able to add secure, consistent registration experiences when launching new applications.

REGISTRATION BEST PRACTICES

CIAM solutions provide pre-built registration workflows that include everything from password policies to account recovery workflows. Registration experiences should be completely customizable so enterprises can represent the branding standards and ease of use they’ve worked so hard to create.

IDENTITY CREATION AND STORAGE

The registration process creates a user profile that may contain personally identifiable information (PII) and must be securely stored in a high-performance, scalable directory. This customer identity repository is the foundation of the CIAM architecture. It not only houses customer identity and profile data, but also facilitates the distribution of customer identity information to internal and external applications and enforces security.

Organizations may have tens or hundreds of millions of customer accounts (and billions of attributes) that are constantly being created and updated. The identity repository must scale to support large volumes of users and their associated identity data. These directories securely store and expose identity and profile data at massive scale.

SINGLE SIGN-ON

Seamless customer experiences begin with SSO. Authentications to your digital properties may be the most common experience customers have with your brand. If different sets of credentials are required for each of your digital properties, your customers will quickly become frustrated and may seek out a competitor whose digital properties are easier to access.

SOCIAL LOGIN

When providing a common authentication experience to all channels, you’ll also want to offer customers convenient options such as social login. Customers often prefer the ability to use existing credentials from sites such as Facebook or Google to make signing on even more convenient.

THE IMPORTANCE OF STANDARDS

Using identity standards, like Security Assertion Markup Language (SAML), OAuth, OpenID Connect and SCIM, allows for the secure transmission of user data. Today’s enterprises may require a diverse set of standards to provide SSO to all of their internal and partner applications. A solution that supports many standards will ensure that secure, seamless SSO can be provided across all of your digital properties, whether on premises or in the cloud.


CUSTOMER MFA

MFA is generally defined as an authentication procedure requiring the combination of multiple authentication factors, including at least two of the following:

• Something you know (e.g., a password, a PIN)

• Something you have (e.g., mobile device, token, smart card)

• Something you are (e.g., proven by a fingerprint or iris scan)

Authentication beyond a username and password is a requirement for an increasing number of CIAM use cases, but striking a balance between strong security and user experience is tricky. Unlike employees, customers won’t download a third-party mobile application for MFA. Customer MFA must be provided conveniently and securely within the customer experience. SMS is a common option; however, the National Institute of Standards and Technology (NIST) has recently deemed SMS an insecure second authentication factor.

A better option for customers is to turn your own mobile application into a secure second factor. Many CIAM solutions offer MFA that you can embed directly into your mobile app. This not only provides seamless and secure MFA for your customers, but also adds value to your mobile application. Customer MFA should have the ability to be triggered during authentications or during specific, high-value transactions. This ensures that you can mitigate a large portion of security risks, with little effect on customer experiences.
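The factor-category rule and the "step up only for high-value transactions" policy described above, as an added example that is not from the white paper or any vendor product. Authenticator names, the 500.00 threshold and the 10-minute validity window are assumptions made for the illustration; SMS is listed as a factor category but not accepted as a second factor, following the NIST position the paper cites.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Map concrete authenticators to the three factor categories the paper lists.
FACTOR_CATEGORY = {
    "password": "know",
    "pin": "know",
    "app_push": "have",      # second factor embedded in the brand's own mobile app
    "totp": "have",
    "smart_card": "have",
    "sms_otp": "have",
    "fingerprint": "are",
    "iris": "are",
}

# Authenticators this policy accepts as the second factor. SMS is deliberately
# absent (assumption reflecting the NIST position the paper mentions).
ACCEPTED_SECOND_FACTORS = {"app_push", "totp", "smart_card", "fingerprint", "iris"}

STEP_UP_AMOUNT = 500.00      # assumption: transactions above this amount need step-up
RECENT_MFA_SECONDS = 600     # assumption: a completed step-up stays valid for 10 minutes


@dataclass
class Session:
    user: str
    factors: List[str]                    # authenticators verified so far, in order
    last_mfa_at: Optional[float] = None   # epoch seconds of the last completed MFA


def is_mfa(factors: List[str]) -> bool:
    """MFA means at least two *distinct* categories (know/have/are); this policy
    additionally requires one accepted second factor. password + PIN (both
    'know') or TOTP + push (both 'have') do not qualify."""
    categories = {FACTOR_CATEGORY[f] for f in factors if f in FACTOR_CATEGORY}
    has_accepted = any(f in ACCEPTED_SECOND_FACTORS for f in factors)
    return len(categories) >= 2 and has_accepted


def needs_step_up(session: Session, amount: float, now: float) -> bool:
    """High-value transactions need a fresh second factor unless the session
    completed MFA recently enough."""
    if amount <= STEP_UP_AMOUNT:
        return False
    if session.last_mfa_at is None:
        return True
    return now - session.last_mfa_at > RECENT_MFA_SECONDS


def authorize_transaction(session: Session, amount: float, now: float,
                          step_up_factor: Optional[str] = None) -> Tuple[bool, str]:
    """Decide whether a transaction may proceed. When step-up is required, the
    application presents the embedded second factor and calls again with the
    name of the authenticator it verified."""
    if not needs_step_up(session, amount, now):
        return True, "no step-up required"
    if step_up_factor is None:
        return False, "step-up required"
    if step_up_factor not in ACCEPTED_SECOND_FACTORS:
        return False, f"{step_up_factor} is not an accepted second factor"
    if not is_mfa(session.factors + [step_up_factor]):
        return False, "step-up factor does not add a new factor category"
    session.factors.append(step_up_factor)
    session.last_mfa_at = now
    return True, "step-up satisfied"
```

Low-value transactions never prompt, a completed step-up is reused within the window, and a second factor from the same category as the first (two "have" authenticators) is rejected rather than counted as MFA.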

UNIFIED CUSTOMER PROFILE

A seamless, multi-channel user experience starts with SSO during authentication and registration. However, as customers continue to interact with a brand, a common unified profile at the data layer is also required to facilitate a cohesive multi-channel experience.

Once a customer signs on to any one of your digital properties, they’ll expect their preferences, opt-in/out choices, account information or other data to be accurate, even if they last updated it on a different channel. There is nothing more frustrating to customers than having to update the same information multiple times. There are several key capabilities required for modern directories that store your customer profile:

• Data encryption in every state

• Storage of unstructured data

• Extreme scalability to store many millions of customers

• High availability and performance, even during peak usage

• Accessibility to all apps via developer-friendly REST APIs

CREATING A UNIFIED PROFILE

Enterprises often have multiple sources of data about their customers. These identity silos can result from separate business units using discrete registration processes and applications built over time with different identity data repositories, as well as mergers and acquisitions.

CIAM solutions must be able to work within your existing environment to help create a unified profile. It’s not always possible for organizations with many disparate data silos and no real source of truth about customers to do a batch export of customer data and then import it into a new directory.


CIAM solutions also should contain data synchronization capabilities that can be used to create a unified profile at the data layer from your existing environment. This can be achieved in a couple of different ways. First, data can be migrated from disparate identity silos into a unified customer directory. A bi-directional data sync can act as a safety net, keeping the original data source up and running throughout the process until you’re ready to migrate the associated applications and decommission the legacy data source.

Alternatively, if there is a need to keep certain legacy directories up and running for a longer period of time, a permanent, real-time bi-directional sync can be maintained between those identity data silos and the unified directory. In either case, the unified profile needs to be scalable, secure and easily accessible by all applications.

SELF-SERVICE ACCOUNT MANAGEMENT

The customer’s identity data is the heart of a CIAM solution. The customer profile comprises both structured and unstructured data captured throughout the organization across multiple channels and apps. It may include data provided by customers through the registration and preference management process, as well as behind-the-scenes data captured by applications, like browser fingerprints.

Customer profile management should be customizable, allowing enterprises to determine the look and feel, workflows, and data captured and stored within the customer profile. It should also provide customers (and delegated administrators) with self-service account management capabilities that make it easy for them to manage their profile data.

SELF-SERVICE

Customers have no patience for dealing with a customer service representative each time they need to update their account. Providing an intuitive, easy-to-use interface so customers can directly access and make changes to their identity attributes, preferences and privacy settings is vital.

DELEGATED ADMINISTRATION

In instances where a delegated administrator needs to access or modify a customer’s account on their behalf, CIAM solutions can provide delegated account administration capabilities. This allows a customer service rep, head of household or other delegated administrator to manage passwords and other account attributes on behalf of customers. There should also be mechanisms to control not only which accounts delegated administrators have access to, but also which specific attributes they can see and which they can edit.

PASSWORD MANAGEMENT AND ACCOUNT RECOVERY

CIAM solutions should also allow customers to update or change a username and password. Self-service features like resetting passwords for lost or forgotten sign-on credentials further improve the customer experience.


PRIVACY & CONSENT MANAGEMENT

Enterprises today face a complex assortment of regional, industry and corporate privacy regulations. These regulatory requirements must be layered on top of one another and enforced differently from customer to customer. A customer who is an EU citizen, for example, may require different consent or have different data residency requirements from a customer who is a U.S. citizen. If that customer is under the age of 18, there may be yet another set of regulations that apply.

Failing to comply with regulations not only risks customer trust and loyalty, it can also result in costly fines, depending on which regulation was violated. Given the frequency with which regulations change, privacy compliance can be a convoluted, risky engagement that requires CIAM-specific capabilities:

CENTRALIZED POLICY CONTROL

Managing separate sets of privacy compliance policies on an application-by-application basis is next to impossible. You must be able to manage policies that control access to customer data in a centralized manner across all applications and channels. You should also be able to control access to customer data on an attribute-by-attribute level. By doing this, you can manage privacy and data-sharing rules in a single place, with little effect on individual application development teams.

CONSENT MANAGEMENT

Collecting customer consent is required by several different regulations. Customers must clearly understand when they’re consenting to share data and what value will be provided to them by sharing access to their data. They should be able to consent to individual attributes in a fine-grained manner, versus more coarse-grained consent for sharing several attributes at a time. Finally, customers need insight into and control over whom their data is being shared with. Giving customers this type of control will ensure that you adhere to privacy regulations and build trust with your customers.
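One way to realise centralized policy control, attribute-level consent and the delegated-administration view/edit split described earlier, as an added example that is not from the white paper or any vendor product. The profile attributes, application names, role names and the sample values are all constructed for this illustration; an application receives an attribute only when the central policy permits it and the customer has consented to it.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed sample customer profile (attribute name -> value).
PROFILE = {
    "email": "alice@example.com",
    "shipping_address": "1 Example Way",
    "payment_token": "tok_constructed_123",
    "purchase_history": ["sku-1", "sku-7"],
    "marketing_opt_in": True,
    "password_hash": "$argon2id$constructed",
}

# Central policy: the most each application may ever receive, whatever the
# customer consents to. Nothing here ever exposes password_hash.
APP_POLICY: Dict[str, Set[str]] = {
    "storefront":  {"email", "shipping_address", "payment_token", "purchase_history"},
    "recommender": {"purchase_history", "marketing_opt_in"},
    "partner_ads": {"email", "purchase_history"},
}

# Delegated administrator roles: (attributes they may view, subset they may edit).
ADMIN_ROLES: Dict[str, Tuple[Set[str], Set[str]]] = {
    "support_rep": ({"email", "shipping_address", "marketing_opt_in"}, {"shipping_address"}),
    "head_of_household": ({"email", "shipping_address"}, {"email", "shipping_address"}),
}


@dataclass
class Consent:
    """Per-customer consent records: which attributes each recipient may receive."""
    grants: Dict[str, Set[str]] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)   # audit trail of consent changes

    def grant(self, app: str, attrs: Set[str]) -> Set[str]:
        """Record fine-grained consent. Attributes the central policy never
        allows for this app are dropped, so consent cannot widen the policy."""
        effective = set(attrs) & APP_POLICY.get(app, set())
        if effective:
            self.grants.setdefault(app, set()).update(effective)
        self.log.append(f"grant {app} {sorted(effective)}")
        return effective

    def revoke(self, app: str, attrs: Set[str]) -> None:
        self.grants.get(app, set()).difference_update(attrs)
        self.log.append(f"revoke {app} {sorted(attrs)}")

    def shared_with(self) -> Dict[str, List[str]]:
        """What the customer sees: who currently holds access to which attributes."""
        return {app: sorted(a) for app, a in self.grants.items() if a}


def profile_for_app(app: str, consent: Consent, profile=PROFILE) -> dict:
    """Attributes released to an application: policy ceiling AND consent, never more."""
    allowed = APP_POLICY.get(app, set()) & consent.grants.get(app, set())
    return {k: v for k, v in profile.items() if k in allowed}


def admin_view(role: str, profile=PROFILE) -> dict:
    """Attributes a delegated administrator is permitted to see."""
    viewable, _ = ADMIN_ROLES.get(role, (set(), set()))
    return {k: v for k, v in profile.items() if k in viewable}


def admin_edit(role: str, attr: str, value, profile=PROFILE) -> bool:
    """Delegated edit: refused (data untouched) unless the role may edit attr."""
    _, editable = ADMIN_ROLES.get(role, (set(), set()))
    if attr not in editable:
        return False
    profile[attr] = value
    return True
```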

END-TO-END SECURITY

Finally, all customer engagement points should be deployed with end-to-end security. Securing customer data throughout the customer lifecycle is an important part of CIAM. Customers may not be aware of security when it’s working well, but if a breach puts their personal data at risk, it can cost organizations customer trust, loyalty and revenue. CIAM solutions provide a multi-layered security approach:

AUTHENTICATION LAYER SECURITY

CIAM solutions secure customers during authentication through registration and authentication best practices. They also implement seamless and secure customer MFA, which presents second authentication factors to customers during authentications or high-value transactions.

APPLICATION / API LAYER SECURITY

CIAM solutions can also centrally manage customer access to applications, down to the page/URL level. This is useful for controlling access to premium content, for example.

DATA LAYER SECURITY

Encrypting data at every stage—at rest, in motion and in use—can ensure that customer data, including sensitive PII, is protected from insider attacks. CIAM solutions also provide other data-layer security features like tamper-evident logging, data access governance and many more.


#3028 | 11.18 | v03

ABOUT PING IDENTITY: Ping Identity envisions a digital world powered by identity. As the identity security company, we simplify how the world’s largest organizations prevent security breaches, increase employee and partner productivity and provide personalized customer experiences. Enterprises choose Ping for our identity expertise, open standards leadership, partnership with companies like Microsoft, Amazon and Google, and collaboration with customers like Boeing, Cisco, Disney, GE, Kraft Foods, Walgreens and over half of the Fortune 100. The Ping Identity Platform allows enterprises and their users to securely access cloud, mobile and on-premises applications while managing identity and profile data at scale. Architects and developers have flexible options to enhance and extend their existing applications and environments with multi-factor authentication, single sign-on, access management, directory and data governance capabilities.


CONCLUSION

Until recently, customer identity solutions were typically customized one-offs or a combination of custom code, portals and employee IAM solutions. But CIAM has now been established as having different and distinct considerations and technical needs. Trying to bolt on functionality to your existing enterprise IAM solution just doesn’t cut it.

A comprehensive CIAM solution needs to be centered around your customers. It should provide secure, cohesive customer experiences through SSO and a high-performance, scalable, unified profile that is accessible across all applications and channels. It should build the trust of your customers by providing centralized data access governance policies that enforce customer consent and adhere to privacy regulations. And it should allow customers to easily register, view and manage their account information, data-sharing consents and preferences to facilitate a personalized experience across channels.

With the right CIAM solution, you can deliver the consistent, frictionless experience that your customers expect, while ensuring the security and regulatory compliance your enterprise requires.

To learn more, visit pingidentity.com.