Customer Identity and Access Management (CIAM) looks like regular IAM from the outside, but it’s a distinct area of identity management and governance. A recent project we did with a manufacturing company reveals the differences between the two. If you’re considering CIAM for your business, our experience can guide you with some concepts and practices that will drive success in a CIAM project.
What is Customer Identity and Access Management (CIAM)?
Before we dig into the key success factors and lessons learned regarding CIAM, it’s worth taking a moment to define the term. CIAM refers to a collection of technological solutions, practices and processes that enable your business to establish an identity and access management system for your customers.
Companies undertake CIAM to create a digital presence for their customers on their internal systems. CIAM solutions allow the customer to set up identity credentials so they can log into one or more corporate systems on a self-service basis. The goal of CIAM is to give customers control over their identities. This is partly for their convenience, but also to let yourself off the hook for a massive administrative job.
For instance, if you want your customers to be able to log into your Enterprise Resource Planning (ERP) system and check the status of their orders, a CIAM solution will enable them to do that—without you having to do anything or even be aware of what’s happening on a day-to-day basis. Or, if you log into your bank account over a mobile app, you’re almost certainly using the bank’s CIAM solution. CIAM solutions create a customer ID that is distinct from an employee user ID. The bank employees use the IAM system, which is likely completely separate.
Your customers see you as one entity, but you’re not
CIAM can potentially reveal tensions between your branding and your actual organizational structure. You may strive, for example, to create the public impression that you are a single entity, a unified brand with consistent logo and color scheme spanning every corner of the corporation. Under the hood, so to speak, you know the reality is a lot more complicated.
Your business could consist of multiple divisions or operating groups, each of which tends to have its own application portfolio. These applications, in turn, generally have their own disparate identity stores and require discrete logins. Furthermore, the user profile information held in those applications may differ from the profile used in marketing or Customer Relationship Management (CRM) systems. For example, a customer may already have a self-service login credential for your CRM. However, that credential is meaningless to your ERP.
A CIAM solution must span these organizational and systemic gaps. It has to deliver a single, uncomplicated experience no matter how compartmentalized the internal application landscape may be. For this reason, dedicated CIAM solutions like Okta are the preferred approach—they are designed to create that single-sign-on customer experience.
User experience is a central concern
Customers are not interested in knowing about the nuances of your internal structure. They simply want a seamless experience across channels. Unfortunately, in our experience working on CIAM, we have seen some bad user experience (UX) situations over the years.
For example, a customer might be required to log into systems separately, each demanding a unique username. Alternatively, systems might require two-factor authentication (2FA) for even the most minimal interactions. These kinds of poor UX can negatively affect the brand.
CIAM is business-driven, not tech-centric
A further challenge of CIAM stems from the reality that customer identity projects are truly business-driven. IT is typically not in charge, or shouldn’t be. The reason for this should be easy to understand: the customer relationship belongs to the business. IT is ideally in a support role, making CIAM work according to business objectives and expectations.
The business needs to set standards for user experience and customer lifecycle. For its part, IT needs to ensure security and adherence to standards. IT coordinates application teams’ use of the CIAM platform. For instance, if the ERP needs to allow customer access, the IT department should take the lead in connecting ERP with the CIAM solution to enable that capability.
The business also has to establish the policies around CIAM. Indeed, organizational and policy issues are quite important in CIAM in general. Access privileges must be well defined. By having clear access rules, it is possible to delegate access control to the customer. Getting this all set up will likely involve having some lengthy conversations that cut across organizational boundaries. Executive sponsorship can be extremely helpful in this case.
Don’t be afraid of issuing digital identities
One practice we recommend is the issuing of digital identities directly to customers. This makes it easy for users to log in, enabling marketing use cases without compromising security. The approach is analogous to signing into Gmail when you’re already logged into Google. A unified digital identity makes it possible to correlate actions across applications and public-facing websites.
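To make the ideas in the last few sections concrete, here is an added example (not code from the original post, and not any vendor's implementation) of a minimal CIAM-style identity service. It keeps customer identities in a store separate from employee identities, lets one customer login obtain tokens for several internal applications (an ERP and a CRM), enforces the per-application access rules the business defined, and stamps every token with the same stable subject id so the customer's actions can be correlated across applications. The token format (an HMAC-signed JSON body), the application names, the scope names, the signing key and the audit records are all constructed assumptions for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed demo key. A real deployment keeps signing keys in a KMS or HSM.
SIGNING_KEY = b"demo-signing-key-not-for-production"

# Hypothetical access rules the business defined for customers, per application.
# Anything not listed here is denied, so the rules are explicit rather than implied.
CUSTOMER_SCOPES_BY_APP = {
    "erp": {"orders:read"},
    "crm": {"profile:read", "profile:write"},
}


class IdentityStore:
    """One store per population. Customers and employees live in separate
    instances, so a customer login can never resolve to an employee identity."""

    ITERATIONS = 100_000

    def __init__(self, realm):
        self.realm = realm
        self._users = {}

    def register(self, login, password):
        salt = secrets.token_bytes(16)
        sub = f"{self.realm}:{secrets.token_hex(8)}"  # stable, opaque subject id
        self._users[login] = {
            "sub": sub,
            "salt": salt,
            "hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ITERATIONS),
        }
        return sub

    def authenticate(self, login, password):
        rec = self._users.get(login)
        if rec is None:
            return None
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], self.ITERATIONS)
        return rec["sub"] if hmac.compare_digest(candidate, rec["hash"]) else None


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(sub, audience, requested_scopes, now, ttl=900):
    """Mint an application-specific token for an already-authenticated customer.
    A request for a scope outside the business-defined rules is refused outright."""
    allowed = CUSTOMER_SCOPES_BY_APP.get(audience)
    if allowed is None:
        raise ValueError(f"unknown application: {audience}")
    if not set(requested_scopes) <= allowed:
        raise PermissionError(f"scope not permitted for customers on {audience}")
    payload = {"sub": sub, "aud": audience, "scope": sorted(requested_scopes),
               "iat": now, "exp": now + ttl}
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    sig = _b64(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_token(token, expected_audience, now):
    """Each application checks signature, audience and expiry before trusting 'sub',
    so a token minted for the CRM cannot be replayed against the ERP."""
    body, sig = token.split(".")
    expected_sig = _b64(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected_sig):
        raise ValueError("bad signature")
    payload = json.loads(_unb64(body))
    if payload["aud"] != expected_audience:
        raise ValueError("token was issued for a different application")
    if payload["exp"] <= now:
        raise ValueError("token expired")
    return payload


def correlate(audit_events, sub):
    """Pull one customer's actions out of several applications' audit logs,
    which is what the shared subject id makes possible."""
    return [e for e in audit_events if e["sub"] == sub]


def demo(now=1_700_000_000):
    customers = IdentityStore("customer")
    employees = IdentityStore("employee")
    employees.register("jdoe", "staff-password")                       # constructed
    customers.register("alice@example.com", "correct horse battery staple")  # constructed

    sub = customers.authenticate("alice@example.com", "correct horse battery staple")
    # The same credential means nothing to the employee store.
    assert employees.authenticate("alice@example.com", "correct horse battery staple") is None

    erp_token = issue_token(sub, "erp", ["orders:read"], now)
    crm_token = issue_token(sub, "crm", ["profile:read"], now)
    erp_claims = verify_token(erp_token, "erp", now)
    crm_claims = verify_token(crm_token, "crm", now)

    # Constructed audit records, as each application would write them.
    audit = [
        {"app": "erp", "sub": erp_claims["sub"], "action": "orders:list"},
        {"app": "crm", "sub": crm_claims["sub"], "action": "profile:view"},
        {"app": "erp", "sub": "customer:someone-else", "action": "orders:list"},
    ]
    return {"sub": sub, "erp_token": erp_token, "crm_token": crm_token,
            "journey": correlate(audit, sub)}


if __name__ == "__main__":
    result = demo()
    for event in result["journey"]:
        print(event["app"], event["action"])
```

The point of the separate `IdentityStore` instances is the one made earlier about bank customers and bank employees: the customer ID is a different population with its own store, not a role inside the workforce directory. The per-application audience check is what lets a single customer identity span the ERP and CRM without letting a token for one become a token for the other.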
Where to start?
There is no single correct path to a successful CIAM deployment, regardless of what vendors tell you. Rather, it’s essential to examine the business needs and determine use cases as a first step. This might mean developing a use case inventory by bringing the business and IT together. What may evolve from that point is an incremental plan.
CIAM deployments often do well when they start with one target system and expand over time. However, getting this right requires a holistic view of the entire project and where it’s headed.
CIAM maturity is also a factor in determining the best approach. Not every company is ready for a full CIAM. Their CIAM maturity level, as we call it, depends on things like how well the company is currently managing its basic IAM solution. If IAM is problematic, that needs to be addressed first, for example. We recommend that our clients pick a target maturity level at the outset. This means trying to scope out how automated the CIAM process will be, how deeply it will go into the application ecosystem, and so forth.
From there, it’s about picking the right technology and implementation partner. If you have good knowledge of your use cases and target maturity, you can approach vendor selection with a higher degree of confidence that a given vendor will be aligned with your direction.
Click here to learn more about the CIAM services Integral Partners has to offer.