Identity Management and Anthropology

June 19, 2018

At first glance, it may seem that identity management has nothing to do with anthropology. But look closer and internal IAM programs for employees mirror the rules and activities of a tight-knit clan. Employees of an organization and members of a clan both share a set of values, a common mission, and close relationships.

Accordingly, internal IAM programs are designed to both accommodate and coerce their users. End user experience, while considered, takes a back seat to security and business process efficiency. Employees will adjust to the IAM tools provided to them; you can’t choose your family, after all (OK, you can choose your employer, but probably not because of their IAM tool).

But what about people outside your clan? IAM programs are as much defined by whom they include as by whom they exclude. To learn how to manage all the people outside your organization in an IAM program, we can make comparisons to what our human ancestors did. Before modernity, there may have been other tribes nearby that you did commerce with or had ongoing relationships with. You didn’t have much say over how those other tribes organized, but there were rules for how you interacted, and customs were followed to avoid misunderstandings.

Today, these are your business partners, suppliers, distributors, and service providers. An organization needs to have a way to manage their access without the benefit of HR feeds. Depending on the nature of the relationship, there may only be a limited amount of identity proofing available. Make it too onerous, though, and these groups will go elsewhere. Delegated administration, federation, and a single identity across the enterprise all need to be part of the consideration.

And then, there are the “others.” Long ago, these were the nomads, or people from faraway places. They were untrusted. They may have come by, looking to trade once or twice – and once their business was over, they were on their way (hopefully!).

Today, these are your customers, who number many times your workforce. They may only need access to a few applications but need that access to be reliable and available from anywhere, and you need to be able to handle them at scale. Social logins, data portability, and self-service profile management are must-haves here.

CIAM and the Modern-Day Clan

Just as they did for our forebears, the unique needs of partners and customers require a different approach to identity management. CIAM, or Customer Identity and Access Management, is the discipline for articulating these unique use cases and developing the supporting technology to make it work.

Legacy solutions, sometimes thought of as “Access Enforcement” or “Access Management” products, are being reevaluated against a new focus on improving end user experience and harnessing identity data for both security and marketing purposes. Focusing solely on keeping people out, without considering user experience, is a luxury that can no longer be afforded by firms that wish to be innovative.

Deciding what to tackle in the CIAM space can be challenging. Aside from new populations of users to be concerned with, CIAM projects have a new set of stakeholders to please. Whereas internal IAM programs can sometimes be championed solely by Information Security, doing so in the CIAM world is impossible due to the large-scale, public-facing nature of the result. Information security going it alone may avoid a security incident but will surely increase the risk for “marketing incidents” that can erode the same goodwill.

Table 1: Cast of Characters

Role | Internal IAM | CIAM
Veto Power | Human Resources | Marketing
Collateral damage | Help/Service Desk | Customer Call Centers
You gotta’ make …. happy | Larger IT Organization | “Digital” Teams
In the middle of it all | Information Security | Information Security


Another consideration for CIAM is the long-term maintenance strategy for what’s been developed. While information security teams scale with the size of the workforce, that relationship breaks down when compared to the number of customers. Small organizations may have millions of customers, depending on the industry. Maintaining a scalable solution to service so many customers requires a rethink of traditional support models and the role Information Security plays in them. Cloud solutions and managed services need to be part of an organization’s consideration set.

Starting a Civilization

Making a conscious decision to turn “Access Enforcement” into CIAM is an important first step to launching your program. This area is still being defined by software vendors, so stay open to different approaches and be willing to consider new solutions. Recognize that an organization can be both open for business and closed to intruders. The balance that is struck there depends on conversations between a new set of stakeholders who previously did not work together – hopefully, you don’t need to hire an anthropologist to make sure everyone understands each other.