Exploring the reasons why traditional IAM systems are not very suitable for managing customer identities.
Which type of identities are you managing?
Internal or External Identities?
- IAM systems are designed to manage and protect internal, employee identities.
- Customer Identity & Access Management (CIAM) systems are designed to manage and protect external identities, such as customers, citizens, partners, contractors, APIs or things (IoT), and are therefore optimised for very different use cases.
How do you deploy the solution?
Do you deploy in the cloud, on-premises, or a combination of both?
- IAM is increasingly deployed in the cloud as a SaaS-based service.
- CIAM manages customer identity data, protection of which is heavily regulated. Some organisations want their CIAM in the cloud via an IDaaS (Identity-as-a-Service) solution. Others need to keep all CIAM capabilities and identity data local due to data residency requirements. Increasingly we see a hybrid approach – the identity management capabilities are operated as SaaS, but the identity data silos remain on-premises.
How are you verifying digital identities?
Do you need to make use of Identity Providers (IdP)?
- Managers of internal IAM systems can dictate to employees how they verify their identities. Usually it’s done by HR during onboarding, or by using existing enterprise identity directories or HR databases.
- CIAM systems allow for choice of Identity Provider when it comes to verification. Reusable identity, or Bring Your Own Identities (BYOI), should be supported for social login, or use of verified identities like Bank IDs or Regional eIDs. Where existing digital identities do not exist, there should be real-time identity verification.
How scalable does your system need to be?
Is your customer base larger and faster growing than your employee base?
- Your customer base will already be larger and be growing much faster than your internal employee base, so Customer Identity & Access Management systems should be more scalable than internal IAM systems.
- With scalable systems, predictability of costs is essential. Your CIAM solution should provide a predictable cost of ownership into the foreseeable future.
Who owns the data?
How important is trust?
- Internal employees generally trust their HR team with their data in work IAM systems.
- Consumers want control over their own identity data and consent attributes and how they are used. Customer IAM is set up to help organisations achieve and maintain GDPR compliance.
How important is User Experience (UX)?
Are users trained on the systems? Is intuitive UX critical?
- In-house IAM systems need to meet certain expectations of user experience, but individual users will receive training on how to use the software properly. Ultimately, employees get little choice but to adopt the systems their employer demands.
- For externally-facing CIAM systems, an intuitive UX is not a ‘nice-to-have’ – it’s a prerequisite to success. A poor UX will quickly drive away prospective customers.
How are you controlling access to the systems?
Do you need Multi-Factor Authentication (MFA)?
- Internal IAM can dictate the MFA choice. Modern IAM typically uses smartphone-based MFA, but many organisations still utilise smartcards, hardware tokens, etc.
- CIAM requires flexibility in MFA, i.e. smartphone-based tokens, TOTP, BYOI. Customers want to avoid frustration, so whatever MFA solution is used, it needs to be user-friendly.
How flexible should the system be?
Does it need regular changes?
- Internal IAM doesn’t need to be updated regularly – and updates can be made over longer periods of time.
- Customer Identity & Access Management should be flexible enough to keep up with consumer trends, and nowadays is most likely deployed as a managed service such as IDaaS (Identity-as-a-Service).
Is manual management realistic?
Can you dedicate resource to manually adjusting customer accounts?
- Due to the lower number of users (employees) and generally a lower growth rate of new users, internal IAM systems are generally set up for manual or semi-automated management of identities.
- Customers amount to thousands, sometimes millions of user identities. A CIAM system should allow customers to manage their own identities and, in common use cases, delegate management of accounts to enable scalability.
Is your goal to increase revenue, reduce operational costs, or both with your IAM system?
- Internal IAM is not intended to generate revenue, but will have strong impact on security, compliance, and reducing operational costs.
- Customer IAM will also increase customer-facing security and privacy compliance. But effective CIAM will also increase customer conversions, engagements and revenue. It may even create new revenue opportunities, and certainly should reduce costs for support and administration.