As an IT Architect, I was asked to introduce my customer to the concept of a unified IT component that could manage users' identities and privileges in a distributed IT environment. The issue was that the component had to handle not only employees' data, which is gathered in a standard recruitment process, but also the data of partners, contractors, and customers, who are also users of the systems.
What is CIAM?
With the explosion of online devices (IoT) and higher customer expectations for security and privacy, companies must find ways to ensure their customers can engage with their applications or services at any time, from any device, securely and safely. This is where Customer Identity and Access Management (CIAM) comes in. CIAM allows adaptive, customer-friendly access to resources with identity proofing, security, and scalability.
Figure 1 CIAM pillars
CIAM is necessary for public-facing applications that require users to register identities and create accounts. The trend of CIAM adoption is driven by a variety of use cases, including targeted marketing to increase revenue, customer authentication to enable single sign-on, a better user experience, and regulatory compliance. CIAM software helps organizations manage customer data, including customers' identity and activity, securely and efficiently.
With it, customers no longer need to register an account or otherwise provide information at every brand touchpoint (such as apps, websites, and help-desk portals). The software needs to offer a single view of the entire customer base and its IoT environment. Such a solution encourages customers to use the software more often, which in turn creates more opportunities to sell.
Figure 2 CIAM trends
CIAM as a public-facing IAM
CIAM, a subset of the larger concept of identity and access management (IAM), is focused on managing the identities of customers who need access to corporate websites, web portals, and e-commerce. Instead of managing user accounts in every instance of a company's software applications, the identity is managed in a centralized CIAM component, making reuse of the identity possible. The core functional building blocks and protocols of IAM and CIAM remain the same across areas like authentication, authorization, directory services, and lifecycle management. On the other hand, customer-facing IAM requires more flexibility in authentication and a simpler authorization model. Also significant are the higher scalability requirement and the additional diligence needed to comply with regulations such as GDPR, which governs users' privacy in the EU.
Figure 3 CIAM vs IAM features
Key CIAM features additionally include self-service registration, password and consent management, profile management, reporting and analytics (e.g. for marketing purposes), APIs and SDKs for mobile applications, and social identity registration and login.
The idea of omnichannel and improved customer experience leads to new features that can open up new business opportunities. Adaptive access should recognize dynamic identifiers such as a customer's location, device, IP address, and other vendor-gathered data. For instance, customers using a new device to log in to a sensitive app are prompted for MFA, while customers logging in from a previously registered mobile device can use passwordless authentication, resulting in improved security and better usability.
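The adaptive-access behaviour described above can be expressed as a small ordered rule set over the dynamic identifiers of a login attempt. The following Python is an added illustration written for this article, not code from any of the products mentioned; the rule names, the `SENSITIVE_APPS` list, the "unfamiliar country always needs MFA" rule and the trust-after-step-up behaviour are assumptions chosen to show the pattern, and the user profiles and login contexts are constructed sample data.

```python
from dataclasses import dataclass, field

# Possible outcomes of the adaptive-access decision (assumed names)
PASSWORDLESS = "passwordless"   # known device, enrolled for passwordless, no risk signals
PASSWORD = "password"           # ordinary first factor only
PASSWORD_MFA = "password+mfa"   # step-up: a second factor is required

# Constructed set of applications treated as sensitive (assumption)
SENSITIVE_APPS = {"banking-portal", "account-settings"}


@dataclass
class UserProfile:
    user_id: str
    registered_devices: set = field(default_factory=set)  # device ids the customer has enrolled
    usual_countries: set = field(default_factory=set)     # countries seen in past successful logins
    passwordless_enrolled: bool = False                   # e.g. a platform authenticator registered


@dataclass
class LoginContext:
    device_id: str   # identifier presented by the client device
    country: str     # derived from the client IP address by a geolocation lookup (assumed)
    app: str         # application the customer is trying to reach


def risk_signals(profile: UserProfile, ctx: LoginContext) -> list:
    """Collect the dynamic identifiers that drive the policy, in a fixed order."""
    signals = []
    if ctx.device_id not in profile.registered_devices:
        signals.append("new_device")
    if ctx.country not in profile.usual_countries:
        signals.append("new_location")
    if ctx.app in SENSITIVE_APPS:
        signals.append("sensitive_app")
    return signals


def decide(profile: UserProfile, ctx: LoginContext) -> tuple:
    """Return (required authentication, signals) for one login attempt.

    Rules are evaluated top-down and the first match wins, so the strictest
    rules must come first. The signals are returned alongside the decision
    so they can be written to an audit/analytics record.
    """
    signals = risk_signals(profile, ctx)
    # Rule 1: an unfamiliar country always requires a second factor (assumed policy)
    if "new_location" in signals:
        return PASSWORD_MFA, signals
    # Rule 2: new device + sensitive application -> step-up MFA (the article's example)
    if "new_device" in signals and "sensitive_app" in signals:
        return PASSWORD_MFA, signals
    # Rule 3: new device on a non-sensitive app -> plain password (assumed policy)
    if "new_device" in signals:
        return PASSWORD, signals
    # Rule 4: registered device, enrolled for passwordless, nothing suspicious
    if profile.passwordless_enrolled:
        return PASSWORDLESS, signals
    # Fallback: trusted device, but the customer never enrolled for passwordless
    return PASSWORD, signals


def trust_after_step_up(profile: UserProfile, ctx: LoginContext) -> UserProfile:
    """After a successful step-up login, remember the device and country as known."""
    profile.registered_devices.add(ctx.device_id)
    profile.usual_countries.add(ctx.country)
    return profile


if __name__ == "__main__":
    # Constructed sample customer: one enrolled phone, always logs in from Poland
    customer = UserProfile("u1", {"phone-1"}, {"PL"}, passwordless_enrolled=True)
    for ctx in (LoginContext("phone-1", "PL", "banking-portal"),
                LoginContext("laptop-7", "PL", "banking-portal"),
                LoginContext("laptop-7", "PL", "newsletter"),
                LoginContext("phone-1", "US", "newsletter")):
        print(ctx, "->", decide(customer, ctx))
```

The order of the rules is the whole policy: moving rule 3 above rule 2 would silently let a new device reach a sensitive app with only a password, so a real deployment should keep the rule list under version control and cover each rule with a test like the ones below.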
And Gartner says
The overlap between CIAM and other IAM deployments continues to grow. Important IAM requirements like identity lifecycles are increasingly required for CIAM use cases to combat malicious attackers. Auditing, reporting, and analytics for control are also important to tie CIAM deployments tightly to an organization’s security and DevOps processes. Further, common CIAM requirements around integration SDKs/APIs and self-service are now being used in IAM solutions for modern application development, as well as employees that have acquired consumer experience expectations. This single implementation of CIAM and IAM can offer operational efficiencies and should also adapt to the ever-changing needs of businesses and their users.
Gartner, in its 2019 reports, lists the leaders among customer-facing access management vendors: Okta, Microsoft, Ping Identity, and IBM.
Time to introduce UMM
Encouraged by UMM in the Zoetis case study, I decided to review this not-so-popular solution against the market leaders listed above. I focused on well-known, common features found in most CIAM solutions.
|common CIAM features||Microsoft Azure AD B2C||Okta Customer Identity||Ping Customer Identity||BlueSoft UMM|
|predefined registration forms||✓||✓||✓|
|self-service for registration||✓||✓||✓||✓|
|roles and groups||Azure AD||✓||✓|
|rule and policies engine||✓||✓||✓||✓|
|consent and privacy management||✓||✓||✓|
|profile generation and management||✓||✓||✓||✓|
|authentication and authorization into applications||✓||✓||✓||✓|
|social identity registration and login||✓||✓||✓||✓|
|APIs and SDKs for mobile applications||✓||✓||✓||✓|
|ETL/bulk data sync||✓||✓||✓|
|digital identity proofing||✓||✓||✓|
|reporting and analytics||Application Insight||✓||✓|
|invitation mechanism||as a custom policy||✓|
|OpenID Connect, OAuth 2.0, and SAML support||✓||✓||✓||✓|
|delivery||cloud||cloud, on-premises||cloud, on-premises||cloud, on-premises|
The analysis results gathered in the table above show that all common features are covered by the UMM solution.
User Management Module is a proven (at least two commercial deployments), highly available, easily adaptable CIAM solution that can be delivered in the cloud as well as on on-premises infrastructure. It allows secure and efficient integration with legacy systems. Its extensive rules engine shortens the time needed to adapt to business needs. At first glance this is no less, and in some cases more, than the market leaders provide. What's more, thanks to its rich feature portfolio, it can also be considered as an IAM solution, which can bring many benefits.
Consultation: Tomasz Nikiel