EMA: IT and Data Management Research, Industry Analysis and Consulting

Why Consumer IAM is Fundamentally Different From Traditional IAM

Written by Steve Brasen | Oct 6, 2020 3:34:58 PM

Identity and access management (IAM) has been an integral part of IT since the early days of computing. Foundational to the security of IT resources is the need to identify who may access them and to place limits on what they can do with them. Since these requirements were principally established to support internal business processes, IAM practices and technologies evolved specifically to support business employees. Following the introduction of the internet, however, new security challenges emerged in support of ecommerce. Rather than having to support a limited number of employees, businesses now must ensure the secure delivery of digital engagements to an expansive range of customers and marketing prospects. These challenges accelerated greatly over the last two decades due to the rising popularity of consumer-focused cloud services and increasing user mobility.

In today’s dynamic online marketplaces, enabling access to digital engagements is not just about security. It must also enable positive user experiences in order to retain or build on a consumer base. This led to the development of practices for consumer identity and access management (CIAM). Unfortunately, due to the naming similarities, CIAM is often confused with more internally business-focused IAM practices. In fact, many definitions of CIAM suggest it is a subset of IAM. However, that is a very misleading presumption. If CIAM were truly a subset of IAM, then IAM should natively address all the requirements for CIAM, and this is simply not the case. While there is some crossover in terms of processes and solution features, the two practices address a fundamentally different set of requirements. Here are some key points of differentiation between CIAM and traditional IAM.

Access Management Responsibility

Traditional IAM processes are administered entirely by the business or by a service provider contracted by the business. The company defines which resources may be used by which employees, determines the conditions under which access will be granted, and enforces authentication and other security requirements. By contrast, CIAM is principally managed by the consumers themselves. Consumers create their own accounts, set up their own credentials, and determine which of the offered services they will use.

Prioritization of Requirements

Enterprise security is granted the highest priority in traditional IAM deployments. While enabling greater workforce productivity is becoming increasingly important to businesses, IAM requirements for improving employee experiences still take a backseat to achieving security and compliance goals. The opposite is true of CIAM implementations, since the primary goal is to entice and retain consumer audiences with user-friendly digital engagements. A great example of this can be seen in the increasing use of social media accounts (Facebook, Google, Twitter, etc.) as authenticators in CIAM deployments. Businesses would never consider using social media accounts as a method of identifying employees because of their inherently low security. However, consumers often favor using social media accounts because doing so preauthorizes them to access the offered services.

Scalability

Businesses support a fairly fixed set of users (including employees, contractors, and service providers) with traditional IAM processes. However, the very purpose of CIAM deployments is to help acquire as many consumers as possible, so “the sky’s the limit” for the number of supported users. The extreme scalability requirements of CIAM were very visible in the early days of the COVID-19 pandemic, when every online business saw a sudden and dramatic spike in consumer activity following the issuance of regional stay-at-home orders. Many unprepared business services were unable to keep up with demand, resulting in lost customers.

Reliance on Directory Services

It is very common for businesses today to leverage directory services (such as Active Directory) either to store user credentials directly or to serve as a source of information on users and devices. Due to the high scalability requirements, it is simply impractical for CIAM solutions to store any data in typical directory services. Instead, consumer information is stored directly within the CIAM solution or through integration with a customer relationship management (CRM) system.

Establishment of Trust

The primary goal of traditional IAM processes is for a business to establish trust in the employees and contractors who access its IT services. However, there is no requirement for workers to establish trust in the business. With CIAM, trust is a two-way street: the business must establish trust in the consumer, and the consumer must have trust in the business. If consumers lack trust in the effectiveness of the business’s security and privacy controls, they will likely leave and engage with a more trustworthy competitor.

Range of Supported Access Conditions

Traditional, enterprise-focused IAM processes have to be very granular about how they define user access. One employee may be granted access to one set of resources while another is granted access to a completely different set of resources. Supporting this access complexity requires a diverse range of policy definitions. By comparison, with CIAM, a much more basic set of requirements is applied to all consumers equally.

Supported Peripheral Tools

In support of more complex enterprise access requirements, traditional IAM solutions often include governance capabilities that monitor employee access events and their use of IT resources in order to audit security effectiveness and adjust individual access rights. CIAM, on the other hand, includes additional tools specifically for collecting consumer information and managing their engagements with the business. These include self-registration processes, privacy consent management, and progressive profiling support.

CIAM and IAM are clearly two separate and distinct disciplines requiring independent practices and toolsets, and organizations are advised to carefully consider the full range of requirements before introducing a consumer-focused digital service. This will allow the strategic deployment of CIAM capabilities that ensure sustained consumer interest and high sales conversion rates.

To learn more about CIAM, be sure to check out my on-demand webinar on “Advancing Consumer Engagements by Improving Customer Identity and Access Management (CIAM).”