
The Great Analyst Debate Over Consumer IAM

Analysts typically are pretty close in their opinions. They’re analyzing the same markets and pool of vendor solutions, so it stands to reason that they wouldn’t depart much from each other. So it can be entertaining when they disagree, except that as a practitioner, eventually you will have to make a decision on which one is right.

It’s like trying to decide between Donald Trump and Hillary Clinton if you’re a US citizen. Remain in or leave the UK. Pasta or chicken on the international flight. The choices are tough, because the implications are so significant, and the outcomes so murky.

While identity and access management (IAM) is a mature discipline supporting internal employee access to applications, what is the future of IAM in support of end customer interactions? It turns out that future seems to be murky as well.

Digital Business Transformation and the impact on IAM


To start, the terminology remains unsettled. Various analyst firms refer to the trend toward greater interaction with consumers using digital technologies as “digital transformation” (IDC), “business transformation” (Gartner) and “digital business transformation” (Forrester). A search indicates that they use these terms interchangeably and somewhat inconsistently. But the important point they agree on is that there is an expanding demand on the part of consumers to have access to information and services instantly and digitally, and this will create a need to change the way consumer identity and access management (CIAM) is provided.

As consumer reliance on digital technologies increases, expectations for direct and easy access to information, such as electronic medical records or seats available on a flight, will only increase. Retailers, of course, have been interacting with customers online for over a decade, and the IAM systems they use are typically segregated from the IAM used for employees. But how should other organizations map out the decision to implement consumer IAM?

The debate - how to enable Consumer IAM

When considering IAM in support of digital business transformation, Gartner has called for a “bimodal” approach. Mode 1 represents the legacy estate of applications typically accessed by employees and internal users, while mode 2 is the process of enabling access for customers. The idea is to run two separate, parallel IT organizations in support of both modes.

Martin Kuppinger of KuppingerCole analysts sees it a different way, though. In a recent blog he pointedly declared, “there is no Consumer Identity & Access Management at all – at least not as a separate discipline.” He makes the case that there are no customer-facing applications that do not also require administration and operational support from employees. Therefore, it is potentially a security risk and management challenge to run two separate IAM systems to support application access for employees and consumers.

Forrester is critical of a bimodal approach, saying, “CIOs need a single, bolder business technology (BT) strategy to accelerate innovation and simplification, not a two-class system that adds more front-end and back-end silos of complexity.” Forrester does promote Customer IAM, although they advise against using a homegrown system and recommend working with a vendor solution that is fit for purpose.

How do you choose?

This decision really is one that requires an evaluation of future business plans. From a security and risk perspective, Martin Kuppinger makes a good case that there is value in having a unified system for front and back-end IAM, but Forrester points out that scalability will be the major consideration to effectively support both systems. However, some CIOs will see a bimodal approach as a quick fix to get the best of both worlds and stay ahead of digital transformation. And many IAM vendors are working to address both use cases in their portfolios, which may make the choice easier.

We know that these types of questions have no easy answers, especially when the analyst firms disagree. But understanding the points of the debate can help inform the decision that is best for your organization.

Travis Greene, Identity Solutions Strategist at Micro Focus, possesses a blend of IT operations and security experience, process design, organizational leadership and technical skills. After a 10-year career as a US Naval Officer, he started in IT as a Data Center Manager for a hosting company. In early 2002, Travis joined a Managed Service Provider as the leader of the service level and continuous improvement team. Today, Travis conducts research with NetIQ customers, industry analysts, and partners to understand current Identity and Access Management challenges, with a focus on provisioning, governance and user activity monitoring solutions. Travis is Expert Certified in ITIL and holds a BS in Computer Science from the US Naval Academy.