SecurityWeek

The Great Analyst Debate Over Consumer IAM

Analysts typically are pretty close in their opinions. They’re analyzing the same markets and pool of vendor solutions, so it stands to reason that they wouldn’t depart much from each other. So it can be entertaining when they disagree, except that as a practitioner, eventually you will have to make a decision on which one is right.

It’s like trying to decide between Donald Trump and Hillary Clinton if you’re a US citizen. Remain in or leave the UK. Pasta or chicken on the international flight. The choices are tough, because the implications are so significant, and the outcomes so murky.

While identity and access management (IAM) is a mature discipline supporting internal employee access to applications, what is the future of IAM in support of end customer interactions? It turns out that future seems to be murky as well.

Digital Business Transformation and the impact on IAM

To start, the terminology remains unsettled. Various analyst firms refer to the trend toward greater interaction with consumers using digital technologies as “digital transformation” (IDC), “business transformation” (Gartner) and “digital business transformation” (Forrester). A search indicates that they use these terms interchangeably and somewhat inconsistently. But the important point they agree on is that there is an expanding demand on the part of consumers to have access to information and services instantly and digitally, and this will create a need to change the way consumer identity and access management (CIAM) is provided.

As consumer reliance on digital technologies increases, expectations for direct and easy access to information, such as electronic medical records or seats available on a flight, will only increase. Retailers, of course, have been interacting with customers online for over a decade, and the IAM systems they use are typically segregated from the IAM used for employees. But how should other organizations map out the decision to implement consumer IAM?

The debate – how to enable Consumer IAM

When considering IAM in support of digital business transformation, Gartner has called for a “bimodal” approach. Mode 1 represents the legacy estate of applications typically accessed by employees and internal users, while mode 2 is the process of enabling access for customers. The idea is to run two separate, parallel IT organizations in support of both modes.

Martin Kuppinger of KuppingerCole analysts sees it a different way, though. In a recent blog he pointedly declared, “there is no Consumer Identity & Access Management at all – at least not as a separate discipline.” He makes the case that there are no customer-facing applications that do not also require administration and operational support from employees. Therefore, it is potentially a security risk and management challenge to run two separate IAM systems to support application access for employees and consumers.

Forrester is critical of a bimodal approach, saying, “CIOs need a single, bolder business technology (BT) strategy to accelerate innovation and simplification, not a two-class system that adds more front-end and back-end silos of complexity.” Forrester does promote Customer IAM, although they advise against using a homegrown system and recommend working with a vendor solution that is fit for purpose.

How do you choose? 

This decision really is one that requires an evaluation of future business plans. From a security and risk perspective, Martin Kuppinger makes a good case that there is value in having a unified system for front and back-end IAM, but Forrester points out that scalability will be the major consideration to effectively support both systems. However, some CIOs will see a bimodal approach as a quick fix to get the best of both worlds and stay ahead of digital transformation. And many IAM vendors are working to address both use cases in their portfolios, which may make the choice easier.

We know that these types of questions have no easy answers, especially when the analyst firms disagree. But understanding the points of the debate can help inform the decision that is best for your organization.
