Security is often perceived as a roadblock to accomplishing business objectives, and certainly with some reason, because there is an inevitable conflict between the two. What if security could instead bring a solution to the business table and help drive competitiveness?
The current business climate requires the constant pursuit of differentiation from competitors. Continually rising customer expectations for interacting digitally with businesses mean that the feature that sets one brand apart from another is the user experience. Creating a differentiated experience, though, is a challenge when all of your competitors are quick to copy features. So how do you actually deliver a unique user experience?
In an Inc. interview featuring Kevin Cochrane, the CMO of Jahia, a digital experience management provider, he points out that:
“To deliver on the next generation of customer experience, it’s not about targeting, personalization and acquisition; it’s about what happens when you already are a customer and login. I expect you to know me by name, my preferences and everything I want to buy from you or have bought from you. It’s all 100% personally identifiable information.”
If you are a security practitioner, that last line should make the hairs on the back of your neck stand up. While customer experience can be a competitive advantage if done right, it also introduces risk to be managed.
How can modern business leverage the power of personal data while simultaneously protecting it, and the individuals it belongs to? Particularly when the data resides in different systems across legacy data stores, cloud-based systems, and consumer facing applications, accessed from the web and in mobile applications? And how do you do it all while ensuring that you’re meeting the relevant compliance and governance mandates?
These are the kinds of questions that drive an increased interest in “Consumer Identity and Access Management,” or CIAM.
The great CIAM debate – to unify or duplicate?
Most security organizations are familiar with Identity and Access Management (IAM). It is a central concern for managing security while enabling access for employees. But there has been less conversation (and certainly less consensus) about CIAM. Some analysts have suggested a “bimodal” approach to supporting “digital business transformation.” According to Gartner, “Bimodal is the practice of managing two separate but coherent styles of work: one focused on that which is predictable (Mode 1) and the other which is exploratory (Mode 2).” The idea is to run two separate, parallel IT organizations in support of both modes.
By contrast, KuppingerCole analyst Martin Kuppinger suggests that, “there is no such thing as CIAM, at least not as a separate discipline within IAM. There are technologies that are of higher relevance when dealing with customers and consumers than they are when dealing with employees. But there neither are technologies that are required for CIAM only nor is there any benefit in trying to set up a separate CIAM infrastructure.”
Kuppinger goes on to point out that applications accessed by consumers or customers are also accessed by employees for customer service, administration, and operations. While there are applications only used by employees, there are no applications or data accessed by customers which are not accessed by employees. He poses the question “Why should there be a separate IAM deployment for applications that are used by a common group of users?”
The question is simple, but the answer is complex. Managing a defined group of employees (even for companies with tens or hundreds of thousands of employees) is one thing. Managing millions of consumer or customer interactions, along with all of the associated relationships between devices and applications, is another entirely.
Here are three primary things you should consider before you decide on a solution.
Vertical and horizontal scalability
It is easy to see how managing millions of user accounts could be more complicated than managing thousands. But the scalability required to deliver great customer experiences is about more than just the number of users.
Consider that the data which is relevant for your customers may reside in multiple systems—some inside your organization, and others in cloud-based applications and databases. Customer-relevant data may also reside in or be provided by a smart thermostat or a set-top box. All of these devices must have identities as well, and must have data-sharing permissions associated with the relevant customer identity. Your ability to deliver the best possible experience will depend on being able to retrieve data from a variety of sources.
Beyond avoiding penalties under privacy regulations, such as GDPR and CCPA, there is an underlying concern that when customers lose faith in your ability to protect their private data, you run the risk of losing them. Consider maintaining data privacy not only where it is stored (through encryption) but also as it is passed between devices and applications.
Each interaction must be authenticated; every exchange of data must be protected. Hackers understand that the “Internet of Things” creates an opportunity to scoop up personal information the way that a whale scoops up krill. In implementing a CIAM solution, you must ensure that every point of contact—whether it be a device, legacy system, or cloud-based application—is subject to appropriate policies and controls.
Maintain the experience over time
The consumer technology world changes quickly. A solution today that accommodates the latest and greatest consumer identity widgets will have new requirements tomorrow. So consider how your solution is going to adapt to changing needs.
Increasingly, consumers expect to be able to use their own identity source, such as Facebook or Google. Simplicity for consumers means allowing them to decide which credentialing they want to use. And that includes biometrics, such as fingerprint scanners or facial recognition. The key is that you must consider how you’re going to make access complete and secure, but also dead simple. Employees will, out of necessity, put up with performance issues. But consumers are free to choose a competitor if you aren’t meeting their expectations.
Both your business users and customers have come to expect a minimal amount of friction when authenticating into and accessing the applications your organization provides. A CIAM approach can help your security organization gain a reputation as a business partner that drives heightened user experiences and business competitiveness.