Identity Beyond Employees: How Customer Experience Impacts Your IAM Practices
GETTING CUSTOMER IAM RIGHT
WHITE PAPER
TABLE OF CONTENTS
INTRODUCTION
COMMON BUSINESS DRIVERS
FUNCTIONAL REQUIREMENTS OF CIAM
DEFINING A SOLUTION TO MEET EVERYONE’S NEEDS
THE STAGES OF CUSTOMER ENGAGEMENT
Self-service Registration
Multi-factor Authentication
Account Validation
Seamless User Experience
Customer Profile Management
Personalization & Preference Management
COMMON CONSIDERATIONS
CONCLUSION
INTRODUCTION
When most people think about identity and access management (IAM), they think of traditional solutions built to manage employee access to
on-premises applications. Consumer access has been needed since the dawn of the Internet, but the use cases were typically treated as one-off
projects and pieced together accordingly. It wasn’t unusual for companies to build their own version of IAM to address customer-facing projects.
Fast forward to today, and the need for a new breed of IAM is apparent, particularly in the consumer-facing enterprise. As customers increasingly
buy online using new devices, applications and channels, companies are faced with a whole new set of IAM challenges.
Aside from the customer identity information your company needs to know—like name, email address, payment types and shipping addresses—
there are deeper insights like buying behavior, product/offering preferences, communications preferences and privacy choices that companies can
use to deliver personalized customer experiences. In the digital world, the degree to which companies know and understand their customers, and
can make things easier for them, can mean the difference between successfully delivering the differentiated products and services that encourage
loyalty or conversely losing those customers to competitors.
Typically, the capturing, storing and managing of these customer identities and profiles falls to the IT department and IAM pros. You’ve managed
employee identities for years, so how much different can it be, right?
Unfortunately, it’s not that simple. Managing IAM for customers can be vastly
different than for employees. For starters, customer IAM (CIAM) requires greater
scalability to manage millions, if not hundreds of millions, of identities and a
unique set of customer-specific functionality. Combine these requirements with
an unparalleled need for usability, convenience, security, privacy and support for
seamless multi-channel interactions, and the delta widens. For these reasons,
CIAM requirements are commonly regarded by leading industry analysts and
others as separate and distinct from typical enterprise IAM.
Just as the requirements are different, so is the approach to defining and
implementing a solution. While IT typically holds responsibility for the
technology, CIAM can’t be siloed. It has to address the considerations of—and
integrate with the systems managed by—other areas of the business, including
sales, marketing and business analytics.
While employee IAM often focuses on bottom-line concerns, your CIAM solution has significant top-line impact. When implementing CIAM, you
must align your goals to the goals of the business teams you are supporting and their digital business initiatives. The right CIAM solution can be a
key digital business enabler that delivers value by driving revenue and growth.
Digital transformation has become pervasive across many industries, but limited CIAM capabilities are slowing its pace. Your company can’t
move forward until you’re able to manage and secure the vast amounts of identity data that digital business generates and uses across varying
technologies and limitless application locations. Further, you’re expected to provide a superior customer experience, while addressing security and
privacy concerns that pose significant potential for negative ramifications.
So, how do you optimize the experience for customers, while simultaneously protecting them and your organization? Read on to learn the best
practices for defining and evaluating a CIAM solution that meets both enterprise needs and customer expectations.
1 Gartner Finding the Right Consumer IAM Products, Gregg Kreizman, Felix Gaehtgens and Brian Iverson, April 8, 2015.
By 2018, 50% of IT/IAM programs will be responsible for both enterprise
and consumer infrastructure, more than double today’s number.
COMMON BUSINESS DRIVERS
It probably goes without saying, but before diving into functional and technical requirements, first look at your business requirements. While it’s
helpful to focus on immediate business drivers, one of the primary values in a well-designed CIAM solution is its extensibility across the entire
organization, alleviating the pain of multiple customer identity silos.
When starting off, look for projects where you can deliver immediate value and the ability to prove out an approach that will benefit the entire
organization. Six often-mentioned business initiatives driving the need for CIAM are:
1. Digital business transformation
Analysts predict that by 2018, 67% of CEOs of Global 2000 enterprises will have digital transformation at the center of their
corporate strategy². CIAM is a key enabler for digital business strategies because it supports positive customer interactions and
personalization across all channels and apps.
2. Increasing security threats
The alarming rise in data breach scale and frequency—and the costly damage that it can cause brands—puts data security at the top
of the IT team’s priority list. Identity-centric security goes beyond protecting your data at the perimeter with a firewall. It helps protect
data everywhere that it is used, a crucial capability for today’s multi-channel business strategies and the growing number of mobile
apps and devices.
3. Internet of Things (IoT) adoption
CIAM capabilities such as scale, security, data linking, performance and preference management are fundamental to supporting IoT
initiatives. As companies seek to offer innovative IoT products and services, CIAM will be required to manage and secure interactions
between devices and humans.
4. Privacy regulation compliance
Data privacy is a growing concern for customers as they share more information with more organizations. As a result, the regulatory
landscape is rapidly evolving and creating a complex environment that varies widely by geography and demographics. Organizations
need ways to enforce fine-grained access governance policies in order to comply.
5. Development and delivery of mobile applications
Mobile applications offer the opportunity to centralize CIAM capabilities, support a unified view of customers across all business
units and support a consistent customer experience across disparate applications or properties.
6. Partnerships, mergers and acquisitions
The dynamic nature of business means that data often needs to be shared or migrated across organizations, web properties and
applications. The integration of multiple web properties under a single brand—often due to new business partnerships or M&A
activity—requires varying levels of authentication. Additionally, third-party applications often require access to unified customer data
in order to deliver a seamless customer experience across multiple web properties and mobile apps.
2 https://whatsthebigdata.com/2015/12/27/gartner-idc-and-forrester-on-the-future-of-digital-transformation/
FUNCTIONAL REQUIREMENTS OF CIAM
Your employees may grudgingly put up with a clunky identity management process, but your customers have options. They can and will abandon the
process if it becomes too complex, too time consuming or if it doesn’t provide the right level of security.
Today’s hyper-connected consumers expect instant and seamless access whenever and wherever they want it. You need to provide a frictionless
customer experience to increasingly savvy and fickle consumers across multiple channels and devices—or risk losing them to competitors that do.
Delivering customer-friendly experiences is multi-faceted. It requires several CIAM capabilities working together to capture high volumes of customer
data, securely store it, aggregate it across multiple data silos and govern access at a variety of touchpoints. This isn’t a comprehensive list, but the
following considerations are inherent in CIAM and present unique challenges:
USABILITY
Providing a user-friendly experience is a make-or-break aspect of CIAM. Your customers have a choice about doing
business with you. If they deem your process too tedious, too demanding or too risky, they can and will opt out.
SCALABILITY AND PERFORMANCE
Customer identity solutions must be able to scale up to handle increased traffic, including unpredictable demand
spikes and usage patterns. Employee IAM solutions may be able to support thousands of employees at relatively
predictable times, but few are designed to meet the elastic demands and peak usage requirements of customer-
facing applications. Peak usage outages are not only the most likely to occur, but also the most costly; consider the
implications of your tax service going down during peak usage on April 15, or a retail site dropping on Black Friday.
CIAM must be able to handle many millions of customers, often simultaneously and with high performance.
CONSISTENCY ACROSS ENGAGEMENT CHANNELS
Consumers can interact with your brand across many channels. Whether they use a web or mobile browser, a
mobile app, an in-store kiosk or even make a phone call or visit in person, your customers expect a seamless,
consistent experience. Plus, being able to capture and adhere to customer product preferences and privacy consent
at every touchpoint strengthens brand affinity as well as regulatory compliance. Your customer identity solution
plays a key role in delivering a fluid experience across multiple channels. It can and should make things easier for
your customer.
MAXIMIZING CONVERSION RATES
How you handle customer identity directly impacts your bottom line. Get it right, and conversion and adoption
rates will improve. Get it wrong, and the opposite occurs. The key lies in simplifying everything and balancing
convenience with security. If you minimize friction points from the initial touchpoint (like leveraging existing, known
logins) through the password recovery process and everything in between, you’ll maximize conversions. Similarly,
if you leverage knowledge of customer preference across engagement points, you’ll be able to build more relevant,
higher-converting customer experiences across all channels.
UNIFIED CUSTOMER VIEW
When a company implements separate customer engagement channels over time, or acquires new brands or products,
the probability is high that an individual customer exists across multiple properties and directories. The right customer
identity solution will provide the business with a unified view of the customer across all forms of contact, including
internal and third-party online data sources. A unified view of the customer allows for more personalized engagement and
deeper insights that can drive revenue-generating opportunities and more effective marketing strategies.
END-TO-END SECURITY
Consumers are increasingly protective of their personal data and fearful of potential threats. The frequency of headlines
announcing the latest breach has heightened awareness of the damage a customer data breach can cause and the need
for security and fraud protection. Having a centralized CIAM solution is the core of a strong security posture, providing
end-to-end data encryption and security to provide a higher degree of confidence and put customer concerns at bay.
PRIVACY AND DATA SHARING CONSENT
Consumers are increasingly concerned about how their personal data is used and shared. It’s become a critical
competitive requirement that leading brands not only provide privacy and consent options, but make these options user
friendly. If the customer can’t easily find or use them, they might as well not exist. Further, regulations to enforce privacy
and management of customer data sharing consent continue to proliferate. Your customer identity solution plays a
critical role in ensuring customer confidence, as well as compliance with privacy regulations across all the jurisdictions
in which you operate. This is particularly important with multi-national organizations that must adhere to varying data
storage location requirements.
MANAGING PERSONAL PREFERENCES
Customers expect a tailored experience that is relevant to their interests and needs. Capturing and managing these
preferences is an increasingly critical part of delivering successful customer experiences. Augmenting identity profiles
with preference data enables companies to personalize products, offers and communication frequency and methods.
3 Compendium: Customer Experience http://www.mckinsey.com/global-themes/customer-experience, Winter 2016
Review these requirements, and it becomes apparent that the demands of CIAM are highly customer-driven and require a cross-functional effort to
fulfill them. No longer just IT’s purview, defining your company’s solution has line of business implications and involves the interests of other functional
business areas.
It makes sense since your customer identity solution just might be the first interaction a customer has with your company or brand. Design it well, and
customers will be delighted. Design it poorly, and their frustration could easily lead to abandonment and missed opportunities for growth. It’s no secret
that consumers are unhappy with the current state of access and authentication to the majority of websites and applications they interact with today.
According to McKinsey and Company, improved customer experiences can grow revenue by 5-10% while costing 15-20% less over time.³
DEFINING A SOLUTION TO MEET EVERYONE’S NEEDS
According to Forrester, poor customer experience often comes from poor CIAM.⁴ How you solve for the diverse needs of CIAM can dramatically
improve your customer interactions and your top line. But until recently, there’s been a clear lack of standard requirements. So how do you
evaluate solutions to ensure success?
Leading technology analysts have studied CIAM in depth to define a set of recommended solution capabilities. Gartner⁵ suggests a need for:
• Self-service capabilities (from registration through profile management)
• Social media integration
• Progressive profiling (building customer profile data over time)
• Adaptive authentication
• SSO to multiple applications
• Adaptive access control
• Identity APIs that enable fast time-to-market for new apps and services
• Support for multichannel engagement
4 Forrester Addresses the Emerging Consumer Identity and Access Management (CIAM) Market Landscape http://solutionsreview.com/identity-management/forrester-addresses-consumer-identity-ciam/, Jeff Edwards, March 3, 2016
5 Gartner Finding the Right Consumer IAM Products, Gregg Kreizman, Felix Gaehtgens and Brian Iverson, April 8, 2015.
THE STAGES OF CUSTOMER ENGAGEMENT
Another way to look at requirements is by their stage in customer engagement, beginning with initial registration through subsequent logins
and ongoing profile management.
SELF-SERVICE REGISTRATION
The goal at registration is simple: to create the least amount of friction while delivering the appropriate level of security. By offering various
registration options, you provide the flexibility needed to accommodate multiple customer types.
SELF-SERVICE REGISTRATION
Begin by requesting the minimal amount of information necessary to create an account. Then, as the customer interacts with you,
you can ask for additional information. To accommodate this, CIAM solutions should offer one of the following:
• Customizable pre-built registration forms
• CSS or HTML templates that allow organizations to extend Web forms to include registration
• APIs that allow you to build your own forms
SOCIAL LOGIN
Providing customers the ability to use a known, trusted login (such as Facebook, Google, PayPal, student ID, etc.) reduces friction
and provides a simple user experience from the beginning. If you’re using social login, ensure customers are in control of what
attributes they agree to share from their social media account. You’ll not only enable new customer registration, you’ll have an
opportunity to collect more identity attributes than users might be willing to type in on their own. Plus, these attributes are updated
frequently so you always have the most current data.
DELEGATED ADMINISTRATION
Delegated administration is less common in CIAM than it is for employee IAM, but you still need to support your customer service
center’s ability to create user accounts on behalf of customers. Solutions should provide an administrative interface that allows
delegates to create, manage and delete user accounts and passwords on behalf of the user.
IDENTITY CREATION AND STORAGE
The registration process creates a user profile that must be securely stored in an identity repository. The consumer identity
repository is the foundation of the CIAM architecture. It not only houses consumer profile data and associated identity attributes,
but also facilitates the distribution of consumer identity information (within and outside an enterprise) and enforces security and
privacy policies.
An organization may have hundreds of thousands of customer accounts, if not tens or hundreds of millions (and billions of
attributes that are constantly being created and updated). The identity repository must scale to support large volumes of users and
their associated identity data. CIAM vendors typically rely on directory and database technologies to house the identity repository.
The database serves as the primary repository for identity data and the directory services support authentication and authorization
functions, as well as storing and encrypting sensitive PII.
The identity repository may be on-premise or in the cloud and must be able to accommodate both structured and unstructured
data. Consumer identity data is often entered in an unstructured format. The CIAM solution must be able to normalize and store
the unstructured data so that it can be consumed alongside structured data.
MULTI-FACTOR AUTHENTICATION
Multi-factor authentication (MFA) is generally defined as an authentication procedure requiring the combination of multiple authentication factors,
including at least two of the following:
• Something you know (e.g., a password, a PIN)
• Something you have (e.g., mobile device, token, smart card)
• Something you are (e.g., proven by a fingerprint or iris scan)
Authentication beyond the scope of a username and password is a requirement for an increasing number of CIAM use cases, but striking
a balance between strong security and user experience is tricky. Strong authentication for consumers must introduce the least amount of
inconvenience and cover the broadest range of access methods and devices.
Two examples of strong consumer authentication can be found with Google and Facebook. Both support a second authentication factor when you
try to access your account from a new device.
ACCOUNT VALIDATION
The level of account validation in CIAM should fluctuate based on the risk associated with the customer’s activity. There are many ways to validate
user accounts and their data:
COMPLETELY AUTOMATED PUBLIC TURING TEST TO TELL COMPUTERS AND HUMANS APART (CAPTCHA)
CAPTCHA is a program created to deter bots and other malicious attacks. CAPTCHA programs discern humans from computers
by presenting a user with a task that humans can perform, but computers cannot (e.g., requiring the user to enter characters from a
distorted image).
DATA INTEGRITY POLICIES
Simple rules and policies (e.g., required fields, field lengths, etc.) that are enforced at the time of registration can ensure the structure
and integrity of the data.
DATA VALIDATION
A step beyond data integrity, data validation ensures the accuracy and truthfulness of data entered by comparing it against known
good data (e.g., social identity data, credit reporting agency, etc.).
These can be paired with standard account validation procedures that are not risk-dependent. For example, simply validating that a user is an
actual person (without verifying identity) and not a bot is common.
On the other side of the account validation coin is Identity Proofing. There are instances where it makes sense to apply additional identity-proofing
techniques to ensure the authenticity of the user. The most common types of identity proofing are email verification and knowledge-based
authentication. There are methods offering a higher assurance of accuracy (e.g., identity-binding, device fingerprinting, geolocation analysis) that are
typically not employed in customer-facing scenarios due to the increased friction they introduce.
EMAIL VERIFICATION, USER VERIFIED
An automated email is sent to the user at the time of registration containing a link that redirects the user back to the website to finish
the registration process.
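The user-verified email flow described above, as an added example that is not part of the original white paper or any vendor's code: the link carries an HMAC-signed, expiring, single-use token so it cannot be forged, replayed or redeemed after the address on the account has changed. The URL, claim names, key handling and 24-hour lifetime are assumptions.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional, Tuple

VERIFY_URL = "https://shop.example/register/verify"  # hypothetical endpoint


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class EmailVerifier:
    """Issues and redeems registration links (illustrative, in-memory state)."""

    def __init__(self, key: bytes, ttl_seconds: int = 24 * 3600):
        self.key = key            # assumption: loaded from a secret store in production
        self.ttl = ttl_seconds    # assumed link lifetime
        self.redeemed = set()     # nonces of links that were already used

    def issue_link(self, account_id: str, email: str,
                   now: Optional[float] = None) -> str:
        claims = {
            "acct": account_id,
            "email": email.strip().lower(),
            "iat": int(time.time() if now is None else now),
            "nonce": secrets.token_hex(16),
        }
        body = json.dumps(claims, sort_keys=True).encode()
        sig = hmac.new(self.key, body, hashlib.sha256).digest()
        return f"{VERIFY_URL}?token={_b64(body)}.{_b64(sig)}"

    def redeem(self, link: str, pending: Dict[str, str],
               now: Optional[float] = None) -> Tuple[bool, str]:
        """pending maps account_id -> normalized email awaiting verification."""
        token = link.partition("?token=")[2]
        try:
            body_b64, sig_b64 = token.split(".")
            body, sig = _unb64(body_b64), _unb64(sig_b64)
        except ValueError:
            return False, "malformed"
        # Check the signature before trusting or parsing any claim.
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):
            return False, "bad_signature"
        claims = json.loads(body)
        age = int(time.time() if now is None else now) - claims["iat"]
        if not 0 <= age <= self.ttl:
            return False, "expired"
        # The link only proves control of the address it was sent to.
        if pending.get(claims["acct"]) != claims["email"]:
            return False, "email_mismatch"
        if claims["nonce"] in self.redeemed:
            return False, "already_used"
        self.redeemed.add(claims["nonce"])
        return True, "verified"


if __name__ == "__main__":
    # Constructed sample data.
    verifier = EmailVerifier(secrets.token_bytes(32))
    waiting = {"acct-1": "ana@example.com"}
    sent = verifier.issue_link("acct-1", "Ana@Example.com")
    print(verifier.redeem(sent, waiting))   # first click succeeds
    print(verifier.redeem(sent, waiting))   # replay is rejected
```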
EMAIL VERIFICATION, THIRD-PARTY VERIFIED
Email verification software can be used to verify email addresses in a database. Here, the software checks email addresses against
domain names to ensure that they are valid addresses. This is a far less common approach, but can boost registration completion rates.
KNOWLEDGE-BASED AUTHENTICATION (KBA)
KBA requires the knowledge of private information of the individual to prove that the person providing the identity information is the
owner of the identity. There are two types of KBA:
• Static KBA is based on a pre-agreed set of “shared secrets”
• Dynamic KBA is based on questions generated from a wider base of personal information
SEAMLESS USER EXPERIENCE
A seamless user experience is often accomplished via the use of single sign-on (SSO). SSO is common in enterprise IAM implementations today.
However, account linking represents a unique use case for CIAM, particularly if you have responsibility for multiple websites or mobile apps.
AUTOMATED ACCOUNT LINKING
Often, a customer will have multiple accounts within the same organization. This can occur as a result of separate business units
using discrete registration processes, mergers and acquisitions, or the use of social login. In cases where you’re absolutely certain
that multiple accounts belong to the same user, you may choose to automatically link that user’s accounts to provide SSO. You
should proceed with caution, however, since automatically linking the wrong accounts (or inadvertently linking accounts that the user
intentionally wants separated) can violate privacy and security or result in a poor customer experience.
ACCOUNT LINKING WITH CONSENT
Linking multiple social accounts to a single customer account
In some circumstances, users may want to associate multiple social logins with a single account (e.g., so they don’t need to remember
whether they registered to a website using their Google or Facebook account). In this situation, a user can be offered the opportunity to
link an existing account to an additional social login.
Linking multiple customer accounts together
If you have multiple divisions or brands (or multiple web sites or mobile apps), you may have customers with an account at each
discrete location or within each application. In this case, an analytics engine can determine if several of its user accounts actually
represent the same person and, consequently, offer the customer the opportunity to link the identified accounts.
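One way to encode the caution above about automated linking versus linking with consent, as an added example that is not from the white paper or any product. The Account fields, the 0.8 match threshold, the reading of "absolutely certain" as the same email address verified on both accounts, and the requirement that the user sign in to both accounts before a consented link is applied are all assumptions.

```python
from dataclasses import dataclass, field
from typing import Iterable, Set

MATCH_THRESHOLD = 0.8  # assumed cut-off for the analytics engine's similarity score


@dataclass
class Account:
    account_id: str
    source: str                  # constructed labels, e.g. "brand-a", "google"
    email: str
    email_verified: bool         # verified by the party that holds the account
    keep_separate: bool = False  # user asked for this account never to be linked
    linked: Set[str] = field(default_factory=set)


def _norm(email: str) -> str:
    return email.strip().lower()


def linking_decision(a: Account, b: Account, match_score: float) -> str:
    """Return 'auto_link', 'ask_consent', 'keep_separate' or 'already_linked'."""
    if a.account_id == b.account_id or b.account_id in a.linked:
        return "already_linked"
    # Accounts the user intentionally wants separated are never linked.
    if a.keep_separate or b.keep_separate:
        return "keep_separate"
    same_email = _norm(a.email) == _norm(b.email)
    # Assumed certainty rule: the same address, proven on both sides.
    if same_email and a.email_verified and b.email_verified:
        return "auto_link"
    # An unverified address or a high analytics score is only a hint:
    # anyone can type someone else's email into a registration form.
    if same_email or match_score >= MATCH_THRESHOLD:
        return "ask_consent"
    return "keep_separate"


def apply_link(a: Account, b: Account, decision: str, consented: bool = False,
               authenticated: Iterable[str] = ()) -> bool:
    """Link the accounts if the decision and the user's actions allow it."""
    if decision == "auto_link":
        allowed = True
    elif decision == "ask_consent":
        # Consent counts only from someone who has signed in to both accounts.
        allowed = bool(consented) and {a.account_id, b.account_id} <= set(authenticated)
    else:
        allowed = False
    if allowed:
        a.linked.add(b.account_id)
        b.linked.add(a.account_id)
    return allowed


if __name__ == "__main__":
    # Constructed sample accounts.
    shop = Account("a1", "brand-a", "Ana@Example.com", True)
    social = Account("g1", "google", "ana@example.com", True)
    typed = Account("b7", "brand-b", "ana@example.com", False)
    print(linking_decision(shop, social, 0.2))   # both verified
    print(linking_decision(shop, typed, 0.99))   # unverified address
```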
CUSTOMER PROFILE MANAGEMENT
The customer’s identity data is the heart of a CIAM solution. The customer profile is comprised of both structured and unstructured data
captured throughout the organization across multiple channels and apps. It also includes data provided by customers through the registration
and preference management process. Customer profile management should be customizable, allowing your IAM team to determine the look
and feel, the workflows, and the data captured and stored within the customer profile. It should further provide your customer (and delegated
administrators) with self-service account management capabilities that make it convenient to share and update information.
SELF-SERVICE ACCOUNT MANAGEMENT
Customers quickly lose patience if they need to go through an administrator each time they need to update their account. Provide an
intuitive, easy-to-use interface so customers can directly access and make changes to their account.
PASSWORD MANAGEMENT
The customer should have the ability to update or change a username and password.
IDENTITY ATTRIBUTES
Customers should be allowed to update and change the identity attributes (e.g., name, location, contact information, etc.) in their
customer profile.
CUSTOMER PREFERENCE MANAGEMENT
Customers should be able to customize a host of preference settings, including security settings, communication preferences,
interests, UX settings, etc.
PRIVACY AND DATA SHARING CONSENT
The consumer profile should include clear privacy settings that give users control over their personal data and provide transparency.
Users must be able to give consent at the time of registration, as well as manage consent from the user profile.
PERSONALIZATION & PREFERENCE MANAGEMENT
In addition to structure variances, consumer identity data may be distributed across many different locations, such as the user profile, multiple
account records, third-party databases and marketing systems. To achieve a single view of consumers, organizations must aggregate data from
multiple sources into a single repository either at the time of registration or after. Whether during or after registration, there are two primary
methods for aggregating and augmenting consumer data:
ACCOUNT LINKING AND DATA SYNCHRONIZATION
Identity data synchronizes bi-directionally between the user profile and third-party applications (such as marketing systems, CRM
systems, directories, databases and a variety of other applications).
PROGRESSIVE PROFILING
Dynamic forms gradually gather demographic data and preferences over time. Rather than asking a customer to fill out a form with 10
required fields, you might only ask three to four questions initially and use subsequent forms at different points along the customer
journey to gather the additional data you need.
COMMON CONSIDERATIONS
Depending upon your organization’s priorities, your approach to CIAM will vary. Regardless of your drivers, there are a few key considerations
when evaluating solutions:
1. Balance the need for secure access to applications with ease of use for consumers and end users.
2. Architect for scalability and always-available access to a branded user experience.
3. Work at consumer speed, offering instant access to applications.
4. Create a unified view of the customer to improve security and multichannel experiences.
5. Accommodate diverse platforms across web, mobile and API to ensure alignment with current and future business needs
(e.g., IoT, marketing, loyalty, big data and risk management initiatives).
CONCLUSION
Until recently, customer identity solutions were typically customized one-offs or a combination of custom code, portals and employee IAM
solutions. But CIAM has different and distinct considerations and technical needs. Trying to bolt on functionality to your existing enterprise IAM
solution just doesn’t cut it.
A comprehensive CIAM solution must address familiar technological considerations (usability, scalability, privacy and security) and extend to
encompass marketing and business analytics requirements (consistency, conversion and a unified view of the customer). It needs to elastically
scale to handle millions of customers across every channel, while seamlessly integrating those channels to deliver a consistent and desirable
experience for consumers.
With the right CIAM solution, you can deliver the simple, frictionless experience your customers expect, while ensuring the security your
enterprise requires.
To learn more, visit pingidentity.com.
ABOUT PING IDENTITY: Ping Identity leads a new era of digital enterprise freedom, ensuring seamless, secure access for every user to all applications across the hyper-connected, open digital enterprise. Protecting over one billion identities worldwide, more than half of the Fortune 100, including Boeing, Cisco, Disney, GE, Kraft Foods, TIAA-CREF and Walgreens trust Ping Identity to solve modern enterprise security challenges created by their use of cloud, mobile, APIs and IoT. Visit pingidentity.com.
#3028 | 08.17 | v00c