GETTING CUSTOMER IAM RIGHT - CDM MediaWHITE PAPER GETTING CUSTOMER IAM RIGHT 5 USABILITY Providing a...

GETTINGCUSTOMER IAM

RIGHT

WHITE PAPER

GETTING CUSTOMER IAM RIGHTWHITE PAPER

2

TABLE OF CONTENTS

INTRODUCTION

COMMON BUSINESS DRIVERS

FUNCTIONAL REQUIREMENTS OF CIAM

DEFINING A SOLUTION TO MEET EVERYONE’S NEEDS

THE STAGES OF CUSTOMER ENGAGEMENT

Self-service Registration

Multi-factor Authentication

Account Validation

Seamless User Experience

Customer Profile Management

Personlization & Preference Management

COMMON CONSIDERATIONS

CONCLUSION

03

04

05

07

08

13

13


3

INTRODUCTION

When most people think about identity and access management (IAM), they think of traditional solutions built to manage employee access to

on-premises applications. Consumer access has been needed since the dawn of the Internet, but the use cases were typically treated as one-off

projects and pieced together accordingly. It wasn’t unusual for companies to build their own version of IAM to address customer-facing projects.

Fast forward to today, and the need for a new breed of IAM is apparent, particularly in the consumer-facing enterprise. As customers increasingly

buy online using new devices, applications and channels, companies are faced with a whole new set of IAM challenges.

Aside from the customer identity information your company needs to know—like name, email address, payment types and shipping addresses—

there are deeper insights like buying behavior, product/offering preferences, communications preferences and privacy choices that companies can

use to deliver personalized customer experiences. In the digital world, the degree to which companies know and understand their customers, and

can make things easier for them, can mean the difference between successfully delivering the differentiated products and services that encourage

loyalty or conversely losing those customers to competitors.

Typically, the capturing, storing and managing of these customer identities and profiles falls to the IT department and IAM pros. You’ve managed

employee identities for years, so how much different can it be, right?

Unfortunately, it’s not that simple. Managing IAM for customers can be vastly

different than for employees. For starters, customer IAM (CIAM) requires greater

scalability to manage millions, if not hundreds of millions, of identities and a

unique set of customer-specific functionality. Combine these requirements with

an unparalleled need for usability, convenience, security, privacy and support for

seamless multi-channel interactions, and the delta widens. For these reasons,

CIAM requirements are commonly regarded by leading industry analysts and

others as separate and distinct from typical enterprise IAM.

Just as the requirements are different, so is the approach to defining and

implementing a solution. While IT typically holds responsibility for the

technology, CIAM can’t be siloed. It has to address the considerations of—and

integrate with the systems managed by—other areas of the business, including

sales, marketing and business analytics.

While employee IAM often focuses on bottom-line concerns, your CIAM solution has significant top-line impact. When implementing CIAM, you

must align your goals to the goals of the business teams you are supporting and their digital business initiatives. The right CIAM solution can be a

key digital business enabler that delivers value by driving revenue and growth.

Digital transformation has become pervasive across many industries, but limited CIAM capabilities are slowing its pace. Your company can’t

move forward until you’re able to manage and secure the vast amounts of identity data that digital business generates and uses across varying

technologies and limitless application locations. Further, you’re expected to provide a superior customer experience, while addressing security and

privacy concerns that pose significant potential for negative ramifications.

So, how do you optimize the experience for customers, while simultaneously protecting them and your organization? Read on to learn the best

practices for defining and evaluating a CIAM solution that meets both enterprise needs and customer expectations.

1 Gartner Finding the Right Consumer IAM Products, Gregg Kreizman, Felix Gaehtgens and Brian Iverson, April 8, 2015.

By 2018, 50% of IT/IAM programswill be responsible for both enterprise

and consumer infrastructure,more than double today’s number.


4

It probably goes without saying, but before diving into functional and technical requirements, first look at your business requirements. While it’s

helpful to focus on immediate business drivers, one of the primary values in a well-designed CIAM solution is its extensibility across the entire

organization, alleviating the pain of multiple customer identity silos.

When starting off, look for projects where you can deliver immediate value and the ability to prove out an approach that will benefit the entire

organization. Six often-mentioned business initiatives driving the need for CIAM are:

1. Digital business transformation

Analysts predict that by 2018, 67% of CEOs of Global 2000 enterprises will have digital transformation at the center of their

corporate strategy2. CIAM is a key enabler for digital business strategies because it supports positive customer interactions and

personalization across all channels and apps.

2. Increasing security threats

The alarming rise in data breach scale and frequency—and the costly damage that it can cause brands—puts data security at the top

of the IT team’s priority list. Identity-centric security goes beyond protecting your data at the perimeter with a firewall. It helps protect

data everywhere that it is used, a crucial capability for today’s multi-channel business strategies and the growing number of mobile

apps and devices.

3. Internet of Things (IoT) adoption

CIAM capabilities such as scale, security, data linking, performance and preference management are fundamental to supporting IoT

initiatives. As companies seek to offer innovative IoT products and services, CIAM will be required to manage and secure interactions

between devices and humans.

4. Privacy regulation compliance

Data privacy is a growing concern for customers as they share more information with more organizations. As a result, the regulatory

landscape is rapidly evolving and creating a complex environment that varies widely by geography and demographics. Organizations

need ways to enforce fine-grained access governance policies in order to comply.

5. Development and delivery of mobile applications

Mobile applications offer the opportunity to centralize CIAM capabilities, support a unified view of customers across all business

units and support a consistent customer experience across disparate applications or properties.

6. Partnerships, mergers and acquisitions

The dynamic nature of business means that data often needs to be shared or migrated across organizations, web properties and

applications. The integration of multiple web properties under a single brand—often due to new business partnerships or M&A

activity—requires varying levels of authentication. Additionally, third-party applications often require access to unified customer data

in order to deliver a seamless customer experience across multiple web properties and mobile apps.

2 https://whatsthebigdata.com/2015/12/27/gartner-idc-and-forrester-on-the-future-of-digital-transformation/

COMMON BUSINESS DRIVERS


5

USABILITYProviding a user-friendly experience is a make-or-break aspect of CIAM. Your customers have a choice about doing

business with you. If they deem your process too tedious, too demanding or too risky, they can and will opt out.

SCALABILITY AND PERFORMANCECustomer identity solutions must be able to scale up to handle increased traffic, including unpredictable demand

spikes and usage patterns. Employee IAM solutions may be able to support thousands of employees at relatively

predictable times, but few are designed to meet the elastic demands and peak usage requirements of customer-

facing applications. Peak usage outages are not only the most likely to occur, but also the most costly; consider the

implications of your tax service going down during peak usage on April 15, or a retail site dropping on Black Friday.

CIAM must be able to handle many millions of customers, often simultaneously and with high performance.

CONSISTENCY ACROSS ENGAGEMENT CHANNELSConsumers can interact with your brand across many channels. Whether they use a web or mobile browser, a

mobile app, an in-store kiosk or even make a phone call or visit in person, your customers expect a seamless,

consistent experience. Plus, being able to capture and adhere to customer product preferences and privacy consent

at every touchpoint strengthens brand affinity as well as regulatory compliance. Your customer identity solution

plays a key role in delivering a fluid experience across multiple channels. It can and should make things easier for

your customer.

MAXIMIZING CONVERSION RATESHow you handle customer identity directly impacts your bottom line. Get it right, and conversion and adoption

rates will improve. Get it wrong, and the opposite occurs. The key lies in simplifying everything and balancing

convenience with security. If you minimize friction points from the initial touchpoint (like leveraging existing, known

logins) through the password recovery process and everything in between, you’ll maximize conversions. Similarly,

if you leverage knowledge of customer preference across engagement points, you’ll be able to build more relevant,

higher-converting customer experiences across all channels.

Your employees may grudgingly put up with a clunky identity management process, but your customers have options. They can and will abandon the

process if it becomes too complex, too time consuming or if it doesn’t provide the right level of security.

Today’s hyper-connected consumers expect instant and seamless access whenever and wherever they want it. You need to provide a frictionless

customer experience to increasingly savvy and fickle consumers across multiple channels and devices—or risk losing them to competitors that do.

Delivering customer-friendly experiences is multi-faceted. It requires several CIAM capabilities working together to capture high volumes of customer

data, securely store it, aggregate it across multiple data silos and govern access at a variety of touchpoints. This isn’t a comprehensive list, but the

following considerations are inherent in CIAM and present unique challenges:

FUNCTIONALREQUIREMENTS OF CIAM


6

UNIFIED CUSTOMER VIEWWhen a company implements separate customer engagement channels over time, or acquires new brands or products,

the probability is high that an individual customer exists across multiple properties and directories. The right customer

identity solution will provide the business with a unified view of the customer across all forms of contact, including

internal and third-party online data sources. A unified view of the customer allows for more personalized engagement and

deeper insights that can drive revenue-generating opportunities and more effective marketing strategies.

END-TO-END SECURITYConsumers are increasingly protective of their personal data and fearful of potential threats. The frequency of headlines

announcing the latest breach has heightened awareness of the damage a customer data breach can cause and the need

for security and fraud protection. Having a centralized CIAM solution is the core of a strong security posture, providing

end-to-end data encryption and security to provide a higher degree of confidence and put customer concerns at bay.

PRIVACY AND DATA SHARING CONSENTConsumers are increasingly concerned about how their personal data is used and shared. It’s become a critical

competitive requirement that leading brands not only provide privacy and consent options, but make these options user

friendly. If the customer can’t easily find or use them, they might as well not exist. Further, regulations to enforce privacy

and management of customer data sharing consent continue to proliferate. Your customer identity solution plays a

critical role in ensuring customer confidence, as well as compliance with privacy regulations across all the jurisdictions

in which you operate. This is particularly important with multi-national organizations that must adhere to varying data

storage location requirements.

MANAGING PERSONAL PREFERENCESCustomers expect a tailored experience that is relevant to their interests and needs. Capturing and managing these

preferences is an increasingly critical part of delivering successful customer experiences. Augmenting identity profiles

with preference data enables companies to personalize products, offers and communication frequency and methods.

3 Compendium: Customer Experience http://www.mckinsey.com/global-themes/customer-experience, Winter 2016

Review these requirements, and it becomes apparent that the demands of CIAM are highly customer-driven and require a cross-functional effort to

fulfill them. No longer just IT’s purview, defining your company’s solution has line of business implications and involves the interests of other functional

business areas.

It makes sense since your customer identity solution just might be the first interaction a customer has with your company or brand. Design it well, and

customers will be delighted. Design it poorly, and their frustration could easily lead to abandonment and missed opportunities for growth. It’s no secret

that consumers are unhappy with the current state of access and authentication to the majority of websites and applications they interact with today.

According to McKinsey and Company, improved customer experiences can grow revenue by 5-10% while costing 15-20% less over time.3


7

DEFINING A SOLUTIONTO MEET EVERYONE’S NEEDS

According to Forrester, poor customer experience often comes from poor CIAM.4 How you solve for the diverse needs of CIAM can dramatically

improve your customer interactions and your top line. But until recently, there’s been a clear lack of standard requirements. So how do you

evaluate solutions to ensure success?

Leading technology analysts have studied CIAM in depth to define a set of recommended solution capabilities. Gartner5 suggests a need for:

• Self-service capabilities (from registration through profile management)

• Social media integration

• Progressive profiling (building customer profile data over time)

• Adaptive authentication

• SSO to multiple applications

• Adaptive access control

• Identity APIs that enable fast time-to-market for new apps and services

• Support for multichannel engagement

4 Forrester Addresses the Emerging Consumer Identity and Access Management (CIAM) Market Landscape http://solutionsreview.com/identity-management/forrester-addresses-consumer-identity-ciam/, Jeff Edwards, March 3, 2016

5 Gartner Finding the Right Consumer IAM Products, Gregg Kreizman, Felix Gaehtgens and Brian Iverson, April 8, 2015.


8

THE STAGES OFCUSTOMER ENGAGEMENT

Another way to look at requirements is by their stage in customer engagement, beginning with initial registration through subsequent logins

and ongoing profile management.


9

SELF-SERVICE REGISTRATIONThe goal at registration is simple: to create the least amount of friction while delivering the appropriate level of security. By offering various

registration options, you provide the flexibility needed to accommodate multiple customer types.

SELF-SERVICE REGISTRATION

Begin by requesting the minimal amount of information necessary to create an account. Then, as the customer interacts with you,

you can ask for additional information. To accommodate this, CIAM solutions should offer one of the following:

• Customizable pre-built registration forms

• CSS or HTML templates that allow organizations to extend Web forms to include registration

• APIs that allow you to build your own forms

SOCIAL LOGIN

Providing customers the ability to use a known, trusted login (such as Facebook, Google, PayPal, student ID, etc.) reduces friction

and provides a simple user experience from the beginning. If you’re using social login, ensure customers are in control of what

attributes they agree to share from their social media account. You’ll not only enable new customer registration, you’ll have an

opportunity to collect more identity attributes than users might be willing to type in on their own. Plus, these attributes are updated

frequently so you always have the most current data.

DELEGATED ADMINISTRATION

Delegated administration is less common in CIAM than it is for employee IAM, but you still need to support your customer service

center’s ability to create user accounts on behalf of customers. Solutions should provide an administrative interface that allows

delegates to create, manage and delete user accounts and passwords on behalf of the user.

IDENTITY CREATION AND STORAGE

The registration process creates a user profile that must be securely stored in an identity repository. The consumer identity

repository is the foundation of the CIAM architecture. It not only houses consumer profile data and associated identity attributes,

but also facilitates the distribution of consumer identity information (within and outside an enterprise) and enforces security and

privacy policies.

An organization may have hundreds of thousands of customer accounts, if not tens or hundreds of millions (and billions of

attributes that constantly being created and updated). The identity repository must scale to support large volumes of users and

their associated identity data. CIAM vendors typically rely on directory and database technologies to house the identity repository.

The database serves as the primary repository for identity data and the directory services support authentication and authorization

functions, as well as storing and encrypting sensitive PII.

The identity repository may be on-premise or in the cloud and must be able to accommodate both structured and unstructured

data. Consumer identity data is often entered in an unstructured format. The CIAM solution must be able to normalize and store

the unstructured data so that it can be consumed alongside structured data.


10

MULTI-FACTOR AUTHENTICATIONMulti-factor authentication (MFA) is generally defined as an authentication procedure requiring the combination of multiple authentication factors,

including at least two of the following:

• Something you know (e.g., a password, a PIN)

• Something you have (e.g., mobile device, token, smart card)

• Something you are (e.g., proven by a fingerprint or iris scan)

Authentication beyond the scope of a username and password is a requirement for an increasing number of CIAM use cases, but striking

a balance between strong security and user experience is tricky. Strong authentication for consumers must introduce the least amount of

inconvenience and cover the broadest range of access methods and devices.

Two examples of strong consumer authentication can be found with Google and Facebook. Both support a second authentication factor when you

try to access your account from a new device.

ACCOUNT VALIDATIONThe level of account validation in CIAM should fluctuate based on the risk associated with the customer’s activity. There are many ways to validate

user accounts and their data:

COMPLETELY AUTOMATED PUBLIC TURING TEST TO TELL COMPUTERS AND HUMANS APART (CAPTCHA)

CAPTCHA is a program created to deter bots and other malicious attacks. CAPTCHA programs discern humans from computers

by presenting a user with a task that humans can perform, but computers cannot (e.g., requiring the user to enter characters from a

distorted image).

DATA INTEGRITY POLICIES

Simple rules and policies (e.g., required fields, field lengths, etc.) that are enforced at the time of registration can ensure the structure

and integrity of the data.

DATA VALIDATION

A step beyond data integrity, data validation ensures the accuracy and truthfulness of data entered by comparing it against known

good data (e.g., social identity data, credit reporting agency, etc.).

These can be paired with standard account validation procedures that are not risk-dependent. For example, simply validating that a user is an

actual person (without verifying identity) and not a bot is common.


11

On the other side of the account validation coin is Identity Proofing. There are instances where it makes sense to apply additional identity-proofing

techniques to ensure the authenticity of the user. The most common types of identity proofing are email verification and knowledge-based

authentication. There are methods offering a higher assurance of accuracy (e.g., identity-binding, device fingerprinting, geolocation analysis) that are

typically not employed in customer-facing scenarios due to the increased friction they introduce.

EMAIL VERIFICATION, USER VERIFIED

An automated email is sent to the user at the time of registration containing a link that redirects the user back to the website to finish

the registration process.

EMAIL VERIFICATION, THIRD-PARTY VERIFIED

Email verification software can be used to verify email addresses in a database. Here, the software checks email addresses against

domain names to ensure that they are valid addresses. This is a far less common approach, but can boost registration completion rates.

KNOWLEDGE-BASED AUTHENTICATION (KBA)

KBA requires the knowledge of private information of the individual to prove that the person providing the identity information is the

owner of the identity. There are two types of KBA:

• Static KBA is based on a pre-agreed set of “shared secrets”

• Dynamic KBA is based on questions generated from a wider base of personal information

SEAMLESS USER EXPERIENCEA seamless user experience is often accomplished via the use of single sign-on (SSO). SSO is common in enterprise IAM implementations today.

However, account linking represents a unique use case for CIAM, particularly if you have responsibility for multiple websites or mobile apps.

AUTOMATED ACCOUNT LINKING

Often, a customer will have multiple accounts within the same organization. This can occur as a result of separate business units

using discreet registration processes, mergers and acquisitions, or the use of social login. In cases where you’re absolutely certain

that multiple accounts belong to the same user, you may choose to automatically link that user’s accounts to provide SSO. You

should proceed with caution, however, since automatically linking the wrong accounts (or inadvertently linking accounts that the user

intentionally wants separated) can violate privacy and security or result in a poor customer experience.

ACCOUNT LINKING WITH CONSENT

Linking multiple social accounts to a single customer account

In some circumstances, users may want to associate multiple social logins with a single account (e.g., so they don’t need to remember

whether they registered to a website using their Google or Facebook account). In this situation, a user can be offered the opportunity to

link an existing account to an additional social login.

Linking multiple customer accounts together

If you have multiple divisions or brands (or multiple web sites or mobile apps), you may have customers with an account at each

discrete location or within each application. In this case, an analytics engine can determine if several of its user accounts actually

represent the same person and, consequently, offer the customer the opportunity to link the identified accounts.


12

CUSTOMER PROFILE MANAGEMENTThe customer’s identity data is the heart of a CIAM solution. The customer profile is comprised of both structured and unstructured data

captured throughout the organization across multiple channels and apps. It also includes data provided by customers through the registration

and preference management process. Customer profile management should be customizable, allowing your IAM team to determine the look

and feel, the workflows, and the data captured and stored within the customer profile. It should further provide your customer (and delegated

administrators) with self-service account management capabilities that make it convenient to share and update information.

SELF-SERVICE ACCOUNT MANAGEMENT

Customers quickly lose patience if they need to go through an administrator each time they need to update their account. Provide an

intuitive, easy-to-use interface so customers can directly access and make changes to their account.

PASSWORD MANAGEMENT

The customer should have the ability to update or change a username and password.

IDENTITY ATTRIBUTES

Customers should be allowed to update and change the identity attributes (e.g., name, location, contact information, etc.) in their

customer profile.

CUSTOMER PREFERENCE MANAGEMENT

Customers should be able to customize a host of preference settings, including security settings, communication preferences,

interests, UX settings, etc.

PRIVACY AND DATA SHARING CONSENT

The consumer profile should include clear privacy settings that give users control over their personal data and provide transparency.

Users must be able to give consent at the time of registration, as well as manage consent from the user profile.

PERSONALIZATION & PREFERENCE MANAGEMENTIn addition to structure variances, consumer identity data may be distributed across many different locations, such as the user profile, multiple

account records, third-party databases and marketing systems. To achieve a single view of consumers, organizations must aggregate data from

multiple sources into a single repository either at the time of registration or after. Whether during or after registration, there are two primary

methods for aggregating and augmenting consumer data:

ACCOUNT LINKING AND DATA SYNCHRONIZATION

Identity data synchronizes bi-directionally between the user profile and third-party applications (such as marketing systems, CRM

systems, directories, databases and a variety of other applications).

PROGRESSIVE PROFILING

Dynamic forms gradually gather demographic data and preferences over time. Rather than asking a customer to fill out a form with 10

required fields, you might only ask three to four questions initially and use subsequent forms at different points along the customer

journey to gather the additional data you need.

#3028 | 08.17 | v00c

ABOUT PING IDENTITY: Ping Identity leads a new era of digital enterprise freedom, ensuring seamless, secure access for every user to all applications across the hyper-connected, open digital enterprise. Protecting over one billion identities worldwide, more than half of the Fortune 100, including Boeing, Cisco, Disney, GE, Kraft Foods, TIAA-CREF and Walgreens trust Ping Identity to solve modern enterprise security challenges created by their use of cloud, mobile, APIs and IoT. Visit pingidentity.com. 13

Depending upon your organization’s priorities, your approach to CIAM will vary. Regardless of your drivers, there are a few key considerations

when evaluating solutions:

1. Balance the need for secure access to applications with ease of use for consumers and end users.

2. Architect for scalability and always-available access to a branded user experience.

3. Work at consumer speed, offering instant access to applications.

4. Create a unified view of the customer to improve security and multichannel experiences.

5. Accommodate diverse platforms across web, mobile and API to ensure alignment with current and future business needs

(e.g., IoT, marketing, loyalty, big data and risk management initiatives).

Until recently, customer identity solutions were typically customized one-offs or a combination of custom code, portals and employee IAM

solutions. But CIAM has different and distinct considerations and technical needs. Trying to bolt on functionality to your existing enterprise IAM

solution just doesn’t cut it.

A comprehensive CIAM solution must address familiar technological considerations (usability, scalability, privacy and security) and extend to

encompass marketing and business analytics requirements (consistency, conversion and a unified view of the customer). It needs to elastically

scale to handle millions of customers across every channel, while seamlessly integrating those channels to deliver a consistent and desirable

experience for consumers.

With the right CIAM solution, you can deliver the simple, frictionless experience your customers expect, while ensuring the security your

enterprise requires.

To learn more, visit pingidentity.com.

COMMON CONSIDERATIONS

CONCLUSION

http://www.pingidentity.com

GETTING CUSTOMER IAM RIGHT - CDM MediaWHITE PAPER GETTING CUSTOMER IAM RIGHT 5 USABILITY Providing a...

Documents

Transcript of GETTING CUSTOMER IAM RIGHT - CDM MediaWHITE PAPER GETTING CUSTOMER IAM RIGHT 5 USABILITY Providing a...