GETTING CUSTOMER IAM RIGHT - Ping Identity
WHITE PAPER
INTRODUCTION
When most people think about identity and access management (IAM), they think of traditional solutions built to manage employee access to
on-premises applications. Customer access has been needed since the dawn of the Internet, but the use cases were typically treated as one-off
projects and pieced together accordingly. It wasn’t unusual for companies to build their own version of IAM to address customer-facing projects.
Fast forward to today, and the need for customer-facing IAM is apparent. As customers increasingly buy online—using new devices, applications
and channels—companies are faced with a whole new set of IAM challenges.
Aside from the customer identity information your company needs to know—like name, email address, payment types and shipping addresses—
there are deeper insights like buying behavior, product/offering preferences, communications preferences and privacy choices that companies can
use to deliver personalized customer experiences. In the digital world, the degree to which companies know and understand their customers, and
can make things easier for them, can mean the difference between successfully delivering the differentiated products and services that encourage
loyalty or conversely losing those customers to competitors.
Typically, the capturing, storing and managing of these customer identity profiles falls to the IT department and IAM pros. They have managed
employee identities for years, so how much different can customer identities be, right?
Unfortunately, it’s not that simple. Customer IAM (CIAM) is vastly different from employee
IAM. For starters, CIAM requires greater security, performance and scalability to manage
millions, if not hundreds of millions, of identities. It also requires a unique set of
customer-specific functionality that includes preference and privacy management, social login,
self-service registration and account management, and more.
In its Market Overview: Customer Identity And Access Management (CIAM) Solutions,
Forrester states that “the unique requirements of customer identity, especially scale,
performance, usability and support for seamless multichannel interactions, have
necessitated the development of CIAM as its own market segment with competitive
offerings distinct from traditional solutions for employee IAM.” 2
Combine these requirements with an unparalleled need for usability and support for
seamless multi-channel interactions, and the delta widens. For these reasons, CIAM
requirements are increasingly regarded by leading industry analysts and others as separate
and distinct from typical enterprise IAM.
Just as the requirements are different, so is the approach to defining and implementing a solution. A CIAM solution must address multiple
cross-functional considerations and integrate with systems managed by other areas within a business.
1 KPMG, Identity and Access Management in the Digital Age, May 11, 2016.
2 Merritt Maxim and Andras Cser, Market Overview: Customer Identity And Access Management (CIAM) Solutions, Aug 4, 2015, accessed Feb 2, 2017, at http://www.servicecontrol.com/wp-content/uploads/2014/07/Forrester_Research_-_CIAM_Market_Overview.pdf
The number of senior IT decision makers who see consumer identities and applications as a factor in their next IAM
investment.1
While IT typically holds responsibility for the technology, collaboration with other key stakeholders, like marketing and legal, becomes critical. As
you align IT and technical goals to those of other business teams and their digital initiatives, the focus shifts from the bottom line to the top line.
The right CIAM solution can be a key digital business enabler that drives revenue and growth.
Digital transformation is a key business initiative for organizations across a wide range of industries. And CIAM capabilities are a requirement
to keep pace. Your company can’t move forward until you’re able to manage and secure the vast amounts of identity data that digital business
generates and uses across varying technologies. Further, you’re expected to provide a superior, seamless customer experience across channels,
while addressing security and privacy concerns that pose significant potential for negative ramifications.
So, how do you optimize the experience for customers, while simultaneously protecting them and your organization? Read on to learn the best
practices for defining and evaluating a CIAM solution that meets both enterprise needs and customer expectations.
BUSINESS DRIVERS OF CIAM
Before diving into CIAM functional and technical requirements, first look at your business requirements. A well-designed CIAM solution has
extensibility across the entire organization, providing value on several fronts and meeting a variety of business needs.
Start with projects where you can deliver immediate value and benefit the entire organization. Six often-mentioned business challenges
driving the need for CIAM are:
DIGITAL BUSINESS TRANSFORMATION
A recent study calls customer experience “the heart and soul of digital transformation,” reporting that 55 percent of those responsible
for digital transformation cite “evolving customer behaviors and preferences” as the primary catalyst of change.3 CIAM is a key
enabler for digital business strategies by supporting positive customer interactions and personalization across all channels and apps.
INCREASING SECURITY THREATS
The alarming rise in data breach scale and frequency—and the costly damage that it can cause brands—puts data security at the top
of the IT team’s priority list. CIAM provides identity-centric, end-to-end security that goes beyond protecting your data at the perimeter
with a firewall.
INTERNET OF THINGS (IoT) ADOPTION
CIAM capabilities—such as scale, security, performance and preference management—are fundamental to supporting IoT initiatives.
As companies seek to offer innovative IoT products and services, CIAM is key to securing interactions between devices and humans.
3 Brian Solis, Jaimy Szymanski, The 2016 State of Digital Transformation, Altimeter, accessed on Feb 2, 2017, at http://www2.prophet.com/The-2016-State-of-Digital-Transformation
PRIVACY REGULATION COMPLIANCE
Data privacy is a growing concern for customers as they share more information with more organizations and their partners. As a
result, the regulatory landscape is a complex environment that varies widely by geography, industry and other factors. Organizations
must adhere to dynamic sets of rules that vary from customer to customer. CIAM solutions offer centralized policies and data access
governance that can be used to enforce customer consent and adhere to regulations in a dynamic privacy landscape.
DEVELOPMENT & DELIVERY OF MOBILE APPS
Mobile applications can be an exciting new medium for customers, but providing a mobile customer experience that is consistent
with web apps and other channels requires a modern CIAM solution. Though mobile is only a single piece of the multi-channel puzzle,
mobile initiatives can be a catalyst to incorporate scale, performance, security, single sign-on (SSO) and other CIAM capabilities into
an enterprise.
PARTNERSHIPS, MERGERS & ACQUISITIONS
The integration of multiple web properties under a single brand—often due to new business partnerships or M&A activity—can create
disparate data silos that result in disjointed customer experiences and require varying levels of data unification. CIAM solutions have
single sign-on and data synchronization capabilities that can help create a single unified customer view across organizations, web
properties and applications.
FUNCTIONAL REQUIREMENTS OF CIAM
Your employees may grudgingly put up with a clunky identity management process, but your customers have options. Today’s hyper-connected
consumers expect instant and seamless access whenever and wherever they want it. You need to provide a frictionless experience to
increasingly savvy and fickle customers across multiple channels and devices—or risk losing them to competitors that do.
Customer standards are rising thanks to the growing number of customer experience leaders that provide amazing multi-channel customer
experiences. With expectations higher than ever before, customers can and will abandon your brand if their experience feels insecure or
becomes too complex, disjointed or time-consuming.
CIAM solutions provide a number of benefits that build customer trust and loyalty:
CUSTOMER EXPERIENCE
Customer experience is the next competitive battleground for enterprises. Customers expect a smooth, seamless experience that
starts with a simple registration and continues to deliver relevant, personalized experiences through all interactions with a brand.
A CIAM solution can provide self-service registration with the option for social login, account management, account recovery, and
preference and privacy management, giving customers control over their experience.
SCALABILITY AND PERFORMANCE
Customers expect instant and secure access to your brand 24/7. Employee IAM solutions may support thousands of users at
relatively predictable times, but few are designed to meet the elastic demands and peak usage requirements of customer-facing
applications. CIAM solutions must be able to scale up to handle increased traffic, including unpredictable demand spikes and usage
patterns. Consider the implications of your tax service going down on April 15 or a retail site suffering from an outage on Black Friday.
A CIAM solution can handle many millions of customers simultaneously, while delivering the high performance and availability that
customers expect.
CONSISTENCY ACROSS ENGAGEMENT CHANNELS
Whether your customers use a web or mobile browser, a mobile app, an in-store kiosk or even make a phone call to your support
department, they expect a consistent experience. CIAM solutions can deliver SSO capabilities—to ensure customers have consistent
registration and authentication experiences—and a unified customer profile that allows access to the same set of preferences, privacy
settings and identity data, across every application or channel they interact with.
END-TO-END SECURITY
The frequency of data breach headlines has made both enterprises and their customers aware of the damage a breach can cause.
CIAM solutions provide end-to-end security during authentication. This includes at the application and API layer—by centrally
controlling access to premium content—and at the data layer. They also deliver a long list of security features based on best practices,
giving enterprise security professionals a higher degree of confidence and putting customer concerns at bay.
PRIVACY AND DATA-SHARING CONSENT
Customers are more protective than ever of their personal data. Leading brands know that providing privacy and consent options
isn’t enough; they must also make these options user-friendly and accessible to customers. Enterprises must also adhere to privacy
regulations at the corporate, regional and industry level. CIAM solutions provide centralized policy controls that make it easy to meet
dynamic sets of regulatory requirements, while also meeting customer requirements for control over how their data is being used.
MANAGING PERSONAL PREFERENCES
Keeping customers engaged requires delivering personalized experiences that are relevant to their interests and needs. A customer
should be able to access, view and manage their preferences from any channel or device. Enterprises should then store those
updates in a unified profile so they can be accessed and utilized from any other channel or device. Augmenting unified identity profiles
with preference data makes for happy customers and enables companies to personalize products, offers and communication with
customers consistently across channels.
PUTTING CUSTOMER EXPERIENCE AT THE CENTER
According to Forrester, poor CIAM is often the cause of poor customer experience.4 In other words, design your solution well, and customers
will be delighted. But design it poorly, and they will quickly become frustrated.
Until recently, there weren’t defined standards, making it difficult to know how to evaluate solutions. But that has changed as analysts see the
need for customer IAM solutions that are distinct from traditional employee IAM.
Forrester suggests giving up the notion of building an in-house solution, given the unique capabilities and requirements of customer identity.5
So how do you evaluate competitive offerings? Gartner details a comprehensive list of capabilities:6
• Self-service registration and account management
• Scale and performance to support large customer-facing enterprises
• Social login
• Contextual multi-factor authentication (MFA)
• SSO to multiple applications
• Secure data storage and management
• Data sync and aggregation
• Password management and account recovery
• Identity APIs that enable fast time-to-market for new apps and services
• Support for multichannel engagement
Each of these plays a role in your customers’ overall experience with your brand. As they interact with it along several engagement points, your
ability to provide a streamlined, secure experience at each is key to creating loyalty and driving revenue.
4 Jeff Edwards, Forrester Addresses the Emerging Consumer Identity and Access Management (CIAM) Market Landscape, March 3, 2016, accessed Feb 2, 2017, at http://solutionsreview.com/identity-management/forrester-addresses-consumer-identity-ciam/
5 Merritt Maxim and Andras Cser, Market Overview: Customer Identity And Access Management (CIAM) Solutions, Aug 4, 2015, accessed Feb 2, 2017, at http://www.servicecontrol.com/wp-content/uploads/2014/07/Forrester_Research_-_CIAM_Market_Overview.pdf
6 Mary Ruddy and Lori Robinson, Consumer Identity and Access Management is a Digital Relationship Imperative, Gartner, Dec 30, 2015, accessed Feb 2, 2017, at https://www.gartner.com/doc/3182119/consumer-identity-access-management-digital
CUSTOMER ENGAGEMENT POINTS
[Figure: Identity-centric customer engagement points. Segments: self-service registration, contextual MFA, account validation, multi-channel engagement, customer profile management, personalization & preference management, privacy & consent management.]
SELF-SERVICE REGISTRATION
Unlike employees who are provisioned, customers must be able to self register and do so with the least amount of friction and an appropriate
level of security. By offering clean, simple registration forms and additional registration options, such as social login, you provide the flexibility
needed to streamline the experience for any customer. Enterprises also need to be able to add secure, consistent registration experiences when
launching new applications. To meet these requirements, CIAM provides the following capabilities:
• Customizable pre-built registration forms
• CSS or HTML assets that allow organizations to extend web forms to include registration
• APIs that allow you to build your own forms
REGISTRATION BEST PRACTICES
CIAM solutions provide pre-built registration workflows, as well as HTML and CSS assets that contain best practices from responsive layouts and
password policies, to account recovery workflows. These forms should not only be customizable to match a brand’s existing user interfaces, but
have APIs to allow custom interface development.
SOCIAL LOGIN
Many consumers prefer social login. Providing customers the ability to use a known, trusted login (such as Facebook, Google, LinkedIn, etc.)
reduces friction and provides a simple user experience, which can improve conversion rates during the customer registration process.
IDENTITY CREATION AND STORAGE
The registration process creates a user profile that may contain personally identifiable information (PII) and must be securely stored in a
high-performance, scalable directory. This customer identity repository is the foundation of the CIAM architecture. It not only houses customer identity
and profile data, but also facilitates the distribution of customer identity information to internal and external applications and enforces security.
Organizations may have tens or hundreds of millions of customer accounts (and billions of attributes) that are constantly being created and
updated. The identity repository must scale to support large volumes of users and their associated identity data. These directories support
authentication and authorization functions, in addition to storing, securing and exposing identity and profile data at massive scale.
The identity repository may be on-premises or in the cloud and must be able to accommodate both structured and unstructured data. Customer
identity data is often entered in an unstructured format. The CIAM solution must be able to normalize and store the unstructured data so that it
can be consumed alongside structured data.
CONTEXTUAL MFA
MFA is generally defined as an authentication procedure requiring the combination of multiple authentication factors, including at least
two of the following:
• Something you know (e.g., a password, a PIN)
• Something you have (e.g., mobile device, token, smart card)
• Something you are (e.g., proven by a fingerprint or iris scan)
Authentication beyond a username and password is a requirement for an increasing number of CIAM use cases, but striking a balance
between strong security and user experience is tricky. Second factors should only be presented when necessary based on contextual
device and transaction risks. Contextual MFA is key to balancing security and convenience for customers. MFA must also be consistent
across all applications, channels and devices.
A common example of MFA can be found with Google. A second authentication factor is required when you try to access your
Google account from an unknown new device or location.
ACCOUNT VALIDATION
For enterprises storing massive amounts of customer data, it is important to protect the integrity of your data. When validating
customer accounts, enterprises need to consider two things:
PREVENTING AUTOMATED PROGRAMS FOR REGISTERING
Methods like Completely Automated Public Turing Test to Tell Computers and Humans Apart (CAPTCHA) display visual images that
are very difficult for automated programs to interpret. Email validation is another method that can be required during the registration
process: an automated email is sent to the user containing a link that redirects the user back to the website to complete the
registration process. By implementing these types of methods during registration, enterprises can be sure that their customers are
real people, not automated programs.
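One way the emailed validation link described above can carry proof that it was issued by the site, written here as an added example and not taken from the white paper or from any Ping Identity product. The token layout, the 24-hour lifetime and all function names are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets

TOKEN_TTL_SECONDS = 24 * 3600  # assumed lifetime of the emailed link


def b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(key: bytes, account_id: str, email: str, now: int) -> str:
    """Build the value placed in the query string of the emailed link."""
    claims = {
        "sub": account_id,               # pending account being validated
        "email": email.lower(),          # binds the link to one address
        "exp": now + TOKEN_TTL_SECONDS,  # link stops working after this time
        "jti": secrets.token_hex(16),    # unique id so the link works only once
    }
    body = b64e(json.dumps(claims, sort_keys=True).encode())
    tag = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return body + "." + b64e(tag)


def verify_token(key: bytes, token: str, pending_email: str, now: int, used_ids: set):
    """Return (True, account_id) or (False, reason); records a successful use."""
    try:
        body, tag = token.split(".")
        supplied = b64d(tag)
    except ValueError:
        return False, "malformed"
    expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
    # Check the signature in constant time before trusting anything in the body.
    if not hmac.compare_digest(supplied, expected):
        return False, "bad signature"
    claims = json.loads(b64d(body))
    if now >= claims["exp"]:
        return False, "expired"
    # The address on the pending account may have changed since the email went out.
    if claims["email"] != pending_email.lower():
        return False, "email changed"
    if claims["jti"] in used_ids:
        return False, "already used"
    used_ids.add(claims["jti"])
    return True, claims["sub"]


if __name__ == "__main__":
    demo_key = secrets.token_bytes(32)   # constructed key, for this demo only
    seen = set()                         # stands in for a server-side store
    link_value = issue_token(demo_key, "acct-1001", "alice@example.com", now=1000)
    print(verify_token(demo_key, link_value, "alice@example.com", 2000, seen))
    print(verify_token(demo_key, link_value, "alice@example.com", 2000, seen))
```

In a deployment the set of used token ids would live in shared server-side storage so that a replayed link is rejected by every node.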
IDENTITY PROOFING
Organizations like banks or healthcare providers may find it necessary to further verify the identities of those who register to use their
products or services. Just because someone is a human completing a form doesn’t mean they’re filling out accurate information.
Ensuring the accuracy and truthfulness of data entered can be achieved by comparing it against known, good data (e.g., social identity
data, credit reporting agency, etc.).
CIAM solutions provide many of these types of features, such as email verification and CAPTCHA as a part of their registration forms,
and can easily integrate trusted sources of identity data for identity proofing.
MULTI-CHANNEL ENGAGEMENT
A seamless, multi-channel user experience starts with SSO during authentication and registration. However, as customers continue to
interact with a brand, a common unified profile at the data layer is also required to facilitate a cohesive multi-channel experience.
SSO ACROSS APPS & CHANNELS
Customers will encounter registration and authentication every time they interact with a brand. Even if your customers have access to several
different applications, their experience should be seamless and consistent at each. Providing SSO across all applications and channels is a
crucial first step to providing a seamless, multi-channel customer experience.
CREATING A UNIFIED PROFILE
Customers often have multiple accounts within the same organization. These identity silos can result from separate business units using
discrete registration processes, applications built over time with different identity data repositories, as well as mergers and acquisitions.
CIAM solutions should contain data synchronization capabilities that can be used to create a unified profile at the data layer. This can be
achieved in a couple different ways. First, data can be migrated from disparate identity silos into a unified customer directory. A bi-directional
data sync can act as a safety net, keeping the original data source up and running throughout the process. Alternatively, if there is a need
to keep certain legacy directories up and running for a longer period of time, a permanent, real-time bi-directional sync can be maintained
between those identity data silos and the unified directory. In either case, the unified profile needs to be scalable, secure and easily
accessible by all applications.
CUSTOMER PROFILE MANAGEMENT
The customer’s identity data is the heart of a CIAM solution. The customer profile is comprised of both structured and unstructured data
captured throughout the organization across multiple channels and apps. It may include data provided by customers through the registration
and preference management process, as well as behind-the-scenes data captured by applications, like browser fingerprints.
Customer profile management should be customizable, allowing enterprises to determine the look and feel, workflows, and data captured
and stored within the customer profile. It should also provide customers (and delegated administrators) with self-service account
management capabilities that make it easy for them to manage their profile data.
SELF-SERVICE ACCOUNT MANAGEMENT
Customers have no patience for dealing with a customer service representative each time they need to update their account. Providing
an intuitive, easy-to-use interface so customers can directly access and make changes to their identity attributes, preferences and privacy
settings is vital.
DELEGATED ADMINISTRATION
In instances where customer service needs to access or modify a customer’s account, CIAM solutions can provide delegated account
administration capabilities. This allows customer service to create, manage and reset passwords, or even delete customer accounts on the
customer’s behalf.
PASSWORD MANAGEMENT AND ACCOUNT RECOVERY
CIAM solutions should also allow customers to update or change a username and password. Self-service features like resetting passwords
for lost or forgotten login credentials further improve the customer experience.
PERSONALIZATION & PREFERENCE MANAGEMENT
Personalization is what drives customer conversions and top-line revenue. If you present your customers with one-size-fits-all offers, promotions
and experiences, your conversion rates will suffer. On the flip side, presenting your customers with personalized content and promotions based
on their explicit preferences, historical purchases, location or other identity and profile data can launch conversion rates and revenue per customer
to new heights. CIAM solutions can enable customer preferences in two ways:
COLLECTING EXPLICIT PREFERENCES
Beyond implicit preferences typically derived from assumptions based on navigation history and other implicit variables, a CIAM solution
should also collect explicit customer preferences. There’s no substitute for having your customers tell you exactly what content, deals and
communication frequency they prefer. Collecting and storing these explicit preferences is vital to creating a personalized experience that will
drive loyalty and revenue.
LEVERAGING PREFERENCES AND PERSONALIZATION ACROSS CHANNELS
To truly leverage personalization across your entire enterprise, you must be able to collect explicit preference data from any channel to add to a
unified profile. Similarly, your customers need the ability to manage preferences wherever they interact with your brand.
CIAM solutions provide the ability to collect explicit preferences from any channel or application, store them in a unified profile and enforce
them on any other channel or app. This not only provides a consistent and personalized multi-channel experience for your customers, but it
also enables centralized management of preferences and personalization that is much easier to implement and maintain than trying to manage
preferences and personalization on an application-by-application basis.
PRIVACY & CONSENT MANAGEMENT
Enterprises today face a complex assortment of regional, industry and corporate privacy regulations. These regulatory requirements must be
layered on top of one another and enforced differently from customer to customer. A customer who is an EU citizen, for example, may require
different consent or identity data storage requirements than a customer who is a U.S. citizen. If that customer is under the age of 18, there may
be yet another set of regulations that apply.
Failing to comply with regulations not only risks customer trust and loyalty, it can also result in costly fines, depending on which regulation
was violated. Given the frequency with which regulations change, privacy compliance can be a convoluted, risky engagement that requires
CIAM-specific capabilities:
CENTRALIZED POLICY CONTROL
Managing separate sets of privacy compliance policies on an application-by-application basis is next to impossible. You must be able to
manage policies that control access to customer data in a centralized manner across all applications and channels. By doing this, you can
manage privacy and data-sharing rules in a single place, with little effect on individual application development teams.
CONSENT MANAGEMENT
Collecting customer consent is required by several different regulations. Customers must clearly understand when they’re consenting to
share data and what value will be provided to them by sharing access to their data. They should be able to consent to individual attributes in
a fine-grain manner, versus more coarse-grain consent for sharing several attributes at a time. Finally, customers need to be able to view and
manage with whom they’re sharing data after initial consent, and be able to revoke access to their data if desired.
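A sketch of the centralized policy control and fine-grain consent described in the two passages above, added here as an illustration and not drawn from the white paper or from any vendor's API. The class, its method names, the recipient labels and the sample profile are all hypothetical.

```python
class ConsentLedger:
    """Central record of which attribute a customer shares with which recipient."""

    def __init__(self):
        self._active = set()  # {(customer_id, recipient, attribute)} currently consented
        self.history = []     # append-only trail of every grant and revocation

    def grant(self, customer_id, recipient, attribute, when):
        self._active.add((customer_id, recipient, attribute))
        self.history.append((when, "grant", customer_id, recipient, attribute))

    def revoke(self, customer_id, recipient, attribute, when):
        self._active.discard((customer_id, recipient, attribute))
        self.history.append((when, "revoke", customer_id, recipient, attribute))

    def shared_with(self, customer_id):
        """What the customer sees when reviewing who currently receives which data."""
        view = {}
        for cid, recipient, attribute in sorted(self._active):
            if cid == customer_id:
                view.setdefault(recipient, []).append(attribute)
        return view

    def release(self, customer_id, profile, recipient):
        """Single enforcement point used by every application.

        Default deny: an attribute with no standing consent for this
        recipient is withheld, whatever the calling application asked for.
        """
        return {
            name: value
            for name, value in profile.items()
            if (customer_id, recipient, name) in self._active
        }


def demo():
    # Constructed sample profile and recipients, for illustration only.
    profile = {
        "email": "alice@example.com",
        "postal_code": "80202",
        "birth_date": "1990-04-15",
    }
    ledger = ConsentLedger()
    ledger.grant("cust-1", "newsletter", "email", when=1)
    ledger.grant("cust-1", "shipping-partner", "email", when=2)
    ledger.grant("cust-1", "shipping-partner", "postal_code", when=2)

    before = ledger.release("cust-1", profile, "shipping-partner")
    ledger.revoke("cust-1", "shipping-partner", "email", when=3)
    after = ledger.release("cust-1", profile, "shipping-partner")
    never_asked = ledger.release("cust-1", profile, "analytics")
    return before, after, never_asked, ledger.shared_with("cust-1"), ledger.history


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Because every application calls the same `release` function, a revocation takes effect everywhere at once and individual application teams carry no consent logic of their own.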
#3028 | 02.17
ABOUT PING IDENTITY: Ping Identity leads a new era of digital enterprise freedom, ensuring seamless, secure access for every user to all applications across the hyper-connected, open digital enterprise. Protecting over one billion identities worldwide, more than half of the Fortune 100, including Boeing, Cisco, Disney, GE, Kraft Foods, TIAA-CREF and Walgreens trust Ping Identity to solve modern enterprise security challenges created by their use of cloud, mobile, APIs and IoT. Visit pingidentity.com.
END-TO-END SECURITY
Finally, all customer engagement points should be deployed with end-to-end security. Securing customer data throughout the customer
lifecycle is an important part of CIAM. Customers may not be aware of security when it’s working well, but if a breach occurs that puts their
personal data at risk, it can cost organizations customer trust, loyalty and revenue. CIAM solutions provide a multi-layered security approach:
AUTHENTICATION LAYER SECURITY
CIAM solutions secure customers during authentication through registration and authentication best practices. They also implement
contextual MFA, which presents second authentication factors to customers based on contextual user and transactional risk.
APPLICATION / API LAYER SECURITY
CIAM solutions can also centrally manage customer access to applications, down to the page/URL level. This is useful for controlling access
to premium content, for example. Application and API-level security should also implement session control and features like single logout
for customers.
DATA LAYER SECURITY
Encrypting data at every stage—at rest, in motion and in use—can ensure that customer data, including sensitive PII, is protected from insider
attacks. CIAM solutions also provide other data-layer security features like tamper-evident logging, data access governance and many more.
CONCLUSION
Until recently, customer identity solutions were typically customized one-offs or a combination of custom code, portals and employee
IAM solutions. But CIAM has now been established as having different and distinct considerations and technical needs. Trying to bolt on
functionality to your existing enterprise IAM solution just doesn’t cut it.
A comprehensive CIAM solution needs to be centered around your customers. It should provide secure, cohesive customer experiences
through SSO and a high-performance, scalable, unified profile that is accessible across all applications and channels. It should build the trust
of your customers by providing centralized data access governance policies that enforce customer consent and adhere to privacy regulations.
And it should allow customers to easily register, view and manage their account information, data-sharing consents and preferences to
facilitate a personalized experience across channels.
With the right CIAM solution, you can deliver the consistent, frictionless experience that your customers expect, while ensuring the security
and regulatory compliance your enterprise requires.
To learn more, visit pingidentity.com.