Customer identity access management


Customer (or consumer) identity and access management (CIAM) is a subset of the larger concept of identity and access management (IAM) that focuses on managing and controlling external parties' access to a business's applications, web portals and digital services. [1] [2]


The biggest difference between typical IAM and CIAM is that CIAM gives its users (consumers) significantly more control over their own identity. [3] Unlike traditional (or inside-out) IAM, which is generally driven by operational efficiency, CIAM is built on a user-first, outside-in approach [4] that gives customers the agency to change their own security, privacy and personalization settings. [5] [6]

At its most basic level, CIAM is a system for establishing and maintaining persistent customer data, authenticating legitimate users, denying access to threat actors and authorizing customers to access digital assets. While CIAM solutions can provide many additional functions, these are secondary to external-facing authentication and authorization. [7]

CIAM functionality

CIAM can be composed of a wide array of tools and applications, often combining software from multiple vendors to achieve the desired functionality. For this reason, businesses often take a phased approach to CIAM by implementing technologies that suit their most immediate needs rather than attempting to roll out a comprehensive solution. [8]

Rather than being defined by a specific set of tools, CIAM is more accurately described based on its capabilities. [9] Generally speaking, a CIAM environment includes:

CIAM solutions may also include, but are not limited to: secured APIs, SDKs for mobile apps, single sign-on (SSO), social logins (bring your own identity, BYOI) and fraud detection or behavior monitoring. [10] CIAM environments are designed to scale far beyond the typical scenarios of internal IAM, to millions of concurrent users. [11]

CRM

CIAM environments can also be integrated with a Customer Relationship Management (CRM) system to provide personalized content or track user behavior. [12] The digital identities managed by a CIAM solution grant access to different business applications, portals and webshops. Because all of these transactions are logged, they can be used for profiling: transaction data can be correlated with customers' digital identities, and that correlated data is a relevant input to CRM systems.

CIAM and cybersecurity

CIAM environments protect their owners from a different set of cyber threats than traditional IAM solutions. A financially motivated threat actor attacking a CIAM solution typically aims to take over customer accounts in order to steal services or make illegitimate purchases, rather than to ransom business infrastructure. [13]

CIAM solutions are tasked with protecting customer accounts without significantly compromising a smooth or convenient experience. Unlike internal IAM, they cannot rely on a help desk, a managed device or an employee who can be identified in person, so CIAM environments are typically designed with self-service components for account maintenance and troubleshooting. For example, a customer may be able to reset their account password through an automated flow. The same convenience has made self-service mechanisms frequent targets of fraud schemes: a password reset or contact-detail change that succeeds on weakly verified information is a direct path to account takeover.

Because of this, many CIAM implementations authorize users based on a continuously assessed level of trust (often called risk-based or adaptive authentication), keeping the default path frictionless and enforcing a secondary step-up authentication only when the user tries to take a particularly sensitive action, such as resetting a password or changing an email address or payment method.
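The trust-based step-up policy described above, as an added example that is not code from the article or from any CIAM vendor. The risk signals, their weights, the thresholds and the sensitivity ranking of actions are assumptions chosen for illustration; a real deployment would derive them from its own fraud data. The policy treats self-service recovery and contact-detail changes as account-takeover levers that always need a second factor, fails closed on unknown actions, and refuses sensitive self-service entirely when active attack indicators are present.

```python
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"   # demand a second factor before the action proceeds
    DENY = "deny"


# Assumed sensitivity ranking (0 = public content, 3 = account-takeover lever).
# Self-service recovery and contact-detail changes rank with payment changes
# because whoever controls them controls the account.
ACTION_SENSITIVITY = {
    "view_catalog": 0,
    "view_profile": 1,
    "checkout": 2,
    "change_email": 3,
    "change_phone": 3,
    "password_reset": 3,
    "add_payment_method": 3,
}


@dataclass
class Session:
    user_id: str
    device_known: bool            # device fingerprint previously seen for this user
    ip_country: str
    home_country: str
    failed_logins_last_hour: int  # taken from the login audit log
    mfa_verified: bool = False    # second factor already completed in this session


def risk_score(s: Session) -> int:
    """Sum of assumed risk signals; the weights are illustrative."""
    score = 0
    if not s.device_known:
        score += 2
    if s.ip_country != s.home_country:
        score += 2
    if s.failed_logins_last_hour >= 3:
        score += 3                # brute-force or credential-stuffing indicator
    return score


def decide(s: Session, action: str) -> Decision:
    """Allow, step up or deny one customer action from session trust and action sensitivity."""
    sensitivity = ACTION_SENSITIVITY.get(action)
    if sensitivity is None:
        return Decision.DENY      # unknown action: fail closed
    risk = risk_score(s)
    if risk >= 5 and sensitivity >= 2:
        return Decision.DENY      # active attack indicators: no self-service on sensitive actions
    if s.mfa_verified:
        return Decision.ALLOW     # already stepped up in this session
    if sensitivity >= 3:
        return Decision.STEP_UP   # account-takeover levers always need a second factor
    if sensitivity >= 2 and risk >= 2:
        return Decision.STEP_UP   # moderately sensitive action from an unfamiliar context
    if sensitivity >= 1 and risk >= 4:
        return Decision.STEP_UP   # very unfamiliar context: anything beyond public content
    return Decision.ALLOW


def evaluate(s: Session, actions: list) -> dict:
    """Decide a batch of actions for one session; useful when reviewing a policy table."""
    return {a: decide(s, a).value for a in actions}


if __name__ == "__main__":
    # Constructed sessions: a returning customer at home, and the same account
    # hit from an unknown device abroad after several failed logins.
    trusted = Session("cust-42", True, "DE", "DE", 0)
    attacked = Session("cust-42", False, "BR", "DE", 5)
    for name, s in (("trusted", trusted), ("attacked", attacked)):
        print(name, evaluate(s, list(ACTION_SENSITIVITY)))
```

Note that a completed second factor does not override the deny branch: once the session shows brute-force signals, sensitive self-service is refused outright and left to a higher-assurance recovery path, which is the practical difference between a step-up policy and a plain "MFA for everything" rule.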

Because CIAM by its nature involves a user logging in, managing a profile and accessing services, CIAM solutions collect personally identifiable information. Privacy laws such as the GDPR in the European Union hold the organizations that process this data accountable, so CIAM providers have added Consent Management services that restrict processing. For each data element, the user can specify whether the provider may process or transfer it; for instance, a user can give or revoke consent to the use of their transaction data for marketing purposes.
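The per-element, per-purpose consent check described above, as an added example that is not code from the article or from any CIAM vendor. The data element names, purpose names and timestamps are assumptions. The ledger is append-only so the consent history doubles as audit evidence, the most recent decision for a given (user, element, purpose, transfer) tuple wins regardless of the order records arrived, and the absence of a record is treated as no consent.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ConsentRecord:
    user_id: str
    element: str      # profile field the consent covers, e.g. "transaction_history"
    purpose: str      # why it would be used, e.g. "marketing" or "fulfilment"
    transfer: bool    # True = consent to transfer to a third party, False = in-house processing
    granted: bool
    at: int           # assumed epoch-seconds timestamp; later records supersede earlier ones


class ConsentLedger:
    """Append-only consent history; the latest decision per (user, element, purpose, transfer) wins."""

    def __init__(self) -> None:
        self._log: List[ConsentRecord] = []

    def record(self, rec: ConsentRecord) -> None:
        self._log.append(rec)   # never overwrite: the history is the audit evidence

    def latest(self, user_id: str, element: str, purpose: str, transfer: bool) -> Optional[ConsentRecord]:
        match = None
        for r in self._log:
            if (r.user_id, r.element, r.purpose, r.transfer) == (user_id, element, purpose, transfer):
                if match is None or r.at >= match.at:
                    match = r
        return match

    def is_allowed(self, user_id: str, element: str, purpose: str, transfer: bool = False) -> bool:
        rec = self.latest(user_id, element, purpose, transfer)
        return rec is not None and rec.granted   # no record means no consent

    def filter_profile(self, user_id: str, purpose: str, profile: Dict[str, object],
                       transfer: bool = False) -> Dict[str, object]:
        """Drop every field the user has not consented to for this purpose."""
        return {k: v for k, v in profile.items() if self.is_allowed(user_id, k, purpose, transfer)}


def sample_ledger() -> ConsentLedger:
    """Constructed consent history for one customer (not real data)."""
    ledger = ConsentLedger()
    # Email is needed to fulfil orders; the customer also allowed marketing use of it in-house.
    ledger.record(ConsentRecord("cust-42", "email", "fulfilment", False, True, 100))
    ledger.record(ConsentRecord("cust-42", "email", "marketing", False, True, 150))
    # Transaction history was allowed for marketing, then revoked.
    ledger.record(ConsentRecord("cust-42", "transaction_history", "marketing", False, True, 100))
    ledger.record(ConsentRecord("cust-42", "transaction_history", "marketing", False, False, 200))
    # A stale grant arriving late (e.g. replayed from a mobile client) must not undo the revocation.
    ledger.record(ConsentRecord("cust-42", "transaction_history", "marketing", False, True, 150))
    return ledger


if __name__ == "__main__":
    ledger = sample_ledger()
    profile = {"email": "c@example.com", "transaction_history": ["order-1", "order-2"]}
    print("marketing sees:", ledger.filter_profile("cust-42", "marketing", profile))
    print("fulfilment sees:", ledger.filter_profile("cust-42", "fulfilment", profile))
```

The point of the `transfer` flag is that consent to process a field in-house says nothing about handing it to a third party; a CRM or marketing integration that exports profile data should call `filter_profile` with `transfer=True` and get an empty result unless that was explicitly granted.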

CIAM market

Vendors primarily label their products and services as CIAM components as a way to appeal to potential clients. CIAM is still relatively new as a market distinct from IAM, and few providers offer comprehensive solutions that include all of the proposed functions of a CIAM implementation. Analysts are still divided on what the term covers, but it is generally accepted that CIAM represents an external-facing and user-centric alternative to legacy IAM. [14] [15]


References

  1. "CIAM is a growing trend".
  2. "Tech Support Trends for 2018". blog.capterra.com.
  3. "IAM vs CIAM: What's the Difference?". Solutions Review.
  4. "CIAM as a Key Factor in the Digital Transformation". KuppingerCole.
  5. "What is Identity and Access Management (IAM)?". Oracle.
  6. "CIAM vs. IAM - Inversoft". www.inversoft.com.
  7. "Customer Identity and Access Management (CIAM)". Gartner.
  8. "Decoding Customer IAM (CIAM) vs. IAM". Okta. 7 July 2017.
  9. Moffatt, p. 69.
  10. "What Is Customer Identity and Access Management (CIAM)?". Transmit Security. 8 August 2021.
  11. Moffatt, p. 285.
  12. Moffatt, p. 75.
  13. Moffatt, p. 116.
  14. "Does your customer identity and access management (CIAM) inspire trust?". PwC.
  15. "What Is Customer Identity Access Management (CIAM)?". Security Intelligence. 28 September 2021.