
Customers Demand More: Developing a Reference Architecture for CIAM

Published 10 February 2021

Abstract

One of the areas most impacted by the pandemic is pervasive digital engagement by customers and prospects. Traditional brick-and-mortar interactions are now digital. Customer Identity and Access Management (CIAM) is critically important and highly visible as it provides a public gateway to secure external engagement. CIAM is often an organization’s first “touch point” with a prospect and an ongoing reflection of a brand. The CIAM stakes are high and getting higher; get it right and you’ll attract customers, drive revenue and positively represent your organization; get it wrong and your business, image and revenue will suffer.

A CIAM program, properly executed, is a conduit towards building lifetime digital customer relationships. It is all about trusted connections and on-going relationships. These digital relationships can be maintained and enhanced over time with a steady flow of updated contextual and progressive profiling-generated information that drives personalized customer offerings and improves business decisions.

If you haven’t already, now is the time to formalize your CIAM Reference Architecture. This report provides a solid framework for developing a CIAM Reference Architecture at a time when how we interact digitally with our customers is absolutely essential. We review common enterprise requirements for CIAM, then describe how to build a Reference Architecture for CIAM that can fit well within the context of leading vendor offerings and directions, in an effort to help you understand how to match vendor solutions to your needs and how to deploy those solutions thoughtfully and effectively. Note that this is a foundation towards building your own reference architecture. This and all our reference architectures are designed to put the end-user organization (not the vendor or integrator) back in control of your own destiny.

Authors:

Doug Simmons

Principal Consulting Analyst


Gary Rowe

CEO/ Principal Consulting Analyst



Executive Summary

Customer IAM (CIAM) is an area every large organization should be paying attention to, especially given the impact of the pandemic. It is one of the most important foundational areas organizations should be investing in to prepare to become a truly Digital Enterprise. This IAM category is rapidly evolving and is critical to building trusted customer relationships and providing requisite security and privacy protection. Enterprises are architecting customer-centric IAM solutions and vendors are developing CIAM services that are differentiated from traditional Enterprise IAM solutions.

TechVision Research recommends that most large enterprises invest in a CIAM-centric, cloud-enabled service as opposed to simply fine-tuning traditional enterprise-centric IAM products and services—at least in the short-to-intermediate term. This is an area where fit for purpose solutions are of considerable and accelerating business value. CIAM is particularly adept at supporting key Sales and Marketing objectives including enticing and engaging prospective customers, better serving and retaining current customers and establishing trusted, secure and sustainable relationships.

CIAM is different in many ways from traditional IAM. The major focus within CIAM is on the customer – with an emphasis on minimizing friction and enticing engagement. This is different from employee-facing IAM in that employees are generally required to use the system as a condition of employment, with an emphasis on security and provisioning. Prospects and customers may be lost forever if the registration, login, update process, consent management and other CIAM services are not deemed to be an intuitive, responsive and overall positive experience.

Another key area of focus in building a CIAM program is ensuring that trust is established with the proper data security, consent and privacy protection. Customers expect some control over how their data is collected, managed, stored and shared and the CIAM service needs to support this.

TechVision Research feels that CIAM is one of the more critical elements of an enterprise security posture. Hackers and thieves want your customer data – whether in your data center or in the cloud and as we accelerate and expand our digital footprint the risks are growing exponentially. No matter how far along you are (or aren’t) in CIAM deployment, don’t delay developing a Reference Architecture for CIAM, which includes documented business and technical requirements, a comprehensive, defensible set of patterns mapped to existing and required capabilities and vendor solution capabilities. With these elements all addressed, you will be able to select the appropriate vendor and deploy the solution to fit your customer facing IAM environment and address specific information security risks.

As we state in this report, Reference Architectures are standardized frameworks that provide a model for a domain, sector, or field of interest. Reference models or architectures provide a common vocabulary, reusable designs and industry best practices. They are not solution designs and as such are not meant to be implemented directly. Rather, they are used to guide more concrete efforts. Typically, a Reference Architecture includes common architecture principles, patterns, building blocks and standards. A Reference Architecture for CIAM is crucial to help identify the areas that require balanced usability and protection mechanisms for customer access management. Once a Reference Architecture that defines common architecture principles, patterns, building blocks and standards is developed, your organization can better evaluate vendor solutions and their ability to address the critical CIAM needs of your organization. This is an important step toward gaining control of your own destiny; not simply relying on what your vendor offers up.

Introduction

In our July 2020 report titled “Developing a Customer IAM (CIAM) Strategy and Roadmap”, TechVision Research classifies CIAM as a separate and distinct Identity and Access Management category from Enterprise IAM – and we expect this to remain the case for the next several years. CIAM reflects an expanding set of IAM requirements that are not fully accommodated by traditional enterprise-centric IAM solutions. The increased scale, the diverse contextual information requirements, the focus on an engaging user experience, key privacy considerations/regulations and support for and integration with sales/marketing and business-critical applications are areas of particular emphasis in CIAM. Simply put, identifying, securing, contextualizing, supporting and providing a greater focus on user experience while ensuring appropriate protection for Personally Identifiable Information (PII) is critical in supporting current and future customers.

Most enterprises that don’t have a separate CIAM solution still have an IAM service that supports customers, but they are often just extensions of existing enterprise focused IAM platforms. Customers still must be supported, so these organizations use legacy systems with different schemas (internal and external), different security processes/policies and physical separation between customer and internally facing IAM services. This can be a workable solution, but the problem over time is that traditional EIAM platforms have not been optimized for the customer experience and are not optimized for the cloud.

While most organizations recognize the importance of getting CIAM right, the challenges we have seen, which revolve around where, how and what CIAM services to deploy, are not insignificant. The challenge for both CIAM and customer data in general is that typically most customer data is stored in distinct database instances that are uncoordinated and unsynchronized, providing minimal value-added functionality. In fact, the very lack of coherence between multiple Customer Relationship Management (CRM) and customer database systems can lead to customer frustration, security vulnerabilities and lost opportunities for the organization. The right customer-facing IAM service can provide valuable profile information, preference data, consent management and other supporting information to support the integration of the right data with the right customers/prospects.

While a small number of vendors offer CIAM-only solutions, most of the EIAM market leaders are extending their B2E portfolio to address the requirements of B2C, to effect the convergence addressed in this document. Others, however, will continue to differentiate between the two – at least for the time being – often partnering with a specialist vendor for CIAM. We are beginning to see vendors (e.g., Ping, Microsoft, ForgeRock) offering a core IAM service with different views or configurations for customer engagement. This means that they are standardizing on and investing in a primary IAM platform and then providing these views for CIAM, EIAM and perhaps areas like IoT in the future. Like most IT initiatives, it is extremely advantageous to have a strong Reference Architecture for enterprise identity and access management (EIAM) in general, as well as for CIAM in particular.

That is the objective of this report – to help you develop a viable Reference Architecture for your CIAM Program. In the TechVision report titled “IAM Reference Architecture”, published in September 2020, we provide guidance for how to develop and use a Reference Architecture to:

  • Organize business requirements
  • Tie the requirements to capabilities
  • Identify strengths and gaps
  • Measure progress

As we state in this report, Reference Architectures are standardized frameworks that provide a model for a domain, sector, or field of interest. Reference models or architectures provide a common vocabulary, reusable designs and industry best practices. They are not solution designs and as such are not meant to be implemented directly. Rather, they are used to guide more concrete efforts. Typically, a Reference Architecture includes common architecture principles, patterns, building blocks and standards. A Reference Architecture for CIAM is crucial to help identify the specific functional and data privacy protection mechanisms for customer access management. Once a Reference Architecture that defines common architecture principles, patterns, building blocks and standards is developed, your organization can better evaluate vendor solutions and their ability to address the critical CIAM needs of your organization. Put simply, trying to deploy a vendor solution without a Reference Architecture acting as a functional map specific to your organization is like trying to drive cross-country without a map – or GPS.

Before we dig into the specifics of developing a Reference Architecture for CIAM, let’s quickly review ‘what CIAM is’.

A Review of the CIAM Technology Landscape

While CIAM is based on long-standing Identity Management principles originating within the enterprise, there are major differences and areas of emphasis that are driving the Customer IAM category. Key deltas include increased scale, new types of contextual information/relationships, personal data control, a high priority placed on the user experience and key privacy considerations/regulations. CIAM is optimized for customer engagement while protecting the company and the individuals engaging.

The core CIAM requirements enterprises are seeking include the following areas, which we’ll break out by category. We’ll start with the user/customer-facing requirements, then look at enterprise business goals and how CIAM can support those goals, then at some of the technical requirements.

  • CIAM Business Benefit: Maximizing Conversion Rates and Building the Brand: This is where business goals meet CIAM, and this is becoming a primary area of focus during the pandemic. Turning suspects into prospects, into customers, into loyal customers can be greatly enhanced by a strong CIAM program. It bears mentioning, though, that such strong CIAM business benefits can also contribute to LOBs sometimes circumventing IT (especially using IDaaS solutions) and establishing their own CIAM-based customer interactions in order to achieve a better time-to-market, which is perceived (often correctly) to be slowed down too much by “governance bureaucracy”. While TechVision doesn’t advocate building a CIAM program in the absence of governance, it bears mentioning that this is a significant risk.
  • On-Boarding and Registration: This is where it all starts. This experience must be “frictionless”, a word we’ll use a lot in CIAM as it is all about enticing your (prospective) customer to engage and build the relationship. If this early experience is not pleasant for your prospect, you may lose them forever. This can be supported by an attractive user interface that is fully optimized for both the web and mobile devices, simple on-boarding requiring minimal user information initially, perhaps pre-built registration forms, self-service support and API support to seamlessly integrate with various social logins. The easier and faster this is for your customer the better.
  • Identity Proofing/Verification: The amount of data and degree of required proof of identity (also called identity vetting) can be progressive based on the point a user is in the lifecycle (e.g., just registered, long-time customer) and the related security and risk management policies. Flexibility in terms of choices for the user is of value but remember to evaluate the risks associated with lower quality identity proofing and the value of the customer transactions before accepting that risk.
  • Customer Profile Management: This involves understanding your customer, their likes, dislikes and usage patterns. Customer profile management includes preference management (how the customer manages their interactions), self-service, consent management, privacy/data protection (GDPR, CCPA…) compliance and support/management of both structured and unstructured data.
  • Progressive Profiling: This process gradually collects and aggregates data about users. The concept is that you start small and don’t scare off prospective customers and then throughout the lifecycle continue to refresh and update your profile data. This can both increase conversion rates and support acquiring more contextually relevant data. There must be a balance between the amount of profile information being captured and the point where a customer feels he or she is being ‘spied on’.
  • Unified Customer View: This is of tremendous value especially for large organizations with related but different product lines or businesses. This should also support consistency across multiple channels. This allows an organization to view an individual customer across multiple properties or LOBs. The CIAM service can also help to normalize and correlate all customer interactions and integrate third party data sources for this comprehensive customer view. This is important for the business, but also of value to the customer in providing a more seamless user experience. One of the most commonly heard complaints from customers is when a business doesn’t do an appropriate job of normalizing customer identities across multiple lines of business, forcing the customer to create multiple accounts and profiles.
  • Scalability/Performance: A CIAM solution must be able to handle millions of users across multiple channels with no perceived performance degradation. The CIAM system must be able to accommodate large volumes of users, data and spikes in registrations and access requests while maintaining a high level of performance. This is of particular importance when the business rolls out a new sales and marketing campaign that causes both new registrations and logins to spike dramatically. It is also extremely important to factor in Business Continuity and Disaster Recovery plans – so the ‘sales light’ can never go out.
  • Cloud/Hybrid Support: Most enterprises are moving to or have moved to a cloud-first strategy, particularly when engaging external users. That said, many organizations have substantial legacy systems and services on premises and may not be ready to “jump into the deep end” when it comes to complete cloud engagement. Flexibility in this area is of considerable value and often required by large organizations. Specific capabilities such as Federation using OIDC, OAuth2 and SAML are critical to providing seamless customer identity integration across multi-cloud and hybrid environments.
  • API Support, Integration and Orchestration: Support for APIs and developer toolkits overall is critical in integrating current and future environments. Few large organizations have “green fields”, and support should include simple integration with CRM, ERP, Marketing Automation and internal and external data sources. For this reason in particular, a CIAM strategy that creates an Identity Data Service supporting discrete IAM services such as Login, Register, Self-Service and so forth is critical to consistent and secure adoption of CIAM features embedded in multiple customer-facing apps – both commercial off-the-shelf and homegrown.
  • Advanced Analytics: The use of AI/ML and big data to better understand your customer and their intentions, and to support security through anomaly detection, adaptive access control, User Entity Behavior Analytics, Insider Threat monitoring, etc.

With this CIAM level-set in mind, we’ll now start delving into what it takes to build a Reference Architecture to help your organization make more consistent and better future state architecture, product, service and deployment decisions.

Building a Reference Architecture for CIAM

There are some logical steps to follow in order to develop an appropriate Reference Architecture for your organization, namely:

  1. Identify and organize your key business requirements
  2. Tie the requirements to specific capabilities that are necessary
  3. Develop Reference Architecture patterns
  4. Socialize the CIAM Reference Architecture across your organization
  5. Map the CIAM Reference Architecture to specific vendors’ functional capabilities
  6. Begin deployment
  7. Measure progress

This is a process you may want to engage in yourself and you can use this document as a framework, or TechVision will be pleased to provide workshops and consulting support to guide you through this process. In subsequent sections of this document, we’ll dig into each of the above steps in detail.

Identify and Organize Your Key Business Requirements

Embarking on a major IT / security initiative such as CIAM without key stakeholder input is never recommended. Key stakeholders are most often those people within the organization who ‘run the business’, in conjunction with those who ‘secure the business’ in IT. Together, this broad group of stakeholders contains members who may each have a vision for what needs to be done. Requesting their input – and being sure to address their requirements – is necessary to build ‘buy in’. Without stakeholder buy-in before embarking on the journey of solution procurement, deployment and operations, one is left wide open for possibly catastrophic misunderstandings down the road. Know who you are building and operating this for and why.

Most organizations have multiple lines-of-business (LOBs) that have very specific operational mandates, driven by a number of factors, including time-to-market, profitability, brand reputation and so forth. Thoughtlessly deploying a security solution like CIAM that impedes their ability to succeed is not going to be successful. Discuss business and functional requirements with them, as well as key executives, department or division heads, relevant system architects, Sales and Marketing staff and anyone else who may have important input. Please refer to the business and functional objectives and requirements outlined in the previous section for a foundational level set of what you should be looking for and what you should expect.

This important input can be used as your own starting point in developing business and functional requirements, but the main point is that building and deploying CIAM with your stakeholder requirements firmly captured, documented and socialized is exceedingly important. Please also note that we have provided a very thorough list of CIAM functional / technical requirements in our July 2020 report titled “Developing a Customer IAM (CIAM) Strategy and Roadmap”. TechVision strongly recommends that this requirements collection and prioritization process and preferably the complete reference architecture process occur before evaluating and selecting a vendor solution. This allows your enterprise to be driving the dialogue based on your needs/priorities, not just accepting the path a vendor wants you to take.

In the next section, we’ll dive into TechVision’s IAM and CIAM Reference Architecture Capabilities and how to map requirements to these capabilities.

Tie Requirements to Specific Capabilities

As we describe in the TechVision report titled “IAM Reference Architecture”, the TechVision Research Reference Architecture for IAM is a master template that identifies the IAM capabilities (rather than technologies) that can be improved or enabled, allowing business stakeholders and technical architects to achieve a common language for IAM functions, which can then be refined over time. For those that have read our other reports on developing Reference Architectures, this should look familiar. This high-level template starts the journey.

Figure 1: IAM Reference Architecture master template

These IAM capabilities are described at the highest level as:

  1. Interact: Interact is a layer of user interaction (UI) and application programming interfaces (API) that simplify consumer and application developer interaction with the rest of the IAM infrastructure. In this way, non-experts can follow the best practices of IAM without having to be experts in the field.
  2. Access: Access is the layer that answers the “Who has access to what?” question. It ensures customers can confidently exchange information and get the services they need to buy and use your products. It ensures employees and partners have all the digital resources they need to get the job done, nothing less and nothing more.
  3. Change: Change manages the relationships between all the moving parts within the digital environment. Change establishes the connections between people, devices, applications, and data when they enter the environment, manages the connections while the relationship exists, and disconnects when access is no longer necessary.
  4. Manage: Manage is where the administrators of the IAM platform upgrade, configure, tune, troubleshoot, document, and audit the platform and its components.
  5. Measure: Measure is the lens into the digital environment. It allows live behavior observation, anomaly detection, platform health checks, and deeper analysis of usage and threats. It also provides the audit and reporting capabilities necessary to prove you are performing your duty to protect.
  6. Store: Store is the shared place where the identity profiles, attributes, and relationships are kept and maintained.

The next level of the architecture outlines the functional capabilities that are the foundation for a best-in-class IAM Reference Architecture. Each category is broken up into multiple capabilities at a level of greater detail. For example, interfaces can be for applications / developers (APIs, messaging services), Lines of Business, self-service or even robotic processes. This applies to each category and, based on stakeholder input, use cases and priorities can be further developed into Reference Architecture patterns or templates for specific services.

It is important to understand that these functional capabilities consider all types of objects and use cases within the IAM foundation. For example, identifying, securing, and collecting data pertaining to IoT devices is expected to be accommodated within the IAM Reference Architecture.

As ultimately implemented, different enterprises use different IAM capabilities in different ways to meet different protection needs. And they do so differently for different content and business functions because of the different risks and potential consequences associated with failures and costs associated with protection. One size does not fit all.

Once the required business capabilities are identified, the next layer of the TechVision Research Reference Architecture for IAM allows us to explore each of the specific technology or process elements comprising each capability in the form of a combined portfolio architecture. This is illustrated in Figure 2, below.

Figure 2: Combined Portfolio Architecture

In the template below, we’ve now illustrated the IAM capabilities required for a typical organization’s CIAM environment, removing all other IAM capabilities that are not directly supporting the CIAM service. Note that this representation includes a typical ‘user story’ in the form of “As a Customer, I want to…”. User stories help keep the focus on the capabilities necessary to support them, and we highly recommend you work through your key user stories. This is where we get CIAM-centric and you can drive your vendor partners toward supporting these key capabilities or find other partners.

Figure 3: Typical CIAM Capabilities Map

Note that this is intended to give you a sense for how to apply the reference architecture to CIAM-specific capabilities and to give you a sense for typical relative timing. Note that this is just a starting point; this roadmap and the supporting prioritization should be framed by and properly documented using this approach. In our example, we have determined that the IAM-related capabilities necessary to support the CIAM Service for a large organization can be color-coded as follows:

  • Rose – requires significant investment over the next 2 years. This typical organization does not currently support these IAM capabilities. An example is User Entity Behavior Analysis (UEBA).
  • Orange – requires investment over the next 2 years. The organization either does not currently support these IAM capabilities or may require additional investment and deployment in order to achieve a requisite level of functionality. For example, most organizations currently support some form of MFA, but additional investment will generally be required to deploy MFA for customers.
  • Grey – indicates capabilities that the organization’s IAM has in place in some capacity, although it is likely that some augmentation may be required to improve functionality and ubiquity to fully meet the organization’s requirements. An example here is Federation/SSO, which may be relatively mature in many organizations – but could be enhanced over the next few years.

Please recognize that your Capabilities Map is likely going to be different from the one shown in Figure 3. The important point is to start with the complete list of capability “building blocks” as shown in Figure 2, and pare that down to represent what your CIAM environment requires, color-coding to show where you will likely need additional investment or attention. TechVision can – via dialogues or full consulting engagements – work through this process with your team.

These CIAM Service IAM capabilities are used as input to the development of the Reference Architecture pattern illustrated and described in the next section.

Develop CIAM Reference Architecture Patterns

As we described above, CIAM looks to provide a user-friendly layer of security in support of customer access to portions of your underlying customer-facing IT environment. The policies maintained in the CIAM control service dynamically evaluate the risk of a given operation based on a variety of environmental and risk factors and filter access if the risk exceeds a defined threshold. This is what IAM does – and this is also what CIAM does, but with a different set of policies and processes. As the example CIAM Reference Architecture pattern illustrated below shows, the intent is to draw ‘what good looks like’ for your organization. This pattern should be indicative of what you want. It is completely vendor-agnostic in this instantiation so that you have the vision ready to query multiple vendors about how they can support this pattern via Request for Proposal (RFP) or Request for Information (RFI).

Figure 4: Example CIAM Reference Architecture Pattern

This CIAM pattern starts with providing as wide an array of access points as possible as we want to engage the customer and support for social login, decentralized identifiers (DIDs) in the future and federation to extend the range of access. The use of analytics is important for understanding customers, but also in providing insights to detect bad actors and security threats in a less customer-visible, frictionless way.
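The risk-threshold evaluation described above (score the operation from environmental and risk factors, then filter access when the score crosses a defined threshold, while staying frictionless for ordinary customers) carried through as an added example; this is illustrative code written for this page, not the report's or any vendor's implementation. The signal names, weights and thresholds are assumptions chosen for the illustration, and the sample contexts are constructed.

```python
"""Adaptive access decision for a CIAM operation (illustrative, vendor-agnostic).

A returning customer on a known device in their home country scores 0 and
passes silently; moderate risk triggers a step-up to MFA; high risk is denied
and flagged for analysts.  Every contributing factor is recorded as a reason so
the decision can be audited (the "Measure" layer of the reference architecture).
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Tuple


class Decision(Enum):
    ALLOW = "allow"            # frictionless: no visible challenge
    STEP_UP = "step_up_mfa"    # require a second factor before continuing
    DENY = "deny"              # block the operation and raise an alert


@dataclass(frozen=True)
class AccessContext:
    """Signals gathered for one customer operation (constructed for this example)."""
    customer_id: str
    operation: str                    # "login", "update_profile" or "change_payment"
    device_known: bool                # device fingerprint previously bound to this account
    ip_country: str                   # geolocated from the request IP
    home_country: str                 # country held on the customer profile
    minutes_since_other_country: int  # last activity from a different country; -1 = none
    failed_attempts_last_hour: int
    anonymizing_network: bool         # request arrived via a known proxy/VPN exit


# Policy knobs.  Assumed values for illustration, not any product's defaults.
WEIGHT_UNKNOWN_DEVICE = 20
WEIGHT_COUNTRY_MISMATCH = 15
WEIGHT_IMPOSSIBLE_TRAVEL = 40
WEIGHT_PER_FAILED_ATTEMPT = 10
FAILED_ATTEMPT_CAP = 30               # repeated failures alone cannot push into DENY
WEIGHT_ANONYMIZING_NETWORK = 25
OPERATION_SENSITIVITY: Dict[str, int] = {"login": 0, "update_profile": 10, "change_payment": 20}
IMPOSSIBLE_TRAVEL_WINDOW_MIN = 60
STEP_UP_THRESHOLD = 30
DENY_THRESHOLD = 70


def score_risk(ctx: AccessContext) -> Tuple[int, List[str]]:
    """Combine the environmental factors into a score plus audit reasons."""
    score = 0
    reasons: List[str] = []
    if not ctx.device_known:
        score += WEIGHT_UNKNOWN_DEVICE
        reasons.append("unknown device")
    if ctx.ip_country != ctx.home_country:
        score += WEIGHT_COUNTRY_MISMATCH
        reasons.append(f"request country {ctx.ip_country} differs from profile {ctx.home_country}")
    if 0 <= ctx.minutes_since_other_country < IMPOSSIBLE_TRAVEL_WINDOW_MIN:
        score += WEIGHT_IMPOSSIBLE_TRAVEL
        reasons.append(f"activity from another country {ctx.minutes_since_other_country} min ago")
    if ctx.failed_attempts_last_hour > 0:
        score += min(ctx.failed_attempts_last_hour * WEIGHT_PER_FAILED_ATTEMPT, FAILED_ATTEMPT_CAP)
        reasons.append(f"{ctx.failed_attempts_last_hour} failed attempts in the last hour")
    if ctx.anonymizing_network:
        score += WEIGHT_ANONYMIZING_NETWORK
        reasons.append("anonymizing network")
    sensitivity = OPERATION_SENSITIVITY.get(ctx.operation)
    if sensitivity is None:
        raise ValueError(f"operation not covered by policy: {ctx.operation}")  # fail closed
    if sensitivity:
        score += sensitivity
        reasons.append(f"sensitive operation {ctx.operation}")
    return score, reasons


def decide(ctx: AccessContext) -> Tuple[Decision, int, List[str]]:
    """Map the score to a decision using the policy thresholds."""
    score, reasons = score_risk(ctx)
    if score >= DENY_THRESHOLD:
        return Decision.DENY, score, reasons
    if score >= STEP_UP_THRESHOLD:
        return Decision.STEP_UP, score, reasons
    return Decision.ALLOW, score, reasons


def sample_contexts() -> Dict[str, AccessContext]:
    """Constructed scenarios covering the three decision bands."""
    return {
        "returning": AccessContext("c-1001", "login", True, "US", "US", -1, 0, False),
        "new_device_abroad": AccessContext("c-1002", "login", False, "DE", "US", -1, 0, False),
        "impossible_travel_payment": AccessContext("c-1003", "change_payment", False, "DE", "US", 12, 0, False),
        "brute_force_known_device": AccessContext("c-1004", "login", True, "US", "US", -1, 5, False),
    }


if __name__ == "__main__":
    for name, ctx in sample_contexts().items():
        decision, score, reasons = decide(ctx)
        print(f"{name:28s} score={score:3d} -> {decision.value:12s} {'; '.join(reasons) or 'no risk factors'}")
```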

The CIAM pattern illustrates a SaaS/cloud instantiation of the CIAM solution. TechVision’s recent and continuing experience has shown that the more robust, user-friendly and feature-rich CIAM solutions are typically those that are purpose-built by leading vendors such as SAP/Gigya, Akamai/Janrain – now being joined in the CIAM marketplace by Okta, Microsoft, IBM and many others. This does not mean that a SaaS/cloud CIAM solution is right for your organization, though it is quite possible that this will be the case.

There are some core capabilities within CIAM that should be prioritized, including:

  • Self-Service UI/Administration that is equally user-friendly whether accessing from a mobile device or a desktop/laptop
  • Social Login and eventual support for Decentralized ID
  • Alternative interfaces such as Chatbot and Interactive Voice Response (IVR)
  • Consent Management
  • Progressive Profiling
  • Delegated Administration
  • Support for MFA and Passwordless Authentication
  • Adaptive Access (Authentication & Authorization)

Once you and your team have settled on appropriate Reference Architecture capabilities mapping and developed one or more patterns, it is important to socialize the CIAM Reference Architecture across your organization. This is typically done by presenting at your organization’s periodic Architecture Review Board meetings, as well as sharing drafts of your work with key stakeholders throughout the process in order to solicit feedback and enhance their engagement in the entire process.

Map to Vendors’ Functional Capabilities

As we have alluded to, there are a number of very capable vendors of CIAM solutions on the market today. This mapping is where your organization can better control its own destiny in both selecting vendors that better meet your needs and making deployment decisions in your best interest. In our July 2020 report titled “Developing a Customer IAM (CIAM) Strategy and Roadmap”, we reviewed many of these vendors, who include:

  • Akamai/Janrain
  • Cloudentity
  • ForgeRock
  • IBM
  • iWelcome
  • Microsoft
  • Okta
  • com
  • SAP/Gigya

These are all CIAM “short list” vendors worth considering, but for the purposes of illustrating this mapping process we’ll look at a single leading vendor, SAP/Gigya, and map this vendor’s capabilities to our CIAM Reference Architecture pattern (previously shown in Figure 4). This is where the rubber meets the road – and it becomes more evident how you will be able to deploy a chosen vendor’s CIAM solution to match your ‘what good looks like’ pattern.

We’ll now look at SAP/Gigya – perhaps the leading CIAM vendor (at least by market share) – and see how their offering maps to our pattern. From a feature and functionality standpoint, SAP’s cloud-based Customer Data Cloud (CDC), maintained by SAP/Gigya, provides the following capabilities that map cleanly to the requirements set forth at the outset of this document for CIAM:

  1. Use registration-as-a-service functionality with scalable, responsive forms and customizable workflows for most CIAM business cases.
  2. Support authentication for more than 35 social networks.
  3. Implement risk-based, multifactor, biometric, and one-time password (mobile SMS) authentication.
  4. Enable single sign-on for all sites to provide a better customer experience across touchpoints.
  5. Support identity federation standards using SAML and OpenID Connect protocols.
  6. Capture and transform structured and unstructured data with a fully-indexed, dynamic schema.
  7. Map and transfer or synchronize profiles with third-party applications and services using a powerful extract, transform, and load solution.
  8. Benefit from more than 60 preconfigured technology integrations.
  9. Protect customers with constant monitoring of digital identities and alerts about unusual account activities.

The path to a comprehensive migration from your current CIAM environment to SAP CDC will likely entail a data synchronization architecture that integrates the legacy CIAM and the CRM, which holds the authoritative customer source data. This allows your organization to migrate in a thoughtful and safe manner until such time as it can de-activate the legacy CIAM environment completely. Data integration solutions such as Radiant Logic’s Federated Identity virtual directory are often a very useful platform for integrating customer data from and to authoritative sources and the CIAM platform.
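The coexistence period described above, as an added example that is not from this report or from any vendor: a small Python reconciliation that treats the CRM as authoritative for contact attributes and the legacy CIAM as authoritative for consent and MFA state, produces an idempotent change set for the target CIAM, flags customers whose sources disagree on email for human review, and never deletes target records that only the target knows about. The record sets, field names and the precedence table are constructed assumptions, not any product's schema.

```python
"""Legacy CIAM -> target CIAM profile synchronization with an authoritative CRM.

Constructed example: LEGACY_CIAM, CRM and TARGET are made-up record sets keyed
by customer id, standing in for the systems named in the report. PRECEDENCE is
an assumed per-attribute source-of-truth table, not a vendor schema.
"""
import copy
from dataclasses import dataclass, field
from typing import Dict, List

# Assumption: CRM owns contact data; legacy CIAM owns consent and MFA state
# until it is decommissioned. First source in each list that has the value wins.
PRECEDENCE = {
    "email": ["crm", "legacy_ciam"],
    "given_name": ["crm", "legacy_ciam"],
    "family_name": ["crm", "legacy_ciam"],
    "marketing_consent": ["legacy_ciam", "crm"],
    "mfa_enrolled": ["legacy_ciam"],
}

LEGACY_CIAM = {  # constructed sample data
    "c1": {"email": "ann@example.com", "given_name": "Ann", "family_name": "Lee",
           "marketing_consent": True, "mfa_enrolled": True},
    "c2": {"email": "bob@example.com", "given_name": "Bob", "family_name": "Ray",
           "marketing_consent": False, "mfa_enrolled": False},
    "c3": {"email": "cy@example.com", "given_name": "Cy", "family_name": "Oz",
           "marketing_consent": True, "mfa_enrolled": True},
}
CRM = {  # constructed sample data: c1 has a corrected name, c2 a conflicting email
    "c1": {"email": "ann@example.com", "given_name": "Anne", "family_name": "Lee"},
    "c2": {"email": "robert@example.com", "given_name": "Bob", "family_name": "Ray"},
    "c4": {"email": "dee@example.com", "given_name": "Dee", "family_name": "Kim",
           "marketing_consent": False},
}
TARGET = {  # constructed sample data: c9 exists only in the target (an orphan)
    "c1": {"email": "ann@example.com", "given_name": "Ann", "family_name": "Lee",
           "marketing_consent": True, "mfa_enrolled": True},
    "c9": {"email": "old@example.com"},
}


@dataclass
class SyncPlan:
    creates: Dict[str, dict] = field(default_factory=dict)
    updates: Dict[str, dict] = field(default_factory=dict)  # cust_id -> changed fields only
    conflicts: List[str] = field(default_factory=list)      # held back for human review
    orphans: List[str] = field(default_factory=list)        # reported, never deleted


def merge_profile(cust_id: str, sources: Dict[str, dict]) -> dict:
    """Build the desired target record by walking PRECEDENCE per attribute."""
    merged = {}
    for attr, order in PRECEDENCE.items():
        for src in order:
            rec = sources.get(src, {}).get(cust_id)
            if rec is not None and rec.get(attr) is not None:
                merged[attr] = rec[attr]
                break
    return merged


def plan_sync(legacy: dict, crm: dict, target: dict) -> SyncPlan:
    """Compute a non-destructive change set; safe to run repeatedly while both systems coexist."""
    sources = {"legacy_ciam": legacy, "crm": crm}
    plan = SyncPlan()
    all_ids = set(legacy) | set(crm)
    for cid in sorted(all_ids):
        # Sources disagreeing on the login identifier is a data-quality problem, not a merge rule.
        emails = {s[cid]["email"].lower() for s in (legacy, crm) if cid in s and s[cid].get("email")}
        if len(emails) > 1:
            plan.conflicts.append(cid)
            continue
        desired = merge_profile(cid, sources)
        if cid not in target:
            plan.creates[cid] = desired
        else:
            diff = {k: v for k, v in desired.items() if target[cid].get(k) != v}
            if diff:
                plan.updates[cid] = diff
    plan.orphans = sorted(set(target) - all_ids)
    return plan


def apply_sync(target: dict, plan: SyncPlan) -> dict:
    """Apply creates and updates only; orphans and conflicts are left untouched."""
    for cid, rec in plan.creates.items():
        target[cid] = dict(rec)
    for cid, diff in plan.updates.items():
        target[cid].update(diff)
    return target


def run_demo():
    """Plan, apply, then re-plan: the second pass must be a no-op apart from reports."""
    target = copy.deepcopy(TARGET)
    first = plan_sync(LEGACY_CIAM, CRM, target)
    apply_sync(target, first)
    second = plan_sync(LEGACY_CIAM, CRM, target)
    return first, second


if __name__ == "__main__":
    first, second = run_demo()
    print("creates:", sorted(first.creates), "updates:", first.updates)
    print("conflicts:", first.conflicts, "orphans:", first.orphans)
    print("second pass idempotent:", not first and not second.creates and not second.updates)
```

The conflict branch is the point of the example: when the legacy CIAM and the CRM disagree on the login email, the sync refuses to pick a winner and leaves the target record alone, because a wrong choice would lock the customer out or hand the account to the wrong mailbox. Orphans are reported rather than removed so that records created directly in the target during coexistence are never lost.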

With this overview of SAP/Gigya’s capabilities in mind, the design considerations for implementing CIAM in your organization must encapsulate CDC within the vendor neutral CIAM Reference Architecture pattern established previously. The following design recommendations leverage the original, vendor neutral CIAM pattern and overlay it with the SAP CDC capabilities, yielding the following illustrative pattern.

Figure 5: SAP/CDC Overlaying the Example CIAM Reference Architecture Pattern

As can be seen, the SAP solution components map cleanly to the future state, vendor neutral CIAM Reference Architecture pattern. This pattern should be the template for expanding the CIAM environment across the customer facing organization, in order to meet the following ‘sample’ overarching objectives:

  • CIAM platform: Evaluate CIAM solutions in terms of fit-for-purpose with your organization’s functional requirements.
  • MFA and CIAM: Identify a strategy for deploying MFA within the CIAM environment.
  • Social Logon and CIAM: Identify a strategy for enabling customer login with social media identities within the CIAM environment.
  • Standardize migration from legacy CIAM: A migration strategy for moving existing CIAM user account information from legacy CIAM to the target solution, such as CDC.
  • CIAM integration with Enterprise IAM: Customer Service Representatives and other internal staff must be able to access and administer the CIAM environment using their enterprise identities and credentials, including privileged access management (PAM).

You and your team can do this type of vendor solution-to-reference architecture mapping using any CIAM solution, and leverage TechVision Research as appropriate to support this process. In fact, your RFP and/or RFI instructions should demand that responding CIAM vendors do this initial mapping for you as a means of evaluating their solutions. Then, when a vendor makes a presentation to your stakeholders, this level of thinking has already been addressed by both you and the vendor, making the entire solution selection process much cleaner and easier.

Begin Deployment and Measure Progress

You can see that there is a logical progression of steps necessary to implement CIAM properly. Once your organization’s Reference Architecture pattern(s) have been identified, the IAM-related capabilities necessary to support the patterns have been identified (and, where deficient, are being addressed), and a vendor solution has been identified and procured, your team may develop its deployment and roll-out plans. There are far too many horror stories of teams that ‘picked a vendor and deployed’ in the absence of this pre-work. In those cases the CIAM solution deployment typically becomes almost completely vendor-driven, based on what the vendor or Systems Integrator feels they can do most easily and most profitably. Careers have been derailed by not doing this pre-work.

Your own organization’s deployment roadmap will depend on a number of factors specific to you:

  • Business and functional requirements
  • Risk levels germane to customer data protection and privacy
  • The existence and maturity of IAM capabilities that will need to support CIAM

While there may be finer-grained inputs driving the deployment roadmap, these 3 factors will lead the way. Using your vendor-solution-mapped pattern (i.e., Figure 5) as a visual cue, you can more readily decide which CIAM solution module to deploy where, and for what purpose.

Summary

We hope you have found this report useful. TechVision Research feels that CIAM, with its ability to protect customer data and ensure customer privacy, is one of the more critical elements of an enterprise security posture and is becoming increasingly important. Enormous fines and significant brand damage can occur when customer data is breached – whether in your data center or in the cloud. No matter how far along you are (or aren’t) in CIAM deployment, don’t delay developing a Reference Architecture for CIAM: documented business and technical requirements, and a comprehensive, defensible set of patterns mapped to existing and required capabilities and to vendor solution capabilities. With these elements all addressed, you will be able to select the appropriate vendor and deploy the solution to fit your CIAM environment and address specific customer engagement and satisfaction requirements.

About TechVision

World-class research requires world-class consulting analysts, and our team is just that. Gaining value from research also means having access to research. All TechVision Research licenses are enterprise licenses; this means everyone that needs access to content can have access to content. We know major technology initiatives involve many different skillsets across an organization and limiting content to a few can compromise the effectiveness of the team and the success of the initiative. Our research leverages our team’s in-depth knowledge as well as their real-world consulting experience. We combine great analyst skills with real world client experiences to provide a deep and balanced perspective.

TechVision Consulting builds off our research with specific projects to help organizations better understand, architect, select, build, and deploy infrastructure technologies. Our well-rounded experience and strong analytical skills help us separate the “hype” from the reality. This provides organizations with a deeper understanding of the full scope of vendor capabilities, product life cycles, and a basis for making more informed decisions. We also support vendors in areas such as product and strategy reviews and assessments, requirement analysis, target market assessment, technology trend analysis, go-to-market plan assessment, and gap analysis.

TechVision Updates will provide regular updates on the latest developments with respect to the issues addressed in this report.

About the Authors

Doug Simmons brings more than 25 years of experience in IT security, risk management and identity and access management (IAM), which remain his areas of focus. Doug holds a double major in Computer Science and Business Administration.

While leading consulting at Burton Group for 10 years and security and identity management consulting at Gartner for 5 years, Doug performed hundreds of engagements for large enterprise clients in multiple vertical industries, including financial services, health care, higher education, federal and state government, manufacturing, aerospace, energy, utilities and critical infrastructure.

Gary Rowe is a seasoned technology analyst, consultant, advisor, executive and entrepreneur. Mr. Rowe helped architect, build and sell two companies and has been at the forefront of the standardization and business application of core infrastructure technologies over the past 35 years. Core areas of focus include:

Identity and Access Management, blockchain, Internet of Things, cloud computing, security/risk management, privacy, innovation, AI, new IT/business models and organizational strategies.

Prior to starting TechVision Research he was President of Burton Group from 1999 to 2010, the leading technology infrastructure research and consulting firm. Mr. Rowe grew Burton to more than $30 million in revenue on a self-funded basis, sold Burton to Gartner in 2010 and supported the acquisition as Burton President (now Gartner for Technical Professionals) at Gartner.
