Online Consumerization Booms: Recalibrating Customer IAM (CIAM)
Initial Publication Date: 28 July 2021
Abstract:
Customer Identity and Access Management (CIAM) is a topic we’ve covered for a long time, but the pandemic changed the cadence of discussion. In our report four years ago, we characterized CIAM as an “emerging” category. Two years ago, we declared that CIAM had “emerged” and last year we described CIAM as maturing. With an unprecedented movement toward online consumerism during the pandemic lockdown continuing, we should now address the foundation to support the new requisite scale, security capabilities and privacy issues while we prioritize user experience. This report factors these new requirements into our updated vendor analysis/short-list and concludes with new enterprise CIAM recommendations.
CIAM is important and highly visible as it provides organizations with a public gateway to secure external engagement and is a critical element of any Digital Enterprise program. This report offers recommended customer-centric IAM strategies, architectural approaches and pragmatic, experience-based advice. CIAM differs from traditional (inwardly focused, enterprise) IAM because of its greater emphasis on user experience, privacy and consent management, increased scale, integration with CRM/marketing systems, and a business/sales focus.
This report provides strategic and tactical recommendations for enterprises building an IAM foundation for customer/prospective customer engagement and external stakeholders in the context of business goals. This report covers:
- The enterprise CIAM value proposition, core updated requirements, business rationale and a risk assessment
- Developing a CIAM strategy and action plan
- The CIAM market and new vendor short list
- Recommendations and next steps
Authors:
- Gary Rowe, CEO & Principal Consulting Analyst, [email protected]
- Doug Simmons, Principal Consulting Analyst, [email protected]
Executive Summary
Customer IAM (CIAM) is a set of technologies and an approach towards engaging customers within every large organization that continues to increase in importance. CIAM has had a spotlight on it as the pandemic-driven “business model” abruptly and broadly accelerated digital business and how customers access products and services. Under this spotlight, this IAM category is rapidly evolving and has become critical to building trusted customer relationships and providing requisite security and privacy protection. This combination of engaging prospective customers, protecting them (and your enterprise) at scale and building businesses based on these relationships is elevating CIAM to one of the most important elements of the new Digital Enterprise.
A CIAM program, properly executed, is a conduit towards building lifetime digital customer relationships. Establishing trusted connections and building relationships that generate useful data and can be served by better customer knowledge are keys to digital business success – as was so apparent during the past 18 months. These digital relationships can be maintained and enhanced over time with a steady flow of updated contextual and progressive profile-generated information that drives personalized customer offerings and improves your own organization’s business decisions. CIAM is particularly adept at supporting key Sales and Marketing objectives including enticing and engaging prospective customers, better serving and retaining current customers and establishing trusted, secure and sustainable relationships.
It is hard to over-emphasize the impact of Customer IAM. Simply put, it is different from many infrastructure technologies in that the business benefits are so directly tangible. In many cases the customer engagement process can make or break a lifetime relationship; get CIAM right and you can build a strong digital presence with tangible business results; get it wrong and your competitive advantage can be forever lost.
In building a CIAM program, organizations should start by focusing on the customer experience and how CIAM can support the evolution of this experience throughout the suspect/prospect/customer lifecycle. Relationships to be managed may be initiated by anonymous users investigating your website and grow as offers are responded to and trust is established. During this process, data is securely aggregated while customer profile information naturally evolves throughout the lifetime of the relationship. This method of gaining customer insights as the customer journey evolves is often referred to as “progressive profiling” and is a key part of a strong CIAM offering.
CIAM is different in many ways from traditional IAM while leveraging some common elements. The major focus within CIAM is on the customer – with an emphasis on minimizing friction and enticing engagement. This is different from employee facing IAM, where employees are generally required to use the system as a condition of employment with an emphasis on access control, data security, and compliance. With CIAM, however, prospects and customers may be lost forever if the registration, log-in, update process, personalization, consent management and other CIAM services are not deemed to be an intuitive, responsive, and overall positive experience.
However, be aware that most customers expect some control over how their data is collected, managed, stored, and shared – and the CIAM service needs to support this. In the era of more rigorous data protection and privacy regulations, laws such as the General Data Protection Regulation (GDPR) in Europe, the Canada Privacy Act and the California Consumer Privacy Act require elevated security and privacy controls and policies, which are becoming necessary prerequisites for any CIAM program.
TechVision recommends that CIAM programs be considered a priority area of investment in most large customer-facing enterprises given the direct business benefits and the risks if customer data isn’t properly managed. Digitally connecting with customers and building sustainable business relationships requires a strong and flexible Customer IAM foundation. Traditional, enterprise-focused IAM is generally not the best solution to support customer-facing applications and services, while CIAM is architected specifically to support the needs of current and prospective customers while minimizing external risks. That said, traditional IAM solutions are expanding to include and improve CIAM capabilities and are another alternative to consider.
This report describes the difference between CIAM and traditional IAM, key end-user requirements (including survey data results), CIAM architecture considerations, design guidelines, a short-list of vendors to consider and summary recommendations.
Introduction – A Customer IAM Platform
For the past 25 years, most organizations have focused the bulk of their IAM investments in support of employees and contractors. This internally focused product/service has traditionally been called Identity and Access Management (IAM) or Enterprise IAM. Most large enterprises recognize that IAM needs to be extended to broaden its reach. Digital Enterprise (often called Digital Transformation) programs are extending digital connections to include customers and external stakeholders. CIAM can optimally support these connections and relationships throughout the prospect/customer lifecycle.
CIAM reflects an expanding set of IAM requirements that are not fully accommodated by traditional, enterprise centric IAM solutions. The increased scale, diverse contextual information requirements, the focus on an engaging user experience, key privacy considerations/ regulations and support for and integration with Sales/Marketing and business critical applications such as CRM and ERP are areas of particular emphasis in CIAM. Simply put, identifying, securing, contextualizing, supporting, and providing a greater focus on the user experience while ensuring appropriate protection for Personally Identifiable Information (PII) is critical in supporting current and future customers.
Most enterprises that don’t have a separate CIAM solution still have an IAM service that supports customers, but they are often just extensions of existing enterprise focused IAM platforms. Customers still must be supported, so these organizations use legacy systems with different schemas (internal and external), different security processes/policies and physical separation between customer and internally facing IAM services. This can be a workable solution – perhaps for the short term, but the problem over time is that traditional EIAM platforms have not been optimized for the customer experience and privacy – and are often not optimized for scale or for the cloud.
All enterprises have access to a growing base of customer data, but this data is often in disparate silos, not structured or simply not being leveraged in an optimal way. For competitive reasons, the business benefits of providing a secure, seamless, and unified customer experience across multiple channels (i.e., mobile, web) as part of Digital Enterprise/Transformation programs are driving the CIAM market, especially given the pandemic impact.
The immediate benefits to the customer are to reduce friction by offering choices of interfaces and channels with simplified-yet-secure login, providing self-service capabilities and relevant contextual data leading to personalization, progressive profiling, privacy protection and transaction efficiency. These factors lead to increased customer engagement and the likelihood of brand loyalty.
From a business perspective, the upfront investment in CIAM offers faster time to market (immediately connecting with customers), a reduction in administrative overhead (automated, electronic processes) and ultimately, an on-going increase in revenue and client retention. But the use of CIAM and the collection and use of contextual data provides much more than just engaging the customer; the consistent use of these platforms is a core business opportunity to get to know and serve customers better and more efficiently.
The challenge for both CIAM and customer data in general is that typically most customer data is stored in distinct database instances that are uncoordinated and unsynchronized, providing minimal value-added functionality. In fact, the very lack of coherence between multiple forms of Customer Relationship Management (CRM) and customer databases systems can lead to customer frustration, security vulnerabilities and lost opportunities for the organization. The right customer facing IAM service can provide valuable profile information, preference data, consent management and other contextual information to support the integration of the right data with the right customers/prospects. In short, it can support key business goals through efficiency, accuracy, and security.
Hence, it not only makes sense, but it becomes a business necessity to address the issue by adopting a CIAM strategy that will give your customers’ data at the very least the same level of care as that of your employees and at the same time improve their online experience.
It would be easy for an organization to view CIAM as simply an extension of their existing EIAM or CRM systems – or both. At one level, CIAM does provide a similar degree of access to company resources as compared to EIAM, but CIAM requires greater usability and autonomy in managing profiles and preferences in support of developing long-term relationships and uncovering business opportunities. We’ll now look at how CIAM is developing as a separate IAM category and how it differs from traditional, internally focused IAM.
Enterprise (traditional) IAM vs. Customer IAM
While CIAM is based on long-standing Identity Management principles originating within the enterprise, there are major differences and areas of emphasis that are driving the Customer IAM category. Key deltas include increased scale, new types of contextual information/ relationships, personal data control, a high priority placed on the user experience with personalization, and key privacy considerations/regulations. CIAM is optimized for customer engagement while protecting the company and customer.
This specialized class of IAM services requires links into marketing systems, CRM systems, customer databases and reporting systems and must handle both the scale and the imprecision in engaging with customers and prospective customers. These stakeholders are also increasingly technology-savvy and expect a fast, pleasant, and secure user experience or they may simply find that experience elsewhere.
Remember, employees generally won’t leave if there is a poor IAM user experience, but customers and potential customers need to be enticed and motivated to engage and reengage. Building a customer-oriented identity management system demands a significant shift in the way vendors and their clients approach the management and use of identities. Employees and contractors are a captive audience and will generally tolerate cumbersome identity registration, update, login, or provisioning processes. This is largely because enterprise IAM has traditionally been confined to a predictable, often static environment, based on a set of mandated policies that, to date, have security and access control as their design goal – often leaving the user experience as a lower priority.
Customer IAM on the other hand is driven by an organization’s desire to engage prospective customers and build loyalty with existing clients. CIAM also provides more insight into its customers and plants the seeds for long-term business relationships, enabling closer online responsiveness based on behaviors and both observed and customer-provided preferences. In contrast with EIAM, CIAM is, by its very nature, open to the Internet and involves scaling to hundreds of thousands or potentially many millions of personal identities. Scale apart, there are considerable differences between the approaches taken by traditional IAM solutions, which focus on managing employees and, in some cases, partners, in contrast with a new breed of CIAM services intended to manage interactions and relationships with customers and consumers. The key drivers for both are radically different, driven by different parts of the business and requiring different technical solutions and architectures.
Stricter data protection and privacy regulations supported by the threat of heavy fines and penalties are also increasing the stakes for better organizing, managing, and protecting customer data. Marketing systems, CRM and CIAM services house large volumes of personal information – if customer data isn’t properly managed it isn’t just an administrative headache, it can also become a significant potential legal liability to businesses and their brands.
While a small number of vendors offer CIAM-only solutions, most of the EIAM market leaders are extending their B2E portfolio to address the requirements of Business to Customer (B2C) to effect the convergence addressed in this document. Others, however, will continue to differentiate between the two – at least for the time being – often partnering with a specialist vendor for CIAM. As we’ll describe later in this report, we are beginning to see vendors (e.g., Microsoft, ForgeRock, Ping, Okta, among others) offering core IAM services with different views or configurations for customer engagement.
The following table provides a summary of the more important differentiators between CIAM and EIAM requirements and characteristics. These deltas as well as the increasing investment in the CIAM area (by both the vendors and their customers) are driving the movement towards purpose specific CIAM service offerings.
| Characteristic | Enterprise IAM | Customer/Consumer IAM |
|---|---|---|
| Business | | |
| Purpose | Platform for employee engagement and the encouragement/enforcement of good corporate behavior | Platform for discovery and development of a relationship with the customer to drive consumption, brand loyalty and revenue |
| Drivers | Security risk and cost reduction, employee productivity, on-boarding and off-boarding efficiency | Acquisition, engagement, recommendation & retention; revenue-driven |
| Intelligence | Static, rules-driven intelligence; but changing with increased use of contextual awareness | Dynamic, real-time, analytics-based; progressive profiling, personalized, frictionless security based on analytics |
| Governance, Risk and Compliance | | |
| Access Management | Information protection and appropriate access is key to the enterprise | Dynamically balance ease of use/engagement against risks |
| Access Governance | High priority | Low-to-medium priority, transaction value-based |
| Policies & Permissions | CIO/IT/CISO with perhaps some input from LOBs | LOB/Marketing and CIO/IT/CISO as well as (increasingly) the customer directly |
| Privacy Compliance | Centralized policy-driven with further controls for regulatory compliance; implicit consent | Policy-driven as well as customer-driven, with opt-in/opt-out and explicit consent management. Protection of PII is key, as is privacy regulation compliance |
| Architecture | | |
| Adaptability | Integration with back-end systems such as HR and Active Directory, with growing SaaS integration | Dynamic schema required to support managing consent, opt-ins and preferences; integration with CRM and customer reporting solutions |
| Agility | Traditionally monolithic and predictable | Modular and adaptable |
| Architecture | SOAP/REST, principally desktop/laptop centered | REST, often “mobile device first” |
| Extent | Perimeter-based, enterprise-defined; but evolving to perimeter-less | Borderless, inclusive, internet-scale |
| Network | On-premise, moving to cloud/hybrid as well as BYOD/BYOI/BYON | Mobile and cloud-first; on-premise/hybrid if necessary |
| Performance | Higher latency using captive IDs, primarily for security | Lower latency for frictionless user experience, taking account of busy hours (evenings and weekends) |
| Scalability | Tens or hundreds of thousands, relatively stable size | Hundreds of thousands or millions, sometimes expanding with Sales & Marketing campaigns |
| Velocity | Corporate or LOB requirements for on-boarding, often slow and methodical | Internet speed with risk awareness |
| Data | | |
| Data | Predefined by IT, stored in directories and relational databases | Derived from many sources, often using unstructured data requiring dynamic schema and progressive profiling, increasingly adding IoT devices and data |
| Enrollment | Triggered by employer | Initiated by consumer or through registration invitation link |
| Profile & Preferences | HR and employee with limited scope | LOB from CRM and consumer through self-service, with personalization a key to long-term engagement |
| Provisioning | HR-driven, defined by CIO/IT policies | Users voluntarily register through self-service or registration invitation link, define desired interactions |
| Scope | Employees, contractors, consultants and sometimes partners | Customers/prospects/consumers; optionally employees, contractors, partners, service providers who are also customers (e.g., Retail employees) |
| User Experience | | |
| User Experience Priority | Generally low priority, but gradually improving, driven more by non-security focused departments, such as HR or Engineering | Unified user experience is high priority, further enhanced by self-service, fast response time and simple registration |
| Personalization | Limited but beginning to add personalization/birth rights, largely driven by HR | Considered a differentiator and a benefit to both enterprise Marketing-focused LOBs and consumers |
Table 1: Enterprise IAM vs. Customer IAM Comparison
CIAM Opportunities and Business Benefits
One of the areas TechVision spends a lot of time covering is the ever-expanding digital world enterprises are facing – and this world is accelerating at unprecedented speed in the wake of the COVID-19 global lockdown. We believe that organizations aren’t just transforming, they are becoming Digital Enterprises. The transformation is on-going and pervasive as the Digital Enterprise is evolving to better enable the way we do business. One of the most critical factors towards securing and managing this new digital reality is a robust and inclusive Identity Management foundation. And the most visible part of this IAM foundation is how organizations engage their customers via CIAM.
The business benefit that CIAM brings is so much more direct than other “infrastructure” services; CIAM allows an enterprise to better connect with and better understand customers and prospective customers by observing their activity and collecting data while on their website(s). If this is done right and supported by other services, there can be a positive impact on revenue and customer satisfaction; it is hard to make such a strong claim with other infrastructure technologies. CIAM, done right, drives revenue growth by connecting with customers, responsibly collecting data, and using the insights from that data to acquire, retain and grow customer revenue and loyalty. CIAM truly merges technology and business.
Functional areas that drive CIAM-based business benefits fit into almost every element of external relationships, but IT, Marketing, Sales, Legal/Privacy Office, and a variety of LOBs benefit directly from a strong CIAM program. The most visible area of CIAM is Sales/Marketing given their involvement in engaging, analyzing and selling and we’ll discuss these direct benefits next.
CIAM is all about engaging current and future customers and it can be a game changer for enterprise sales and marketing teams by efficiently improving connections and insights at scale. Marketing is all about understanding and categorizing a target market and gaining insights as to user preferences, buying patterns, intent, and influencers. CIAM in the context of the new Digital Enterprise provides a wide range of connections and generates data to be analyzed at scale to increase insights, brand loyalty and, ultimately, sales.
But remember, collecting customer data also increases enterprise risk as regulatory controls increase in volume and complexity. Collecting data without consent or in amounts deemed excessive can damage trusted relationships and can also create legal and regulatory headaches. The good news is that proactively and transparently addressing the security and privacy challenges (like clear and simple privacy policies, implementing Privacy by Design, carefully managing Opt-In capabilities, etc.) can also build customer loyalty and is a foundational principle in good CIAM programs. Customer connections and relationship building supported by CIAM are a major business benefit so long as you maintain the trust your customers and prospective customers are implicitly offering by engaging with you.
A key component of the Digital Enterprise is getting to know your customer and prospective customers better and CIAM is perfectly positioned to support this. The principles of Know Your Customer (KYC) require financial institutions to verify who their clients are and specifically determine that they are neither laundering money nor engaged in fraud, not involved in terrorist activities or any form of illicit trafficking and are anti-bribery compliant. Although KYC is mandated for the banking and finance community, enterprises of all sizes engaged in any financial transaction have a need to know that their customers are legitimate; in other words, ‘they are who they say they are’, not on any transactional blacklist, and of low or accepted risk. One of the key capabilities of CIAM services is to identify anomalous or suspicious behavior, not only at the beginning of a customer relationship but throughout the full customer lifecycle.
Most organizations benefit from improving their knowledge of targeted customers and prospects. Behavior patterns are discernible from a variety of different input sources, such as purchasing preferences, location-based information, social media feeds, and data collected/verified from identity profiling. CIAM services, often in combination with Marketing systems and CRM services, can provide insights to business leaders (Marketing, Sales, LOB executives) about customer trends, leads generated, conversion rates by market segment, cross-selling opportunities and of course, projected, and actual sales results.
Correlating customer patterns/usage data with identity data can provide insights as to who the customer is, with whom they associate, and what they are likely to buy. The primary goals of present day commercial digital marketing are to determine who you are, who your friends are, and your habits to predict what you’re going to want next and figure out how to offer it to you at a compelling price point. CIAM services combined with the right privacy controls can enhance customer confidence and trust, which is critical in determining whether the brand reputation is strengthened rather than compromised. Your customers need to be protected from fraud just as much as your organization does.
For instance, some of the most valuable sources of marketing and sales data come from customer self-interest and usage. When someone identifies himself or herself online, they voluntarily give up a certain amount of data before participating in a loyalty program or even before making their first purchase. The more confidence this individual has in the brand and the privacy protection, the more complete and genuine the responses will generally be. For example, if a consumer doesn’t trust the brand, doesn’t like the digital experience, isn’t confident as to how the data generated will be used or shared, then the data they provide (if they provide any data) may not be accurate, complete, or useful. This is a critical business area that can be supported by the right CIAM infrastructure.
It is important to understand that CIAM is a critical element of an externally facing Digital Enterprise program, but only a piece of the puzzle. While CIAM helps to identify and contribute to decisions concerning appropriate access, these services do not replace marketing automation or CRM systems. They integrate with and augment these systems to help organizations get maximum business value out of them. We’ll next net out some of the key Customer IAM requirements we typically discover in working with large organizations and believe are a good starting point as you build out your own requirements and strategies in the CIAM area.
CIAM Requirements for Large Enterprises
TechVision Research has extensive experience “on the ground” working with large enterprises in helping to develop strategies, architectures, tactical plans, collecting requirements, developing vendor RFIs and RFPs and helping to establish how CIAM fits within the overall IAM, Business and Security portfolios. While every organization is different, we’ll now describe key features and capabilities generally required for large enterprise CIAM programs. Many of these topics were previously addressed at a high level in comparing CIAM to EIAM, but we’ll now look at them in the context of the core capabilities enterprises need in their CIAM program, and note that these needs and wants have expanded given the lessons learned during the pandemic. This will also be a foundation as we describe how the core requirements and pieces fit together in the TechVision CIAM Reference Architecture we’ll describe later in this report.
Let’s start by netting out the most important aspect of CIAM: engaging your customer/prospect in an easy, compelling way. It is all about that experience; connecting with your current/future customer should be seamless, fast, mobile device optimized and provide the perception that the user controls the experience. This needs to be done in a way that complies with regulatory controls and data protection legislation and provides the requisite security controls, but remember that if you can’t engage your prospects/customers on an on-going basis, none of this matters. So start with the user experience.
The core CIAM requirements enterprises are seeking include the following areas we’ll break out by category. We’ll start with the business benefit, then user/customer facing requirements and then consider some of the technical requirements by category or service offerings.
- CIAM Business Benefit: Maximizing Conversion Rates and Building the Brand: This is where business goals meet CIAM. Turning suspects into prospects, into customers, into loyal customers can be greatly enhanced by a strong CIAM program. It bears mentioning, though, that such strong CIAM business benefits can also contribute to LOBs sometimes circumventing IT (especially when using Identity as a Service (IDaaS) solutions) and establishing their own CIAM-based customer interactions without fully considering governance. While TechVision doesn’t advocate building a CIAM program in the absence of governance, it bears mentioning that this is a significant risk to be weighed against the business benefit of a LOB moving fast. This happened a lot during the COVID-19 lockdown.
- On-Boarding and Registration: This is where the customer experience really begins. This experience must be “frictionless”, a word we’ll use a lot in CIAM (and in IAM and security in general) as it is all about enticing your (prospective) customer to engage and build the relationship. This can be supported by an attractive user interface that is fully optimized for both the web and mobile devices, simple on-boarding requiring minimal user information initially, perhaps pre-built registration forms, self-service support, and API support to seamlessly integrate with various social logins – should you choose to enable them. The easier and faster this is for your customer the better.
- Identity Proofing/Verification: The amount of data and degree of required proof of identity (also called identity vetting) can be progressive based on the point a user is at in the lifecycle (e.g., just registered, long-time customer) and the related security and risk management policies. Flexibility in terms of choices for the user is of value, but remember to evaluate the risks associated with lower quality identity proofing (e.g., accepting social logins) and the value of the customer transactions before accepting that lower level of proofing.
- Customer Profile Management: This involves understanding your customer, their likes, dislikes and usage. Customer profile management includes preference management (how the customer manages their interactions), self-service, opt-in, consent management, privacy/data protection (GDPR, CCPA…) compliance and support/management of both structured and unstructured data.
- Progressive Profiling: This process gradually collects and aggregates data about users. The concept is that you start small and don’t scare off prospective customers, and then throughout the lifecycle continue to refresh and update your profile data. This can both increase conversion rates and support acquiring more contextually relevant data. There must be a balance between the amount of profile information being captured and the point where a customer feels he or she is being ‘spied on’ or their information is being sold to 3rd parties.
- Unified Customer View: This is of tremendous value especially for large organizations with related but different product lines or businesses (LOBs). This became even more important over the past 18 months as everything went digital. This should also support consistency across multiple channels. Typically, this is enabled via Single Sign-On (SSO) and allows an organization to view an individual customer across multiple properties or LOBs. The CIAM service can also help to normalize and correlate all customer interactions and integrate third party data sources for this comprehensive customer view. This is important for the business, but also of value to the customer in providing a more seamless user experience. One of the most commonly heard customer complaints is that a business doesn’t “remember them” because it has not normalized customer identities across multiple lines of business, forcing the customer to reenter or correct data, or create multiple accounts and profiles and log in multiple times.
- Scalability/Performance: A CIAM solution must be able to handle millions of users across multiple channels with no perceived performance degradation, and this requirement is expanding rapidly. The CIAM system must be able to accommodate large volumes of users, data and spikes in registrations and access requests while maintaining a high level of This is of particular importance when the business rolls out a new sales and marketing campaign that causes both new registrations and logins to spike dramatically. It is also extremely important to factor in Business Continuity and Disaster Recovery plans that consider geography – so the ‘sales light’ can never go out.
- Cloud/Hybrid Support: Most enterprises are moving to or have moved to a cloud first strategy in engaging external users. That said, many organizations have substantial legacy systems and services on premise – such as CRM and may not be ready to “jump into the deep end” when it comes to complete cloud engagement. Flexibility in this area is of considerable value and often required by large organizations. Specific capabilities such as Identity Federation enabling SSO using standard protocols like OIDC, OAuth2 and SAML are critical to providing seamless customer identity integration across multi-cloud and hybrid
- API Support, Integration and Orchestration: Support for APIs and developer toolkits overall is critical in integrating current and future environments. Few large organizations have “greenfields”, and support should include simple integration with CRM, ERP, Marketing Automation, Reporting and internal external data For this reason, a CIAM strategy that creates an Identity Data Service supporting discrete IAM services such as Login/SSO, Register, Self-Service, Opt-in/opt-out and so forth is critical to consistent and secure adoption of CIAM features embedded in multiple customer-facing apps – both commercial off-the-shelf and homegrown. Building out reference architectures around these “use cases” is a core part of what we work with clients on.
- Advanced Analytics: The use of AI/ML, big data to better understand customer intentions, understand your customer and support for security through anomaly detection, adaptive access control, User Entity Behavior Analytics, Insider Threat monitoring and so
We’ll now describe a few areas that are particularly important in greater detail and then summarize key enterprise requirements later, since those requirements are the basis on which enterprises use our capabilities-based reference architecture to develop the framework for a CIAM strategy and, ultimately, implementation. CIAM always starts with the Customer Experience; if you can’t entice and engage the customer, nothing else matters.
Customer Experience
A positive result of a strong CIAM and customer engagement program is that enterprises can cement customer loyalty by taking the opportunity to streamline and personalize users’ online experience. This is more important than ever as we move to largely digital businesses. Think about CIAM engagement as analogous to how a high-end brick and mortar retail store associate uses customer knowledge to recognize and welcome customers when they enter a store, remember their buying preferences and steer them towards profile-relevant deals or promotions. This was particularly apparent over the past 18 months when many “brick and mortar” retail establishments were closed and replaced by on-line experiences. CIAM and supporting applications should digitally replicate and improve upon this positive in-store experience and help support all phases of a customer’s digital journey through your “online store”.
The key here is to regularly update and adapt the customer experience based on customer input (direct or observed) throughout their online relationship and journey with your organization. There may be times when there are buying signals and times when they are getting too much information and may completely disengage if there is not an option to “dial back” the interactions – this is about striking that balance between helpful and intrusive, as we mentioned previously. To achieve this balance, the CIAM platform and supporting ecosystems must be flexible, adaptive and contextually aware while conforming to regulatory controls and honorable principles, which we’ll cover next.
CIAM Regulatory and Security Control Considerations
In connecting with customers and prospects there are different expectations, different security controls and evolving regulations to consider. GDPR, CCPA and other privacy and data protection regulations are adding significant financial penalties to those enterprises that don’t comply. That said, there is a balancing act in that the customer experience must be fully optimized and business insights collected – but not at the expense of customer data protection and regulatory compliance.
The best implementations provide “frictionless security” while using Big Data, analytics and perhaps AI/ML to provide strong underlying security controls. The CIAM solution should support both basic compliance requirements (consent management, right to be forgotten, etc.) while meeting the marketing and sales requirements.
Security/Risk
Introducing a CIAM system brings with it a new set of challenges required to balance meeting the usability expectations of customers and maintaining a high degree of security. This is another area where requirements were often put on the back burner as organizations scrambled to digitally engage customers during the pandemic.
Most CIAM vendors provide a range of security levels including multi-factor, adaptive and/or step-up authentication and increasing contextual awareness regarding the geo-location, device and usage patterns normally associated with each customer. This provides an additional level of security for those applications or use cases requiring it but can also strain the path towards engagement in initial interactions with prospective customers or in support of low value/low risk interactions. This level of step-up authentication within CIAM security is becoming the norm.
When designing CIAM programs, it is important to be flexible in the early stages of the relationship with a prospective customer and not let invasive security controls derail the ‘preliminary’ relationship. In these earliest stages, often no identification is required (typically low value, non-financial applications), and this can generally ramp up to some “light-weight” identification or registration leveraging social login, federation, or simple username/password – ultimately culminating in multi-factor authentication (MFA) when the business relationship is established and the financial/fraud risks warrant it. This is what we refer to as step-up authentication supported by progressive profiling. Most users desire a “frictionless” registration process and will show a degree of intolerance if engagement is difficult, time consuming or requires too much personal information to be disclosed in relation to the value of the transaction being conducted.
A key concept to remember is that the levels of security controls need to be carefully evaluated in the context of the user experience and where the user is in terms of the relationship with your organization. This is necessary for what we call “frictionless security”. These decisions are, of course, based on risk management as well as your business assessment. Most enterprises have invested heavily in risk management over the past decade, principally through the deployment of Governance, Risk and Compliance (GRC) systems that help decision-makers and enterprise governance bodies monitor the level of risk associated with their IT and business-related environments. That said, enterprise LOBs that are more heavily focused on sales and marketing have a vested self-interest in operating outside the influence of enterprise GRC and sometimes do; be careful to not let this happen.
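The step-up pattern described above (no identification for low-value prospect interactions, light-weight registration or social login next, MFA once the relationship and the fraud risk warrant it, with progressive profiling alongside) can be expressed as a small policy function. The following is an added example written for this page, not code from the report or from any vendor; the relationship stages, value thresholds and anomaly signals are assumptions chosen to illustrate the decision, and a real deployment would tune them to its own risk assessment and GRC policy.

```python
"""Added example (not from the TechVision report): a minimal risk-based
step-up authentication policy for a CIAM flow.

The relationship stages, thresholds and assurance levels are assumptions
made for illustration; real deployments tune them to their own risk model.
"""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Optional


class Assurance(IntEnum):
    """Authentication strength the CIAM service has verified for this session."""
    NONE = 0        # anonymous browsing, no identification required
    LIGHT = 1       # social login, federated IdP or username/password
    MFA = 2         # multi-factor (OTP, push, FIDO) completed


@dataclass
class Session:
    stage: str                       # assumed stages: "prospect", "registered", "established"
    assurance: Assurance             # strength already achieved in this session
    new_device: bool = False         # device fingerprint not seen before for this customer
    geo_mismatch: bool = False       # login country differs from the customer's usual one
    profile_fields: set = field(default_factory=set)  # attributes collected so far


def required_assurance(session: Session, transaction_value: float) -> Assurance:
    """Decide the minimum assurance for a transaction.

    Low-value, non-financial interactions stay frictionless; transaction
    value and anomaly signals ramp the requirement up instead of applying
    MFA to every prospect on first contact.
    """
    if transaction_value <= 0 and session.stage == "prospect":
        return Assurance.NONE                      # browsing, catalogue, content
    if transaction_value >= 500:                   # assumed threshold: fraud risk warrants MFA
        return Assurance.MFA
    if session.new_device and session.geo_mismatch:
        return Assurance.MFA                       # two anomaly signals at once: step up
    if session.stage == "established" and (session.new_device or session.geo_mismatch):
        return Assurance.MFA                       # protect an account that already has value
    return Assurance.LIGHT


def next_step(session: Session, transaction_value: float) -> str:
    """Return the action the CIAM front end should take for this request."""
    need = required_assurance(session, transaction_value)
    if session.assurance >= need:
        return "allow"
    return {Assurance.LIGHT: "register_or_login", Assurance.MFA: "step_up_mfa"}[need]


# Progressive profiling: ask for one missing attribute per interaction,
# and only once the relationship stage justifies collecting it.
PROFILE_SCHEDULE = {
    "prospect": [],                                   # collect nothing up front
    "registered": ["email", "country"],
    "established": ["email", "country", "phone", "delivery_address"],
}


def next_profile_prompt(session: Session) -> Optional[str]:
    """Return the next attribute worth asking for, or None if the stage is complete."""
    for attr in PROFILE_SCHEDULE[session.stage]:
        if attr not in session.profile_fields:
            return attr
    return None


if __name__ == "__main__":
    prospect = Session("prospect", Assurance.NONE)
    print(next_step(prospect, 0), next_step(prospect, 20))           # allow register_or_login
    customer = Session("established", Assurance.LIGHT, new_device=True)
    print(next_step(customer, 10))                                    # step_up_mfa
```

The two functions are deliberately separate: `required_assurance` is the risk policy that GRC and the LOB can review together, while `next_step` is the only part the front end needs to call, so the policy can be changed without touching the customer-facing flow.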
Proper institutional governance with an understanding of the often not-so-subtle nuances between the two missions (business and risk/compliance) will go a long way towards achieving the right balance between CIAM controls and a strong customer user experience. It is important to understand that such governance is ongoing, as well. Technologies change, perceptions change, risks change, laws change and so on. Customers are sometimes more aware of these evolutionary changes than the business is, so it is crucial to stay out in front of expectations and risks.
Privacy & Consent
While the benefits and opportunities of extending IAM systems to incorporate context and relationships are substantial, there is a real danger of a gradual encroachment on the dividing line between what customers and regulators find acceptable. This customer discomfort is increasingly being addressed by legislation such as GDPR and CCPA that define obligations for protection of consumer data, the right to be forgotten and various privacy rights. While the attention during the pandemic has not been as focused on privacy, we expect this to change.
Privacy controls get increasingly complicated as enterprises collect and leverage big data, gain identity insights, and develop nested relationships with consumers around the globe and in differing privacy regulation jurisdictions. TechVision has written several reports on privacy, regulatory controls and consent management if you want additional details, but understand that customer-facing interactions will have high visibility and scrutiny from a privacy and regulatory perspective.
To achieve compliance with data protection legislation in any jurisdiction, and at the same time achieve an acceptable level of business agility, separate views on a user’s identity are not feasible: it is vital to have a unified, single view of a customer’s identity profile, consents (opt-ins) and preferences. To bring about this coherent picture and support diverse regional privacy regulations, stringent business rules will need to be captured, modeled and codified in systems. Juggling the constraints imposed by one jurisdiction over another places higher demands on the modeling than in most other system rollouts and may have more than GRC ramifications. In this sense, the best course of action is to view a regulation such as GDPR as the common denominator for regulatory compliance controls worldwide, unless the enterprise steadfastly only intends to operate in a single ‘regulatory region’ with little or no privacy regulations – which should still be considered very risky. Features such as consent management are critical in achieving GDPR compliance and protecting your organization.
In addition to basic identity data, there are also categories of derived data based on behavior patterns such as social, retail, travel as well as device usage that need to be managed and secured. Putting habit and usage data together with identity data can enrich the customer experience and drive business results. As stated earlier, the primary goals of present-day commercial marketing are to determine who you are, who your friends are, and your habits to predict what you’re going to want next and figure out how to offer it to you at a compelling price point without appearing overly intrusive. Properly correlated customer data strongly supports those goals.
Lastly, there are many occasions when simply conforming to privacy regulations is not enough. As we mentioned above, there is a growing need for honorable principles that show the customer that you have walked miles in their shoes, and that you truly have their best interests at heart. It may be perfectly legal to ask for some piece of personal information – but you must ask yourself why you really need it. Customers are increasingly sensitive to the collection and subsequent sharing (or blatant misuse) of information, and this can impact your brand. Just because it is not illegal does not always make it right or necessary, and it can impact your trusted relationship with the customer.
Building a CIAM program
Most large enterprises are architecting and viewing Customer IAM as a separate and distinct program. TechVision has been working with several large clients in helping to build their CIAM strategies, reference architectures, vendor evaluations and implementation plans so we’ll be providing insights here based on real-world experience. We’ll now describe key strategies, major architectural elements, and design guidelines to consider in building your CIAM program.
These programs are often initiated by major customer facing digital programs and more pervasive Digital Enterprise programs. The core theme is to better connect with and engage customers with the proper balance between security, privacy, and business goals. Note that while virtually all large enterprises have some level of Customer-facing IAM in place, many of these solutions are static older generation iterations on existing Enterprise IAM, repurposed for customers. They are generally not mobile device friendly, not user friendly, have little integration with marketing systems and were put in place long before more stringent privacy regulations came to bear.
Whether your enterprise is starting CIAM up in a green field mode or you’re replacing/enhancing an existing CIAM solution base, the recommendation of separating and upgrading your CIAM services is germane.
TechVision recommends starting any CIAM program (or any key IT infrastructure initiative) by engaging key stakeholders and developing a baseline set of requirements. While our assessment of typical CIAM requirements may not fully represent your organization’s needs and was broadly covered earlier in this document, we find that stakeholders are often better equipped to modify a base-line set of requirements than to start from scratch. We’ll provide this guidance in the next section.
Identify Stakeholders, Understand Current State/Requirements
Step one is to identify key stakeholders in the CIAM area. This often includes LOB leaders, Application Development teams, IT, Information Security, Marketing, Sales, Legal/Privacy Office, Customer Support, and digital transformation teams. You’ll want to understand key initiatives and how CIAM might help support these programs. You’ll also need to understand the current state of your CIAM program, other IAM efforts/data sources and customer-facing initiatives. Interviewing key stakeholders will help frame the initial requirements. This is typically what TechVision does early in our consulting engagements, and this nets out the following general CIAM requirements:
| Requirement | Description |
| User (Customer) Experience | This is typically the most important area in a CIAM program as it is all about engaging current and future customers. Any CIAM service should prioritize the user experience. Key elements of this engaging user experience include response time (less than 2 seconds), ease of use and a flexible sign-on process allowing user choice, an engaging/easy to understand user interface, simple self-registration and update capabilities, as well as a reduction in repetitive user processes. |
| Support for Single-Sign-On (SSO) Across Multiple Customer Facing Applications | In TechVision’s work with large end-user organizations, SSO is often the number one requirement. Signing in multiple times from various applications and sites across a large organization is a major end-user pain point and should be an area of emphasis in evaluating CIAM solutions. |
| Customer Self-Registration and Update | Users want to control their information and make sure it is accurate. There is also greater trust in the data (and the organization keeping the data) if the users can control their own PII. This also generally results in more accurate data. |
| Cloud Integration and Cloud Native Support | Most IAM solutions are moving to the cloud, but CIAM is moving even faster to the cloud than Enterprise IAM and is a key requirement for many enterprises. The fact that customers are generally geographically distributed and leverage various SaaS applications also drives the requirement for cloud support. |
| Customer Enrollment/Provisioning/De-Provisioning | These are critical areas for most clients in that they can either grow the relationship or end it at enrollment and provisioning time. The enrollment needs to be seamless and the deprovisioning needs to be fast, complete and transparent (all connected systems/applications deprovisioned) from a security and regulatory perspective. |
| Bring Your Own Identity (BYOI)/Social Media and Login/Federation | This is critical for the extensibility and flexibility of the CIAM service and is also a key trend; especially with the COVID-19 lockdown. With user environments now known and without direct governance support for federated authentication, mobile IDs/phone numbers and other BYOIs as well as social media credentials will increase adoption and lower risk. The mantra is federate what you can’t directly manage/control. |
| Customer Identity Data Management and Integration with Authoritative Source Systems | Key to successful CIAM and Digital Enterprise programs is the inclusion of multiple applications, systems, data sources and services, and tools to support this integration are critical to support inclusion and/or migration of these types of data sources while maintaining security controls. |
| CIAM Integration with Applications | CIAM is an important infrastructure, but still a tool in larger customer-facing programs and business initiatives. Single sign-on and more seamless integration, often via RESTful APIs is critical. As more organizations adopt Agile development techniques, the CIAM functions must be available as secure “services” that can be easily integrated into myriad applications, often through API gateways – both on premises and in the cloud(s). |
| Incorporating IoT and other New Object Classes | CIAM services will increasingly need to incorporate IoT devices and the sometimes-complex set of relationships within the IAM service. This may dramatically increase scale and provide challenges in terms of the identification of smart meters, home security systems, set-top boxes and devices ranging from dumb to very complex. |
| Scalability | Even exceptionally large enterprise IAM services may only get up to a few hundred thousand person objects in their Enterprise identity store. CIAM may move this number to the hundreds of millions – and if you add IoT devices, RPA processes and relationship data the numbers can get much larger. This increased set of connected objects combined with faster response increases the importance of scalability for CIAM solutions. |
| Compliance with Regional Privacy Regulations Consideration | The General Data Protection Regulation (GDPR) in Europe and privacy laws in California, Brazil, Canada and other parts of the world are increasing the stakes. This includes gaining explicit consent for the use of data and having the right to erase data including the “right to be forgotten” based on user requests. It is incumbent upon the CIAM service to support these capabilities including the means of maintaining user consent data and proper audit trails. |
| Future State Technology Adoption | An often understated but important requirement is the ability to integrate with and migrate to emerging technologies such as edge computing, microservices, DevOps, passwordless authentication, blockchain, verifiable claims and new self-sovereign identity models. Some of these emerging initiatives include bring your own identity (BYOI) ecosystems that should seamlessly integrate with and be recognized by your CIAM solution. As TechVision has always maintained, it is important for your CIAM (and EIAM) architectures to remain loosely coupled and federated to best ensure an easier adoption path for these emerging approaches to identifying oneself in the digital world. |
| Mobile Device Support | Many CIAM and most EIAM environments were not initially designed for mobile devices and have been put into device wrappers that do a poor job of facilitating registration and login from mobile devices. Mobile is a key capability and must be designed in from inception. |
Table 2 – CIAM Requirements
The above list is a starting point for key requirements organizations may consider in evaluating the need and possible solutions for Customer-facing IAM services. Note that we also covered typical CIAM requirements earlier in this report and our clients should use these as starting points and then build your own set of requirements as you see fit. A strong set of core requirements is a necessary pre-requisite for developing your CIAM reference architecture.
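The consent-management and jurisdiction points raised in the Privacy & Consent section and in the compliance row of Table 2 (explicit opt-in, GDPR as the common denominator with regional rules layered on top, the right to be forgotten, and an audit trail for consent decisions) can be modeled in a small consent store. This is an added example written for this page, not the report’s or any vendor’s code; the purposes, jurisdictions, refresh windows and regional overrides are assumptions for illustration and not a statement of what any regulation actually requires.

```python
"""Added example (not from the TechVision report): a consent record store that
applies GDPR-style rules as the common denominator, layers regional rules on
top, supports erasure requests and keeps an audit trail.

The purposes, jurisdictions, refresh windows and overrides are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Baseline (GDPR-style) rules applied in every region.
BASELINE = {
    "requires_explicit_optin": True,   # no pre-ticked boxes, no implied consent
    "erasure_on_request": True,        # right to be forgotten
    "max_consent_age_days": 730,       # re-confirm stale consents (assumed window)
}

# Regional overrides only tighten or extend the baseline; they never relax it.
REGIONAL_OVERRIDES = {
    "EU": {},
    "US-CA": {"honor_do_not_sell": True},   # CCPA-style sale opt-out (assumed modelling)
    "BR": {"max_consent_age_days": 365},    # assumed shorter refresh window
}


def rules_for(jurisdiction: str) -> dict:
    """Baseline for everyone; unknown regions get the baseline unchanged."""
    return {**BASELINE, **REGIONAL_OVERRIDES.get(jurisdiction, {})}


def at(year: int, month: int, day: int) -> datetime:
    """Helper that builds a UTC timestamp for constructed sample data."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def plus_days(when: datetime, days: int) -> datetime:
    return when + timedelta(days=days)


@dataclass
class ConsentRecord:
    purpose: str
    granted: bool
    timestamp: datetime
    source: str          # e.g. "web_form_v3": which screen captured it, for evidence later


@dataclass
class CustomerProfile:
    customer_id: str
    jurisdiction: str
    attributes: Dict[str, str] = field(default_factory=dict)
    consents: Dict[str, ConsentRecord] = field(default_factory=dict)
    audit: List[str] = field(default_factory=list)
    erased: bool = False

    def _log(self, event: str, now: datetime) -> None:
        self.audit.append(f"{now.isoformat()} {self.customer_id} {event}")

    def record_consent(self, purpose: str, granted: bool, source: str, now: datetime) -> None:
        """Record an explicit decision (grant or withdrawal) and log it."""
        self.consents[purpose] = ConsentRecord(purpose, granted, now, source)
        self._log(f"consent purpose={purpose} granted={granted} source={source}", now)

    def may_process(self, purpose: str, now: datetime) -> bool:
        """Processing is allowed only on an explicit, unexpired opt-in for that purpose."""
        if self.erased:
            return False
        rec = self.consents.get(purpose)
        if rec is None or not rec.granted:
            return False       # absence of a record is a "no", never an implied "yes"
        age_days = (now - rec.timestamp).days
        return age_days <= rules_for(self.jurisdiction)["max_consent_age_days"]

    def erase(self, now: datetime) -> None:
        """Right to be forgotten: drop PII and consents, keep a minimal audit trace."""
        self.attributes.clear()
        self.consents.clear()
        self.erased = True
        self._log("erasure completed", now)


if __name__ == "__main__":
    signup = at(2021, 7, 28)
    # Constructed sample customer; the e-mail address is a placeholder.
    p = CustomerProfile("cust-1", "BR", {"email": "customer@example.test"})
    p.record_consent("marketing", True, "web_form_v3", signup)
    print(p.may_process("marketing", signup))                  # True
    print(p.may_process("marketing", plus_days(signup, 400)))  # False: BR window is 365 days
    p.erase(plus_days(signup, 401))
    print(p.audit)
```

The audit list is the part a regulator or an internal GRC reviewer asks for first: it records when consent was captured, from which source, and when erasure completed, while the erased profile itself retains no personal data.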
Development of a CIAM Capabilities-Based Reference Architecture
After assembling a team of key stakeholders, assessing the current state, and collecting prioritized requirements, we generally recommend organizations develop a Reference Architecture by leveraging our templates and mapping these requirements into the key capabilities associated with a CIAM solution. This is an iterative process and should involve key stakeholders.
The TechVision Research Reference Architecture for IAM is this starting point; a master template, shown in Figure 1, below, identifies the IAM capabilities (rather than technologies) that can be improved or enabled, allowing business stakeholders and technical architects to achieve a common language for IAM functions, which can then be refined over time. While this is the same definition that we apply to people identity-oriented use cases, there are specific challenges as we’ve discussed in managing things and the relationships they support. This high-level template starts the journey.
Figure 1: IAM/IDoT Master Template
The capabilities that frame the CIAM architecture illustrated above are described at a high – level as:
Interact – how end-users and application developers interact with the IAM platform. In the case of CIAM this will involve a wide range of customer, prospect and application interactions.
Access – the rules that define the roles, rights, and obligations of any actor or proxy wishing to access enterprise or connected external assets.
Change – the capability to define and manage the relationships between the user/ application developer and the enterprise assets.
Manage – the capabilities required to manage and upgrade the IAM solution itself.
Measure – the capabilities required to audit and improve IAM activities.
Store – the capabilities required to share identity information and relationships between the components of the IAM solution. The scale and responsiveness requirements for connected devices may impact this element.
Figure 2, below, highlights our more detailed capabilities portfolio to consider in the context of technical interactions between the typical components comprising a comprehensive CIAM ecosystem.
Figure 2: Elements of a Combined Portfolio Architecture
Generally, enterprises should consider CIAM in the context of their overall IAM program, but as we have said – it is important to understand the specific context of and risks associated with connecting to customers and prospective customers, defining their inter-relationships and managing the data generated by these users. It is also important to recognize that the reference architecture patterns of interfaces, authentication, authorization, lifecycle management, persistent storage, and analytics apply to CIAM as well. Figure 3 below illustrates an example of how an enterprise consumer IAM reference configuration could be deployed relative to cloud-based customer-facing identity and access services.
Figure 3: High Level CIAM Architecture and Flows
Of note in Figure 3 are the multiple cloud-based and on-premise customer data repositories and systems, such as CRM and reporting systems that all work together to capture, retain and provide relevant customer identity data that can be augmented with behavioral and contextual data to really help enterprises better know their customers, serve them with what they want and improve the user experience by federation and looser-coupling. Even though most large organizations are moving to a “cloud-first” strategy, many legacy on-premise applications and data sources will exist for many years and must be properly managed and integrated.
Achieving this flexibility and loose coupling often requires federation, virtualization and connectors to bring in both legacy and new environments, whether on premises or in the cloud. Vendors such as Radiant Logic are often leveraged as part of the “integration glue” to provide better Identity inclusion.
Additionally, note the predominant usage of RESTful APIs and federation protocols in use to better support Application Development and mobile device integration – and multiple backend system integration in general, along with establishing a firm base for federated authentication that leverages social login, MFA and multi-party service offerings integrated through single sign-on.
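As an added example of the RESTful API and federated authentication pattern discussed above (not code from the report, from Radiant Logic or from any vendor), the following gateway-side check validates an OAuth2/OIDC-style bearer token before a request is allowed through to a customer-facing service. To run offline it mints an HS256 token with a shared secret; production CIAM identity providers normally sign tokens with RS256 or ES256 and the gateway verifies them against the provider’s published JWKS. The issuer, audience, scope names and secret are constructed assumptions.

```python
"""Added example (not from the TechVision report): an API-gateway check that
validates an OAuth2/OIDC-style access token and enforces scopes before a
request reaches a customer-facing service.

The token is an HS256 JWT minted inline with a shared secret so the example
runs offline; issuer, audience, scopes and secret are constructed assumptions.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional, Tuple

ISSUER = "https://login.example-ciam.test"      # assumed IdP issuer
AUDIENCE = "orders-api"                          # assumed resource identifier
SECRET = b"constructed-demo-secret"              # constructed; real deployments use the IdP's keys


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: Dict, secret: bytes = SECRET) -> str:
    """Stand-in for the identity provider: issue a signed HS256 JWT."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str, now: Optional[int] = None, secret: bytes = SECRET) -> Tuple[bool, str, Dict]:
    """Return (ok, reason, claims). Each failure has its own reason so the
    gateway can log it; a spike of 'bad_signature' is worth a detection alert."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed", {}
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_unb64url(header_b64))
        claims = json.loads(_unb64url(payload_b64))
    except (ValueError, UnicodeDecodeError):
        return False, "malformed", {}
    if header.get("alg") != "HS256":
        return False, "bad_alg", {}             # refuse 'none' and algorithm confusion
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig_b64)):
        return False, "bad_signature", {}       # verify the signature before trusting any claim
    if claims.get("iss") != ISSUER:
        return False, "bad_issuer", {}
    aud = claims.get("aud")
    if aud != AUDIENCE and not (isinstance(aud, list) and AUDIENCE in aud):
        return False, "bad_audience", {}        # token minted for another API is not accepted here
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return False, "expired", {}
    return True, "ok", claims


def authorize_request(token: str, required_scope: str, now: Optional[int] = None) -> Tuple[int, str]:
    """Gateway decision as an HTTP status and a short reason or the subject."""
    ok, reason, claims = verify_token(token, now)
    if not ok:
        return 401, reason
    scopes = set(claims.get("scope", "").split())
    if required_scope not in scopes:
        return 403, "insufficient_scope"
    return 200, claims.get("sub", "")


if __name__ == "__main__":
    now = int(time.time())
    tok = mint_token({"iss": ISSUER, "aud": AUDIENCE, "sub": "cust-42",
                      "scope": "orders:read profile", "exp": now + 300})
    print(authorize_request(tok, "orders:read", now))    # (200, 'cust-42')
    print(authorize_request(tok, "orders:write", now))   # (403, 'insufficient_scope')
```

The ordering inside `verify_token` is the part worth copying: signature first, then issuer, audience and expiry, and only then scope, so that no claim from an unverified token ever influences a decision, and each rejection reason is distinct enough to feed a detection rule.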
After understanding key stakeholder requirements, assessing current state, and building reference architecture most organizations are ready to consider vendor alternatives. We’ll consider CIAM vendor alternatives next.
TechVision Research Vendor Shortlist
CIAM has been a major area of vendor and enterprise investment over the past few years and as a result, the bar has been raised in terms of expected capability and performance. As CIAM capabilities were tested during the pandemic, expectations are higher and several organizations are reevaluating their CIAM program including their incumbent vendors. The vendors that have answered that call are the firms we are including in this short list. Remember, the TechVision Research short-list is tightly aligned with our consulting business and represents our initial recommendations for vendors to consider for further evaluation in RFIs, RFPs, POCs and other methods of selecting vendor partners. This doesn’t necessarily mean that the vendors selected on our shortlist are the best overall identity management providers or the only vendors to consider in the CIAM space for your organization. We highly recommend a formal evaluation process starting with key stakeholder requirements, Reference Architecture and an overarching CIAM deployment and governance strategy, but when you are narrowing down potential vendor partners, this short-list should likely be a starting point.
Over the past few years, several vendors have leveraged their core IAM service and have offered a “customer view” rather than a separate CIAM offering. To varying degrees this is what we have been hearing in our interviews with and research of Ping Identity, Okta, Microsoft and ForgeRock. Other vendors such as SAP/Gigya, Akamai/Janrain, OneWelcome (formerly iWelcome and Onegini) and Cloudentity offer more CIAM-centric services (i.e., CIAM from scratch). There is also a disruptive CIAM model called Decentralized Identity that vendors such as IBM, Microsoft, Ping Identity and SAP are pursuing and worth consideration in longer-term IAM plans.
In characterizing how and why vendors are on this shortlist, our primary considerations include the scalability of their solutions, the strength of the user experience, progressive profiling capabilities, global support, security/compliance controls, scale/performance, GDPR/privacy support, consent management, single sign on support, federation, integration tools (connectors, synchronization, meta-directories, virtualization), how effectively contextual information is used, the sophistication of the relationships that are being managed, marketing/sales system integration, and the accessibility of information to users.
From this point of view TechVision’s CIAM vendor short-list in 2021 includes Akamai, Cloudentity, ForgeRock, OneWelcome, Microsoft, Okta, Salesforce.com and SAP. It is also important to understand that there are other viable approaches to directly supporting Customer IAM and providing the integration capabilities, ecosystems and governance services that will help to achieve success in major Customer IAM programs. These vendors include Google, Amazon, SailPoint, Micro Focus and Radiant Logic.
We’ll provide a brief background on each shortlist vendor in the main CIAM category and a brief description of their solution and TechVision’s perspective on each vendor in alphabetical order as follows:
Akamai
Akamai’s acquisition of Janrain in 2019 has propelled them into a leadership position in the CIAM space. Janrain had made all previous TechVision short-lists as a leading early vendor in this space and they are still a major player in the CIAM area. Akamai subsequently rebranded the service the Akamai Identity Cloud and is increasingly integrating their Customer IAM IDaaS service with other core company services.
Figure 4: The Akamai Identity Cloud
Akamai’s Identity Cloud is designed to be an end-to-end IDaaS CIAM solution engineered with a cloud-native architecture. This allows the solution to scale with application capacity needs as well as to accommodate spikes in traffic for managed performance and availability.
The Akamai solution offers a centralized, standardized, but configurable user experience and open protocols focusing on minimizing client-side complexity. Their CIAM solution has moved all identity components to the cloud and abstracts identity from applications. Akamai Identity Cloud provides:
- Customizable registration and data collection forms designed to be customized and styled to its customers’
- Optimized registration screens for mobile and IoT to create device-aware registration
- Support for an array of authentication and SSO methods, including social media login, directory services, and OpenID Connect (OIDC) — as well as role-based and attribute-based access control (RBAC and ABAC), and risk-based and multi-factor authentication options.
- API-first deployment methods to support a wide array of customizations and use cases, as well as SDK-based deployments. Their flexible data schemas were designed from origin to support the widest array of customer-facing use cases.
- Real-time field validation on form fields, bad word filters, and terms of service and privacy policy acceptance. Validate email address or postal code formats in real- time, verify age or password requirements.
- Fraud Scoring recognizes fraudulent and fake accounts at registration time, before they enter connected systems and
- Conditional workflows for progressive profiling designed to dynamically trigger personalized form fields and distinct user flows based on customer profile
- Support for social login from Facebook, Twitter, Google, LinkedIn, and more than 30 other social
- Support for authentication options including MFA, Push, OTP and phone-based. Adaptive authentication to modulate authentication requirements based on fraud analytics or other factors the enterprise defines.
- Consent management for users to control multiple areas of consent — including email and other communication preferences and app Customers can also view their consent profile.
- Customer analytics by leveraging path analysis, enhanced fingerprinting, and predictive modeling – stated goal to help enterprises build a holistic view of user interactions, increase ‘match rates’ and combine journeys across
Janrain was one of the leaders in the CIAM IDaaS market before the Akamai acquisition two years ago and we see continued investment by Akamai into their widely deployed solution as they look to leverage core Akamai strengths. As a result, TechVision continues to recommend to our customers that Akamai be a short-list vendor in the CIAM IDaaS market.
Cloudentity
Cloudentity, based in Seattle, WA, has been in business for several years as a security and IAM consulting company and has transitioned to a product/service vendor. Cloudentity describes their offering as fitting into the modern DevOps model, serving up microservices to support application-specific security, micro-perimeter security and intelligent risk scoring. Modern IAM is becoming more OIDC-based and the challenge is how to bring all applications into this environment. IAM teams have struggled to keep up with onboarding of traditional/legacy applications. Cloudentity feels that API adoption accelerates innovation, that developers are leading the way, and that the challenges are around how to onboard applications more quickly with a consistent, secure and frictionless user experience. According to Cloudentity, CIAM is centered around:
- Session – how authenticating and bringing users and machines into the application
- Context – meeting at the API with distributed policy decision points and distributed
The illustration below, provided by Cloudentity, shows these relationships.
Figure 5: Cloudentity Model for App Modernization with Session & Context
Key to their model is the Authorization Control Plane (ACP), which can leverage principal Identity Providers (IdPs) and incorporate those identities into a finer-grained authorization context for distributed policy enforcement covering users, things and APIs. The functions and features of the ACP and supported Cloudentity components are shown below.
Figure 6: Cloudentity API-centric Ecosystem
In concert with ACP and Pyron, Cloudentity’s API security gateway, their MicroPerimeter Authorizer (MP) applies authorization rules irrespective of location. Their co-founder Nathanael Coffing explained to TechVision that this is the fastest way to onboard an application into the IAM ecosystem, because it offloads much of the authorization decision-making from the applications themselves.
Through their relationship with AWS, customers can use the AWS API Gateway in the same way. AWS Cognito can be incorporated by connecting with ACP’s Identity Hub, which provides the ability to normalize identities from multiple backends, such as AWS – almost like a virtual directory. The Identity Hub helps developers create simple, no-code, drag-and-drop customer journeys with registration trees. It can also use out-of-the-box registration trees designed for ease of use. For instance, Identity Hub and ACP can be used to create an adaptive customer journey for gathering consent, prioritizing which customer data is collected and collecting data only after the user has given consent. Azure and Azure B2C can also be integrated in a similar manner. In fact, all of these external IdPs can be integrated and normalized within ACP.
The graphic below illustrates the integration points and flows between ACP Identity Hub and multiple authoritative identity sources, authentication and authorization frameworks.
Figure 7: Cloudentity Authoritative Sources of User Identity Data
Cloudentity’s identity security products were specifically designed to work with leading container orchestration platforms. For example, once deployed in a Kubernetes cluster, the sidecar automatically registers with the central repository to provide East/West tracking and security. Additionally, each Cloudentity product is distributed as a Docker container or an installable Linux package. Cloudentity is strong technically and has a model that fits within the next generation of microservices and DevOps programs many enterprises are moving towards. Cloudentity uses a microservices approach supporting strong delegated administration, identity proofing, provisioning, authentication and authorization services. For an enterprise with “develop first” IT principles, this modern approach and deep technical strength has positioned Cloudentity as an “up and coming” CIAM vendor.
ForgeRock
ForgeRock’s IAM market share continues to grow substantially, as many organizations continue to modernize their IAM infrastructures – both EIAM and CIAM, migrate their IAM workloads to the public cloud and embark further on their digital transformation journeys.
ForgeRock’s strategy is focused on enabling brand trust by providing a centralized platform and tool sets to better manage the way customer data is used. ForgeRock envisages the future of identity management as a combination of people, services and things that are increasingly context-aware. ForgeRock characterizes all these elements as “first class citizens” in describing their deep support and granular access control for a variety of object types. ForgeRock asserts that next-generation IAM will become identity relationship management (IRM), with a focus on establishing end-to-end IoT/CIAM solutions that couple identity management with IoT, consent and privacy controls. TechVision agrees with this relationship-centric IAM approach.
As illustrated below, the ForgeRock Identity Platform heavily leverages AI and is intended to be comprehensive and simple-to-use. The platform includes full-suite IAM and identity governance and administration (IGA) capabilities that can be implemented across an organization for all identities (workforce, consumers, things), and offers feature parity across all delivery options, including on-premises, any cloud environment, and as a service.
Figure 8: ForgeRock’s Platform Overview
The ForgeRock Identity Platform consists of a series of modules built from open-source projects and is an identity administration and provisioning solution focused on managing relationships across users, devices and things. ForgeRock’s Intelligent Access model, based on their well-known “authentication trees” model, allows developers/administrators integrating CIAM adaptive access (i.e., authentication and authorization) to use a visual, drag-and-drop interface to create and wire in the adaptive flows. These adaptive flows can take into account myriad variables during the customer’s login process, including device, location, and so forth, and can also wire in the consent form, etc. Changes to the adaptive flows do not require any change to the actual client application code, making it very straightforward to modify underlying CIAM functions without impacting existing application distribution.
Some notable features in ForgeRock’s 7.1 release include:
- Username-less and password-less authentication – Supports password-less authentication leveraging the biometric capabilities of the user’s registered/known device. This even allows the user ID to be omitted during authentication; the user can then select the user ID/account to use after authenticating, without having provided a user ID. This offers a more frictionless, ‘fast-lane experience’ means of authenticating. The user information is stored in OpenDJ, the backend ForgeRock directory service.
- Federated SSO – Offers federated single sign-on based on open standards such as OAuth, WS-Federation, WS-Trust, OIDC and SAML. ForgeRock provides native support for social registration, allowing users to register new accounts using information from social identity providers including Google, Facebook, LinkedIn, Amazon, and many others. Any custom social identity provider can be set up, provided it is fully compliant with the OAuth 2.0 authorization framework or OIDC standards.
- Supports coarse- and fine-grained contextual, continuous, and transactional authorization. The platform also supports all common forms of access control: Role Based Access Control (RBAC), Attribute Based Access Control (ABAC), Policy Based Access Control (PBAC), Risk-Adaptable Access Controls (RAdAC) and Relationship Based Access Control (RelBAC).
- Provides user self-service capabilities that include user registration or sign-up, forgotten password reset and username retrieval. This is supported by a “fully brandable and customizable” user interface (UI) but is also available via a REST API service, which allows the services to be integrated into an existing or custom site. This can be used to integrate with other systems and enable the consolidation of multiple identity silos to create a single, organization-wide view of the customer.
- Leverages contextual authentication and authorization factors at any point during a session to assess risk – invoking stronger authentication mechanisms only when necessary, by evaluating who the user is and their context.
- Provides out-of-the-box authenticators, the ability to custom-build authenticators, and rapid integration with third-party authentication, fraud, and risk providers in a centralized place.
- Microsoft Intune integration to leverage mobile device management (MDM) information that can assist in user device
- Identity management functions infused directly into their Intelligent Access Trees – user registration, progressive profiling and forgotten credentials can be handled directly in the workflow to maintain a more intuitive and streamlined user experience. This means that if a user forgets her password, she is not ‘dumped off’ in another code base that leaves the user ‘outside’ the initial authentication experience.
- Autonomous Identity – ForgeRock’s AI engine gives real time visibility into identity data, with a global view of identities, access review and autonomous remediation where risk-allowed and predictive provisioning. ForgeRock is increasing their use of AI and ML to “delight and protect” users (per ForgeRock), and continuously inspect and adapt real-time access based on user behavior and to orchestrate real-time response and
- Administration/Configuration UI improvements and enhancements, providing a ‘fast-lane’ for configuration and administration to streamline the overall administrative
Figure 9: ForgeRock Intelligent Access Trees
TechVision Research has assisted several large, global enterprises in architecting and deploying ForgeRock EIAM and CIAM components on public clouds (e.g., AWS and GCP) and on-premises. Overall, the experience has been positive, and we feel that ForgeRock’s current 7.1 release only enhances this experience. ForgeRock remains a strong CIAM and EIAM solution platform and bears consideration if your organization is embarking on a CIAM modernization program.
IBM
IBM has a long and storied past in the EIAM space and now has begun to venture into the burgeoning CIAM market. Per IBM, about 50% of their customers are using their IAM platform for CIAM use cases, which is indicative of an increased focus in this area.
The existing IBM solution for both EIAM and CIAM is called IBM Security Verify. Their investment is focusing on the solution set called IBM Cloud Paks; their stated intent is to deliver lightweight, enterprise-grade, modular cloud solutions, integrating a container platform, containerized IBM middleware and open-source components, as well as common software services for development and management. IBM Cloud Paks are designed to run anywhere and are open, secure and consumable. Leveraging the Cloud Pak foundation, the Security Verify IAM stack is built on top of Kubernetes infrastructure running on Docker containers so that it is dynamically scalable. The EIAM/CIAM platform is built on IBM’s Red Hat, acquired in 2019, and this is further integrated with CloudPath on the OpenShift layer to enable Zero Trust security services leveraging identity data.
IBM is investing in more cloud-native implementations of their CIAM platform. The central theme of their platform is Continuous Access Control, which in a nutshell evaluates the device, the location, and the risk level associated with the person, device, location and information to determine access privileges at runtime. By incorporating IBM’s Docker-based application gateway technology, Security Verify allows applications to leverage a centralized policy framework for continuous access control.
Furthermore, by leveraging Trusteer, an acquisition by IBM in 2013, Security Verify identifies online fraud and determines if malware is present on the client machine. This has been integrated with the IAM platform to leverage Trusteer’s risk management capabilities. Together with the Security Verify access policy framework, IBM has taken a significant step forward in the area of adaptive access based on contextual awareness, AI and ML.
Intelligent Governance – though not traditionally a CIAM set of capabilities, it bears mentioning that IBM has stepped deeply into the pool of Identity Governance and Administration (IGA) functionality.
With Identity Analytics, the Security Verify solution helps InfoSec understand who or what the outliers are; dormant accounts, over-provisioned accounts and so on are monitored and risk-analyzed. This set of features can provide the bulk of the monitoring, analytics, reporting and remediation information an organization requires to detect and address anomalies.
So, it appears that this is not your grandfather’s IBM with respect to their CIAM (and EIAM) solution. The once-aging IBM Identity Management suite has been completely re-factored into a cloud-ready, currently tooled and forward-looking suite that should make most enterprise short-lists for deeper evaluation regarding meeting your CIAM requirements.
OneWelcome
In July 2021, iWelcome announced a merger with Onegini, also headquartered in the Netherlands. Onegini’s Mobile Security Platform serves as both an authenticator app and end-to-end mobile security platform that secures the app, its communication with backend systems, and verifies users’ devices. OneWelcome has a strong, customer friendly CIAM service with the primary limitation being geography: they primarily sell to and service organizations in Europe. As a European-centric CIAM provider they have a heavy emphasis on privacy, flexibility in terms of data residency and strong consent management capabilities. They also have strong marketing integration and progressive profiling capabilities.
OneWelcome’s Identity as a Service (IDaaS) CIAM solution has traditionally provided a single-tenant private cloud CIAM (and B2B) infrastructure, and now augments their value proposition by providing a multi-tenant cloud deployed on Amazon (AWS). This environment is completely “per-customer isolated”, with customer geographic region-specific data residency in support of GDPR. Of note is the fact that OneWelcome will continue to support its single-tenant model, both for existing customers and going forward for customers that require a single-tenant cloud infrastructure. Also of note is that OneWelcome provides a B2E (Enterprise IAM) IDaaS suite, which is outside the scope of this research document.
Figure 11: OneWelcome High-Level Proposition Portfolio
The illustration above shows OneWelcome’s high-level proposition portfolio, which provides a good level-set for where the company is focused. Of prime consideration is OneWelcome’s growing relationship with AWS. With more of their own customers embarking on an AWS strategy, OneWelcome is building new services on AWS to actively promote a multi-tenant OneWelcome solution offering. As illustrated above, their as-a-service product line comprises:
- Customer Journey Management – this is the onboarding feature set that helps bring customers online and convert website visitors to customers with a frictionless process. This process is supported by capabilities like social registration, account matching, identity verification and progressive profiling. These capabilities are offered via out-of-the-box templates or can be built and customized by developers using OneWelcome’s
- Mobile SDK – supports secure and intelligent authentication natively in their customers’ apps via OneWelcome’s API architecture. Using the Mobile SDK, customers can add or update authentication in their apps, and the SDK facilitates orchestration of customer journeys by changing registration, activation and progressive profiling flows. With the Onegini merger, TechVision expects mobile capabilities to expand rapidly to include more device-resident controls, as described above.
- Consent Lifecycle Management (CLM) – All data linked to consents and preferences is stored in this separate CLM module. This includes data attributes, data values, consent information, processing purposes, retention data and ‘consentable documents’ (documents that need the consumer’s consent, such as revised privacy policy documents). This information is captured and made available to self-service portals via RESTful APIs.
- eID – eIDAS is the EU standard for electronic identification, which is implemented via domestic eID schemes. In the Netherlands, the domestic scheme for eIDAS transactions is called eHerkenning. OneWelcome supports a variety of organizations with its eHerkenning solution. As one of the founding partners of eHerkenning, OneWelcome has been certified by the Dutch Government since 2010.
- RITM – This module is B2B-focused, supporting delegated administration using roles and attributes. RITM provides a multi-level delegation model that allows its customers to onboard and manage business partners and applications through delegation, entitlements, and customizations, according to the B2B relationship’s needs. In addition to traditional one-time passwords (OTP) over SMS, OneWelcome provides an MFA App, available for Apple and Android, which supports OTP as well as the more popular push/swipe (i.e., a push notification on the admin’s phone to accept or reject the authentication).
Core to these modules is OneWelcome’s Identity Synchronization feature, which provides synchronization interfaces for users and groups:
- Inbound SCIM API to manage the intake of identity and group information and relationships from external systems such as CRM, HR, AD, LDAP or any other Identity Management System or Master Data Management
- Outbound Notification API to propagate user attributes and user consent changes for the integration with CRM, Marketing Automation, or any other Identity Management
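The inbound SCIM interface above is the point where an upstream CRM or HR system's view of a customer enters the CIAM store, so it is also where malformed or mis-routed payloads must be rejected and where a deprovision signal must be honoured. The following is an added example written for this report's readers; it is not OneWelcome code, and the endpoint, internal profile shape, field mapping and sample payload are all assumptions. It validates a SCIM 2.0 User resource (RFC 7643 core schema), normalizes it into an internal profile, picks the primary email, and maps `active: false` to a deprovision action.

```python
"""Validate and normalize an inbound SCIM 2.0 User resource (added example).

Assumptions (not from the report): a hypothetical CIAM sync endpoint receives
SCIM 2.0 User JSON from an upstream CRM/HR system and must map it to an
internal profile, reject malformed payloads, and treat active=false as the
upstream system's deprovision signal.
"""
from dataclasses import dataclass, field
from typing import Optional

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"


@dataclass
class InternalProfile:
    """Hypothetical internal CIAM profile produced from a SCIM User."""
    external_id: str
    username: str
    email: Optional[str]
    given_name: Optional[str]
    family_name: Optional[str]
    active: bool
    groups: list = field(default_factory=list)


class ScimValidationError(ValueError):
    """Raised when an inbound resource must not be applied to the store."""


def primary_email(emails) -> Optional[str]:
    """Return the primary email (lower-cased), falling back to the first entry."""
    if not emails:
        return None
    for entry in emails:
        if entry.get("primary") is True and entry.get("value"):
            return entry["value"].strip().lower()
    first = emails[0].get("value")
    return first.strip().lower() if first else None


def normalize_scim_user(resource: dict) -> InternalProfile:
    """Validate required SCIM fields and map them to InternalProfile."""
    # A resource that does not declare the core User schema is mis-routed or
    # tampered with and must not create or change an account.
    if SCIM_USER_SCHEMA not in (resource.get("schemas") or []):
        raise ScimValidationError("missing SCIM core User schema")
    username = resource.get("userName")
    if not isinstance(username, str) or not username.strip():
        raise ScimValidationError("userName is required")
    # externalId (or id) is the correlation key back to the source system.
    external_id = resource.get("externalId") or resource.get("id")
    if not external_id:
        raise ScimValidationError("externalId or id is required for correlation")
    # SCIM 'active' defaults to true when absent; an explicit false is the
    # deprovision signal and must be a real boolean, not a string.
    active = resource.get("active", True)
    if not isinstance(active, bool):
        raise ScimValidationError("active must be boolean")
    name = resource.get("name") or {}
    groups = [g.get("display") or g.get("value") for g in resource.get("groups") or []]
    return InternalProfile(
        external_id=str(external_id),
        username=username.strip(),
        email=primary_email(resource.get("emails")),
        given_name=name.get("givenName"),
        family_name=name.get("familyName"),
        active=active,
        groups=[g for g in groups if g],
    )


def process_inbound(resource: dict) -> dict:
    """Decide what the sync layer does with one inbound resource."""
    profile = normalize_scim_user(resource)
    action = "upsert" if profile.active else "deprovision"
    return {"action": action, "profile": profile}


# Constructed sample payload (not from the report or any real system).
SAMPLE_USER = {
    "schemas": [SCIM_USER_SCHEMA],
    "id": "usr-0001",
    "externalId": "crm-100042",
    "userName": "jdoe@example.com",
    "name": {"givenName": "Jane", "familyName": "Doe"},
    "emails": [
        {"value": "old@example.com", "primary": False},
        {"value": "Jane.Doe@Example.com", "primary": True},
    ],
    "active": True,
    "groups": [{"value": "g1", "display": "loyalty-members"}],
}

if __name__ == "__main__":
    print(process_inbound(SAMPLE_USER))
    print(process_inbound({**SAMPLE_USER, "active": False})["action"])
```

The schema check and the boolean check on `active` are the two places where a lenient parser would silently let a bad upstream record through; failing closed there keeps a mis-configured CRM export from creating or disabling customer accounts by accident.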
OneWelcome has a very strong and growing European customer base – certainly across the Netherlands. TechVision feels their IDaaS solution for CIAM is a very strong candidate that EU-centric enterprises should consider, especially after their merger with mobile application security specialists Onegini. Due to their focus on GDPR and privacy in general, as well as their relatively robust set of features across their integrated modules and single-tenant and multi-tenant cloud deployment models, OneWelcome should be viewed as a leader in the EU CIAM market. Stay tuned as we publish more information about the product capabilities as TechVision speaks with the OneWelcome leadership team regarding the iWelcome/Onegini merger just now announced.
Microsoft
Microsoft, via Active Directory (AD), Azure Active Directory (Azure AD) and Office 365, has a massive footprint in most enterprises and to a certain degree is an incumbent in many large organizations. This has resulted in Microsoft being considered as a CIAM provider in our consulting engagements (RFPs, RFIs, short-lists), but historically not having enough of the core CIAM capabilities to emerge as a primary solution. So why is Microsoft on our short-list? The short answer is that their combination of existing platform strengths, their current/renewed focus on CIAM with the Microsoft Azure Active Directory B2C offering, their roadmap and investments in the CIAM space and innovation in areas such as Decentralized Identity make them impossible to ignore.
Microsoft will certainly continue to partner with other organizations (or enterprises will simply integrate other services with their Microsoft portfolio) to address some of the gaps in their service offerings. For example, certain areas such as IGA may be more heavily relegated to partners at least for a while. Microsoft may also be attractive to organizations with large Microsoft bases that may benefit from the economics of licensing agreements supporting IAM services with a relatively modest (or no) incremental licensing investment.
Microsoft, like many vendors, is increasing its investments in B2C scenarios and in the overall ease of use and core set of IAM services. Their focus in the near term is as follows:
- Connect all applications and cloud resources to improve access controls and the user experience
- Enable boundary-less collaboration and automated access lifecycle for all users
- Go password-less to make security effortless for users
- Empower developers to integrate Identity into their applications and improve security
- Start your Zero Trust journey to protect your organization as they digitally transform
The following chart summarizes Microsoft’s portfolio of current, preview and general investment areas for IAM capabilities. This gives us a sense of the “single technology stack” centered on Azure that Microsoft is highlighting.
Figure 12: Microsoft Critical Capabilities Summary
Note that while Customer IAM is a specific capability category within the overall Microsoft Identity and Access Management model, it also leverages the portfolio of core capabilities in their IAM suite – including Active Directory. Areas like adaptive access, user and device authentication, SSO and other functions critical to Customer IAM users are embedded within the Microsoft platform offering.
Microsoft’s increasing investment in CIAM is also evidenced by their new External Identities preview, which offers self-service sign-on using social IDs such as Google and Facebook, the ability to customize user attributes and apply light branding, and API connectors that enable identity proofing, verification, and plug-in support for Decentralized Identifiers (DIDs). External Identities expands on the B2B collaboration capabilities in Azure AD by enabling self-service sign-up and greater flexibility to customize the user experience.
In summary, Microsoft is making significant progress in the CIAM space and is an option to consider for organizations that already have a large investment in Microsoft platform services. While you may still use partner products and services, Microsoft continues to fill in the gaps in their CIAM portfolio.
Okta
Okta is a strong, scalable IDaaS solution. Okta has placed a major emphasis on supporting developers following their acquisition of Stormpath in 2017, with most technical/API/federation capabilities addressed. Okta is a traditional Enterprise IAM vendor successfully moving to the CIAM space with an enterprise IDaaS-centric model that has been transformed to support CIAM. Okta continues to add to its portfolio of CIAM capabilities and intends to leverage commonality between enterprise user and customer use cases. Okta’s CIAM platform overview is illustrated below.
Figure 13: Okta CIAM Platform Overview
As illustrated above, some of the important capabilities that the Okta CIAM platform supports include:
- Adaptive MFA – Leverages a range of password-less authentication options for customers using email magic links, WebAuthn or factor
- Lifecycle Management – enables the customer onboarding journey including progressive profiling and consent
- Access Gateway – enforces location, device and network
- API Access Management – Controls which apps and APIs users and developers have access to using attribute-based policies enforced through SAML and OAuth 2 protocols. This module can be integrated with many of the leading API gateways, including Apigee, AWS, Google Cloud, MuleSoft, NGINX and more.
- Authentication – Granular user, group, app and contextual sign-on policies that can be paired with password complexity and logout experience requirements. Authentication can be embedded into customer apps with open standards such as SAML and OIDC. This can also be used to connect users to 3rd party cloud apps using over 6,000 pre-built SaaS integrations. Additionally, password-less authentication using an email-based “magic link” is supported. From a user behavior analytics standpoint, Okta establishes a baseline login behavior for each individual user and responds to anomalous activity with the appropriate set of strong factors for both high and low risk login
- Authorization – Assign granular application-level access controls using easy-to-administer application entitlement policies that can be assigned to groups of users without having to write
- User Management – Create and manage customer profiles and assign access rights via the Okta User Admin Console or via
- User Consent – Allows downstream 3rd-party applications to prompt users for permission to access a set of entitlement scopes. User consent remains valid until users choose to revoke these
- Advanced Server Access – this is Okta’s privileged access management (PAM) solution for administering and configuring the Okta environment, supporting MFA.
- Universal Directory – Marketed as a highly scalable cloud-based user store to manage all customer users, groups and devices, mastered in Okta or from authoritative sources.
Okta’s partnership with OneTrust and DataGrail enables the CIAM platform to manage customer privacy and consent much more granularly and can automatically propagate updated consent preferences across all relevant apps in real time.
There is a good deal of functionality that Okta views as being shared across customer-centric use cases. Okta is also aggressively investing in and acquiring companies to build out their portfolio and TechVision expects this to continue. With Okta the proverbial 800-pound gorilla in the IDaaS enterprise market coupled with the significant investment they are making in the CIAM market, they are sure to be on many enterprise vendor short-lists and we believe this is prudent.
Ping Identity
As TechVision reported in our CIAM report 18 months ago, Ping Identity has a viable CIAM solution that leverages their traditional IAM capabilities paired with the developer-friendly, API-oriented platform from their acquisitions of UnboundID and Elastic Beam. The challenge 18 months ago was the capabilities gap between their on-premises and cloud-based CIAM offerings. Ping has traditionally provided strong integration and federation capabilities and has expanded their cloud and hybrid capabilities over the past few years.
For an enterprise that has Ping-centric IAM services (and there are many) this is a solid offering and should be considered. As Ping continues to build out its core platform to support CIAM-centric services, it should also be considered by customers without an existing Ping base. Ping has clearly elevated their offerings over the past 18 months.
As a public company, Ping has shown good growth, which we feel bodes well for its customers, given that a strengthening revenue stream is an important metric for long-term vendor viability. Ping currently has over 60% of the Fortune 100 within their customer base and they have a strong footprint in the largest US banks, pharmas and retail organizations.
The CIAM market share for Ping is growing around their PingOne and PingCloud services, which offer both public and private SaaS models. They have a sizeable number of channel partnerships, including Accenture, PwC, Deloitte, Optiv – reporting over 300 such partnerships worldwide.
PingOne for Customers is their CIAM authentication solution package, which is meant to address broader business problems while providing a lower overall price point. The solution package includes authentication, directory, multi-factor authentication, and delegated administration functionality, alongside professional services, 3rd-party integrations and more. Ping’s solutions are templatized offerings built on core underlying code, so the CIAM solution rests on the uniform, core set of IAM services Ping offers. This differentiation is important, as Ping is offering a core platform that supports CIAM as opposed to a CIAM-specific platform.
Figure 15: Ping Product Roadmap Themes
The in-cloud or on-premises models can be deployed selectively, in a hybrid manner. The key takeaway from Ping’s strategy is the ability for their customers to selectively deploy software and services in an architecture that best fits their organizations (i.e., cloud, on-premises, SaaS, etc.). It is apparent that Ping is continually investing in developing their cloud platform on PingOne in order to better meet their customers’ requirements for a flexible and effective CIAM platform.
Figure 16: Ping Platform/Capability Alignment
While still a leading enterprise IAM solution vendor, Ping is focusing more heavily on CIAM. The foundational CIAM customer database resides within Ping Directory—the PingOne for Customers cloud data store can also be leveraged—intended to enable centralized user profile management. Taking an “API first” approach, the platform supports microservices and DevOps automation in driving modern application development. They offer APIs for all services to make it relatively straightforward to embed CIAM functionality into applications, including MFA, continuous and adaptive authentication, consent management and self-service.
Adaptive authentication features allow customers to link and manage trusted devices so they can securely log in to applications using a face scan, fingerprint and other authentication methods. Using their mobile SDK, Ping’s customers can use their own branded mobile applications to enable password-less sign-on without having to download or use a third-party MFA application.
Expanding their vision of customer centricity, Ping, who acquired ShoCard in early 2020, will be investing in the Decentralized Identity model. We’ve covered ShoCard in several of our reports examining this disruptive model. While details of how this will look have been slow to materialize, TechVision will be watching these developments closely and will keep you apprised of Ping’s direction and offerings in the Decentralized Identity space.
While Ping has had challenges over the past few years in expanding on their base strengths in the EIAM/federation areas while building out their CIAM offering, moving to an annuity contract service model and migrating services to the cloud, we feel much more positive about their strategy and execution going forward. We feel that Ping has achieved solid footing in 2021 with their hybrid deployment model and much-improved focus on key CIAM requirements. Ping is clearly focused in the right direction, their solutions have matured to better meet the needs of the industry, and their channel partnerships have grown and strengthened to the point that we feel Ping is a viable option for many organizations’ CIAM and EIAM needs.
SAP
The SAP Customer Data Cloud (CDC), formerly the Gigya platform, is a well-proven, cloud-based IDaaS CIAM solution, and SAP’s acquisition has helped SAP/Gigya remain a leader in the IDaaS CIAM market, with a few caveats.
Certainly, for an enterprise that runs most of its back-office IT infrastructure on SAP software and wants to integrate its customer-facing e-commerce or support platforms with that SAP environment, SAP Customer Data Cloud should be one of the first CIAM solutions considered. To further support this, SAP has an ongoing vision that bundles CDC with SAP’s commerce, marketing, sales and service offerings to foster a more complete journey for CIAM relationships on a global basis.
Figure 17: SAP’s Key Differentiators
As shown in the graphic above, SAP has invested in developing “global access”; this is designed to harness the increased scope, intelligence and modularization that can provide a low-latency, single identity that is globally accessible. Their UI is focused on enabling multi-channel registration and login to improve the customer experience. Integration with SAP-supported end-to-end business processes extends CIAM out to multiple customer experience solutions and services. In addition to investing in global access, SAP has improved several key capabilities driven by their customers’ requests, including:
- Native push authentication in support of MFA, as well as support for phone number login
- Enrichment extensions to better enable progressive profiling of customer data
- Consent documents and support for CCPA, in addition to GDPR
- More out-of-the-box connectors to source and target customer-centric systems to ease integration wherever
This level of focus has begun to help SAP improve the large-scale, end-to-end customer experience for SAP’s largest customers. As example, SAP mentioned a large, global CPG company, who has over 23,000 web sites and digital properties that they collect customer data from. Already a sizeable customer of SAP’s products and services, the company makes an excellent example of how the SAP Customer Data Cloud extends the CIAM environment in an integrated multi-product and customer data management way. That said, SAP is still early in its quest to fully integrate the CDC andoverarching SAP worlds. We’ll continue to monitor progress in this area and keep our clients advised.
Even though the initial push is for SAP-centric clients (based on our direct observation, since several of our large consulting clients are also SAP shops), we stress that CDC may also be a good fit for enterprises that are not so SAP-centric or that run little or no SAP at all. With Gigya's pedigree as a bona fide technology-agnostic CIAM platform, CDC can be a good candidate there as well. We have assisted in the design and deployment of CDC in organizations that are not running their business on SAP, and the user experience on multi-channel interfaces has been good.
Nevertheless, as we have stated previously in our research, there are often pitfalls when a larger, established company acquires a successful smaller company: the original heterogeneity begins to suffer as the acquired platform is swallowed up by the big vendor's homogenous ambition. Only time will tell whether that happens to Gigya, but as of this writing the level of autonomy of the Gigya platform is still strong and has not been diluted by the acquirer. Our early read-out is positive.
Salesforce
Salesforce.com is a premier SaaS-based CRM solution, and alongside it they offer Salesforce Identity, an IDaaS platform that competes with Gigya/SAP, Janrain/Akamai and OneWelcome. With the largest repository of customer data already residing in their platform, Salesforce can provide a rich set of integrated CIAM services that will be hard for others to match. Their overall platform structure is illustrated below.
Figure 18: The Salesforce Platform
A big question in assessing Salesforce is how serious they are about building out an integrated CIAM service. So far they are answering our questions positively, with Salesforce Identity providing a deep and rich set of core identity services, including the following features.
- Cloud-based user directories, so user accounts and information are stored and maintained in one place and made available to other services
- Authentication services to verify users and keep granular control over user access. Organizations can require two-factor authentication, select which apps users can use, and set how often individual users must log in
- Access management and authorization for third-party apps, including UI integration, so a user's apps and services are readily available
- Application user provisioning, which streamlines the process of granting and removing access to apps for multiple users
- An API for viewing and managing Identity
- Identity event logs for creating reports and dashboards on single sign-on (SSO) and connected apps
- Salesforce Identity Connect for integrating Microsoft Active Directory (AD) with Salesforce. Identity Connect allows you to manage AD users and Salesforce users simultaneously. You can configure Identity Connect to give AD users access to their Salesforce orgs without logging in
- To implement Salesforce Identity, enterprises can use any of the following standards and other means of interfacing with their services:
- Security Assertion Markup Language (SAML) – SAML is an XML-based protocol that allows you to transfer user information between services, for example, from Salesforce to Microsoft. Note that Microsoft is often an IdP to Salesforce. Apps use this information to authorize users and enable SSO. Salesforce supports SAML for SSO into Salesforce from a corporate portal or identity provider.
- OAuth 2.0 – OAuth 2.0 is an open protocol used to allow secure authorization between apps. OAuth authorization flows describe the options for implementing OAuth in Salesforce orgs.
- OpenID Connect – OpenID Connect is an authentication protocol layered on OAuth 2.0 that sends identity information between services as a signed ID token. With OpenID Connect, users can log in to another service, like Gmail, and then access their Salesforce org without logging in again.
- My Domain – My Domain allows enterprises to define their own domain name within the Salesforce domain (for example, https://companyname.my.salesforce.com). My Domain makes it easier to manage login and authentication and allows for the customization of the consumer login page.
- Connected Apps – A connected app is a framework that enables an external application to integrate with Salesforce using APIs and standard protocols, such as SAML, OAuth, and OpenID Connect. Connected apps use these protocols to authenticate, authorize, and provide single sign-on (SSO) for external apps. The external apps that are integrated with Salesforce can run on the customer success platform, other platforms, devices, or SaaS subscriptions.
- App Launcher – The App Launcher gives customer users straightforward access to apps that they use most often. Users go to the App Launcher to launch Salesforce, on-premises, and connected (third-party) apps without logging in again (e.g., single sign-on). The App Launcher displays tiles that link to the available apps.
- Salesforce Identity Connect – Identity Connect integrates Microsoft Active Directory (AD) with Salesforce. User information entered in AD is shared with Salesforce instantaneously. Companies that use AD for user management can use Identity Connect to manage Salesforce accounts.
- Two-Factor Authentication – When two-factor authentication is enabled, users are required to log in with two pieces of information, such as a username and password plus a one-time password (OTP). Admins enable two-factor authentication through permissions or profile settings. Users register for it through their own personal settings, using an OTP generator app such as Salesforce Authenticator or Google Authenticator, or a hardware device such as a U2F security key. Salesforce supports user-defined OTPs and OTPs generated from software or hardware devices. Their stated goal is to have everyone using multi-factor authentication.
TechVision believes Salesforce Identity is a robust IDaaS that would bring CIAM capabilities to bear quite readily for enterprises who already run their CRM on Salesforce. It is clear that Salesforce Identity is a well-designed platform and its ability to readily integrate with their SaaS-based CRM solution is a key differentiator.
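Whichever vendor is chosen, the OpenID Connect path listed above ends with the enterprise's application receiving a signed ID token, and most CIAM integration failures we see are in how that token is checked rather than in the provider. The following is an added example for this report, not code from Salesforce or from the Salesforce Identity product, showing what a relying party must verify before trusting an ID token: the signature under a pinned algorithm, issuer, audience (with `azp` when there are several), expiry, and the `nonce` the application generated when it started the login. Production providers, Salesforce included, sign ID tokens with asymmetric keys (RS256) published at a JWKS endpoint; HS256 with a shared secret is used here only so the example runs offline on the standard library, and the issuer URL, client ID, secret and claim values are all constructed for the demonstration.

```python
"""Relying-party validation of an OpenID Connect ID token (added example)."""
import base64
import hashlib
import hmac
import json
import time
from typing import Any, Dict, Optional


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(secret: bytes, claims: Dict[str, Any]) -> str:
    """Stand-in for the OpenID Provider: sign the claims as an HS256 JWT.
    Real providers use RS256/ES256 with keys published at their JWKS URL."""
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [
        b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        b64url_encode(json.dumps(claims, separators=(",", ":")).encode()),
    ]
    signing_input = ".".join(parts).encode("ascii")
    parts.append(b64url_encode(hmac.new(secret, signing_input, hashlib.sha256).digest()))
    return ".".join(parts)


class IdTokenError(ValueError):
    """Raised when the ID token must not be trusted."""


def validate_id_token(token: str, secret: bytes, issuer: str, client_id: str,
                      expected_nonce: str, now: Optional[float] = None,
                      leeway: int = 60) -> Dict[str, Any]:
    """Return the claims only if every OIDC Core 3.1.3.7 check passes."""
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise IdTokenError("malformed JWT")
    header = json.loads(b64url_decode(h))
    # Pin the algorithm configured for this provider; never let the token pick it.
    # This is what defeats "alg": "none" and RS256->HS256 key-confusion attacks.
    if header.get("alg") != "HS256":
        raise IdTokenError(f"unexpected alg {header.get('alg')!r}")
    expected_sig = hmac.new(secret, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(s)):
        raise IdTokenError("signature check failed")
    claims = json.loads(b64url_decode(p))
    if claims.get("iss") != issuer:
        raise IdTokenError("issuer mismatch")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else list(aud or [])
    if client_id not in aud:
        raise IdTokenError("token was not issued for this client")
    if len(aud) > 1 and claims.get("azp") != client_id:
        raise IdTokenError("azp must name this client when aud has several entries")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] + leeway < now:
        raise IdTokenError("token expired")
    if isinstance(claims.get("iat"), (int, float)) and claims["iat"] - leeway > now:
        raise IdTokenError("token issued in the future")
    # The nonce binds this token to the login the browser session started,
    # so a token captured from another session cannot be replayed here.
    if claims.get("nonce") != expected_nonce:
        raise IdTokenError("nonce mismatch")
    if not claims.get("sub"):
        raise IdTokenError("missing subject")
    return claims


if __name__ == "__main__":
    # All values below are constructed for the demo.
    secret, issuer, client = b"demo-shared-secret", "https://login.example.com", "ciam-web"
    now = 1_700_000_000
    token = mint_id_token(secret, {"iss": issuer, "sub": "user-1234", "aud": client,
                                   "exp": now + 300, "iat": now, "nonce": "n-0S6_WzA2Mj"})
    print(validate_id_token(token, secret, issuer, client, "n-0S6_WzA2Mj", now=now)["sub"])
```

The `sub` claim, not the e-mail address, is the stable identifier to key the customer record on; e-mail addresses change and, at some providers, can be reassigned.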
Other CIAM and partnering vendors to be considered
In addition to the previously mentioned short-list vendors there are other quality offerings to consider supporting your CIAM program that may rise to the top for your organization based on your current environment and business priorities. These vendors include Google, Amazon, and Radiant Logic. All these vendors can be a viable part of an organization’s CIAM program (and an extension of our short list) under certain conditions.
Google and Amazon also seem to be logical candidates for any customer-facing program given their world-class scale and pervasive cloud-based services. Building CIAM services within these platforms is a viable solution, but again this won't be a full-featured CIAM service without a lot of custom development and/or partnerships. Organizations with heavy DevOps and cloud-first strategies may still build their CIAM programs on top of the Google Identity Platform or Amazon Cognito services, but this will generally take a lot of work. Other vendors worth considering are LoginRadius, Auth0 and Micro Focus.
Radiant Logic is a vendor that can support identity integration as organizations build out their CIAM program, but it is not a stand-alone CIAM solution. Radiant Logic boasts a strong virtual directory platform and identity data integration solution, enabled by their Identity Correlation Service (ICS), which provides a plethora of out-of-the-box connectors to authoritative source and target systems and virtual (real-time) integration across those authoritative sources. Their solution can also add relationship management and correlation capabilities that may not be as robust within the selected CIAM vendor's portfolio.
We'll close with some final thoughts about vendor selection and how TechVision Research can further support our clients in this area. First, the CIAM space is moving at Internet speed, and updated vendor information is always available from TechVision for our research clients via dialogues/inquiries. We develop the vendor short-list summary to provide a summary assessment of the vendors as a starting point, but we have deep information and additional perspectives on virtually every vendor in this space. TechVision is also available for more detailed consulting, including the development of RFIs/RFPs, supporting the collection of cross-functional requirements, and supporting the development of your CIAM reference architecture. Our team has done over 1,000 enterprise consulting engagements in the IAM space and we are happy to further support our clients in all areas related to CIAM and IAM in general.
Conclusions/Action Plan
During the depths of the pandemic organizations were in survival mode and no area was more tested than Customer IAM. The early goal was survival, connecting with your customers during this unprecedented period. Now organizations have the opportunity to recalibrate and future-proof CIAM programs. The timing is right in that the vendors have significantly improved their services; disruptive technologies are being introduced and we have lots of lessons learned over the challenging past 18 months.
The Digital Enterprise requires consistent, clear, and secure identity management for every user, device, process, and asset across all lines of business. Identity management is the ability to set up and manage the relationships between users and things and to enforce rules for access and security. At its simplest, identity management must answer two questions: who/what are you, and what can you do?
These sound simple but have never been more complicated. Nor have the stakes ever been higher. For enterprises, the ability to manage the digital identities of every contributor, every customer, and every prospect is a fundamental requirement to realize the full benefits of cloud computing, mobility, and the Internet of Things (IoT)…and to do it securely for your enterprise and for your customers.
The bottom line is that every person (or “thing”) of interest to the business must be able to be identified, access the resources they need to produce, buy, use, and recommend the products and services of the company. And the business must be able to leverage the data generated by these customer interactions to help build customer relationships and grow revenue.
CIAM is a foundational capability to achieve transformation and is a major priority for most of our clients. While we’ve identified a vendor short-list in this report, we’ll also highlight some foundational recommendations to consider in moving forward with your CIAM recalibration.
So, what should you be focusing on as you build out your CIAM program? Remember, not deciding is deciding, and ongoing investment and architecture/strategy updates in the CIAM space are highly encouraged for most of our clients. We'll conclude this report with the following next steps to get the ball rolling with your CIAM program:
- Start with a clear understanding of requirements – Customer engagement requires that the CIAM platform supports a responsive customer experience across various digital business channels. The people closest to the customers should be the conduit to this knowledge and should be engaged in the process. Note that many new requirements may have been discovered as organizations responded to the lockdown.
- Progressive profiling, not "all or nothing" – Customers are willing to give more information as the relationship deepens and value increases. Think of the customer profile as a representation of the state of the relationship; the more the customer willingly shares, the deeper the relationship.
- Inclusion vs exclusion – Traditional IAM is about protection – keeping the bad guys at bay. CIAM is about inviting people in. While security is of course extremely important, it cannot be a barrier to “risk aware engagement”.
- Enterprise IAM should be on the team but shouldn’t always be leading the project – As the old saying goes, “When all you have is a hammer, everything looks like a nail”. While the identity processes look similar for employees and customers, they are different and should be led by the businesses with a customer focus, not the technical people who tend to try to fit the customer into a familiar model.
- Customer and employee relationships are different – The enterprise can define and enforce the relationship between the enterprise and the employee. The enterprise enforces the rules. Customers are increasingly in charge of not only the relationship, but the rules as well. Regulations such as GDPR are redefining the roles by putting the customer in charge.
- Pay attention to privacy – Privacy and proper handling of customer data is an expectation, not an option. Not only is the company liable, but customer trust can be lost in an instant and take years to
- Correlation and context are important – Understanding the various connections the customer has with your enterprise are keys to customer engagement. How they prefer to communicate, how they are represented in various business functions, and how valuable they are to the business are all connected through a proper CIAM infrastructure.
- Prioritize user experience – This is the single most important priority for many organizations, and this was evident during the pandemic. As customers were in constant “on-line” mode, their patience for poor user experience became shorter. This is where business and technology converge; it is all about engaging prospective customers and serving them throughout their lifecycle. The CIAM solution needs to play in this theme and a great user experience should remain on the front burner.
As always, we encourage your feedback and are available to discuss any of these topics and how they apply to your organization. Good luck in this critical area.
About TechVision
World-class research requires world-class consulting analysts, and our team is just that. Gaining value from research also means having access to research. All TechVision Research licenses are enterprise licenses; this means everyone who needs access to content can have access to content. We know major technology initiatives involve many different skill sets across an organization, and limiting content to a few can compromise the effectiveness of the team and the success of the initiative. Our research leverages our team's in-depth knowledge as well as their real-world consulting experience. We combine great analyst skills with real-world client experiences to provide a deep and balanced perspective.
TechVision Consulting builds off our research with specific projects to help organizations better understand, architect, select, build, and deploy infrastructure technologies. Our well-rounded experience and strong analytical skills help us separate the "hype" from the reality. This provides organizations with a deeper understanding of the full scope of vendor capabilities, product life cycles, and a basis for making more informed decisions. We also support vendors in areas such as product and strategy reviews and assessments, requirement analysis, target market assessment, technology trend analysis, go-to-market plan assessment, and gap analysis.
TechVision Updates will provide regular updates on the latest developments with respect to the issues addressed in this report.
About the Authors
Gary Rowe is a seasoned technology analyst, consultant, advisor, executive and entrepreneur. Mr. Rowe helped architect, build and sell two companies and has been at the forefront of the standardization and business application of core infrastructure technologies over the past 35 years. Core areas of focus include identity and access management, blockchain, Internet of Things, cloud computing, security/risk management, privacy, innovation, AI, new IT/business models and organizational strategies.
He was President of Burton Group, the leading technology infrastructure research and consulting firm, from 1999 to 2010. Mr. Rowe grew Burton to over $30 million in revenue on a self-funded basis, sold Burton to Gartner in 2010 and supported the acquisition as Burton President (now Gartner for Technical Professionals) at Gartner. He formed TechVision Research in 2015 to provide world-class consulting and research services to large enterprises.
Doug Simmons brings more than 25 years of experience in IT security, risk management and identity and access management (IAM). He focuses on IT security, risk management and IAM. Doug holds a double major in Computer Science and Business Administration.
While leading consulting at Burton Group for 10 years and running all security and identity management consulting at Gartner for 5 years, Doug has performed hundreds of engagements for large enterprise clients in multiple vertical industries including financial services, health care, higher education, federal and state government, manufacturing, a