CIAM Fundamentals: How CIAM Differs from IAM and Why That’s Important

Keith Graham
  • Feb 28, 2020
  • 7 min read

Welcome to a multi-part series of blogs where we will discuss many of the fundamentals of Customer Identity and Access Management (CIAM) and the problems that CIAM, when done properly, can solve for your brand. We’ll tackle topics like explaining what the capabilities of a CIAM offering should look like and why, and also why repurposing an IAM solution for CIAM use won’t cut the mustard.

So let’s start with a view of the basics. To understand CIAM better, it helps to understand a bit about IAM first.

So what is IAM anyway?

The definition of Identity and Access Management (IAM) is pretty broad, as IAM solves a wide range of identity-related problems using a spectrum of technology and approaches. This spectrum includes access control, identity federation, provisioning, identity governance, and privileged access management, to name a few.

Put simply, the users of IAM are employees, i.e. part of the company workforce. These employees' interactions with systems are generally internally facing. Employees use the capabilities of IAM to get secure and appropriate levels of access to their applications and data in order to do their jobs. The level of access that an employee has should reflect his/her role within the company. It is also worth pointing out that employees are given access in the first place because (apart from needing it to do their jobs) they are in a position of trust as a result of some agreement between the employee and the company. This trust also commonly builds on some level of background check to get the job in the first place.

Since IAM is typically controlled by IT and subject to internal IT policy and security controls, employees should be using company-approved ways of access. The systems and products they use are chosen for them (putting aside the rise and challenges of shadow IT). For instance, IT can enforce that an employee has to use multi-factor authentication, and the employee typically won't have a choice. The employee may complain, but very few people walk away from their paychecks because they don't agree with IT. By comparison, trying to force MFA, or a specific MFA method, onto a customer may just result in them taking their business elsewhere, but more on that below.

We should also talk about what happens when things go wrong in the world of IAM and an employee's account is compromised. In this case, the employer is responsible for detecting and responding to the breach, and any costs, damage and liability will generally fall on the shoulders of the employer, not the employee.

How is CIAM different?

CIAM is in many ways similar to IAM in terms of the capabilities, standards, and approaches that it uses. That's what can make understanding the differences, and figuring out which solution to use and when, so confusing. For example, IAM capabilities fit the use cases and user experience for employee interactions (a.k.a. business-to-enterprise or B2E); however, those same capabilities may not fit the use case or provide the right customer experience for customers (a.k.a. business-to-consumer or B2C). More on the specific capabilities that work and don't work in a future blog.

CIAM “users” are customers and consumers of a website or an online portal. Customers typically obtain access through some form of self-registration process where they supply the information needed to create an account. It is also possible that a brand has some pre-existing customer information which it can then associate with the account the customer self-registers. It is at the customer's discretion how much information they want to provide, and they are likely to be responsible for the accuracy of that information.

This is unlike employee access, where the account is typically created by IT and the employee's identity is verified as part of the hiring process. It is worth noting that in CIAM some organizations may provision the customer account on the customer's behalf and provide them temporary credentials for access. This is arguably an approach that's declining in popularity, in favor of empowering customers to register themselves. Self-registration is also arguably more secure, since it eliminates temporary passwords floating around in emails or in the mail.

It is also today’s reality that CIAM needs to solve more problems for brands than it historically has. CIAM has been widely categorized as a subset of IAM, and while it is using some of the same approaches as its bigger brother, it is splintering off to solve many other problems.

There is an argument that we need to stop thinking of CIAM as a subset of IAM, as the reality is that traditional IAM capabilities are just a subset of the bigger CIAM problem. It's the actual definition of CIAM that needs to change to accommodate the creeping market needs.

Your brand's reputation and route to customers are some of your most valuable assets and CIAM needs to go much further than traditional IAM to protect them effectively. The expanded definition of CIAM needs to include addressing problems around regulatory compliance and consent management (think GDPR and CCPA), making the customer and omnichannel experiences core to every customer interaction, as well as provide brands the insight into their own customer base for more effective marketing. Doing all of this right means happier customers and more revenue and better growth for a brand. Again, a topic for another blog.

Then, what happens in CIAM when things go wrong and an attacker is able to steal a customer's login information? Well, it does depend on who is at fault, but either way it could wreak havoc for that individual. If you've ever had an on-line account compromised and not been able to log in to rectify it, then you will know. Sadly, when this happens, the burden of resolving it, and of dealing with any PII and/or financial and payment information that may have been compromised, often falls on the individual. If the brand that owns the website or customer portal is at fault, then the regulatory and economic repercussions can be severe, as can the damage to the brand's reputation.

The final difference we’ll discuss is that a customer can choose who they want to do business with and they will make that decision pretty quickly depending on how easy or hard a brand makes their customer experience. While employees can obviously choose who they work for, let's face it - you're less likely to change employment due to not liking the hoops that an IAM system makes you jump through each day when you come to work. If you’re trying to buy something on-line and the checkout, registration, or log-in process is painfully complex, you may quickly make the decision to take your business elsewhere.

CIAM has to put customer experience at the center of everything. Striking the balance between securing the customer, your brand, and privacy, while not compromising or adding friction to doing business, is paramount.
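One way to express the policy split this post describes (IT can mandate MFA for the workforce, while customer logins must avoid needless friction), as an added illustration that is not Strivacity's code: workforce logins always require MFA, and customer logins only get a step-up on risk signals or by opt-in. The population names, risk signals and the failure threshold are assumptions for the example.

```python
from dataclasses import dataclass
from enum import Enum


class Population(Enum):
    WORKFORCE = "workforce"   # employees, IT-managed (IAM)
    CUSTOMER = "customer"     # self-registered consumers (CIAM)


@dataclass
class AuthContext:
    """Signals available at login time (constructed for this example)."""
    population: Population
    known_device: bool = True       # device seen on this account before
    sensitive_action: bool = False  # e.g. changing payment or contact details
    mfa_opted_in: bool = False      # customer chose to enable MFA
    recent_failures: int = 0        # failed logins in the current window


FAILURE_THRESHOLD = 3  # assumed tuning value, not from the post


def requires_mfa(ctx: AuthContext) -> tuple[bool, str]:
    """Return (mfa_required, reason) for a login attempt.

    Workforce users have no say: policy is set by IT.  Customers are
    challenged only when a risk signal justifies the extra friction,
    or when they asked for MFA themselves.
    """
    if ctx.population is Population.WORKFORCE:
        return True, "workforce policy: MFA is mandatory"
    if ctx.mfa_opted_in:
        return True, "customer opted in to MFA"
    if ctx.sensitive_action:
        return True, "step-up: sensitive account change"
    if not ctx.known_device:
        return True, "step-up: unrecognised device"
    if ctx.recent_failures >= FAILURE_THRESHOLD:
        return True, "step-up: repeated failed logins"
    return False, "low-risk customer login: no added friction"


if __name__ == "__main__":
    for ctx in (AuthContext(Population.WORKFORCE),
                AuthContext(Population.CUSTOMER),
                AuthContext(Population.CUSTOMER, known_device=False)):
        print(ctx.population.value, requires_mfa(ctx))
```

The same decision function can be the single place a product team tunes the friction/security trade-off for customers without ever loosening the workforce rule.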

TL;DR: Customers vote with their feet and their business. With CIAM, success always comes back to customer experience.

In our next blog we’ll go deeper and compare how similar capabilities, like multi-factor authentication and identity federation, are used in similar but different ways between IAM and CIAM.

For more insights on the future of CIAM, subscribe to our blog or follow us on Twitter at @Strivacity.
