Why CIAM Doesn't Need Any More 10 Minute Abs
In the early days of Strivacity, one of the many reasons we were compelled to start the company quickly became apparent. Specifically, the sheer unnecessary amount of time and effort required to set up, evaluate, and deploy CIAM products. We saw the pain first hand; we knew there was a better way.
For months, my new phrase was ‘why does it have to be this hard’ while evaluating solutions in this space. This was usually followed by my daily challenge to our newly minted team - ’folks - this MUST be configurable and show value in 10 minutes or less’. My main challenge to our team was that even if I (the least technical person in the room) can set it up with vendor XYZ and do it in a few hours or even 20 minutes, we have to do it much faster. I had become the ‘10 Minute Abs’ guy.
Along the same lines, here are other quotes that have echoed through the halls:
- Why aren’t we pre-configuring that as a best practice? (we may know the correct way but we shouldn't expect the customer to)
- This has to work out of the box
- Does that change mean it's going to break our 10 minute setup threshold?
- What do you mean it now takes 13 minutes to build a new instance globally across 4 regions?
In my very humble opinion, IAM and CIAM solutions have historically been absolute beasts to set up, evaluate, deploy and manage. It is fair to say that SaaS-based IAM products changed that to some degree.
However, even with IAM SaaS offerings, I find myself asking questions like:
- Why do I still need to set up a third-party identity store?
- Why are these ‘best practices’ in a PDF document and not just implemented in the product?
- Oh you’re hybrid, so I need to install Docker on my on-prem servers now?
- Why do I need to sign up for other API services to send SMS?
- SMTP? No, I don't have an SMTP server easily available.
- I need an Apple Developer account to push what exactly!?
- 10 pages of Federation protocol configuration? Sigh.
I’m being flippant, but put yourself in the shoes of an app developer or app owner and ask yourself to do these things.
Don’t get me wrong, developer-level flexibility is super important - especially when solving CIAM problems - but developers should spend their time writing their own applications and solving problems for their business. They should not spend time setting up IAM configuration, researching (C)IAM best practices, or finding someone in their org that has a PhD in identity to help them configure the product. Similarly, the identity folks shouldn’t be required to find a developer whenever they want to change a policy or configuration across their applications.
So what's this have to do with abs? The idea for this blog came about after reading the positioning of another CIAM vendor (who I have a great deal of respect for). To paraphrase, their new positioning read ‘Implement our CIAM product to any application in just five minutes’. My heart sank, I looked for the hidden camera, and then Slacked a screenshot to Stephen Cox, our CTO. He replied this morning with ‘7 minute abs, that's the ticket!’
It then dawned on me that while showing value in a CIAM (or any IAM) product quickly is important for positioning and selling software, that's not the problem us peacocks are trying to truly solve. No CIO, CISO or portal owner in their right mind is going to expect their app developer to implement a CIAM solution in 10, 7, or 2 minutes. In the same way, you’re probably not going to get abs in 10 or 7 minutes (at least that's my excuse). The minutes do not matter.
This raises the need to talk about what does matter.
Whether you’re just kicking the tires, doing a POC or deploying into production - it should be easy and frictionless. Even more importantly, the (administrative) user experience must be delightful to use and intuitive. Best practices must be baked in and not tied up in product documentation or a separate PDF the sales engineer has forgotten to email over.
It's a noble goal to not require anyone to spend days setting up environmental prerequisites to evaluate a CIAM product. It should take single digit hours to a day - tops - to evaluate the features of the product that solve the problems you need to solve. What gets lost in this discussion is that it is even more important to easily manage, monitor and change the solutions as the business and customers evolve. This is the main issue a CIAM solution needs to solve, while also providing a quick and easy setup. The only constant in business is change. As your brand grows, you will likely need to change your authentication methods, modify how you interact with social logins and keep in line with changing privacy regulations. It is imperative that your CIAM system can quickly adapt to these changes so that your business can continue to grow.
Only focusing on quick setup and not evaluating how a solution can grow alongside your business is a mistake similar to buying a ThighMaster and not understanding why you don't have a beach body.
Carve out 20 minutes so we can show you how we can help solve your CIAM problems from both setup to long term success. I can guarantee that it will be more comfortable and rewarding than a couple of sets of 10 minute Abs.