CIAM Platforms: Why Security is Paramount

Keith Graham
  • Mar 18, 2021
  • 4 min read

In our last blog, we discussed the top reasons to consider using a CIAM platform. Today, we're going to continue that theme and discuss the top security-specific reasons why your organization should consider using a CIAM platform.

Reduce The Risk of a Security Incident

The use of stolen credentials and other identity information by attackers is now widely accepted as a major attack vector for account takeover and identity theft.

Any commercially available CIAM platform must help reduce risk to both the brand and the customer through detection, and then swift remediation, of an incident: not if, but when it occurs. Brands can only do this by ensuring they have the following security-related challenges adequately covered.

If a brand is considering building in-house, then they need to ensure they have these risk mitigating capabilities covered.

Misconfiguration of Customer-facing Services and Infrastructure

The reality is that the more customer-facing infrastructure an organization must operate and maintain, the more configuration it also has to manage, and the more knowledge and skills it needs to do so adequately. Misconfiguration is readily exploited by attackers and remains a leading contributor to security incidents.

Patching and Security Maintenance

Any homegrown service (and any on-premises, hosted or open source CIAM implementation) will require processes to ensure that it is adequately patched and that security updates are applied. A major benefit of a true cloud-native CIAM platform is that ownership of and responsibility for patching the platform itself sits with the provider, not the brand. The brand still owns the secure configuration of its own tenant and of any integration code it writes against the platform.

Visibility Within the SOC (Security Operations Center) of Customer-related Security Incidents

Any application owner responsible for a customer-facing application may have certain security requirements to fulfill. As part of a security program, customer-facing applications may need to provide security teams with the visibility they need to help mitigate threats to the application.

Any CIAM platform should be able to provide the necessary security insights and integrate these easily into any existing tools and/or services that are in use.

Adaptive Risk Analysis Methods for the Detection of Threats Against Customer Accounts and Account Takeover

In addition to visibility into the security of, and threats against, the application itself, a security program may require visibility and insight into signals of risk against the customer accounts themselves. There are a number of well-proven risk analysis techniques that can be used to detect identity-related threats, such as:

  • Device-based signals of risk - events based on activity from new, unknown or tampered devices
  • Location-based signals of risk - events based on activity from undesired locations or based on improbable travel
  • Network-based signals of risk - events based on activity from anonymous, malicious, unknown or bot networks
  • Password-based signals of risk - events based on attempted activity using credential stuffing, brute-forcing or breached passwords
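As an added example (not code from the original post or from any CIAM product), here is a minimal Python evaluator that computes all four signal classes above over constructed login events and maps them to an adaptive outcome (allow, step up, block). The thresholds, the enrolled-device list, the anonymising-IP set, the breached-password hashes and the signal weights are all assumed for illustration.

```python
"""Added example (not the original post's or any vendor's code): scoring login
events with the four signal classes listed above. All inputs are constructed."""
import hashlib
import math
from collections import defaultdict

# Constructed reference data. A real deployment would source these from device
# enrolment, IP reputation feeds and a breach corpus respectively.
KNOWN_DEVICES = {"alice": {"dev-a1"}, "bob": {"dev-b1"}}   # account -> enrolled device ids
ANON_NETWORKS = {"198.51.100.7"}                            # anonymising / exit-node IPs
BREACHED_SHA1 = {hashlib.sha1(p.encode()).hexdigest()       # hashes of known-breached passwords
                 for p in ("password1", "qwerty123")}

MAX_TRAVEL_KMH = 900.0          # implied speed above this between logins is "impossible travel"
WINDOW_S = 600                  # sliding window for counting failed attempts
BRUTE_FORCE_FAILS = 5           # failures against one account within the window
STUFFING_DISTINCT_ACCOUNTS = 3  # distinct accounts failing from one source IP
WEIGHTS = {"new_device": 10, "impossible_travel": 40, "anonymous_network": 20,
           "breached_password": 30, "brute_force": 50, "credential_stuffing": 50}


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two points given in decimal degrees."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def is_breached_password(password):
    """Local hash lookup; a real system would query a breach corpus by hash prefix."""
    return hashlib.sha1(password.encode()).hexdigest() in BREACHED_SHA1


def decision(signals):
    """Map a signal list to an adaptive outcome: allow, step_up (e.g. MFA) or block."""
    score = sum(WEIGHTS[s] for s in signals)
    return "block" if score >= 50 else "step_up" if score > 0 else "allow"


class RiskAnalyzer:
    """Stateful evaluator: feed login events in time order, get risk signals back."""

    def __init__(self):
        self.last_success = {}                    # user -> (ts, lat, lon) of last good login
        self.fail_ts = defaultdict(list)          # user -> timestamps of recent failures
        self.ip_failed_users = defaultdict(set)   # ip -> accounts that failed from it

    def evaluate(self, ev):
        signals = []
        user, ip = ev["user"], ev["ip"]
        # Device-based: fingerprint not enrolled for this account.
        if ev["device"] not in KNOWN_DEVICES.get(user, set()):
            signals.append("new_device")
        # Location-based: implied speed since the last successful login.
        prev = self.last_success.get(user)
        if prev is not None:
            km = haversine_km(prev[1], prev[2], ev["lat"], ev["lon"])
            hours = max((ev["ts"] - prev[0]) / 3600.0, 1.0 / 3600.0)
            if km / hours > MAX_TRAVEL_KMH:
                signals.append("impossible_travel")
        # Network-based: source address sits on an anonymising network.
        if ip in ANON_NETWORKS:
            signals.append("anonymous_network")
        # Password-based: the submitted password appears in a breach corpus. The event
        # carries the password only because this is an inline demo; in a real flow the
        # check runs inside authentication and the password is never logged.
        if is_breached_password(ev["password"]):
            signals.append("breached_password")
        if ev["success"]:
            self.last_success[user] = (ev["ts"], ev["lat"], ev["lon"])
        else:
            self.fail_ts[user] = [t for t in self.fail_ts[user]
                                  if ev["ts"] - t <= WINDOW_S] + [ev["ts"]]
            self.ip_failed_users[ip].add(user)
            if len(self.fail_ts[user]) >= BRUTE_FORCE_FAILS:
                signals.append("brute_force")
            if len(self.ip_failed_users[ip]) >= STUFFING_DISTINCT_ACCOUNTS:
                signals.append("credential_stuffing")
        return signals


def analyze(events):
    """Run events through one analyzer; returns [(user, signals, decision), ...]."""
    ra = RiskAnalyzer()
    out = []
    for e in sorted(events, key=lambda e: e["ts"]):
        signals = ra.evaluate(e)
        out.append((e["user"], signals, decision(signals)))
    return out


def _ev(ts, user, ip, device, lat, lon, success, password):
    return {"ts": ts, "user": user, "ip": ip, "device": device,
            "lat": lat, "lon": lon, "success": success, "password": password}

# Constructed sample: a normal London login, then the same account from New York an
# hour later on a new device via an anonymising IP; a brute-force run against bob;
# and one IP trying a breached password across three accounts (credential stuffing).
SAMPLE_EVENTS = (
    [_ev(0, "alice", "203.0.113.10", "dev-a1", 51.51, -0.13, True, "Correct-Horse-9"),
     _ev(3600, "alice", "198.51.100.7", "dev-a2", 40.71, -74.01, True, "Correct-Horse-9")]
    + [_ev(7200 + 10 * i, "bob", "203.0.113.50", "dev-x", 48.86, 2.35, False, f"guess{i}")
       for i in range(4)]
    + [_ev(7240, "bob", "203.0.113.50", "dev-x", 48.86, 2.35, False, "password1")]
    + [_ev(9000 + i, u, "203.0.113.99", "dev-y", 35.68, 139.69, False, "qwerty123")
       for i, u in enumerate(("carol", "dave", "erin"))]
)

if __name__ == "__main__":
    for user, signals, verdict in analyze(SAMPLE_EVENTS):
        print(f"{user:6} {verdict:8} {signals}")
```

Each signal is evaluated independently and combined into a score, which is what makes the response adaptive: a single new device only triggers step-up authentication, while the London-to-New-York login an hour later, from an anonymising address, is blocked outright. In production the thresholds and weights are tuned per brand, the device list comes from enrolment, and the breached-password check is made against a breach corpus at authentication time rather than against a local hash set.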

Static Code Analysis and Code Assessment Tools

Any in-house developed code should be subjected to static code analysis and code assessment tooling as part of the development process, so that defects are found before they reach a customer-facing service. As with the other capabilities in this list, this requires tooling, licensing and skilled people that a brand building its own CIAM must provide for itself.

Penetration Testing

Any in-house developed services and infrastructure should also be subjected to dynamic security analysis, generally via third-party tooling or a third-party penetration test team. This may require additional licensing or services cost, and penetration testing services in particular usually carry a very high cost.


This blog is an excerpt taken from the whitepaper, "An Evaluator's Guide to Buying or Building CIAM."
