What's the difference between CIAM and IAM (and why does it matter)?
It's pretty straightforward: The difference is the "C" (AKA the customer).
A better question might be: "Why'd we have to bolt on another consonant to a perfectly good acronym?"
Well, it turns out that customers and employees aren't the same. (Shocking, right?)
In fact, they couldn't be more different. When people talk about identity and access management (IAM) without the "C," 99 percent of the time they're talking about managing employees' access to the apps they need to do their job.
Occasionally you might run into a really diligent chap who calls it "Workforce IAM." But either way, they're not talking about customers. To make it crystal clear when people are talking about customer identity and access management (CIAM), the acronym gods creatively added the "C."
Linguistics aside, there are some fundamental differences between IAM and CIAM.
What is the difference between CIAM and IAM?
While the "authentication basics" of verifying a user and granting access to the capabilities they need is the same for both employees and customers, pretty much everything else is different.
The biggest difference, though, is the cost of getting CIAM wrong. Create a bad experience for your customers and they'll click over to a competitor and take their revenue with them. While employees may grumble at having to jump through hoops, they generally grin and bear it since you give them a paycheck.
We think a more accurate term for IAM would be WIAM: Workforce Identity and Access Management. Even though there's no official "W" in front of IAM, rest assured that it's there in spirit. So while we don't have official acronym-creating powers, we'll be using WIAM in this blog post to distinguish it from CIAM.
To help you out, we created this Cliff's Notes (or SparkNotes, if you prefer) version of the differences between Customer IAM and Workforce IAM.
#1: Whose access are you managing?
- WIAM: Workforce IAM is designed to manage employees' access to the data and apps they need to get their jobs done. Those employees are likely using tech that you gave them or approved. IT is the gatekeeper, and even if your employees don't like the IAM software your org selected or they find MFA a nuisance, they're not going to quit over it. You control their journey, whether they like it or not.
- CIAM: Customer IAM solutions are different. They're focused on letting your customers do business with you. Nobody "owns" their journey except them and increasingly they're not willing to put up with a bad user experience. What's more, you've got lots of different types of customers – some are tech savvy, others aren't. Put up too many confusing hurdles in front of your customers and they'll take their money somewhere else.
#2: What business problems does each solution solve?
- WIAM: Ultimately, WIAM is all about reducing risk. By using a WIAM solution, you make it hard for evildoers to slip into your systems and you ensure your employees only have access to the data and tools they need. When something changes or an employee leaves you can easily adjust user privileges or revoke access. Problem solved.
- CIAM: Customer IAM, on the other hand, is primarily about increasing revenue and engagement. Done well, it makes it super easy and intuitive for your customers to get into your app or site without putting up unnecessary hurdles. Sure, when transactions are risky (think sharing credit card digits or personal info) you want to throw up some speed bumps. But otherwise the more self-service you can make the customer experience, the better. Oh … and your CIAM solution has to work across any channel (phone, email, web, mobile, kiosks and more) and support whatever tech the customer is using – all while making sure you're doing all of the right stuff to align with GDPR, CCPA and other privacy requirements.
#3: Who are the stakeholders that need to be involved?
- WIAM: Because Workforce IAM is focused on managing your employees' access, your security, IT and HR teams run the show. And since they often collaborate on projects, a WIAM rollout is another place where they usually see eye to eye.
- CIAM: It's a different cast and crew when it comes to CIAM. Security is still a key player since they're responsible for managing the risk. After that, the teams that "own" the customer experience get involved. Generally that includes marketing, customer support, digital experience, product management and even engineering. In many cases a CIAM project will be the first time these groups are working together and there's often a learning curve when it comes to understanding (or decoding) each other's lingo.
#4: How do you measure success?
- WIAM: The metrics all tie back to the goals. In the case of Workforce IAM that means reducing risk. More specifically, WIAM projects are aimed at reducing the likelihood of compromised credentials, insider threats and preventing successful phishing attacks and unauthorized access to your org's network.
- CIAM: When it comes to customer IAM projects the goals tie much more directly to dollars and include both reduced risk and increased revenue. The customer-facing teams will want to track things like conversion rates and customer engagement. Risk is measured more by reduced fraud and fewer account takeovers.
Why do these differences matter?
There's no argument that Workforce IAM and Customer IAM are both critically important.
But you can't treat those journeys the same way. The different audiences and use cases can drive starkly different requirements.
Doing your due diligence up front on what your unique CIAM requirements are will pay huge dividends. Otherwise, you could end up with a classic square-peg-meets-round-hole situation when what you're really looking for is happier customers, more revenue and more growth for your brand … while simultaneously meeting all those fun security and compliance standards.
Getting started with CIAM
Ready to get started? Here's your first step. If you're on the security team, go find the person in marketing who owns the customer experience. Ask them what their goals are, what speed bumps they're running into and then think about how to translate those into requirements for the CIAM project (along with your own).
If you're in marketing, you'll also want to find your counterpart in security. But first, make a list of the riskiest transactions your customers make along different buyer journeys. Then, sit down and have a conversation with your security colleagues about the lowest-touch way that you can reduce the risk of those transactions without sacrificing the customer experience.
Looking for some additional conversation starters? We've put together this quick list of questions to help get your conversation going:
- How are you managing our customers' digital experiences today?
- Do you have specific customer personas you target? Can you tell me about them?
- What do our customers' journeys look like now?
- What goals do you have regarding customer conversion? Are you meeting those? What could help you and the marketing team achieve those?