
CIAM vs IAM: Why it matters and which one is right for you?

It's pretty straightforward: The difference is the "C" (AKA the customer).

A better question might be: "Why'd we have to bolt on another consonant to a perfectly good acronym?"

Well, it turns out that what customers and employees need in a login journey isn’t the same. (Shocking, right?) In fact, their needs couldn't be more different. This is why CIAM vs. IAM matters. You need different authentication processes and procedures for internal employees vs. external customers.

Let’s look at some of the major differences between IAM and CIAM that can affect your customer experience and bottom line.

What is the difference between CIAM and IAM?

What is IAM?

Workforce IAM is designed to manage employees' access to the data and apps they need to get their jobs done. Those employees are likely using tech that you gave them or approved. IT is the gatekeeper, and even if your employees don't like the IAM software your org selected or they find multifactor authentication (MFA) a nuisance, they're not going to quit over it. You control their journey, whether they like it or not.

What is CIAM?

CIAM solutions are focused on letting your customers do business with you. Nobody "owns" their journey except them, and increasingly they're not willing to put up with a bad user experience. What's more, you've got lots of different types of customers – some are tech savvy, others aren't. Put up too many confusing hurdles in front of your customers and they'll take their money somewhere else.

While the "authentication basics" of verifying a user and granting access to the capabilities they need are the same for employees and customers, pretty much everything else is different.

The most important distinction is the cost of getting CIAM wrong. Create a bad experience for your customers and they'll click over to a competitor and take their revenue with them. While employees may grumble at having to jump through hoops, they generally grin and bear it.

We think a more accurate term for IAM might be WIAM: Workforce Identity and Access Management, but we don’t have official acronym-creating powers. Even though there's no official "W" in front of IAM, rest assured that it's there in spirit.

To help you out, we created this Cliff's Notes (or SparkNotes, if you prefer) version of the differences between CIAM and Workforce IAM.

What business problems do CIAM and IAM solve?

IAM: Ultimately, Workforce IAM is all about reducing risk. By using a Workforce IAM solution, you make it hard for evildoers to slip into your systems and you ensure your employees only have access to the data and tools they need. When something changes or an employee leaves, you can easily adjust user privileges or revoke access. Problem solved.

CIAM: CIAM, on the other hand, is primarily about increasing revenue and engagement. Done well, it makes it super easy and intuitive for your customers to get into your app or site without putting up unnecessary hurdles. Sure, when transactions are risky (think sharing credit card digits or personal info) you want to throw up some speed bumps. But otherwise, the more self-service you can make the customer experience, the better. Oh … and your CIAM solution has to work across the channels and devices (phone, email, web, mobile, kiosks, and more) your customers use – all while making sure you're doing all the right stuff to align with GDPR, CCPA and other privacy requirements.

Who are the stakeholders that need to be involved?

IAM: Because Workforce IAM is focused on managing your employee access, your security, IT and HR teams run the show. And since they often collaborate on projects, a WIAM rollout is another place where they usually see eye to eye.

CIAM: It's a different cast and crew when it comes to CIAM. Security is still a key player since they're responsible for managing the risk. After that, the teams that "own" the customer experience get involved. Generally that includes marketing, customer support, digital experience, product management and even engineering. In many cases, a CIAM project will be the first time these groups come together and there's often a learning curve when it comes to understanding (or decoding) each other's lingo.

How do you measure the success of a CIAM or IAM implementation?

IAM: The metrics all tie back to the goals. In the case of Workforce IAM that means reducing risk. More specifically, Workforce IAM projects are aimed at reducing the likelihood of compromised credentials and insider threats, and at preventing successful phishing attacks and unauthorized access to your network.

CIAM: When it comes to CIAM projects, the goals tie much more directly to dollars and include both reduced risk and increased revenue. The customer-facing teams will want to track things like conversion rates and customer engagement. Risk is measured more by reduced fraud and fewer account takeovers.

Why do the differences between CIAM and IAM matter?

There's no argument that Workforce IAM and CIAM are both critically important.

But you can't treat those journeys the same way. The different audiences and use cases drive starkly different requirements.

Doing your due diligence up front on what your unique CIAM requirements are will pay huge dividends. Otherwise, you could end up with a classic square-peg-meets-round-hole situation when what you're really looking for is happier customers, more revenue and more growth for your brand … while simultaneously meeting all those fun security and compliance standards.

Getting started with CIAM

Ready to get started? Here's your first step. If you're on the security team, go find the person in marketing who owns the customer experience. Ask them what their goals are, what speed bumps they're running into and then think about how to translate those into requirements for the CIAM project (along with your own).

If you're in marketing, find your counterpart in security. But first, make a list of the riskiest transactions your customers make along different buyer journeys. Then, sit down and have a conversation with your security colleagues about the lowest-touch way that you can reduce the risk of those transactions without sacrificing the customer experience.

Looking for some additional conversation starters? We've put together this quick list of questions to help get your conversation going:

  • How are you managing our customers' digital experiences today?
  • Do you have specific customer personas you target? Can you tell me about them?
  • What do our customers' journeys look like now?
  • What goals do you have regarding customer conversion? Are you meeting those? What could help you and the marketing team achieve those?

Happy chatting!