Customer identity access management is hot -- and becoming hotter as organizations continue to struggle with ensuring that customers have the right access to the right data at the right time while also ensuring a seamless experience. Anyone evaluating a CIAM purchase may still have some lingering questions. What features are most relevant? What elements of a CIAM security system should they look at with the most scrutiny? What should they consider before implementation?
At one level, there are as many answers to these as there are organizations themselves. Specific use, risk appetite, customer expectations and other business-specific factors will govern what is most important. That said, there are a few features that are almost always salient to any deployment -- and a few steps that are almost always helpful in laying the groundwork for deployment.
It's useful to present two caveats before going into depth on these steps. The first is that the critical features of customer identity access management must cover both customer experience and security. Don't get me wrong -- obviously, security features are important -- but so too is a seamless and "frictionless" customer experience, since it really doesn't matter how secure your platform is if you don't have any customers. Second, as noted above, there is a multitude of other items not covered here. I've highlighted elements that are universally applicable, but business-specific factors are obviously germane and important. So just because something's not listed here doesn't mean it's not also important. Once you've locked down the key essentials discussed in this article, it will be time to delve into your specific business needs for customer identity access management.
Noteworthy features for CIAM
So what are some important features to keep in mind as you evaluate customer identity access management products? The first is adaptability. By adaptability, I mean a few things. First, it relates to different customer interaction scenarios at scale -- meaning, how customers will interact with your services and applications. This includes issues like enhanced authentication where required (e.g., multifactor), device fingerprinting, user registration, password reset self-service and so on. This also includes the specific features to accommodate customers now, as well as flexibility for what you may wish to implement down the line.
It also refers to adaptability in the personalization and membership information that the system stores about a given customer and can retrieve (also at scale). For example, a system that just focuses on storing and fetching user IDs is pretty much what most organizations -- at least those that directly service customers -- already have now. Gaining sophistication means ensuring future extensibility. There are other relevant things about customers beyond user ID. What tier of service are they? How do they like to receive information? What are their privacy preferences? What color theme do they like? The customer identity access management product should help support the storage, retrieval and modification of all this information quickly, with no observable response impact.
Another important feature is the ability to federate internally and interact with identity providers in the outside world. A user that is presented with a convenient log in with <social media platform X> is much more likely to register than one faced with a long and time-consuming user account creation form. But social integration is just the surface. There's also seamless authorization once a customer is in your environment. And this is where standards support means added flexibility to support a seamless experience. For example, you might use OAuth 2.0 to take advantage of LinkedIn as an identity provider (to make customer acquisition easier) and Security Assertion Markup Language to hand the customer session off to your customer service chat provider partner (because that's what they support).
Also, don't forget your current and future security and compliance requirements. Again, it's all about extensibility. For example, you might decide that device recognition and knowledge-based authentication are fine for password self-service today, but you'll probably want multifactor authentication when you implement funds transfer tomorrow. Beyond this, though, the ability to report on specific security-relevant customer parameters, such as those GDPR requires you to track, can be just as important to regulatory compliance as providing the customer with the ability to change them -- to opt out of marketing, for example.
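The step-up idea above (device recognition plus knowledge-based authentication is enough for password self-service, but funds transfer needs multifactor) is easiest to keep extensible when the required evidence per operation lives in data rather than in scattered `if` statements. The following is an added illustration written for this article, not code from any CIAM product; the operation names, factor names and `Session` fields are assumptions, and unknown operations fail closed.

```python
from dataclasses import dataclass

# Authentication evidence a customer session can carry (constructed names).
@dataclass
class Session:
    user_id: str
    device_recognized: bool = False
    kba_passed: bool = False
    mfa_passed: bool = False

FACTORS = ("device_recognized", "kba_passed", "mfa_passed")

# Step-up policy: each operation lists the acceptable combinations of
# evidence; satisfying any one listed combination allows the operation.
# Today's rules only; funds transfer is added later via add_operation().
POLICY = {
    "password_self_service": [{"device_recognized", "kba_passed"}],
    "profile_update": [{"device_recognized"}, {"mfa_passed"}],
}

def factors_present(session: Session) -> set:
    """Set of factor names the session has actually satisfied."""
    return {name for name in FACTORS if getattr(session, name)}

def evaluate(operation: str, session: Session, policy=POLICY) -> dict:
    """Return whether the operation is allowed and, if not, the smallest
    set of additional factors that would satisfy it (None if no rule)."""
    rules = policy.get(operation)
    if rules is None:
        # Operations without a rule are denied by default (fail closed).
        return {"allowed": False, "missing": None}
    have = factors_present(session)
    missing_options = []
    for required in rules:
        missing = required - have
        if not missing:
            return {"allowed": True, "missing": set()}
        missing_options.append(missing)
    # Report the cheapest step-up path so the app can prompt for just that.
    return {"allowed": False, "missing": min(missing_options, key=len)}

def add_operation(policy: dict, operation: str, *alternatives) -> None:
    """Extend the policy without touching evaluate(), e.g. when the
    funds-transfer feature ships and must require MFA."""
    policy[operation] = [set(alt) for alt in alternatives]
```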
Lastly, developer support is a critical aspect of CIAM to consider. Any CIAM tools you employ will closely interact with your customer-facing applications, so it's essential that app developers be able to employ them for your CIAM to be effective. Meaning, a customer identity access management product that's "developer friendly" isn't just a nice to have; it's paramount to security as well.
These factors are important to understand as you look at available products, but there is still work to be done to lay the groundwork. A useful starting point is understanding, in detail, the intended flow of the customer interactions that you'll need to support out of the gate.
This sounds easier to do than it is for a few reasons. First, historically, many security groups were focused heavily on network security and less focused on application security, which means that often security teams don't understand or thoroughly examine the nuances of application flow, use cases or customer stories, or the protocols that govern how application components interact. Second, development cycles are becoming faster and faster as time goes by. Agile made release cycles faster than they were; DevOps made them faster still. Likewise, technologies like application containers, function as a service and others assist in development but can make understanding the "substrate" more complicated and more time-consuming to evaluate. It's ideal to build out an understanding of the application from a "flow" standpoint; if you already have threat-modeling artifacts, like data-flow diagrams, use them to save time during this process.
Once you have a clear idea of current and future application flow, discuss with both your customer support and customer service teams how user experience related to customer identity -- e.g., account management, user profiles and so on -- can be streamlined. Then compare the features of the CIAM you’re considering against that information. Likewise, discuss with developers where and how they can integrate the customer identity access management tool into services they’ve already built.