developing a customer iam (ciam) strategy and roadmap

Developing a Customer IAM (CIAM) Strategy and Roadmap Initial Publication Date: 12 November 2018

Abstract A few years ago, TechVision released our research report on the “emerging” Customer Identity and Access Management (CIAM) market. Today CIAM is no longer emerging; it has “emerged” as most large enterprises are developing distinct customer-centric IAM strategies, architectures and programs. CIAM has several differences from traditional (internal enterprise-focused) IAM including a greater emphasis on ease of use, privacy and consent management, customer-centric data security and integration with CRM, marketing systems and key sales/business initiatives.

CIAM provides a gateway to the customer and is one of the most important elements of any Digital Transformation program. CIAM is often the first “touch point” an organization has with a prospect and is an on-going reflection of a brand. Get CIAM right and you will attract customers, drive revenue and represent your organization in the best light; get it wrong and your business will suffer.

In this report, we provide a foundation for enterprises looking to build an IAM foundation to support the engagement of customers, prospective customers and external stakeholders in the context of business goals.

This report covers:

• The CIAM value proposition and business rationale for the enterprise • Developing a CIAM strategy and action plan • The CIAM market and vendor short list

• Recommendations and next steps

Authors: Gary Rowe Doug Simmons

CEO & Principal Consulting Analyst Principal Consulting Analyst

[email protected] [email protected]

David Goodman

Principal Consulting Analyst

[email protected]

mailto:[email protected]



CIAM Strategy and Roadmap Rowe, Simmons, Goodman

2 © 2018 TechVision Research, all rights reserved www.techvisionresearch.com

Table of Contents

Abstract .................................................................................................................................................................................. 1

Table of Contents ............................................................................................................................................................... 2

Executive Summary .......................................................................................................................................................... 3

Introduction – A Platform for Customer IAM ....................................................................................................... 4

Enterprise (traditional) IAM vs. Customer IAM .................................................................................................. 6

CIAM Opportunities and Business Benefits .......................................................................................................... 9

Consumer/Customer Experience....................................................................................................................... 11

CIAM Regulatory and Security Control Considerations ............................................................................... 12

Security/Risk ............................................................................................................................................................... 12

Privacy & Consent...................................................................................................................................................... 13

Building a CIAM program............................................................................................................................................ 14

Identify Stakeholders, Understand Current State/requirements ...................................................... 15

Development of a CIAM Reference Architecture ........................................................................................ 18

TechVision Research Vendor Shortlist ................................................................................................................. 21

Cloudentity .................................................................................................................................................................... 22

Strengths ................................................................................................................................................................... 23

Weaknesses ............................................................................................................................................................. 23

ForgeRock ...................................................................................................................................................................... 23

Strengths ................................................................................................................................................................... 24

Weaknesses ............................................................................................................................................................. 24

Janrain ............................................................................................................................................................................. 25

Strengths ................................................................................................................................................................... 25

Weaknesses ............................................................................................................................................................. 26

Okta................................................................................................................................................................................... 26

Strengths ................................................................................................................................................................... 27

Weaknesses ............................................................................................................................................................. 27

SAP/Gigya ...................................................................................................................................................................... 27

Strengths ................................................................................................................................................................... 28

Weaknesses ............................................................................................................................................................. 28

Other CIAM Vendors to be considered ............................................................................................................ 29

Conclusions/Enterprise Recommendations ...................................................................................................... 30

About TechVision ............................................................................................................................................................ 32

About the Authors .......................................................................................................................................................... 33

http://www.techvisionresearch.com/



Executive Summary Customer IAM (CIAM) is an area every large organization should be paying attention to. This relatively new IAM category is rapidly evolving and is critical to building trusted customer relationships. Enterprises are architecting customer-centric IAM solutions and vendors are developing CIAM services that are differentiated from traditional Enterprise IAM solutions. TechVision Research recommends the use of CIAM-centric services; not just fine tuning traditional IAM products and services. Key areas of focus within CIAM include supporting key Sales and Marketing objectives including enticing and engaging prospective customers, better serving and retaining current customers and establishing a trusted, secure and sustainable relationship. Simply put, a CIAM program properly executed is a conduit towards building lifetime digital customer relationships. Establishing trusted connections and building relationships that generate useful data and can be served by better customer knowledge are keys to digital business success. These digital relationships can be maintained and enhanced over time with a steady flow of updated contextual information that drives personalized customer offerings and improves business decisions. CIAM is different than many infrastructure technologies in that the business benefits are so directly visible and impactful. In many cases the customer engagement process can make or break a lifetime relationship; get CIAM right and you can build a strong digital presence and business results; get it wrong and your competitive advantage can be forever lost. In building a CIAM program, organizations should start by focusing on the customer experience and how CIAM can support the evolution of this experience throughout the suspect/prospect/customer lifecycle. Relationships to be managed may be initiated by anonymous users investigating your website and grow as offers are responded to and trust is built-up. During this process data is aggregated and customer profile information naturally evolves throughout the lifetime of the relationship. This method of gaining customer insights as the customer journey evolves is characterized as progressive profiling and a key part of a strong CIAM offering. CIAM is different in many ways from traditional IAM. The major focus within CIAM is on the customer; with an emphasis on minimizing friction and enticing engagement. This is different from employee facing IAM in that employees are generally required to use the system as a condition of employment with an emphasis on security and provisioning. Prospects and customers may be lost forever if the registration, log-in, update process, data protection and other CIAM services are not deemed to be a responsive and overall positive experience.




Another key area of focus in building a CIAM program is ensuring that trust is established with the proper data security, consent and privacy protection. Customers expect some control over how their data is collected, managed, stored and shared and the CIAM service needs to support this. In the era of more rigorous data protection and privacy regulations such as GDPR in Europe, the Canada Privacy Act and the California Consumer Privacy Act of 2018 (AB 375), strong security and privacy controls are necessary prerequisites for any CIAM program. TechVision recommends that CIAM programs be considered an investment priority in most large enterprises given the direct business benefits and risks if customer data isn’t properly managed. Digitally connecting with customers and building sustainable business relationships require a strong Customer IAM foundation. This report describes the difference between CIAM and traditional IAM, key end-user requirements, CIAM architecture considerations, design guidelines and a short-list of vendors to consider. Traditional IAM is generally not the best solution to support customer facing applications and services, while CIAM is architected to support the needs of your customers and minimize external risks.

Introduction – A Platform for Customer IAM For the past 25 years, most organizations have focused the bulk of their IAM investments in support of employees and contractors. This internally focused product/service has traditionally been called Identity and Access Management (IAM) or Enterprise IAM. Most large enterprises recognize that IAM needs to be extended to broaden its reach. Digital Transformation programs are extending digital connections to include customers and external stakeholders. CIAM can optimally support these connections and relationships.

In our previous report on CIAM a few years ago, we characterized Customer IAM as an “emerging” category. At this point we believe CIAM has “emerged”. TechVision Research currently classifies CIAM as a separate and distinct Identity and Access Management category. An indication of the development of this space is that many of our clients have major initiatives focused on specifically on CIAM, whereas a few years ago Customer IAM was often just an extension of the incumbent (generally employee-centric IAM) Identity and Access Management service to accommodate customers. There are vendors and service providers that specifically focus on Customer IAM. TechVision also surveyed enterprise IAM decision makers and found an increasing percentage of large organizations were funding or planned to invest in CIAM-centric programs. So the stage is set and the right for CIAM to enter a rapid-growth track. The movement to CIAM reflects an expanding set of IAM requirements that are not fully accommodated by traditional IAM solutions. The increased scale, the diverse contextual information requirements, the focus on an engaging user experience, key privacy considerations/regulations and support for and integration with sales/marketing and business critical applications are areas of particular emphasis in CIAM. Simply put,




identifying, securing, contextualizing, supporting and providing a greater focus on user experience while ensuring appropriate protection for Personally Identifiable Information (PII) is critical in supporting current and future customers. Most enterprises currently have some separation of IAM services that support customers and services to support employees, but they are often just bolted onto existing enterprise-focused IAM platforms. Using legacy systems with different schemas (between internal and external), different security processes/policies and physical separation between customer and internally facing IAM services has been the status quo, but customers and LOB leaders are demanding more. The problem is that general purpose (internally-facing) platforms have not been optimized for the customer experience and are often on-premise only offerings. These enterprise IAM limitations have led to the development of specialized IAM services that integrate with marketing systems, CRM systems, customer/prospect data bases and reporting systems and can handle the scale and uncertainty in engaging with customers and prospective customers. These external customer “stakeholders” are increasingly technology-savvy and expect a fast, pleasant and secure user experience or they may simply find that experience from your competition. All enterprises have access to a wealth of data about their customers, but this data is often in disparate silos or just not being leveraged in an optimal way. For competitive reasons, the business benefits of providing a secure, seamless and unified customer experience across multiple channels (omni-channel experience) is driving the CIAM market. The immediate benefits to the customer are to reduce friction by offering choices of interfaces, offering simplified login, providing self-service capabilities and relevant contextual data leading to personalization and transaction efficiency. These factors lead to increased customer engagement and the likelihood of brand loyalty as long as security is maintained and privacy is respected.

From a business perspective, the upfront investment in CIAM offers faster time to market, a reduction in administrative overhead and ultimately an on-going increase in revenue and client retention. But the use of CIAM and the collection and use of contextual data provides so much more than just engaging the customer; there are opportunities to get to know and serve customers better and more efficiently.

CIAM systems need to also accommodate the wealth of data relating to external stakeholders that may include prospects, customers or partners. Typically most of that information is stored in distinct database instances is uncoordinated and unsynchronized, providing minimal value-added functionality to either the customer or the organization. In fact, the very lack of coherence between systems can lead to customer frustration and lost opportunities for the organization. The right customer facing IAM service can provide valuable profile information, preference data, consent management and other supporting information to support the integration of the right data with the right customers/prospects. In short, it can support key business goals.




Hence, it not only makes sense but it becomes a business necessity to address the issue by adopting a CIAM strategy that will give your customers’ data at least the same level of care as that of your employees and at the same time improve their online experience. It would be easy for an organization to view CIAM as ‘simply’ an extension of their existing EIAM or CRM systems – or both. At one level, CIAM does provide a similar degree of access to company resources as compared to EIAM, but CIAM requires greater autonomy in managing profiles and preferences in support of of developing long-term relationships and uncovering business opportunities. We’ll now take a look at how CIAM is developing into a separate IAM category and how it differs from traditional, internally focused IAM.

Enterprise (traditional) IAM vs. Customer IAM

While CIAM is based on long-standing Identity Management principles originating within the enterprise, there are some major differences that are driving the emergence of this new category of IAM. Key deltas that have emerged as we extend the reach of IAM to external users include increased scale, new types contextual information/relationships, personal data control, a high priority placed on the user experience and key privacy considerations/regulations. Simply put, enterprises need a platform that is optimized for consumer engagement. This specialized class of IAM services requires links into marketing systems, CRM systems, customer data bases and reporting systems and must handle both the scale and the imprecision in engaging with customers and prospective customers. Employees can be controlled (to a degree), but customers and potential customers need to be enticed and motivated to engage and reengage. These stakeholders are also increasingly technology-savvy and expect a fast, pleasant and secure user experience or they may simply find that experience elsewhere. Building a customer-oriented identity management system demands a significant shift in the way vendors and their clients approach the management and use of identities. The most fundamental difference is that employees are a captive audience; they generally won’t leave because of cumbersome identity registration, update, login or provisioning processes. Enterprise IAM has traditionally been confined to a predictable, often static environment, based on a set of mandated policies that, to date, have security and access control as their design goal, while often leaving the user experience as a lower priority.

Customer or consumer IAM on the other hand is driven by an organization’s desire to engage prospective customers and build loyalty with existing clients. CIAM also provides more




insight into its customers and plants the seeds for long-term business relationships, enabling closer online responsiveness based on behaviors and both observed and customer-provided preferences. By contrast with EIAM, CIAM is, by its very nature, open to the Internet and involves scaling to hundreds of thousands or potentially millions of personal identities. Scale apart, there are considerable differences between the approaches taken by traditional IAM solutions, which focus on managing employees and, in some cases partners and a new breed of CIAM services intended to manage interactions and relationships with customers and consumers. The key drivers for both are radically different, driven by different parts of the business and requiring different technical solutions and architectures.

Stricter data protection and privacy regulations supported by the threat of heavy fines and penalties are increasing the stakes for better organizing, managing and protecting customer data. Marketing systems, CRM and CIAM services house large volumes or personal information - if customer data isn’t properly managed it isn’t just an administrative headache, it can also become a significant potential liability to businesses and their brands. This is an issue with IAM systems supporting employees, but customer data presents new types of risks. While a small number of vendors offer CIAM-only solutions, most of the EIAM market leaders are extending their B2E portfolio to address the requirements of B2C to affect the convergence addressed in this document. Others, however, will continue to differentiate between the two – at least for the time being – often partnering with a specialist vendor for CIAM.

The following table provides a summary of the more important differentiators between CIAM and EIAM requirements and characteristics. These deltas as well as the increasing investment in the CIAM area (by both the vendors and their customers) are driving the movement towards stand-alone CIAM service offerings.




Characteristic Enterprise IAM Customer/Consumer IAM

Business

Purpose Platform for employee engagement and the encouragement/enforcement of good corporate behavior

A closer relationship with the consumer leading to product consumption and brand loyalty

Drivers Security risk and cost reduction, on boarding and off boarding efficiency

Acquisition, engagement, recommendation & retention; revenue-driven

Intelligence Static, rules-driven intelligence; but changing with increased use of contextual awareness

Dynamic, real-time, analytics-based; Progressive profiling

Governance, Risk and Compliance

Access Management

Information protection and appropriate access is key to the enterprise

Balance ease of use/engagement against risks

Access Governance

High priority Low-to-medium priority

Policies & Permissions

CIO/IT/CISO with perhaps some input from LOBs

LOB/Marketing and CIO/IT/CISO as well as the customer directly

Privacy Compliance

Centralized policy-driven with further controls for regulatory compliance

Policy-driven as well as customer-driven and opt-in/opt-out and associated consent management. Protection of PII is key as is privacy regulation compliance

Architecture

Adaptability Integration with back-end systems such as HR and Active Directory

Dynamic schema required to support managing consent, opt-ins and preferences; Integration with CRM and customer reporting solutions

Agility Traditionally monolithic and predictable

Modular and adaptable

Architecture SOAP/REST REST

Extent Perimeter-based, enterprise-defined; but evolving to perimeter-less

Borderless, internet-scale

Network On-premises as well as BYOD/BYOI/BYON

Mobile and cloud-first; on-premise if necessary

Performance High latency using captive IDs, primarily for security

Low latency for frictionless user experience, taking account of busy hours (evenings and weekends)

Scalability Tens or hundreds of thousands Hundreds of thousands or millions

Velocity LOB requirements for on-boarding Internet speed




Data

Data Predefined by IT, stored in directories and relational databases

Derived from many sources, often using unstructured data requiring dynamic schema and progressive profiling

Enrolment Triggered by employer Initiated by consumer

Profile & Preferences

HR and employee, to a degree LOB from CRM and consumer through self-service

Provisioning HR-driven, defined by CIO/IT policies Users voluntarily register through self-service

Scope Employees and contractors Customers/consumers; optionally employees, contractors, partners, service providers

User Experience

User Experience Priority

Generally low priority, but gradually improving, driven by CISO

Unified user experience is high priority, further enhanced by self-service, fast response time and simple registration

Personalization Limited but beginning to add personalization/birth rights, largely driven by HR

Considered a differentiator and a benefit to both enterprise Marketing-focused LOBs and consumers

Table 1: Enterprise IAM vs. Customer IAM Comparison

CIAM Opportunities and Business Benefits

CIAM allows an enterprise to better connect with and better understand customers and prospective customers by observing their activity and collecting data. This can, of course, directly impact sales and revenue. Digital Transformation is all about leveraging technology to improve on the business models, revenue opportunities and associated ability to connect, establish relationships and build loyalty with targeted customers. IAM and specifically CIAM is a key foundation for establishing the external connections that are key to a strong Digital Transformation program. In short, CIAM drives revenue growth by collecting data and using the insights from that data to acquire, retain and grow customer revenue. Functional areas that drive CIAM-based business benefits fit into almost every element of external relationships, but IT, Marketing, Sales, Legal and a variety of LOB benefits are areas we’ll explore deeper. Almost any customer facing digital program will benefit from a strong CIAM service. CIAM can be a game changer for enterprise sales and marketing teams by improving connections and insights at scale, but it can be a two-edged sword. Organizations must be careful in deploying CIAM in that it can also introduce risks in the security and privacy areas




that must be balanced and managed. Collecting data without consent or in amouts deemed excessive can damage the trusted relationship most organizations want to achieve and can also create legal and regulatory risks. The good news is that proactively and transparently addressing the security and privacy challenges can also build customer loyalty and is a key consideration in any CIAM program. A key component of Digital Transformation is getting to know your customer and prospective customers. The following three dimensions all can be improved and efficiently scaled with a strong CIAM program.

• Consumer/Customer Validation: To verify identities in compliance with KYC (Know Your Customer) requirements, particularly in the financial sector. This is key to necessary compliance and the foundation for virtually every customer facing use case.

• Marketing & Sales: Modern day sales and marketing leverage big data and advanced analytics to process the accelerating wealth of data available to directly support business goals. This often involves links to marketing systems, CRM systems, marketing campaigns and LOB initiatives.

• Consumer/Customer Experience: To improve both online and real world user or customer experience by understanding and, where possible, anticipating patterns of behavior as well as general and context-based preferences. This is key to customer engagement and retention.

KYC requires businesses to verify who their clients are and specifically determine that they are neither laundering money nor engaged in fraud, not involved in terrorist activities or any form of illicit trafficking and are anti-bribery compliant. Although KYC is mandated for the banking and finance community, enterprises of all sizes engaged in any financial transaction have a need to know that their customers are legitimate; in other words, ‘real,’ not on any transactional blacklist, and of low risk. One of the key capabilities of CIAM services is to identify anomalous or suspicious behavior, not only at the beginning of a customer relationship but throughout the full customer lifecycle.

Most organizations benefit from improving their knowledge of targeted customers and prospects. Behavior patterns are discernible from a variety of different input sources, such as purchasing preferences, location-based information, social media feeds, and data collected/verified from identity profiling. CIAM services, often in combination with Marketing systems and CRM services, can provide insights to business leaders (Marketing, Sales, LOB executives) about customer trends, leads generated, conversion rates by market segment, cross-selling opportunities and, of course projected and actual sales results.




Correlating customer patterns/usage data with identity data can provide insights as to who the customer is, with who they associate, and what they are likely to buy. The primary goals of present day commercial marketing are to determine who you are, who your friends are, and your habits in order to predict what you’re going to want next and figure out how to offer it to you at a compelling price point. CIAM services combined with the right privacy controls can enhance customer confidence and trust that is critical in determining if the brand reputation is strengthened rather than compromised. However, some of the most valuable sources of marketing and sales data comes from customer self-interest and usage. When someone identifies himself or herself online, they voluntarily give up a certain amount of data before participating in a loyalty program or even before making their first purchase. The more confidence this individual has in the brand and the privacy protection, the more complete and genuine the responses will generally be. For example if a consumer doesn’t trust the brand, doesn’t like the digital experience, isn’t confident as to how the data generated will be used…the data they provide may not be accurate or complete. It is important to understand that CIAM is a critical element of an externally facing digital transformation program, but only a piece of the puzzle. While CIAM helps to identify and contribute to decisions concerning appropriate access, these services do not replace marketing automation or CRM systems. They integrate with and augment these systems to help organizations get maximum business value out them.

Consumer/Customer Experience

A positive result of a strong CIAM and customer engagement program is that enterprises can cement customer loyalty by taking the opportunity to streamline and personalize users’ online experience. In the physical world such as a high-end retail store, big data analytics available in real-time can support can help sales associates recognize and welcome customers when they enter a store, remember their buying preferences or steer them towards profile-relevant deals or promotions. We want CIAM and supporting applications to replicate this positive in-store experience. CIAM can help support this as part of a customer’s digital journey. The challenge in connecting with prospective customers and a core function of a strong CIAM offering is help balance the availability of the opportunities these insights provide with increasingly onerous regulations concerning security, privacy and data protection…which leads us to the next topic.




CIAM Regulatory and Security Control Considerations

In connecting with customers and prospects there are different expectations, different security controls and evolving regulations to consider. While there are major business benefits associated with CIAM, it is critical that appropriate security controls and best practices in the area of data protection are applied. That said, there is a balancing act in that the customer experience must be fully optimized and business insights collected – but not at the expense of personal data protection and regulatory compliance. Failure in the areas of compliance and security controls can have a catastrophic impact on your business and your customer base. In evaluating CIAM systems, security should be a top priority and organizations need to be careful to not let the short-term sales/marketing program goals usurp security. A representative from the CISO team should be part of any cross-functional CIAM planning team.

Security/Risk Introducing a CIAM system brings with it a new set of challenges required to balance meeting the usability expectations of customers and maintaining a high degree of security. Most CIAM vendors provide a range of security levels including multi-factor and/or step-up authentication. This provides an additional level of security for those applications or use cases requiring it, but can ease the path towards engagement in initial interactions with prospective customers or in support of low value/low risk interactions. When designing CIAM programs, it is important to be flexible in the early stages of the relationship with a prospective customer and not let security controls derail the early relationship. In these earliest stages often no identification is required (typically low value, non-financial applications) and this can generally ramp up to some “light-weight” identification or registration leveraging social login, federation or simple user name/password. Most users are accustomed to a frictionless registration process at retail sites and will show a reasonable degree of intolerance if engagement does not at least match these experiences. With EIAM, employees have been traditionally stuck with the user experience they were presented with and, for better or worse, have had to learn to live with it, but this won’t work with customers. A key concept to remember is that the level of security controls needs to be carefully evaluated in the context of the user experience and where the user is in terms of the




relationship with your organization. These decisions are based on your risk management assessment. Most enterprises have invested heavily in risk management over the past decade, principally through the deployment of Governance, Risk and Compliance (GRC) systems that help decision-makers and enterprise governance bodies monitor the level of risk associated with their IT environments. That said, enterprise LOBs that are more heavily focused on sales and marketing have a vested self interest in operating outside the influence of enterprise GRC and sometimes do; be careful to not let this happen. As cloud computing has emerged so has ‘rogue IT’ often coming from customer-facing LOBs that feel the pressure of meeting business goals and don’t to be bogged down by IT. Many of these cloud-based rogue IT initiatives have been focused on getting a “quick-and-dirty” CIAM environment in place, without the concerted influence of the CISO and typically ‘asking for forgiveness rather than getting permission’, with respect to strictly following security policies. Don’t fall into this trap. These all-too-common scenarios leave big gaps between enterprise and customer-facing security policies. Additionally, this can lead to largely disparate IT environments that simply can’t be properly integrated later. TechVision’s recommendations to mitigate this risk follows:

1. Understand that CIAM is an critical and highly visible area that requires significant focus/attention, security controls and resources

2. Ensure that appropriate governance of CIAM at least on par with that of EIAM 3. Involve necessary stakeholders from the CISO, IT, CIO, LOB Marketing teams, privacy

teams and Legal to ensure an thoughtful, ongoing dialogue is taking place in support of good governance

The security and risk management requirements for internal IT and customer-facing IT are very different, subject to differing regulations and overall risk profiles of the users and data being addressed. However, good security practices are relevant in both camps – internal and external-facing. While there may be some overlap, there are key differences; for example internal security and risk management policies can be overly prescriptive and not pertinent to customer-facing interactions. Proper institutional governance with an understanding of the often not-so-subtle nuances between the two missions will go a long way towards ensuring the right controls are placed on CIAM without detriment to the customer user experience.

Privacy & Consent While the benefits and opportunities of extending IAM systems to incorporate context and relationships are substantial, there is the danger of a gradual encroachment on the dividing




line between what customers and regulators find acceptable. This customer discomfort is increasingly being supported by current and expected legislation such as GDPR that defining obligations for protection of consumer data, the right to be forgotten and various privacy rights. This gets increasingly complicated as enterprises leverage big data, gain identity insights and develop nested relationships with consumers around the globe and in differing privacy regulation jurisdictions. In order to achieve compliance with data protection legislation in any jurisdiction, and at the same time achieve an acceptable level of business agility, separate views on a user’s identity are not feasible: it is vital to have a unified, single view of a customer’s identity profile, consents (opt-ins) and preferences. In order to bring about this coherent picture and support diverse regional privacy regulations, stringent business rules will need to be captured, modeled and codified in systems. Juggling the constraints imposed by one jurisdiction over another places higher demands on the modeling than in most other system rollouts and may have more than GRC ramifications. In this sense, the best course of action is to view a regulation such as GDPR as the common denominator for regulatory compliance controls worldwide, unless the enterprise steadfastly only intends to operate in a single ‘regulatory region’. Areas such as consent management are critical in achieving GDPR compliance and protecting your organization. TechVision is currently developing a research report that focuses on the evolving consent management space. In addition to basic identity data, there are also categories of derived data based on behavior patterns such as social, retail, travel as well as device usage that need to be managed and secured. Putting habit and usage data together with identity data can enrich the customer experience and drive business results. As stated earlier, the primary goals of present day commercial marketing are to determine who you are, who your friends are, and your habits in order to predict what you’re going to want next and figure out how to offer it to you at a compelling price point. Properly correlated customer data strongly supports those goals.

Building a CIAM program

Most large enterprises are and should be building separate and distinct CIAM programs. TechVision has been working with several large clients in helping to build their Customer IAM strategies, reference architectures, vendor evaluations and implementation plans so we’ll be providing insights here based on real-world experience. We’ll now describe key strategies, major architectural elements and design guidelines to consider in building your CIAM program.




These programs are often initiated by major customer facing digital programs and support engaging and supporting customers with the proper balance between security, privacy and business goals. It bears mentioning that most enterprises typically already have some semblance of CIAM in place, but these solutions are often old and out-dated, not mobile device friendly, were put in place long before more stringent privacy regulations came to bear and so forth. Whether your enterprise is starting CIAM up in a green field mode or you’re replacing/enhancing an existing CIAM solution base, these recommendations are germane. The basic rationale for undertaking a thorough CIAM strategy is that the expectations of all external stakeholders, whether contractors, partners or consumers/customers, have gone up dramatically in terms of the user experience as well as secure access to relevant resources. TechVision recommends starting any CIAM program (or any key infrastructure initiative) by engaging key stakeholders and developing a base-line set of requirements. While our assessment of typical CIAM requirements may not fully represent your organization’s needs, we find that stakeholders are often better equipped to modify a base-line set of requirements than to start from scratch. We’ll provide this guidance in the next section.

Identify Stakeholders, Understand Current State/requirements Key stakeholders in the CIAM area often include LOB leaders, application development teams, IT, security, marketing, customer support and sales. You’ll want to understand key initiatives and how CIAM might help support these programs. You’ll also need to understand the current state of your CIAM program, other IAM efforts/data sources and customer-facing initiatives. Interviewing key stakeholders in the LOBs, Marketing, Sales and IT/security will help frame the initial requirements. Typical CIAM requirements include:

Requirement Description User (Customer) Experience This is typically the most important area in a CIAM

program and generally a much greater area of importance than with Enterprise IAM programs. A CIAM service should prioritize the user experience, as should any customer-facing applications that leverage CIAM. Key elements of the user experience include response time (less than 2 seconds), an easy to use and flexible sign-on process, and engaging/easy to understand user interface, simple self-registration and update capabilities as well as a reduction in repetitive user processes.




Requirement Description Support for Single-Sign-On (SSO) Across Multiple Customer Facing Applications

In a TechVision survey of large end-user organization, SSO was the number one requirement. Signing-in multiple times from various applications and sites across a large organization is a major end-user pain point and should be an area of emphasis in evaluating CIAM solutions.

Customer Self-Registration and Update

In a TechVision end-user survey, this was the second highest rated requirement. Users want to control their information and make sure it is accurate. There is also greater trust in the data (and the organization keeping the data) if the users can control their own PII. This also generally results in more accurate data.

Cloud Integration and Cloud Native Support

Most IAM solutions are moving to the cloud, but CIAM is moving even faster than Enterprise IAM and is a key requirement for many enterprises. The fact that the customers are generally geographically distributed and also leverage various SaaS applications, cloud support is critical.

Customer Enrollment/Provisioning/De-Provisioning

These are critical areas for most clients in that they can either grow the relationship or end it at enrollment and provisioning time. The enrollment needs to be seamless and the deprovisioning needs to be fast, complete and transparent (all connected systems/applications deprovisioned) from a security and regulatory perspective.

Bring Your Own Identity (BYOI)/Social Media and Login/Federation

This is critical for the extensibility and flexibility of the CIAM service. All environments are not known and/or can’t be governed directly, so support for federated authentication, mobile IDs/phone numbers and other BYOIs as well as social media credentials will increase adoption and lower risk. The mantra is federate what you can’t directly manage/control.

Customer Identity Data Management and Integration with Authoritative Source Systems

Key to successful CIAM and Digital Transformation programs is the inclusion of multiple applications, systems, data sources and services and tools to support this integration are critical to support inclusion and/or migration of these types of data sources while maintaining security controls.

CIAM Integration with Customer-facing Portals and Applications

CIAM is an important infrastructure, but still a tool in larger customer-facing programs and business initiatives. Single sign-on and more seamless integration, often via RESTful APIs is critical.




Requirement Description

Incorporating IoT and other New Object Classes

CIAM services will increasingly need to incorporate IoT devices and the sometimes complex set of relationships within the IAM service. This may dramatically increase scale and provide challenges in terms of the identification of smart meters, home security systems, set-top boxes and devices ranging from dumb to very complex. TechVision’s recent report on the IDentity of Things (IDoT) provides greater detail on this topic.

Scalability Even very large enterprise IAM services may get up to a few hundred thousand-person objects in the identity store. CIAM may move this number to the hundreds of millions and if you add IoT devices to this mix the numbers can get much larger. The increased scale combined with the response requirements to engage and retain customers increases the importance of scalability for CIAM solutions.

Compliance with Regional Privacy Regulations Consideration

The Global Data Protection Regulation (GDPR) in Europe and privacy laws in California, Brazil, Canada and other parts of the world are increasing the stakes to ensure enterprises protect and properly use customer data. This includes gaining explicit consent for the use of data and having the right to erase data, AKA the “right to be forgotten” based on user requests. It is incumbent upon the CIAM service to provide support for these capabilities including the means of maintaining user consent data and proper audit trails.

Future State Technology Adoption

An often understated but important requirement is the ability to integrate with and migration to emerging technologies such as edge computing, microservices, DevOps, blockchain, verifiable claims and new self-sovereign identity models. Some of these emerging initiatives include bring your own identity (BYOI) ecosystems that should seamlessly integrate and with and be recognized by your CIAM solution. As TechVision has always maintained, it is important for your CIAM and EIAM architectures to remain loosely-coupled and federated to best ensure an easier adoption path for these emerging approaches to identifying oneself in the digital world.

Table 2 – CIAM Requirements




The above list is a starting point for key requirements organizations may consider in evaluating the need and possible solutions for Customer-facing IAM services. This is a great foundation for developing CIAM reference architecture.

Development of a CIAM Reference Architecture

After assembling a team of key stakeholders, assessing the current state and collecting prioritized requirements, we generally recommend organizations develop a reference architecture taking our templates (or your favorite reference architecture model) and mapping these requirements into the key capabilities associated with a CIAM solution. The TechVision Research Reference Architecture for IAM is this starting point; a master template, shown in Figure 1, below, identifies the IAM capabilities (rather than technologies) that can be improved or enabled, allowing business stakeholders and technical architects to achieve a common language for IAM functions, which can then be refined over time. While this is the same definition that we apply to people identity-oriented use cases, there are specific challenges as we’ve discussed in managing things and the relationships they support. This high-level template starts the journey.

Figure 1: IAM/IDoT Master Template




The capabilities that frame the CIAM architecture illustrated above are described at a high -level as: Interact – how end-users and application developers interact with the IAM platform. In the case of CIAM this will involve how a wide customer, prospect and application interactions. Access – the rules that define the roles, rights, and obligations of any actor or proxy wishing to access enterprise or connected external assets. Change – the capability to define and manage the relationships between the user/ application developer and the enterprise assets. Manage – the capabilities required to manage and upgrade the IAM solution itself. Measure – the capabilities required to audit and improve IAM activities. Store – the capabilities required to share identity information and relationships between the components of the IAM solution. The scale and responsiveness requirements for connected devices may impact this element. Figure 2, below, highlights our more detailed capabilities portfolio to consider in the context of technical interactions between the typical components comprising a comprehensive CIAM ecosystem.

Figure 2: Elements of a Combined Portfolio Architecture




Generally, enterprises should consider CIAM in the context of their overall IAM program, but as we have said - it is important to understand the specific context of and risks associated with connecting to customers and prospective customers, defining their inter-relationships and managing those data generated by these users. It is also important to recognize that the reference architecture patterns of interfaces, authentication, authorization, lifecycle management, persistent storage, and analytics are supported as CIAM. Figure 3 below illustrates an example of how an enterprise consumer IAM reference configuration could be deployed relative to cloud-based customer-facing identity and access services.

Figure 3: High Level CIAM Architecture and Flows

Of note in Figure 3 are the multiple cloud-based and on-premise customer data repositories and systems, such as CRM and reporting systems that all work together to capture, retain and provide relevant customer identity data that can be augmented with behavioral and contextual data to really help enterprises better know their customers, serve them with what they want and improve the user experience by federation and looser-coupling. Even though most large organizations are moving to a “cloud-first” strategy, many legacy on-premise applications and data sources will exist for many years and must be properly managed and integrated.




Achieving this flexibility and loose-coupling often requires federation, virtualization and connectors to bring in both legacy and new environments. Vendors such as Radiant Logic are often leveraged as part of the “integration glue” to provide better Identity inclusion. Additionally, note the predominant usage of RESTful APIs and federation protocols in use to better support mobile device integration – and multiple backend system integration in general, along with establishing a firm base for federated authentication that leverages social login and multi-party service offerings integrated through single sign-on. After understanding key stakeholder requirements, assessing current state and building reference architecture most organizations are ready to consider vendor alternatives. We’ll consider CIAM vendor alternatives next.

TechVision Research Vendor Shortlist TechVision generally recommends that enterprises start with native CIAM solutions in support of customer-centric initiatives. While traditional IAM vendors are adapting their products and services to better support Customer IAM, most large enterprises will have better results with “pure play” CIAM vendors. Traditional IAM vendors understand the challenges in supporting customer-centric use cases and requirements we’ve described in this report. TechVision recently discussed the challenges of moving from EIAM to CIAM with Jackson Shaw, the VP of Product Management with One Identity. He explained that One Identity has decided NOT to focus on the CIAM market, but stick with the intra-enterprise space. We give them credit for knowing what they do well and stay laser-focused in that space and also recognizing the differences in the CIAM space. Ping Identity and SAP have also acquired CIAM solutions (UnboundID and Gigya respectively) to accelerate their movement into Customer IAM; again recognizing that CIAM is a very different market. To further underscore the challenges in conflating enterprise and customer IAM offerings, we have also seen this in reverse; a major CIAM vendor has elected not to move into the Enterprise IAM space. In a recent interview with Jim Kaskade, Janrain’s CEO, he explained that Janrain is NOT moving to the EIAM space at this time given the diverse technical requirements and go to market approaches.

CIAM has been a major area of vendor and end-user investment over the past few years and as a result, the bar has been raised in terms of expected capability and performance. Several vendors have answered that call and those are the firms we are including in this short list. Remember, the TechVision Research short-list is tightly aligned with our consulting business and represents our initial recommendations for vendors to consider for further evaluation in RFIs, RFPs, POCs and other methods of selecting vendor partners. This doesn’t necessarily




mean that the vendors selected on our shortlist are the best overall identity management providers or the only vendors to consider in the CIAM space. We highly recommend a formal evaluation process starting with key stakeholder requirements, reference architecture and an overarching CIAM strategy, but when you are narrowing down potential vendor partners, this short-list may be a starting point. In characterizing how and why vendors are on this shortlist, our primary considerations include the scalability of the solutions, the strength of the user experience, progressive profiling capabilities, global support, security/compliance controls, GDPR/privacy support, consent management, single sign on support, federation, integration tools (connectors, synchronization, meta-directories, virtualization), how effectively contextual information is used, the sophistication of the relationships that are being managed and the accessibility of information to users. From this point of view, Janrain, Gigya/SAP, ForgeRock, Okta and Cloudentity are clearly short-list worthy vendors. That said, there are several other vendors worth considering in specific situations that we will mention at the end of this section. We’ll provide a brief background on each shortlist vendor and a brief description of their solution in alphabetical order.

Cloudentity Cloudentity, based in Seattle, WA, has been in business for several years as a security and IAM consulting company and has recently transitioned to a product/service vendor. TechVision had the opportunity to recently interview Nathaniel Coffing, their founder and CEO. He described their offering as fitting into the modern DevOps model serving up microservices to support application specific security, micro-perimeter security and intelligent risk scoring. Cloudentity is strong technically and has a model that fits within the next generation of microservices and DevOps programs many enterprises are moving towards. Cloudentity firmly builds on a comprehensive microservices approach with strong delegated administration, identity proofing, and provisioning, authentication and authorization services. However, their CIAM solution is built upon a relatively nascent IDaaS platform, so you may want to proceed carefully in terms of assessing the scalability, supportability and reliability of this service. That said, this modern approach and deep technical strength has positioned Cloudentity as an “up and coming” CIAM vendor.




Figure 4: Cloudentity Ecosystem

Strengths

• Microservices architecture at core provides flexibility • Identity and security services integration via microservices provides many options

for delegated administration and enrollment capabilities • Everything is API-driven • Fit within DevOps/Microservices future development environment

Weaknesses

• Early IDaaS platform (possible early growing pains) • Vendor doesn’t provide out of the box connectors, but provides tools/APIs • Smaller company with global support limitations

ForgeRock ForgeRock has a built a scalable platform that focuses on contextual awareness, identity-based relationship management and CIAM. They are also leaders in areas such as UMA (User-Managed Access) and are leveraging these capabilities to integrate additional consent-driven, privacy-based concepts to their relationship management offerings. TechVision had the opportunity to recently interview Peter Barker, ForgeRock’s Chief Product Officer and Eve Maeler, their VP of Innovation and Emerging Technology. Peter provided his vision for CIAM as supporting an environment he described as one where everything is connected and hyper-connected. An area of specific focus he described is in supporting brand trust by




providing a centralized platform and tool sets to better manage the way customer data is used.

ForgeRock envisages the future of identity management as a combination of people, services and things that are increasingly context-aware and, based on this combination of elements, allow different levels of access. ForgeRock asserts that the next generation IAM will become identity relationship management (IRM) with a focus on establishing end-to-end IoT/CIAM solutions with identity management coupled with IoT, consent and privacy controls.

Figure 5: ForgeRock’s Approach to architecting the relationship layer

The ForgeRock Identity Platform™ consists of a series of modules built from open source projects, and is an identity administration and provisioning solution focused on managing relationships across users, devices and things. The platform supports consent management from registration and through the user life cycle which is critical for GDPR compliance and supports building brand trust. Key ForgeRock strengths and weaknesses follow:

Strengths

• A strong, scalable IAM platform • Strong, UMA-based consent management features • Strong relationship management capabilities including strong IoT device and

relationship support • Comprehensive authentication choices with flexible policies • Progressive profiling capabilities

Weaknesses

• Traditionally an on-premise offering, although moving to cloud-based services • Limited, but improving analytic and business intelligence reporting




Janrain Janrain is one of the leaders in the CIAM space with a scalable native CIAM/IDaaS solution and many use case examples in virtually every sector. Janrain and Gigya have been the principal thought leaders in CIAM over the past decade or so. With Gigya’s acquisition by SAP, Janrain may over time gain more of a stronghold on platform agnosticity. In particular, the solution offers a centralized, standardized, but configurable user experience and open protocols focusing on minimizing client-side complexity. Janrain’s CIAM solution has moved all identity components to the cloud and fully abstracts identity from applications. Furthermore, the solution focuses heavily on customer analytics by leveraging path analysis, enhanced fingerprinting, and predictive modeling - and enabling enterprises to build a holistic view of user interactions, increase ‘match rates’ and combine journeys across channels through extensive federation support. This sort of capability is rather unprecedented in the CIAM space, as other vendors strive to catch up with Janrain.

Figure 6: Janrain Design Framework

The following nets out some of the primary strengths and weaknesses of the Janrain solution.

Strengths

• Cloud-native IDaaS solution




• CIAM specialization • Advanced policy management; well integrated, flexible • US, EU, AU, Canada, Japan separate data stores • Oauth2, OIDC, SAML - all major federation standards supported • Strong marketing system/CRM integration • Strong UI/customer engagement platform • Robust MFA options including mobile ‘push’ and biometric integration • API-first design

Weaknesses

• Janrain is the last of the early leading CIAM vendors to remain independent; there is some risk that they could be acquired and their strategy, pricing and plans could change

Okta

Okta is a strong, scalable IDaaS solution. It is very developer oriented subsequent to their acquisition of Stormpath in 2017 with most technical/APIs/federation capabilities addressed. Okta is the exception to the rule of a traditional Enterprise IAM vendor successfully moving to the CIAM space, but isn’t yet as focused on the user experience and marketing systems integration as native CIAM vendors such as Janrain are. They have an enterprise IDaaS-centric model that has been transformed to support CIAM. Okta has assured TechVision that CIAM is a major direction for the company, and as illustrated below, intends to leverage as much as commonality as possible between enterprise user and customer use cases.




Figure 7: Integrated Identity Layer Design

As illustrated above, there is a good deal of functionality that Okta views as being shared across these use cases. It is admirable that Okta would build on what they already do very well in the enterprise space, but it will remain to be seen if that ideology truly enables a first class CIAM solution. The user experience and reporting/analytics capabilities will need to be bolstered significantly, as will adherence to privacy regulations that require stringent management of user consent, the right to be forgotten and so forth. However, Okta has become the proverbial 800-pound gorilla in the IDaaS market, and we’re not counting them out of the CIAM market by any stretch at this point. Key strengths and weaknesses follow.

Strengths

• Meet most CIAM technical requirements including OIDC, Oauth2.0, SAML • Many vertical industry use cases and experience • Scalability is proven via its enterprise solution • Okta leverages push MFA from enterprise pedigree • Well versed in enterprise AD integration

Weaknesses

• Recent focus in CIAM space, more enterprise AD/IDaaS support historically • As yet undetermined if Okta will be sufficient from a customizability/configurability

and UI perspective in support of customer-facing applications for multiple BUs

SAP/Gigya

The Gigya platform is a well-proven CIAM solution and, overall, the SAP acquisition should help with future integration and synergy. Gigya and SAP have are calling their offering the Customer Data Cloud (CDC) to which is a cloud-based IDaaS service offering. Gigya was already a very successful CIAM vendor before the SAP acquisition last year and we look forward to seeing how SAP integrates and leverages Gigya going forward. In evaluating SAP/Gigya in recent RFPs it was clear that while future SAP integration is expected, they are still working out the details. Certainly, for an enterprise that runs the majority of its back office IT infrastructure on SAP software and wants to integrate its customer-facing e-commerce or support platforms with that SAP environment, Gigya should be one of the first CIAM vendors considered. For enterprises that are not so SAP-centric, or run little or no SAP at all, Gigya’s pedigree as a bona fide technology agnostic platform makes them a good candidate, as well. However, there are often pitfalls when a big company acquires a successful smaller company in that the original heterogeneity begins to suffer as acquired platform gets swallowed up within the big vendor’s homogenous ambition. Time will only tell if that is what happens to




Gigya, but as of this writing, the level of autonomy of the Gigya platform is still strong and has not been diluted by the acquirer. The following figure provides some insight as to key capabilities and the architecture of their SaaS offering.

Figure 8: Key SAP/Gigya Capabilities

We’ll now look at a summary of the strengths and weaknesses of the SAP/Gigya offering.

Strengths

• SAP integration, support and synergy over time with SAP/Hybris • One of the premier CIAM platforms before SAP acquisition • Strong marketing and CRM system integration • Built to connect social IDs from the beginning • Strong consent management—well thought out • GDPR compliance • Proven CIAM scale • Strong MFA options including biometric integration, as well as support for ‘lite’

customer authentication based solely on email address • True managed IDaaS solution from inception

Weaknesses • No support for OAuth 2 • Possible lock-in to SAP as time goes on • No SAP additional integration (above and beyond other vendors) post-acquisition




Other CIAM Vendors to be considered

In addition to the previously mentioned short-list vendors there are other quality offerings to

consider to support your CIAM program that may rise to the top for your organization based on

your current environment and business priorities. These vendors include Microsoft, Google,

Amazon, Ping Identity, iWecome and Radiant Logic. All of these vendors can be a viable part of

an organization’s CIAM program (and an extension of our short list) under certain conditions.

We’ll start with Microsoft. Microsoft, of course, via Active Directory (AD), Azure AD and Office

365 has a massive footprint in most enterprises and to a certain degree is an incumbent. In our

CIAM consulting engagements, Microsoft is almost always initially considered by the team, but

generally can’t meet the enough of the core CIAM requirements to be emerge as a primary

solution. That said, Microsoft often partners with other organizations and may be considered as a

lighter weight and scalable CIAM alternative. Microsoft can also be economically attractive in

large Microsoft shops that may have licensing agreements that support CIAM with relatively

modest (or no) incremental investment.

Google and Amazon also seem to be logical candidates for any customer-facing program given

their world-class scale and pervasive cloud-based services. Building CIAM services within these

platforms is a viable solution, but again this won’t be a full-featured CIAM service without a lot

of custom development and/or partnerships. Organizations with heavy DevOps and cloud-first

strategies may still build their CIAM programs on top of the Google Identity Platform or Amazon

Cognito services, but this will generally take a lot of work.

Ping Identity has a reasonably strong CIAM solution subsequent to the acquisition of UnboundID

and have strong integration and federation capabilities, but the current offering is still heavily on-

premised based deployment and not fully integrated in their overall service portfolio. For an

enterprise that has Ping-centric IAM services (and there are many) this is solid offering and should

be considered.

iWelcome is another vendor with strong CIAM capabilities and one major limiting factor.

iWelcome is focused on enterprise rather than mid-size companies and is strictly a private cloud

service, i.e., it does not offer multi-tenancy, based on the company’s understanding that businesses

are extremely sensitive about flexibility and security. This can be of value in supporting GDPR.

iWecome is not on the top-tier short-list primary due to their limitations outside of Europe and

generally don’t market their offering to non-European based organizations. In several discussions

with iWelcome’s CEO Danny de Vreese over the past few years, we know they are actively

investigating expanding to North America and beyond and will provide updates when this status

changes. For a EU-based CIAM solution we do feel that iWelcome is worth considering.

Radiant Logic is vendor that can support identity integration capabilities as organizations build out

their CIAM program, but is not a stand-alone CIAM solution. Radiant Logic boasts a strong virtual

directory platform and identity data integration solution enabled by their Identity Correlation




Service (ICS), which provides a plethora of out-of-the-box connectors to authoritative source and

target systems through a combination of virtual (real-time) integration between authoritative

source systems. There solution can also add to the relationship management and correlation

capabilities that may not be as robust within the selected CIAM vendor’s portfolio.

We’ll close with some final thoughts about vendor selection and how TechVision can further

support our clients in this area. First, the CIAM space is moving at Internet speed and updated

vendor information is always available from TechVision for our clients via dialogues/inquires. We

develop the vendor short-list summary to provide a summary assessment of the vendors as a

starting point, but we have deep information and additional perspectives on virtually every vendor

in this space. TechVision is also available for more detailed consulting including the development

of RFIs/RFPs, supporting the collection of cross-functional requirements and to support the

development of your CIAM reference architecture. Our team has done over 1,000 enterprise

consulting engagements in the IAM space and we are happy to further support our clients in all

areas related to CIAM and IAM in genera.

Conclusions/Enterprise Recommendations

Digital transformation depends on consistent, clear, and secure identity management for every user, device, and asset across all lines of business. Identity management is the ability to set up and manage the relationships between users and things and to enforce rules for access and security. At its simplest, identity management must answer two questions: who/what are you, and what can you do? These sound simple but have never been more complicated. Nor have the stakes ever been higher. For enterprises, the ability to manage the digital identities of every contributor, every customer, and every prospect is a fundamental requirement to realize the full benefits of cloud computing, mobility, and the Internet of Things (IoT). The bottom line is that every person (thing) of interest to the business must be able to access the resources they need to produce, buy, use, and recommend the products and services of the company. And the business must be able to leverage the data generated by these customer interactions to help build customer relationships and grow revenue. CIAM is a foundational capability to achieve transformation and is a major priority for many of our clients. While there are several vendors that can help support this foundation, there are some recommendations TechVision highlights for all of our clients. So what should you be focusing on as you build out your CIAM program? We’ll conclude this report with 7 next steps to get the ball rolling with your CIAM program: 1. Start with a clear understanding of requirements – Customer engagement requires that

the CIAM platform supports a responsive customer experience across various digital




business platforms. The people closest to the customers should be the conduit to this knowledge and should be engaged in the process.

2. Progressive profiling not “all or nothing” - Customers are willing to give more information as the relationship deepens and value increases. Think of the customer profile as a representation of the state of the relationship; the more the customer willingly shares, the deeper the relationship.

3. Inclusion vs exclusion – Traditional IAM is about protection – keeping the bad guys at bay. CIAM is about inviting people in. While security is important, it cannot be a barrier to engagement.

4. Enterprise IAM should be on the team, but shouldn’t be leading the project – As the old saying goes, “When all you have is a hammer, everything looks like a nail.” While the identity processes look similar for employees and customers, they are different and should be led by the businesses with a customer focus, not the technical people who may have a tendency to try to fit the customer into a familiar model.

5. Customer and employee relationships are different – The enterprise can define and enforce the relationship between the enterprise and the employee. The enterprise enforces the rules. Customers are increasingly in charge of not only the relationship, but the rules as well. Regulations such as GDPR are redefining the roles by putting the customer in charge.

6. Pay attention to privacy – Privacy and proper handling of customer data is an expectation, not an option. Not only is the company liable, but customer trust can be lost in an instant and take years to rebuild.

7. Correlation and context are important – Understanding the various connections the customer has with your enterprise are keys to customer engagement. How they prefer to communicate, how they are represented in various business functions, and how valuable they are to the business are all connected through a proper CIAM infrastructure.




About TechVision

World-class research requires world-class consulting analysts and our team is just that. Gaining value from research also means having access to research. All TechVision Research licenses are enterprise licenses; this means everyone that needs access to content can have access to content. We know major technology initiatives involve many different skill sets across an organization and limiting content to a few can compromise the effectiveness of the team and the success of the initiative. Our research leverages our team’s in-depth knowledge as well as their real-world consulting experience. We combine great analyst skills with real world client experiences to provide a deep and balanced perspective. TechVision Consulting builds off our research with specific projects to help organizations better understand, architect, select, build, and deploy infrastructure technologies. Our well-rounded experience and strong analytical skills help us separate the “hype” from the reality. This provides organizations with a deeper understanding of the full scope of vendor capabilities, product life cycles, and a basis for making more informed decisions. We also support vendors in areas such as product and strategy reviews and assessments, requirement analysis, target market assessment, technology trend analysis, go-to-market plan assessment, and gap analysis. TechVision Updates will provide regular updates on the latest developments with respect to the issues addressed in this report.




About the Authors

Gary Rowe is a seasoned technology analyst, consultant, advisor, executive and entrepreneur. Mr. Rowe helped architect, build and sell two companies and has been on the forefront the standardization and business application of core infrastructure technologies over the past 35 years. Core areas of focus include

identity and access management, blockchain, Internet of Things, cloud computing, security/risk management, privacy, innovation, AI, new IT/business models and organizational strategies. He was President of Burton Group from 1999 to 2010, the leading technology infrastructure research and consulting firm. Mr. Rowe grew Burton to over $30+ million in revenue on a self-funded basis, sold Burton to Gartner in 2010 and supported the acquisition as Burton President at Gartner.

Doug Simmons brings more than 25 years of experience in IT security, risk management and identity and access management (IAM). He focuses on IT security, risk management and IAM. Doug holds a double major in Computer Science and Business Administration.

While leading consulting at Burton Group for 10 years and security, and identity management consulting at Gartner for 5 years, Doug has performed hundreds of engagements for large enterprise clients in multiple vertical industries including financial services, health care, higher education, federal and state government, manufacturing, aerospace, energy, utilities and critical infrastructure.

David Goodman has over 25 years experience in senior identity management positions in Europe and the US. He led two prominent pioneering EC-funded identity/security projects while working for IBM, firstly with Lotus in the Notes/Domino product management team and later with Tivoli’s security

division. He has led several start-ups in the identity space and spent eight years in senior product management roles for telecom providers Apertio, Nokia Siemens Networks and Ericsson. His work has included database and directory services technologies and architecture, meta-directory services, role management and role-based access controls, digital certificates and PKI. More recently he has been engaged in privacy and trust services, cloud services, big data analytics and the Internet of Things. He has worked as a technology analyst and consulted with some of the largest companies in Europe and the US. He has particular insights in the European privacy/regulatory environment, European clients and vendors. For 13 years he was chairman of EEMA, the leading European identity and security membership association.


developing a customer iam (ciam) strategy and roadmap

Documents