Keeping customers happy means the big IAM just got bigger

You need to open up core systems to consumers and partners. Here's how to do it securely

Sponsored Feature: It's easy to forget the human factor when it comes to cybersecurity. Completely locking down your network will certainly make you secure, just as completely locking down your building will. The problem is you'll struggle to get much work done, because people need access to assets, physical or virtual, to do their jobs.

That's why identity and access management (IAM) for "insiders" is a central discipline in cybersecurity. The principles, processes, and tooling needed to manage what your colleagues can and can't do across the core systems that form the foundation of corporate tech infrastructure are well understood, even if they are occasionally forgotten.

There's just one problem. Your organization does not exist in isolation. Just as real-world supply chains have become increasingly complex and interconnected, so have the ways in which organizations and individuals do business together and collaborate using technology.

Both businesses and consumers expect a much deeper, more seamless experience when dealing with companies. And they want to be able to do this across a wide range of devices and services, accessing your website from their desktop or laptop, interacting with your apps across mobile devices, and keeping in touch via social channels. And they don't want to have to juggle multiple logins and identities while they're doing it.

Actually, it's not just "customers". Suppliers want and deserve a similar experience. And what about those who straddle both categories? Gig economy workers are, philosophically if not legally speaking, suppliers, customers and employees rolled into one.

The problem is traditional enterprise IAM doesn't map very well to this more complex world.

As Haider Iqbal, Director Product Marketing at tech and aerospace giant Thales Group, explains, IAM tools are focused on managing and controlling employee access to corporate resources. Those resources are often decidedly legacy. Think monolithic ERP or CRM systems. Opening them up to external people and entities often makes technology-level integration a challenge, as developers relying on REST APIs come up against the reality of on-prem, homegrown IAM systems.

Although IAM has evolved to match the dynamics of the corporate workforce, much of it remains hierarchical and linear, and not designed with change in mind. Yes, a typical enterprise might expect a certain amount of staff turnover every month, with departing employees' access to systems being shut down and new joiners onboarded, but this will be just a fraction of the total workforce. Growth is rarely going to show exponential spikes due to a rollout into a new territory, or a new product, service or app launch going viral.

It's a new, customer-driven world

And this is not how the new, customer-driven world works. Just consider the insurance industry. An insurer might work with brokers who may be the initial intermediary with the customer. But the relationship will then move to one between the end user and the insurance company. A single policy might involve multiple family members. They will want to be able to access their policies, check coverage, make claims. And they may want to discuss additional products or services. Again, some of this will involve intermediaries, or other delegated authorities, as well as the company and customer.

As Iqbal explains, many insurance organizations will have systems which date back decades at their core. "They were never built for the digital world," he says. "They were just meant for internal consumption." Supporting the sort of relationships we've described means exposing those systems to multiple customer and business entities, via web channels, mobile apps and social systems. And it means maintaining all of this 24/7. No taking systems offline for backup in the middle of the night.

So insurance firms have to overcome these hurdles to deliver the sort of data-driven experiences consumers – and intermediaries, suppliers, contractors and more – have come to expect and will be happy to find from a challenger organization.

That's why IAM becomes central to the broader digital transformation challenge facing companies. As Iqbal emphasizes, "It's not just addressing a security problem, it's actually addressing a business problem for a lot of organizations."

Not just for consumers and customers

It's for this reason that "CIAM" first emerged. The C stands for consumer, or customer, but is perhaps a misnomer, because consumer identity and access management (CIAM), done right, enables companies to securely open up relevant systems to the full range of consumers, suppliers, partners, and other non-employee parties.

As for what distinguishes CIAM from traditional IAM, one key feature is the ability to scale. Iqbal points out that there are few commercial organizations with more than half a million employees in the world, and only a few hundred with more than 100,000. But when you start talking about customers or consumers, you could be talking tens of millions of potential identities, even close to a billion in some cases.

"It's really hard to imagine that a conventional IAM system that was built for a maximum of 100,000 users can scale up to manage millions, or tens of millions of identities," he says.

This also means that CIAM solutions, and the teams deploying them, must be extremely flexible about the underlying systems they manage. Traditional systems would largely be about granting access to well-known and widely used applications and services like Office 365, Salesforce, or SAP.

But, as Iqbal explains, "In the CIAM space, you could potentially be speaking to applications that don't even have a name inside the organization, right? Because a team of developers actually built a loyalty program system in house that they want to integrate to, when showing loyalty points on the web app or the mobile app, for example."

This makes flexible APIs and webhooks essential. Equally important is that a CIAM vendor is able to sit down with a customer to really talk through what systems and business objectives need to be covered, not simply impose a template that broadly covers a company of a given size, in a given industry, with an assumed portfolio of applications.

Share and share alike isn't always the answer

Data management and privacy also become more of a challenge in this new world. Managing an organization's responsibilities around the information regarding its employees is fairly well understood. Employees will assume their personal data will be protected, and not shared outside the firm.

Things become much more complex when it comes to consumers and customers and other partners. Sharing and pooling data can deliver insights that will improve customer service and spark the development of new products or workflows. But customers will be particularly sensitive about the possibility of data being shared between different domains and organizations, and their ability to control this.

"Imagine if I'm speaking to a retailer who is selling clothes for instance. I'm willing to share my height, waist, or my sport preferences. It's fine for me to do that," says Iqbal. But if that data might then be shared beyond the retailer, say with an insurance company, he continues, "maybe I'm not that comfortable sharing it, because it might affect my premium based on my BMI or the riskiness of the sport I play."

That sensitivity is particularly key for Thales, which is a European company, and which has recently taken over another European CIAM vendor in OneWelcome. This means both organizations are well versed in the EU's GDPR-based approach to managing personal data.

So, OneWelcome offers integration with marketing and analytics platforms as well as integration with social IDs, and customer profiling and auditing. It also offers features such as data validation, identity link matching, and delegation management, to cover cases such as the insurance example we discussed.

Sensitive to European rules

In addition to single sign-on, key features for users include a focus on mobile devices and mobile authentication, and extensive preference management, including the right to be forgotten mandated by the GDPR. Iqbal said this focus on privacy and consent management is a key factor in the adoption of CIAM in Europe, and Thales will be offering it globally, knowing that GDPR is the gold standard for many emerging data privacy regulations.

"I think the pedigree of being a European vendor automatically brings in that notion of somebody who understands the importance of privacy and consent management," he says.

In contrast to the traditional hierarchical approach of enterprise IAM, Iqbal says Thales and OneWelcome see CIAM as the heart of a customer's multiple digital journeys. "Its primary role is that of an orchestrator," he explains.

A company might be using multiple systems for its marketing operations, such as CRM platforms, MDM, and analytics systems, and these will be handling vast amounts of data.

"But in order to contextualize it for a certain user or groups of users, you need to have the context of identity as well," he continues.

That will deliver benefits for the business in terms of security, and in terms of ensuring customers engage with it and stick around. Which is, perhaps, the ultimate benefit that CIAM can deliver.

Because, as Iqbal says, the needs of customers and partners are very different from those of employees. And their respective options to switch suppliers when those needs aren't met are also very different.

After all, an employee struggling to access an ERP system will call support, or try again later, but they are unlikely to leave the company, never to return. But a customer hit with an unhappy experience will simply move on and not come back.

Sponsored by Thales.
