Simeio’s June 3rd “Ask Me Anything Coffee Talk Series” - CIAM
Last Wednesday, Simeio held its most recent “Ask Me Anything Coffee Talk Series.” The topic was “Customer Identity and Access Management.” The session hosts were James Quick, Director of Solutions and Advisory at Simeio, and Richard Bird, Chief Customer Information Officer at Ping Identity. Here are some of the questions and highlights of the session.
Can you provide an overview of CIAM?
Customer identity and access management, or CIAM, is similar to identity management for employees, but with a customer focus. It enables the secure capture and management of customer identity and profile data, between an online store with a B-to-C model, to manage user preferences. CIAM enables us to differentiate applications and services, provide self-service capabilities, and profile management. Specific to CIAM is consent management that allows a business to collect customer data, and engage them through various channels. CIAM is critically important if the business has customers in Europe, because of GDPR, and in California, with CCPA.
We are at the beginning of a new phase of access control. A few years ago, the focus was on customer account management, where security obligations were placed upon customers. Now, regulations require businesses to secure customer data and have their privacy guarded.
However, we’re in danger of repeating the sins of the past. In order to bring identity into information security, it must be embedded into the organizational infrastructure that has been a standard for decades. While we’ve substantially matured our workforce, we haven’t matured customer access management to keep up. There are massive changes coming, that will demand it, whether they are regulatory, or customer-driven.
Additionally, there is a substantial difference in scale, between identity access for employees versus other users. A business may have a hundred thousand employees. But that is significantly dwarfed by their millions of customers, partners, and other third-party users.
What should I look for in a prospective CIAM solution?
To implement CIAM well, there are many features needed, like account registration and enabling users to manage their profile information and consent. It should have single sign-on and multi-factor authentication.
Another feature is directory services because where you store profile data is critical. Is it an LDAPv3 store, or a database? How are you collecting and maintaining the information from a regulatory perspective, and as a good steward? Data access governance is another crucial capability. I recommend ranking features in order of importance. But, always put the customer experience as number one.
Key attributes of best practices for a CIAM platform include, what I call the three “A”s – Authentication, Authorization, and Approvals. For years, there had been a mistaken belief, within the customer side, that these were simple issues. In reality, it involves a good deal of complexity. Authorization requires entitlements, grants, and consents. Where do you put those? How do you keep them current? How do you handle a medical or financial power-of-attorney, where on any given day, over 20% of the U.S. population suffers from some form of illness or disability? How do you aggregate that information and keep it current? How do you keep that as part of a customer’s holistic digital identity? As you can see, there are gaps in customer identity management. We need to tie identity security to the data the customer owns under GDPR and CCPA, within our systems.
To that end, while we’ve focused on employee identity, we haven’t put enough attention, care, and concern for security into customer identity management.
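The answer above lists entitlements, grants and consents as the data an authorization decision must rest on, and asks where they live and how they stay current. The following Python sketch is an added illustration, not code from the session, Simeio or Ping Identity: it stores consents and delegated grants (the power-of-attorney case) as explicit, time-bounded records, makes every access decision cite the record it relied on, and flags consents that are old enough to need re-confirmation. All names, purposes, scopes, dates and the 365-day review window are constructed assumptions.

```python
"""Consent and delegated-grant records behind a CIAM authorization check.

Added example (not from the Coffee Talk, Simeio or Ping). Every decision
depends on a consent for the stated purpose and, for delegates, on a grant
that is both in scope and inside its validity window. All data is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, List, Optional


def _utc(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Consent:
    """A customer's consent to process data for one purpose (e.g. GDPR/CCPA)."""
    subject: str
    purpose: str
    granted_at: datetime
    expires_at: Optional[datetime] = None
    withdrawn_at: Optional[datetime] = None

    def active(self, now: datetime) -> bool:
        if now < self.granted_at:
            return False
        if self.withdrawn_at is not None and now >= self.withdrawn_at:
            return False
        if self.expires_at is not None and now >= self.expires_at:
            return False
        return True


@dataclass(frozen=True)
class Grant:
    """Delegated entitlement: `delegate` may act for `subject` within `scopes`
    (a financial power-of-attorney would be modelled this way)."""
    subject: str
    delegate: str
    scopes: FrozenSet[str]
    valid_from: datetime
    valid_to: datetime
    revoked_at: Optional[datetime] = None

    def active(self, now: datetime) -> bool:
        if self.revoked_at is not None and now >= self.revoked_at:
            return False
        return self.valid_from <= now < self.valid_to


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str  # always records which condition decided the outcome


class ConsentStore:
    def __init__(self) -> None:
        self.consents: List[Consent] = []
        self.grants: List[Grant] = []

    def authorize(self, actor: str, subject: str, scope: str,
                  purpose: str, now: datetime) -> Decision:
        # 1. A delegate needs a live grant that covers the requested scope.
        if actor != subject:
            has_grant = any(g.subject == subject and g.delegate == actor
                            and scope in g.scopes and g.active(now)
                            for g in self.grants)
            if not has_grant:
                return Decision(False, f"{actor} holds no active grant for '{scope}' on {subject}")
        # 2. Even the customer themselves need current consent for this purpose.
        has_consent = any(c.subject == subject and c.purpose == purpose
                          and c.active(now) for c in self.consents)
        if not has_consent:
            return Decision(False, f"{subject} has no active consent for purpose '{purpose}'")
        return Decision(True, "self-service" if actor == subject else "delegated")

    def consents_due_for_review(self, now: datetime, max_age: timedelta) -> List[Consent]:
        """Active consents older than `max_age`: the 'how do you keep them current' question."""
        return [c for c in self.consents if c.active(now) and now - c.granted_at > max_age]


def build_demo_store() -> ConsentStore:
    """Constructed sample data: one customer, one withdrawn consent, one expired grant."""
    store = ConsentStore()
    store.consents += [
        Consent("alice", "billing", _utc(2019, 1, 1)),
        Consent("alice", "marketing", _utc(2019, 1, 1), withdrawn_at=_utc(2020, 5, 15)),
    ]
    store.grants += [
        Grant("alice", "bob", frozenset({"view_statements", "update_address"}),
              _utc(2020, 1, 1), _utc(2021, 1, 1)),
        Grant("alice", "carol", frozenset({"view_statements"}),
              _utc(2019, 1, 1), _utc(2020, 1, 1)),  # lapsed grant
    ]
    return store


def run_demo(now: datetime = _utc(2020, 6, 1)):
    store = build_demo_store()
    checks = {
        "alice_self_billing": store.authorize("alice", "alice", "view_statements", "billing", now),
        "bob_for_alice": store.authorize("bob", "alice", "view_statements", "billing", now),
        "bob_out_of_scope": store.authorize("bob", "alice", "close_account", "billing", now),
        "carol_expired": store.authorize("carol", "alice", "view_statements", "billing", now),
        "alice_marketing_withdrawn": store.authorize("alice", "alice", "view_statements", "marketing", now),
    }
    return checks, store.consents_due_for_review(now, timedelta(days=365))


if __name__ == "__main__":
    decisions, review = run_demo()
    for name, d in decisions.items():
        print(f"{name:28} {'ALLOW' if d.allowed else 'DENY ':5} {d.reason}")
    print("due for review:", [(c.subject, c.purpose) for c in review])
```

The point of the design is that neither the grant nor the consent is implied: a delegate with a valid grant is still denied when the customer's consent for that purpose has been withdrawn, and the reason string makes the denial auditable. The review query is what a data steward would run periodically to drive the re-confirmation prompts the session recommends.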
How do I improve customer data, provide the company with a unified view, and comply with privacy and consent regulations?
First, determine the quality of the data in your Active Directory, relative to your workforce. High-quality inputs, associated with access, have been a challenge for years. Microsoft created AD to compete with Novell, primarily for file and printer sharing. But now we’ve built entire security frameworks around a tool and data store that was never intended for security.
Now consider the diversity within your customer environment. Different departments collect customer information for their own purposes. The rationalization of placing this information into a protective data store that meets regulatory demands requires a huge amount of work. Each department values its data independently. To meet regulatory compliance, you can be assured, there will be internal turf wars and corporate politics.
Today, we’re seeing companies standing up new functions around digital transformation, rather than putting customer access management into the CSO organization. The heads of those transformations are taking responsibility for creating the quality stores that can comply with privacy and consent requirements, and for large enterprises, this is proving to be very challenging.
Companies collect a lot of customer profile data. My recommendation is, have a strong reason for every attribute of data you collect. Make someone responsible for ensuring it is kept accurate and up to date. Engage customers in a frictionless way, enabling them to update their information, so you can more easily and accurately maintain their data.
What are some evaluation criteria needed to create a good customer experience?
We now have the ability to leverage artificial intelligence and machine learning to conduct key functions within access control that improve the customer experience. We can provide frictionless authentication and authorization approval for customers. We can leverage risk, device, and behavior scoring, at a scale we could never have done before. These critical customer protections are now possible, without having to inconvenience the user.
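The answer above describes combining risk, device and behavior scoring so that most customers are never interrupted. The Python below is an added example, not code from the session or any vendor product, of a risk-based (adaptive) authentication decision: it scores an attempt from device familiarity, location and travel speed, recent failures and form timing, then picks the least intrusive response (allow, step-up MFA, deny). Weights, thresholds, the 1000 km/h travel limit and the sample attempts are constructed assumptions; in production the signals would come from the device registry and authentication log.

```python
"""Risk-based authentication: score the attempt, then choose the least friction.

Added example (not from the Coffee Talk, Simeio or Ping). Signals, weights and
thresholds are constructed; a real deployment would tune them from its own data.
"""
from dataclasses import dataclass, field
from math import asin, cos, radians, sin, sqrt
from typing import List, Set, Tuple

ALLOW, STEP_UP, DENY = "allow", "step_up", "deny"
EARTH_RADIUS_KM = 6371.0


@dataclass(frozen=True)
class LoginAttempt:
    user: str
    device_id: str       # cookie/fingerprint id presented by the client
    ip_country: str      # from IP geolocation
    lat: float
    lon: float
    ts: int              # unix seconds
    failed_recently: int # failed attempts for this user in the last hour (from the auth log)
    form_ms: int         # time between page load and submit; near-zero suggests automation


@dataclass
class UserHistory:
    home_country: str
    last_lat: float
    last_lon: float
    last_ts: int
    known_devices: Set[str] = field(default_factory=set)


def km_between(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance (haversine), used for the travel-speed signal."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def risk_score(attempt: LoginAttempt, history: UserHistory) -> Tuple[int, List[str]]:
    """Additive score with a reason per signal so the decision can be explained."""
    score, reasons = 0, []
    if attempt.device_id not in history.known_devices:          # device signal
        score += 30
        reasons.append("unknown device")
    if attempt.ip_country != history.home_country:              # risk signal
        score += 15
        reasons.append("login from outside home country")
    hours = max((attempt.ts - history.last_ts) / 3600.0, 1.0 / 60.0)  # floor at 1 minute
    kmh = km_between(history.last_lat, history.last_lon, attempt.lat, attempt.lon) / hours
    if kmh > 1000:                                              # impossible travel
        score += 40
        reasons.append(f"impossible travel ({kmh:.0f} km/h since last login)")
    if attempt.failed_recently >= 3:                            # behaviour signal
        score += 25
        reasons.append("repeated recent failures")
    if attempt.form_ms < 300:                                   # behaviour signal
        score += 20
        reasons.append("form completed faster than a human")
    return score, reasons


def decide(score: int) -> str:
    """Thresholds are assumptions: low risk passes silently, mid risk steps up, high risk stops."""
    if score < 25:
        return ALLOW
    if score < 60:
        return STEP_UP
    return DENY


def evaluate(attempt: LoginAttempt, history: UserHistory) -> Tuple[str, int, List[str]]:
    score, reasons = risk_score(attempt, history)
    return decide(score), score, reasons


def complete_step_up(attempt: LoginAttempt, history: UserHistory) -> None:
    """After a successful MFA challenge, trust the device and move the location baseline,
    so the same customer is not challenged again for the same reason."""
    history.known_devices.add(attempt.device_id)
    history.last_lat, history.last_lon, history.last_ts = attempt.lat, attempt.lon, attempt.ts


if __name__ == "__main__":
    # Constructed history: one enrolled device, last seen in London.
    hist = UserHistory("GB", 51.5, -0.12, 1_600_000_000, {"dev-1"})
    samples = [
        LoginAttempt("alice", "dev-1", "GB", 51.5, -0.12, 1_600_003_600, 0, 4000),
        LoginAttempt("alice", "dev-9", "GB", 51.5, -0.12, 1_600_003_600, 0, 4000),
        LoginAttempt("alice", "dev-9", "US", 40.71, -74.0, 1_600_003_600, 0, 4000),
        LoginAttempt("alice", "dev-1", "GB", 51.5, -0.12, 1_600_003_600, 5, 50),
    ]
    for s in samples:
        action, score, why = evaluate(s, hist)
        print(f"{s.device_id} {s.ip_country}: {action:8} score={score:3} {why}")
```

The decision is explainable by construction: each signal contributes a named reason, which is what an analyst needs when a customer disputes a challenge. Friction is also self-reducing, since a completed step-up enrolls the device and only the genuinely anomalous attempts keep being challenged.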
What should companies expect, regarding future regulations?
What I would say is, if you’ve not started, get started. For the first time, we’re seeing demands for regulatory change coming much faster against a cybersecurity control. There are currently multiple drafts of U.S. legislation related to national security and citizen digital identity. This is not speculation. It’s coming. Not only in the U.S., but in other countries too.
There is an opportunity now to understand the concepts and demands, relative to your customer access. You can put your business in a proactive position to not only protect it but your customers, too. Customer access is directly tied to the safety and security of citizens within their country. In the United States alone, every year over half a billion unique customer identity records are stolen. We need to improve our protection posture, and many of these regulations will demand it from us.
We’ve just touched upon some of the conversations. If you want to learn more, you can watch this and other on-demand Coffee Talk sessions at https://www.brighttalk.com/channel/17142. We hope you can join our next Coffee Talk, where you can chat with IAM experts, ask questions, and gain insights into how you can lower operational costs and achieve greater security and privacy using IAM. Click here to sign up.