In order to cut costs and complexity, 75% of organizations are planning to consolidate cybersecurity, according to analysts. Consolidation, done right, also closes security gaps and creates a smoother, more unified user experience (UX). If these are your goals, you’ll want to read every word of this article for key insights from TIAA.
As a Fortune 100 financial services company, TIAA is ahead of the curve and willing to share their experience with other identity professionals. In a Q&A style session at Gartner IAM, TIAA’s Director of Digital Identity Services Gaurav Kothari spoke with Transmit Security’s Chief Identity Officer David Mahdi, a former Gartner analyst himself. In this session on identity orchestration, Gaurav offered tips (and a few warnings) for anyone embarking on a CIAM project.
Identity orchestration manages vendor integrations and delivers a unified control layer to consolidate identity solutions — enabling them to work as one. A powerful policy engine combines and negotiates all of the risk/trust recommendations to adapt the identity journey at run time. With a drag-and-drop journey player, you can deliver tailored and dynamic risk-based identity journeys for every use case and scenario.
Orchestrating identity workflows for diverse customer scenarios enabled TIAA to:
The following conversation reveals how orchestration bridges the gaps between siloed identity solutions — and how it benefits your teams and customers. These are just highlights of their talk, trimmed down to give you the most valuable information from their Q&A:
David Mahdi with Transmit Security: Gaurav, we are fortunate to have a customer like you, willing to share your experience with others who can benefit. So tell us about your background and what you do at TIAA.
Gaurav Kothari with TIAA: Sure, first, thanks for joining us. I hope after the session you’ll get something that you can take back to your organization and use that in your CIAM program.
I lead the digital identity services at TIAA. My group is responsible for customer digital onboarding, digital access management, fraud detection and prevention and a whole slew of identity lifecycle services…I’ve worked on homegrown systems with database identity and passwords, homegrown token-based systems and more modern identity and access management.
David: You’ve seen the full evolution of CIAM. So why don’t you tell us a little about TIAA?
Gaurav: TIAA is a Fortune 100 company, and we have a mission statement: “We help those who help others.” Our primary business is around retirement products, and we have a strong, long legacy with educators. We have since transformed ourselves and have expanded beyond education. Digitization is one of the key goals…improving all of the interactions that we design for our customers.
David: So let’s dive in. We’re all here at the Gartner IAM conference, and [our focus] here today in this session is CIAM. And one thing I want to mention — it’s a bit of a bone to pick — there is definitely a difference between consumer identity and workforce identity.
As a former Gartner analyst, I myself did some research on bring-your-own identity, and worked with many clients who would ask, “David, can we use social identities if someone loses access? Can we use that to bootstrap some kind of identity proofing?”
The answer is yes, but you have to treat employees differently because they sign employee agreements. You have to adhere to acceptable use policies (AUPs). Gaurav and I were talking about this; it’s a disservice to loop them both in together. What did you say, Gaurav? You said, “If every employee uses a smart card, do you give smart cards to your customers?”
Gaurav: No, that wouldn’t fly.
David: So we’re going to talk about the journey at TIAA with Customer IAM. And we’re thinking about the consumer’s CIAM journey. From that perspective, let’s talk about the program at TIAA.
Gaurav: At TIAA, we have a fairly mature CIAM program, and it didn’t happen overnight. We have been doing this for close to 4 years now. And we have built an ecosystem of products, tools and third-party SaaS providers that typically need to balance competing priorities.
…The first priority is the customer experience. You want to make it easier for your customer to get onboarded. You want to make it easier for your customer to access your system. On the flip side of it, you need to have very strong digital protection. So unless you have a CIAM program or…that tool chain, it becomes very difficult to balance those two priorities.
David: How did you engage your stakeholders at TIAA and get their support?
Gaurav: When we meet with our business folks, we know that, for them, technology is just a means to an end…They don’t care about products. They say, “How fast can I onboard? How fast can I reach a better enrollment rate? How much can I reduce MFA so that there is no frustration with our customers?” So those are the things that we always look for when we are doing anything around the CIAM program.
David: So let’s dive into orchestration. Tell us how that fits it with your CIAM objectives. What business outcomes do you achieve?
Gaurav: The identity orchestration engine…is one of the key pieces we enabled. The first thing is that it takes you away from code management. You have seen the earlier generation of journeys where you have hundreds and thousands of lines of code, and you have five developers working on it. It becomes very complicated to manage that environment.
So with the identity engine you move away from hand rolling things, hand coding things to using a graphical interface. You design your journeys and move to a low code mode. And in that low code mode, it enables you to be more agile. It provides you the ability to meet your business needs faster. The time to market drastically reduced.
…Apart from that having a central identity engine, it saves you from creating point-to-point integration. That’s key. Those integrations take a lot of time. And they introduce a lot of bugs and quality issues every time you hand code them.
David: So it’s fair to say orchestration is a central pillar of your CIAM program. Do you have other areas where orchestration plays a role?
Gaurav: We are obsessed with making our customer experience as simple as possible. So we look at reducing the friction of each and every journey we design. We have a UX team, we conduct UX workshops and make sure that the journey is what our customer really wants. Apart from that, we have an additional analytics team that measures those journeys so that we can have some empirical evidence of what we have done. Is it really working or not working?
And I’d like to quote one of my fraud stakeholders. He is a visionary in the fraud space, and he always tells me, “Gaurav, when you think about the customer, you have to think key things when he’s interacting with you. Once you have authenticated your customer in a passive mode that authentication has to be portable, meaning if someone has authenticated in mobile you should be able to port that to the web or vice versa.
…And the last one point is that the authenticated user has to be persistent — because it took a lot [of effort] to bring him in, and he’s on your website. And he’s transferring money. And you say, I need OTP again because he’s doing this transaction. I’m not saying that you don’t step them up for higher value transactions where you have a bigger stake, a bigger risk, but you shouldn’t be stepping them up on each path in the user journey.
David: So going back to CX… what you were saying earlier is absolutely critical because in the workforce scenario, we do obviously want to have good user experience for the workforce, but CX is absolutely a competitive battleground for customer IAM.
Gaurav: Yeah, that’s one of the differentiating factors when you take your product to the market. …And my business partners would [compare] us against the competitors and say, “This is how fast we can onboard your customers or participants.” And that’s always a feather in the cap for my team and for the business too in terms of digital first and in the simplification of the process.
David: That’s excellent. I want to transition now to giving folks here some advice on orchestration. Akif Khan, the Gartner analyst who presented here just before us, he had some really great research on journey-time orchestration and in his research note that he published, I think, mid-last year, he made the comment about orchestration saying that, “You’re either going to be an orchestrator, or you will be orchestrated.” …In the authentication space, there are a lot of these point players that are out there and some of them are fantastic, and they’re really good at doing certain things, but they just don’t have that holistic view, they don’t have the contextualized signals. So they generally need to be paired with something like orchestration.
Gaurav: And think of it this way: orchestration is a very personalized tool. We personalize the experience of orchestration. For example, we have a product with one university versus a product with another university. With orchestration we can create a very customized experience. Some of our auth flows and screens are so dynamic that they are based upon the content. So it’s you getting the content as a University of Michigan customer or a Harvard customer. Those are the things we could not have done, [short of] 50 copies of code, if we did not have the orchestration engine.
Another use case is to create a white label product. I come from an insurance company, right? So our business runs through agents…what we do is we create a white label app that can look as if it’s an agency’s app, not the underwriting company or the insurance companies app. With orchestration and context-aware technologies, you can really create a very bespoke model. And that can really drive customers for you.
David: Yeah, I think that really highlights another CX advantage. So I want to transition…and get a bit tactical here and give the audience here some recommendations. But before we do, just a quick show of hands, how many folks here are using some kind of orchestration today? I think I see a hand-ish? One hand-ish out of everyone here. All right, so I think they could use some advice.
Gaurav: I’ll start by saying, CIAM is a complex program. It’s not just because the technology is complex. It’s the breadth of what you do as part of CIAM. And by no means am I trying to scare you guys. It is doable. It is achievable, and we know that at our organization.
The critical thing, when you have to go to the stakeholders, you have to tell them the business capabilities. You have to tell them the importance of the program.
CIAM is the first step of your digital transformation … The program helps you establish your digital identity with your customer and you get him into the room. And we see a tremendous push towards digitization, right? And there have been a lot of tools, a lot of technologies and initiatives around that. But I consistently see that part missing where the digital onboarding and the CIAM is not part of it. Then what happens is those backend pieces get to production and you scramble.
How do I bring more customers? How do I make their lives easier? So how do you structure and run program management? There are 3 critical pieces: the strategy of your CIAM program, planning and program management and execution.
I think one thing that worked for us is…a very comprehensive CIAM strategy, which is very well documented. You almost have to write a story of your strategy. There’s both art and science to it because you have to roll up CIAM concepts into a high-level construct or KPIs or a value stream.
David: So having some goals, having the overall strategy tied to those outcomes, and then those stories, absolutely, are critical for the communication strategy within your organization.
Gaurav: Correct. And the other thing that we have seen is establishing a common taxonomy between the business stakeholders and the tech team … You have to start with capabilities, not CIAM features.
David: So don’t go to them and talk about OAuth, SAML and OIDC.
Gaurav: Right, and these guys are smart. They’ve done millions of dollars in business. It’s just that their domain is different and we have to respect that.
…So the 2nd [step] is planning and program management. “If you don’t plan, your plans fail.” We’ve all heard that statement. Your plan is important because…you have to interface with multiple teams. You have to interface with the UX team…the business SMEs…infrastructure teams. So if you don’t have a very solid plan, it would be very difficult to handle the complexity behind it.
And the last thing is execution. We all know stuff needs to get done…We follow agile, and we follow safe. So it has really worked for us in terms of executing on the program. We have scrum teams that work together. The biggest thing I see in that model is that our business is so aligned. In terms of what we are getting. So a sprint starts, designers are designing the screens, and we orchestrate the journeys and by the end of the sprint, I am able to show them a real life working journey.
…and if you can build something iterative and if you can build something that you can move to production faster and have that constant feedback loop between the requirements and the delivery, it is a good recipe for success.
David: And that’s what gets me excited about journey-time orchestration. Because there’s the link to the stories of what the business is trying to do. …You can see it visually versus having to go through pages of scripts and all that stuff. [Orchestration] can be very powerful for those businesses.
So, roadmap. We’ve talked about the journey so far, pun intended. What are items that you’ve got in your CIAM roadmap?
Gaurav: Last year we sat with our stakeholders, and we created a CIAM 2.0 strategy. And the key drivers were how we can further improve our customer journeys and how we can have stronger fraud detection and prevention capabilities.
So three things that we are looking at right now is around identity proofing and verification… We strongly believe it’s going to improve our enrollment scores and some of the dropoff challenges that we have.
The second piece is around behavioral biometrics. We have a lot of data coming in through our risk engine, and we want to add behavioral dataset and marry those two policies to prevent fraud. If you base your step-up on the geolocation, and someone goes to some other location [that’s added friction]… But if you have a behavioral profile, it makes you more comfortable [knowing] that it’s the same person based on how they press the keyboard or how they move the mouse. So we’ll be able to improve the customer experience there.
And the last thing is, I know everybody is going passwordless, right? We’ve already started doing some foundational work on it. I don’t know if we’ll do it this year, but it’s definitely a big thing to accomplish on the platform.
David: What’s your view on things you’d like to see with CIAM in the future?
Gaurav: I think CIAM has come a long way, having a centralized way to manage the user journey. I would like to see CIAM becoming more context-aware…When I talk to my stakeholders, I use the term “smart context”…where we take a multi-dimensional approach to serve our customers. And that’s our goal, right? To serve our customers.
David: I think ultimately it’s like when you know we’ve met, and if I see you in the future, I’m not going to ask you for your ID card. We want to have our digital services be like when we are interacting with our friends and acquaintances.
Gaurav: Another example is when you go to a neighborhood coffee shop, you go in and they know what you’re getting. By the time you get to the counter, your coffee is ready. If we can do that for our customers, that will be a big achievement for us as an industry.
If you have an all-access pass to Gartner IAM, you can play their full session titled, “Transmit Security: Breaking Down Silos – How Identity Orchestration Helped TIAA Consolidate CIAM.”
We’re grateful to have a customer like Gaurav who is willing to share his expertise and insights on how orchestration brings all of the pieces together. Learn more about how Transmit Security Orchestration Services can help consolidate your identity stack.