If you’ve spent any amount of time searching for customer-friendly identity management and authentication, it probably feels like you can’t take two steps without tripping over something calling itself CIAM, or Customer Identity and Access Management.
Everyone appears to have a different take on CIAM. Is it always passwordless? Does it need an identity provider? What really is CIAM, and why should you care? In this article, we’ll demystify the term and give you the tools to figure out how it can work best for you.
CIAM Basics: It’s All About the “C”
Customer identity and access management (CIAM) can seem complex at first, but it’s really quite simple when you break it down into its individual parts. At its most basic level, CIAM is a system that:
- Establishes and maintains persistent customer data — specifically, identity data
- Authenticates legitimate customers
- Denies access to non-verified users
- Authorizes customers to access digital assets based on their privileges
It’s worth noting that all these things are equally applicable to the identity management systems from 20 years ago — except for one key difference. The customer. CIAM is all about the “C,” or the customer logging in to buy products and access services. It’s this focus that sets CIAM apart both in theory and practice.
CIAM builds on the identity and authentication tools of the past, and it creates several new ones to construct an environment that is friendly, easy to manage and secured against fraud. At its core, CIAM is all about getting customers into your app, site or service while keeping the bad guys out. But to understand what makes CIAM so special, we have to take a quick look at what came before it.
IAM’s early beginnings
Decades before CIAM was recognized as a separate concept, IAM (Identity and Access Management) was created primarily through scattered, in-house development and specialized tools. This is where modern digital identity as we know it really begins. Before that, identity was stored within local silos and managed manually, which made it prone to errors, difficult to reuse and highly inefficient.
IAM solutions automated identity management in an attempt to increase reusability, reduce costs and increase efficiency. In the 1990s, IAM systematized employee and internal identity by centralizing the storage of user accounts. This eventually gave way to networked environments that could share data, like user account information. Now it was possible to manage access control across an entire shared network rather than only locally on each machine.
Early IAM was mostly isolated to two goals: safely storing user data and accurately authenticating users. Self-service or user-centric controls were secondary or nonexistent. Modern employee-focused IAM grew out of this homegrown ecosystem to eliminate operational inefficiencies and further secure resources. While the typical experience has become much more user-friendly, many limitations inherent to the IAM of the late 90s remain the same.
Organizational differences between CIAM and IAM
In theory, CIAM is just a variant of IAM. The key differentiator is a laser focus on your customers, or the “C” in CIAM. But CIAM is much more than adding the word “customer” to the beginning of IAM. In fact, when it comes to practical applications, CIAM and IAM have many components that are mutually exclusive.
If you’re starting with next to no knowledge of CIAM or IAM, the easiest way to understand them and their organizational differences is with the “inside-out” versus “outside-in” illustration. In the diagram below, the typical IAM implementation is entirely within the organization’s grasp and control. Users start from within the organization and interact outward. The opposite is true for CIAM; users begin outside the organization and enter its boundaries only at their discretion.
In CIAM, the ecosystem of users exists outside the operational boundaries of the business, meaning less direct control is available to the organization. This invokes significant differences in capabilities and requirements — especially when it comes to scale.
Consider the size of the employee roster at a large company. It may number in the thousands, and that’s usually a lot to manage for an internal IT team tasked with protecting vulnerable resources. However, CIAM solutions must provide access to millions, if not tens of millions, every day and at any time.
Comparing the scale of IAM and CIAM is akin to comparing a submarine with a cruise ship. Both are built to ensure the safety of their occupants, but the submarine isn’t designed for comfort or capacity. It has a job to do — and so does everyone on it. On the other hand, the cruise ship caters to the desires of its passengers while keeping them safe, happy and moving forward.
Read more on the differences between CIAM vs. IAM.
What Does CIAM Do?
Unlike traditional (or inside-out) IAM, which is generally driven by operational efficiency and security, CIAM is built on a user-first approach that gives customers more control over their authentication experience. More importantly, CIAM is designed to make identity management and authentication simpler so that customers barely notice it.
In fact, the only reason organizations should want customers to notice their CIAM solution working is when they’re impressed by how seamless and secure it is. CIAM is more focused on providing an uninterrupted experience at scale than increasing operational efficiency or increasing security for a few thousand users. That said, CIAM does dramatically improve efficiency and security — just not by adding tedious layers of authentication that detract from the customer experience. In other words, its goal is to provide the powerful functionality of the most secure IAM solutions without any of the plumbing disrupting the user journey.
To deliver this degree of control and seamlessness to a user base of millions, CIAM environments are composed of a wide array of tools and applications, and they often combine software from multiple vendors to achieve the desired result. Rather than being defined by a specific set of tools, a comprehensive CIAM environment is more accurately described based on its capabilities.
Generally speaking, a CIAM solution includes:
CIAM solutions may also include but are not limited to: secured APIs, SDKs for mobile apps, social logins (BYOI, or Bring Your Own Identity) and fraud detection or behavior monitoring. Again, these are just the tip of the iceberg, and this list is by no means exhaustive. In the next several years, this group of features will grow exponentially.
Keep in mind that CIAM environments are designed to scale far beyond the typical scenarios of internal IAM, serving millions of concurrent users. All of these functions must be built to accommodate that massive scale before they can qualify as a trustworthy (and explicit) CIAM component.
Why CIAM? Why Doesn’t IAM Work for Customers, Too?
The core aim of CIAM is to provide the maximum level of security without compromising a seemingly effortless user experience. It’s been shown time and again that excessive security measures tend to rub customers the wrong way, and many will abandon a webstore or service provider that places too many obstacles in their path.
The simplest reason why IAM isn’t appropriate for customers is that it’s entrenched in a security-first, obstacle-laden design scheme. The existing tools and solutions for IAM do not scale to the size of modern customer bases, nor do they offer the quality-of-life adjustments necessary for a smooth experience. Critically, traditional IAM includes a range of tools and offerings that are either unwieldy or completely useless in the customer-facing environment.
Simply put, traditional IAM fails to deliver an unobtrusive experience or a cost-effective offering for the vast majority of customer-facing use cases. It is unconcerned with disrupting internal users, and it includes residual tooling or blunt instruments that cannot compete with acutely designed CIAM solutions.
CIAM security concerns are different
CIAM environments protect their owners from a different set of cyber threats than traditional IAM solutions. Financially motivated threat actors attacking a CIAM solution will steal services or make illegitimate purchases rather than ransom business infrastructure.
CIAM solutions are tasked with protecting customer accounts without disrupting the user’s experience. They do not have the benefit of dealing with internal users like employees, and thus CIAM environments are typically designed to contain self-service components for account maintenance or troubleshooting. For example, a CIAM customer might be able to easily reset their account’s password through automated dialogues. However, this has led to self-service mechanisms becoming frequent targets for fraud schemes.
Because of this vulnerability, many CIAM implementations are designed to authorize users based on their perceived level of trust, only enforcing a secondary step-up authentication when the user tries to take a particularly sensitive action. Newer CIAM solutions attempt to eliminate the vulnerability by removing the underlying mechanism: passwords. While passwordless authentication is still relatively new, Gartner analysts suggest that the majority of enterprises will implement a passwordless initiative in 50% of use cases by the end of 2022.
CIAM Privacy and consent pose issues
Unlike traditional IAM, which is typically reserved for internal users like employees, CIAM must also account for privacy and consent. CIAM solutions often collect personally identifiable information (PII); for example, email addresses, phone numbers and passwords. This kind of information is governed by many regulations, including the GDPR in the European Union.
In these cases, the PII must be processed according to a strict set of rules, including giving end users the ability to opt-out of any non-essential data collection. The current generation of CIAM solutions often include options that allow users to revoke their consent and delete their stored data, request a copy of their stored data and opt-out of marketing campaigns.
Customer vs. internal focus: why can’t my internal IAM-focused IdP do CIAM?
Internal IAM solutions offer a vast array of features that you simply don’t need to provide a great customer experience. This means traditional IAM can be bloated and overcomplicated, and you’ll typically pay licensing fees for features you don’t even use. Worse still, it may be lacking in terms of user-friendliness.
Because their platform has grown over many years while serving a wholly different set of use cases, they are completely unprepared to provide a comfortable experience that can compete with the market’s status quo. Customers aren’t of two minds about this, and many will quickly abandon an unfamiliar or frustrating authentication process. There is nothing slick or “cool” about business IAM. It’s rigid and ugly and trying to make it approachable enough for customers simply isn’t worth the investment.
CIAM vs. IAM
|
IAM
|
CIAM
|
Type of user
|
Internal employees
|
Customers or partners
|
User experience
|
Emphasizes security over user experience
|
Balances security with customer experience
|
Authentication options
|
Determined by the organization, may include SSO (Single Sign-On)
|
May include social login, BYOI (Bring Your Own Identity)
|
Scale
|
Hundreds and thousands of users
|
Millions of users
|
Upgradability
|
Rigid and difficult to update
|
Dynamic and adaptable
|
Devices
|
Organization-managed devices
|
Any device
|
Integrations
|
Internal, central identity provider
|
Multiple decentralized identity providers
|
Privacy and data regulations
|
Personal data managed according to labor laws and human resources
|
Personal data managed according to consumer regulations
|
Read more on our CIAM vs IAM blog post.
CIAM Use Cases: B2B and B2C
While we’ve primarily discussed B2C (business-to-consumer) use cases, like shopping online or enjoying digital services, there’s another pillar of CIAM that doesn’t receive much attention. B2B (business-to-business) CIAM is used to provide a customer-friendly experience to users while still operating within the business context. For example, a B2B CIAM environment might be used to onboard external partners or other business associates who are not internal employees of the organization.
By providing this enterprise-focused hybrid of CIAM, companies can effectively control the user experience and identity lifecycle more effectively than if they used traditional IAM. CIAM also gives them more flexibility, allowing them to empower external IT teams to govern their own users. Similarly, since they’re dealing with external parties on third-party networks using unknown devices, CIAM’s tailored approach to authentication gives them a vast array of highly secure options, like 2FA or MFA, risk-based authentication and single sign-on. Lastly, CIAM features privacy and consent management options where traditional IAM does not — and, since this is intended for an external organization, it’s likely that they will wish to customize these to match their regulatory obligations.
B2C applications include basically everything else you can imagine, from online retail and subscription services to medical bill payment and government-issued ID renewals. Here are a few of the most common B2C CIAM use cases:
- Online shopping and retail
- Subscription media services (music, games and video)
- Financial services
- Gaming platforms
- Bill payment
- Medical and healthcare management
- Governmental organizations
In some cases, CIAM can even enter the “real world.” For example, a customer might need to respond to a request for authentication while visiting a brick-and-mortar store or while chatting with a call center. Although these channels aren’t the same as using an app or web browser, they’re still a part of that B2C CIAM environment.
The Road Forward for CIAM
In closing, consider the unique needs your organization and your customers have. Despite being the gold standard for decades, traditional IAM simply isn’t cut out for the user-friendly large-scale operations for which CIAM is explicitly designed. The Internet and the number of people who use it have grown exponentially over the last two decades, and the more recent shift to digital is ushering in a new era of authentication. It’s time to start thinking about what the customers of the future will expect from their identity experience.
What kind of control over preferences and privacy can you give your users? How many concurrent users will the CIAM solutions of the future support? How strong or secure can the authentication methods be? It’s these questions that the CIAM environments of the next generation seek to answer.