17 Sep, 2020 | 3 min read

A Maturity Model for CIAM

  • Prabath Siriwardena
  • Senior Director - Security Architecture - WSO2

The main objective of customer IAM (CIAM) is to drive revenue growth by leveraging identity data to acquire and retain customers. It builds an identity-centric ecosystem to nurture an anonymous website visitor into a well-known, loyal customer. Today, in the age of the customer, identity has become the glue for all contextual marketing. However, in an enterprise’s journey towards CIAM, there are multiple challenges.

In a typical workflow, when onboarding a customer, we start with an anonymous website visitor and then nurture this individual to become a lead, a qualified lead, and finally a customer. There can be multiple variations of this flow, and we could use multiple channels to onboard customers. These varied channels, points of connections, and data sources present a new set of challenges.

Data relating to anonymous users can reside under marketing data sources. Data with respect to leads and sales might be under customer relationship management (CRM) data sources, and the identity data of customers would be in the IAM system. With this approach, a company could end up having siloed data sources — and those siloed data sources may not know how to talk to each other.


52% of marketing leaders responsible for data and analytics believe data integration and data management are the most time-consuming activities, and also over of marketers say their inability to integrate data is the biggest obstruction to the success of their analytics teams.

Protecting consumer data at large scale brings in another set of challenges. Unlike in workforce IAM, in a typical CIAM system, a company may have to work with millions of users. We need to worry about how we securely store the personally identifiable information (PII) of these users and preserve privacy. When you handle any form of customer data, security should be the key priority. You need to worry about how your CIAM system stores and processes PII, how the system talks to external systems, and also how communications happen among the components of the CIAM system itself.

Also, from the customers’ point of view, they expect control over how you collect, store, manage, and share their data. Any misuse of customer data, whether deliberate or not, can significantly damage brand equity. For example, a few years ago, Yahoo! experienced a series of data breaches that exposed the PII of more than 1 billion users. This cost the company about $350 million: owing to the breaches, Yahoo! had to lower the sale price of the email and other digital services it sold to Verizon from $4.83 billion to $4.48 billion, to account for the potential backlash.

Over time, we have spoken to hundreds of customers, and probably thousands of leads. From all those conversations, what we have learned is that different customers are at different levels of maturity in building a CIAM solution. Some of them don’t even know they are implementing CIAM. In the sections to follow, we discuss five maturity levels.

Level 0: Nonexistent

Most businesses start with level 0, or Nonexistent. At this level, you don’t worry about tracking any customer interactions. You probably don’t have an online portal and don’t do any sales online. In case you have an online portal, you may use it only to share your product and contact information — and would not expect any dynamic customer interactions. You may use systems such as Viber, WhatsApp, or a phone line to accept orders, but you don’t worry about tracking who places which order.

Many restaurants, taxi services, retail stores, and family businesses follow this model at the start. When you walk into a restaurant, no one knows about you, and even if you go back again (and again), you need to pick where you want to be seated and what you want for the meal.

The same applies to many taxi services other than Uber and Lyft. Whenever you order a taxi, you need to share the address you want to go to. You can’t just say “take me home” or “take me to the office”.

Level 1: Managed Identity

At level 1, the Managed Identity phase, you only worry about onboarding your customers to the system and digitally managing their identities. Businesses at this level place varying degrees of emphasis on how they manage customer identities. One may only worry about onboarding customers via an online portal and then letting them authenticate with usernames and passwords. Another will go further: integrating with social identity providers for registration, enabling strong authentication options with adaptive authentication, integrating with risk engines, performing identity analytics, and so on.

What you do in this phase therefore spans a broad spectrum, but the focus is still only on digitally managing your customer identities. There’s no CRM or customer preference management system in place. Most companies working towards a digital strategy are in this phase (or at least start with it). The question, then, is how long you want to stay at this level.

We’ve worked with many companies that have been in this phase for years, and with some that have been in it for more than a decade. What we have seen is that the longer you stay in this phase, the more disconnected identity silos you build, and the harder it becomes to move out.

You may use federation between applications and an identity provider, but you will still end up with multiple federation silos, probably one per department. Each department may have its own identity store and identity provider, which results in identity information being duplicated across the company, with no single place to disable an account or correct an attribute.

Level 2: Siloed

Level 2 is one step forward from the managed identity phase. Here, you have an identity management system in place, and you also worry about having a CRM system, a marketing platform, an e-commerce platform, a content management system, a data management platform, and more, to get to know your customers better. This does not necessarily mean that every business at this maturity level has all these systems in place. You probably start with a CRM system and then gradually move into the others.

One deficiency we see in businesses in this phase is that, even though they collect customer data at different contact points, the data sources are disconnected and do not help build a unified profile for a given customer.

When you want to generate a report across multiple data sources, that requires a labor-intensive, largely manual process. And in some cases you may fail to find any correlation among the different data sources at all, because nothing reliably ties a record in one store to the same person in another.
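The two symptoms above, identity information duplicated across departmental federation silos and disconnected data sources that cannot be correlated into one customer view, are both things you can measure. The following is an added example, not code from the original post or from WSO2: it joins four constructed in-memory "stores" (two departmental identity providers, a CRM and the central IAM system) on a canonicalised e-mail address and reports which identities are unknown to central IAM and which people hold accounts in more than one identity store. The store layouts, field names and the assumption that "+tag" sub-addresses collapse to the base mailbox are all illustrative.

```python
"""Reconcile customer identities scattered across siloed stores.

Added example, not code from the original post or from WSO2. The four
in-memory "stores" are constructed sample data standing in for two
departmental identity providers, a CRM and the central IAM system; in a
real deployment each would be an LDAP, SCIM or REST lookup.
"""
from collections import defaultdict

# Constructed sample records. Casing, stray whitespace and "+tag" sub-addresses
# differ between silos, which is exactly what defeats a naive join on e-mail.
SALES_IDP = [
    {"uid": "a1", "email": "Alice@Example.com"},
    {"uid": "b2", "email": " bob+promo@example.com"},
]
SUPPORT_IDP = [
    {"uid": "s-7", "email": "alice@example.com"},
    {"uid": "s-8", "email": "carol@example.com"},
]
CRM = [
    {"contact_id": "C-100", "email": "alice@example.com", "stage": "customer"},
    {"contact_id": "C-101", "email": "Bob@example.com", "stage": "lead"},
    {"contact_id": "C-102", "email": "dave@example.com", "stage": "qualified"},
]
CENTRAL_IAM = [
    {"sub": "u-001", "email": "alice@example.com"},
    {"sub": "u-003", "email": "carol@example.com"},
]

# store name -> (records, e-mail field, identifier field)
STORES = {
    "sales_idp": (SALES_IDP, "email", "uid"),
    "support_idp": (SUPPORT_IDP, "email", "uid"),
    "crm": (CRM, "email", "contact_id"),
    "central_iam": (CENTRAL_IAM, "email", "sub"),
}


def normalize_email(addr):
    """Canonicalise an address so one person keys the same way in every silo.

    Assumption for this example: "+tag" sub-addresses map to the base mailbox.
    Whether that holds depends on the mail provider, so confirm it for your
    own domains before relying on it as a join key.
    """
    local, _, domain = addr.strip().lower().partition("@")
    local = local.split("+", 1)[0]
    return f"{local}@{domain}"


def reconcile(stores):
    """Index every record by canonical e-mail: {email: {store: [ids]}}."""
    index = defaultdict(lambda: defaultdict(list))
    for name, (records, email_field, id_field) in stores.items():
        for rec in records:
            index[normalize_email(rec[email_field])][name].append(rec[id_field])
    return index


def report(index, identity_stores, authority):
    """Classify identities for the security and data teams.

    linked     - known to the authoritative IAM system
    unlinked   - present in some silo but unknown to central IAM, so nobody
                 can deprovision or correct these consistently
    duplicated - the same person holds accounts in more than one identity store
    """
    findings = {"linked": [], "unlinked": [], "duplicated": []}
    for email, per_store in index.items():
        bucket = "linked" if authority in per_store else "unlinked"
        findings[bucket].append(email)
        if sum(1 for s in identity_stores if s in per_store) > 1:
            findings["duplicated"].append(email)
    return {k: sorted(v) for k, v in findings.items()}


if __name__ == "__main__":
    idx = reconcile(STORES)
    for kind, emails in report(idx, ("sales_idp", "support_idp"), "central_iam").items():
        print(f"{kind:10s} {emails}")
```

On the sample data, Bob and Dave come out as unlinked (they exist in a departmental IdP or the CRM but central IAM has never heard of them) and Alice is duplicated across the sales and support identity providers. In practice the join key is the hard part: an e-mail address is the best you usually have at level 2, and the point of moving to level 3 is to replace it with a stable subject identifier issued by the IAM system.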

This is in fact the phase where we see companies start to think seriously about a CIAM system. Once you are in this phase, you’ll understand the benefits of building a unified view of a customer, and at the same time you’ll start realizing the deficiencies in your current systems that prevent you from getting there.

Level 3: Connected

Level 3 is the connected phase. This is the phase where you start integrating your IAM system with your CRM system, marketing platform, e-commerce platform, content management system, data management platform, and many more.

This helps in building a unified view of your customer. So, you can see how long it took to nurture an anonymous lead to a loyal customer.

Progressive profiling is also part of this phase. When you onboard a customer, you request only a minimal set of information; as they start using the system, the system learns more. It can learn from the user’s behavior, or it can ask the user directly for input. Irrespective of how the system learns about the user, it feeds that data into the IAM system through an API.

This helps the IAM system make better-informed decisions about the user’s actions, and lets it share a unified profile of the user with all the applications.

Another advantage of integrating IAM with other business platforms is that you can track customers across multiple platforms and devices. Most marketing platforms track users through cookies, but a cookie identifies one browser on one device, so cookies alone can’t follow a user across devices. Having your marketing platform integrated with the IAM system, where the user actually authenticates, lets you identify the same user’s interactions across devices.
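The two ideas above, progressive profiling and resolving per-device cookies to one authenticated identity, fit in one small model. The following is an added example, not code from the original post or from WSO2: an in-memory IAM-side store that parks events under their cookie while the visitor is anonymous, binds each cookie to the subject when that user authenticates, replays the parked events onto the unified profile, and enriches the profile both from observed behavior and from attributes the user is asked for later. The event shape, attribute names and the erase() hook are assumptions made for the example, not any product’s API.

```python
"""Cross-device identity resolution with progressive profiling.

Added example, not code from the original post or from WSO2. A marketing
platform sees only per-device cookies; once the customer authenticates, the
IAM-side store below binds each cookie to the authenticated subject and
attributes everything that cookie saw (on any device) to one profile. The
event shape, attribute names and the erase() hook are assumptions made for
the example, not any product's API.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Profile:
    user_id: str
    # attribute -> {"value": ..., "source": "declared" | "observed"}
    attributes: dict = field(default_factory=dict)
    devices: set = field(default_factory=set)
    events: list = field(default_factory=list)


class CiamStore:
    def __init__(self):
        self.profiles = {}
        self.cookie_to_user = {}             # populated only after authentication
        self.anonymous = defaultdict(list)   # cookie -> events seen before login

    def register(self, user_id, **declared):
        """Onboard with the minimal set of declared attributes."""
        profile = self.profiles.setdefault(user_id, Profile(user_id))
        for key, value in declared.items():
            profile.attributes[key] = {"value": value, "source": "declared"}
        return profile

    def track(self, cookie, device, name, **props):
        """Ingest a channel event keyed by cookie, as a marketing platform would."""
        event = {"cookie": cookie, "device": device, "name": name, **props}
        user_id = self.cookie_to_user.get(cookie)
        if user_id is None:
            self.anonymous[cookie].append(event)   # park until we know who this is
        else:
            self._attribute(user_id, event)

    def login(self, cookie, device, user_id):
        """Called only after authentication succeeds: bind cookie -> subject, replay."""
        if user_id not in self.profiles:
            raise KeyError(f"unknown subject {user_id}")
        self.cookie_to_user[cookie] = user_id
        self.profiles[user_id].devices.add(device)
        for event in self.anonymous.pop(cookie, []):
            self._attribute(user_id, event)

    def ask(self, user_id, key, value):
        """Progressive profiling by asking: a declared value always wins."""
        self.profiles[user_id].attributes[key] = {"value": value, "source": "declared"}

    def erase(self, user_id):
        """Customer-initiated deletion: drop the profile and every cookie binding."""
        self.profiles.pop(user_id, None)
        for cookie in [c for c, u in self.cookie_to_user.items() if u == user_id]:
            del self.cookie_to_user[cookie]

    def _attribute(self, user_id, event):
        profile = self.profiles[user_id]
        profile.devices.add(event["device"])
        profile.events.append(event)
        # Progressive profiling by observation: learn interests from behaviour,
        # recorded as "observed" so they never masquerade as something the user said.
        category = event.get("category")
        if category:
            interests = profile.attributes.setdefault(
                "interests", {"value": [], "source": "observed"})
            if interests["source"] == "observed" and category not in interests["value"]:
                interests["value"].append(category)


def demo():
    """Two devices browse anonymously, then log in; everything lands on one profile."""
    store = CiamStore()
    store.register("u-42", email="alice@example.com")
    store.track("ck-phone", "iphone", "view", category="running-shoes")   # anonymous
    store.track("ck-laptop", "macbook", "view", category="jackets")       # anonymous, other device
    store.login("ck-phone", "iphone", "u-42")
    store.login("ck-laptop", "macbook", "u-42")
    store.track("ck-laptop", "macbook", "purchase", category="jackets")
    store.ask("u-42", "shoe_size", "42")
    return store


if __name__ == "__main__":
    print(demo().profiles["u-42"])
```

Two design points matter here for security rather than marketing. The cookie-to-subject binding is created only in login(), i.e. only after the IAM system has authenticated the user, never on a self-asserted identifier from the client; and the moment a cookie is bound it stops being an anonymous tracking token and becomes PII, so it must fall under the same retention, consent and deletion handling as the profile itself, which is why erase() removes the bindings along with the profile.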

Arguably, this is one reason why Google introduced Gmail. You are always logged into your Gmail account (and also into the browser), so Google can correlate your search patterns with your identity, and can do so across all of your devices. Apple ID was probably introduced for the same reason: when you use an Apple ID, Apple knows which apps you use on your mobile device, as well as outside of it.

To build a CIAM solution in this phase, you need more than an identity provider. You need to worry about integrating systems, exposing data as APIs, managing those APIs, and more. This is why we see many customers in this phase work with system integrators to build a CIAM solution when they do not have a strong development team in-house.

Level 4: Optimized

Finally, level 4, the Optimized phase. Omnichannel access is a key feature we see in companies that operate at this level. In an omnichannel environment, customers interact with the business via multiple channels but still get a seamless, continuous user experience. For example, if you use the Newsweek iPhone app to highlight some content, when you view the same content from the web, you should find it still highlighted.

Amazon in fact took retail order placement to the next level with Alexa. If you are an Amazon customer, you can place an order via its website, mobile app, Alexa, or Kindle. When Amazon announced Amazon Books a few years back, its intention was to bring the same digital experience to the physical world. If you visit an Amazon bookstore, you will see book reviews, ratings, and many other digital-only features there.

Amazon Go uses sensors to track items as shoppers put them into the cart or return them to the shelf, and finally the shopper’s Amazon account is charged automatically, with no cashier involved. This is the next level of omnichannel experience Amazon is building.

CXO dashboards are another key feature we see in this phase of CIAM. These dashboards are updated in near real time with data on the current status of the business, as well as predictions derived from integration with machine learning systems.

Also in this phase, machine learning and behavioral analytics are used to suggest how you can design better, more effective A/B tests for user registration and login flows. We see only a small percentage of companies at this optimized level.

CIAM is a key enabler for digital transformation. Tracking anonymous users to turn them into meaningful prospects may start out as a CMO requirement, but for enterprises to gain and retain customers, CIAM is a pivotal component of the architecture that connects applications and APIs to users. Each enterprise is on its own journey, but it is important to understand the gaps it could experience at each level.

Interested in a free consultation on how you can take your enterprise to the next maturity level in CIAM? Get in touch and we will get back to you.