19 Jan, 2022 | 3 min read

A Maturity Model for Customer IAM

  • Prabath Siriwardena
  • Senior Director - Security Architecture - WSO2

The main objective of Customer IAM (CIAM) is to drive revenue growth by leveraging identity data to acquire and retain customers. It will build an identity-centric ecosystem to nurture an anonymous website visitor into a well-known loyal customer. We have come across multiple phases in the past, and today at the age of the customer, identity has become the glue for all contextual marketing. In doing that, in our journey towards CIAM, we face multiple challenges.

In a typical workflow, many follow to onboard a customer, we start with an anonymous website visitor, then nurture this anonymous website visitor to a lead, and a qualified lead — and finally to a customer. There can be multiple variations of this flow, and we could be using multiple channels to onboard customers. When we have multiple channels, multiple points of connections, and data sources, that could lead us into a new set of challenges.

Data related to the anonymous users may reside under marketing data sources, data concerning leads and sales might be under Customer Relationship Management (CRM) data sources, and the identity data of customers would be under the IAM system. Unless managed consciously, with this approach, we’ll end up having siloed data sources — and those siloed data sources may not know how to talk to each other.

52% of marketing leaders responsible for data and analytics believe data integration and data management are the most time-consuming activities, and also over ⅓ of marketers say their inability to integrate data is the biggest obstruction or the challenge to the success of their analytics teams.

Protecting consumer data at a large scale brings in another set of challenges. Unlike in workforce IAM, in a typical CIAM system, we work with millions of users. We need to worry about how we securely store the personally identifiable information (PII) of these users and preserve privacy. When you handle any customer data, security should be one of the topmost priorities. You need to worry about how your CIAM system stores and processes PII, how the system talks to external systems, and also how the communications happen among the components of the CIAM system itself.

Also, from customers’ point of view, they do expect some control around how you collect, store, manage, and share their personal data. Any misuse of customer data, whether deliberate or not, can significantly damage brand equity.

Yahoo!, for example, was in the middle of a series of data breaches a few years back, that exposed the personal data of more than 1 billion users. That did cost the company $350 million. They had to lower the sales price of its email and other digital services, which they sold to Verizon from $4.83 billion to $4.48 billion to account for the potential backlash from the data breaches.

Over time we have spoken to hundreds of customers, and probably thousands of leads. From all those conversations, what we have learned is, different customers are at different levels of maturity, in building a CIAM solution. Some even don’t know they are doing CIAM. In the sections to follow, we discuss five maturity levels.

Level-0, Nonexistent

Most businesses do start with level-0, or Nonexistent. At this level, you don’t worry about tracking any customer interactions. Probably you don’t have an online portal and probably you don’t do any sales online. In case you have an online portal, you may use it only to share your product and contact information — and would not expect any dynamic customer interactions. Probably you may use systems like Viber, WhatsApp, or a phone line to accept orders, but you don’t worry about tracking who places which order.

Many restaurants, taxi services, retail stores, and family businesses follow this model at the start. When you walk into a restaurant, no one knows about you, even if it’s the same restaurant you are going back to again and again, each time, you need to pick where you want to be seated and what you want for the meal.

The same applies to many taxi services, other than Uber and Lyft. Whenever you order a taxi, you need to share the address you need to go to. You can’t just say drop me home — or drop me to the office.

Level-1, Managed Identity

At level-1 — or the Managed Identity phase, you only worry about onboarding your customers to the system and digitally managing their identities.

The businesses that operate under the level-1 maturity level have a varying level emphasis on how they want to manage their customer identities. One may only worry about onboarding customers via an online portal and then letting them authenticate to the system via username and password. Another business would worry about integrating with social identity providers for registration, enabling strong authentication options with adaptive authentication, integrating with risk engines, identity analytics, and so on.

What you do in this phase is distributed across a broader spectrum, but still, you only worry about digitally managing your customer identities. No CRM system in place, no customer preference management system in place.

Most of the companies, who are starting to work towards a digital strategy are in this phase or at least start with this phase. Then again, the question is, how long do you want to be in this phase?

We’ve worked with many companies, who’ve been in this phase for years — and some even for more than a decade. What we have seen is, the more you are in this phase, you start building disconnected identity silos, and you find it harder to move out from this phase.

You may use a federation between applications and an identity provider but still will end up having multiple federation silos, probably by different departments. Each department may have its identity store and identity provider, which will result in duplication of identity information, across the company.

Level-2, Siloed

Level-2 is one step forward from the managed identity phase. Here you have an identity management system in place, and you also worry about having a CRM system, a marketing platform, an e-commerce platform, a content management system, a data management platform, and many more to know about your customers better. This does not necessarily mean that all the businesses in this maturity level have all these systems in place. Probably you start with a CRM system, and then gradually move into others.

One deficiency we see in the businesses in this phase is, even though they collect customer data at different contact points, the data sources are disconnected and do not help in building a unified profile for a given customer.

When you want to generate a report across multiple data sources, that would require a high labor-intensive process with human involvement. And even in some cases, you may fail to find a correlation among different data sources.

This is the phase we see a business would start worrying about a CIAM system. Once you are in this phase you’ll understand the benefits of building a unified view of a customer — and at the same time, you’ll start realizing the deficiencies in your current system that prevent you from getting there.

Level-3, Connected

The level-3 is the connected phase. This is the phase where you start integrating your IAM system with your CRM system, marketing platform, e-commerce platform, content management system, data management platform, and many more. This helps in building a unified view of your customer. For example, you can see how long it took to nurture an anonymous lead to a loyal customer.

Progressive profiling is a key feature we see in this phase. When you onboard a customer, you only request a minimal set of information, but as he or she starts using the system, the system will start learning more. The system can learn more from the user’s behavior or else directly ask the user for inputs. Irrespective of how the system learns about the user, it will feed those data into the IAM system using an API.

This helps the IAM system to make much-informed decisions, concerning the user’s actions — as well as share a unified profile of the user across all the applications.

Another advantage you see in integrating IAM with other business platforms is that you can track the customers across multiple platforms or multiple devices. Most of the marketing platforms track users by cookies. When you use cookies, you can’t track a user across multiple devices. But, having your marketing platform integrated with the IAM system, helps you identify user interactions across devices.

This is one reason, I would say arguably, why Google introduced Gmail. You are always logged into your Gmail account (and also to the browser), so Google can correlate your search patterns with your identity — and they can do that across all the devices. Then Apple ID, probably introduced for the same reason. When you use Apple ID, Apple knows, which apps you use from your mobile device, as well as outside of your mobile device.

To build a CIAM solution in this phase, you would need more than an Identity Provider. You need to worry about integrating systems, exposing data as APIs, managing those APIs, and many more. This is why we see many customers in this phase work with system integrators to build a CIAM solution if they do not have a strong development team in-house.

Level-4, Optimized

Finally, the level-4 or the optimized phase. Omnichannel access is a key feature we see in the businesses that operate at this level. In an omnichannel environment, the customers interact with the business via multiple channels, but will still get a seamless — continuous user experience. For example, if you use the Newsweek iPhone app to highlight some content, once you view the same from the web, you should find it still highlighted.

Amazon took the retail order placing system to the next level with Alexa. If you are an Amazon customer, you can place an order via its website, mobile app, Alexa, or via kindle. When Amazon announced Amazon Books, a few years back, they intended to bring the same digital experience (from the web) to the physical world. If you visit an Amazon Bookstore, you will see the book reviews, ratings, and many other digital-only features there.

Amazon Go uses sensors to track items as we put them into the cart or return them to the shelf and finally your Amazon account gets automatically charged, with no cashier involved. When you enter into the Amazon Go store the system seamlessly authenticates you via the Amazon Go mobile app. This is the next level of omnichannel experience Amazon is building.

The CxO dashboards are another key feature we see in this phase of CIAM. The CxO dashboards get updated in near real-time, with the data concerning the current status of the business and also the predictions derived from integrating with machine learning systems.

Also in this phase machine learning and behavioral analytics are being used to suggest how you can design better, more effective UX A/B testing for user registration and login flows.

We only see a small percentage of companies at this optimized level.

    WSO2 has released an early adopter version of Asgardeo, an IDaaS that sets new industry standards for enabling developers without security expertise to easily embed CIAM features into their apps within minutes. Try out Asgardeo's free trial or discover more about its features here or why not join the IAM4DEVS community to get the latest tips and tricks on all things Identity!

    Alternatively, if you’re looking for an enterprise grade, API driven, open source solution that can manage millions of user identities without spiraling costs please view WSO2 Identity Server

Guest Author

Prabath Siriwardena is an identity evangelist, an author, a blogger, and the former Deputy CTO (Security) at WSO2 with more than 13 years of industry experience in designing and building critical Identity and Access Management infrastructure for global enterprises, including many Fortune 100/500 companies.

As a technology evangelist, Prabath has published eight books, including Microservices Security in Action (Manning) , OpenID Connect in Action (Manning), Advanced API Security (Apress) and Microservices for the Enterprise (Apress). He blogs on various topics from blockchain, PSD2, GDPR, IAM to microservices security. He also runs a YouTube channel.