
CIAM: Codifying the Ever-Changing Keys to B2B Commerce

WSO2 Team | 12 Oct, 2022


An Intellyx BrainBlog by Jason English, for WSO2

WSO2 recently announced the release of its Private CIAM Cloud service, and it made me think about the changing role of personal identity versus business entity in today’s complex distributed software environments.

The CIAM space has evolved far beyond the traditional end user’s need for identity and access to applications in a B2C (business to consumer) scenario.

The ‘C’ in CIAM doesn’t just stand for ‘customer’ anymore. It is now an essential catalyst for businesses to work safely with any constituent: end customers, other businesses (B2B), employees (B2E), citizens, and even communications among API-enabled services.

Redefining the customer

Most customers think about identity primarily from an account setup and login perspective. As individual end users, we’ve all spent countless hours trying to recover and reset passwords, entering authentication codes, and solving captchas.

Secure, private and trusted identity management processes are still vitally important to consumers using a retail or e-commerce website, a banking app or an insurance account portal. Identity literally enables the flow of modern commerce. If a business fails to provide a safe process, or throws too many roadblocks into the user experience, customers will eventually take their business elsewhere.

A B2C application such as a healthcare portal has certain minimum requirements for identity: the ability to reliably authenticate the patient, and the ability to authorize which systems and information that patient has rights to. PII (personally identifiable information) must be kept confidential, accessible to no one other than the patient and the healthcare provider.

However, the patient portal or end customer’s account is just one perspective in a continuum of identity management that must support many more complex relationships behind the scenes of every business transaction or request for information.

Mapping the extended org with B2B identity

The days of vertically integrated enterprises are over. In supply chains for physical goods, nearly 100% of leading brands are outsourcing some or all responsibilities for raw materials, manufacturing, logistics and operations to a matrix of specialized groups and other companies.

Similarly, our software supply chains have become very distributed as well. No business is an island anymore, and the agility and cost benefits of sharing information and work among distributed teams and third-party suppliers are mirrored in our service-based, API-driven business applications.

Different business teams and partner companies will often have their own sets of applications and SaaS services, so B2B scenarios start from integration between systems as a core design consideration. Identity plays an equally important role in ensuring successful B2B application delivery.

Modern companies no longer fit within the monolithic departmental silos of old. People and teams may have different access and authorization needs for different software packages, and they may change roles or come and go from a project at any time. 

Admins need to assign policies that govern each entity, group or user within a multi-level hierarchy so they get the access needed to do their work, but never more than they need. A least-privilege approach tightly controls the boundary of authorizations: a compromised account or a malicious insider can reach only what that account was granted, and any attempt to cross from one authority domain into another stands out against the narrow policy as an anomaly that can be detected and investigated.

Delegated administration scenarios allow team leaders to hand off administrative rights to partners and even downstream business customers for very fine-grained levels of access to services and data for a given line of business, project or product. 

Delegation allows permissions to be nested across an extended B2B org that can include partners and even customers (let’s not call it B2B2B2C, but you get the point). 

For instance, a major automotive brand authorizes a partner who supplies an electronic dashboard system to access part of the car’s on-the-road network. That supplier in turn authorizes car dealer franchises to make onboard system adjustments for their customers, including deciding which systems and network resources those customers are authorized to self-administer.

Figure 1: This B2B scenario shows how a healthcare software company sysadmin might provide access directly to customer admins, while delegating nested admin rights to a reseller who administers system access to their own customers. Source: WSO2.

Getting B2E scenarios on board

For companies to grow and scale, they need the ability to provide their workforces with tailored access to company systems – whether they are direct employees or virtual hires through partners and contractors.

In essence, employees are end customers of the organization’s application estate, so a CIAM system that is good at managing complex B2C accounts should already have a head start on establishing employee accounts and access policies.

B2E access scenarios commonly start with the initial setup of employee onboarding. After that, information workers also need the ability to break out of organizational silos to form more flexible and collaborative groups. 

For instance, in a special project scenario, a field admin can provide temporary access to flexible ‘tiger teams’ from across the organization’s hierarchy to deliver a new service offering, or resolve a crisis situation.
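The Figure 1 scenario above (vendor sysadmin, reseller with nested admin rights, direct and indirect customer admins) together with the temporary tiger-team access just described, as an added example written for this page: it is not WSO2 code and does not use any product's API. It is a small Python model of delegated administration over a nested org tree, in which principals can be people or service accounts. The org names, principal names (including the service account svc:billing-api) and dates are constructed for illustration. It enforces the three rules a delegated-admin console needs: an admin can only grant within the subtree they administer, never more than they hold themselves, and never for longer than their own grant lasts.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Grant:
    """`principal` (a person or a service account) holds `permissions` on `org` and below."""
    principal: str
    org: str
    permissions: frozenset[str]
    can_delegate: bool = False          # may hand (a subset of) this grant further down
    expires_at: datetime | None = None  # None = standing access; set for temporary teams


class Directory:
    """Org tree plus grant store, with the checks a delegated-admin console needs."""

    def __init__(self, parents: dict[str, str | None]) -> None:
        self.parents = parents          # org -> parent org (None for the root)
        self.grants: list[Grant] = []

    def scope_of(self, org: str) -> set[str]:
        """`org` and every org above it: a grant on any of these covers `org`."""
        chain, cur = set(), org
        while cur is not None:
            chain.add(cur)
            cur = self.parents[cur]
        return chain

    def _live(self, principal: str, org: str, now: datetime) -> list[Grant]:
        """Unexpired grants of `principal` that cover `org`."""
        scope = self.scope_of(org)
        return [g for g in self.grants if g.principal == principal and g.org in scope
                and (g.expires_at is None or now < g.expires_at)]

    def effective_permissions(self, principal: str, org: str, now: datetime) -> frozenset[str]:
        return frozenset().union(*(g.permissions for g in self._live(principal, org, now)))

    def bootstrap(self, grant: Grant) -> None:
        """Root grant installed by the system owner: the only unchecked path."""
        self.grants.append(grant)

    def delegate(self, grantor: str, grant: Grant, now: datetime) -> None:
        """Let `grantor` issue `grant`; raises PermissionError if any rule fails."""
        delegating = [g for g in self._live(grantor, grant.org, now) if g.can_delegate]
        if not delegating:                      # rule 1: grantor must administer that subtree
            raise PermissionError(f"{grantor} cannot administer {grant.org}")
        allowed = frozenset().union(*(g.permissions for g in delegating))
        excess = grant.permissions - allowed    # rule 2: never more than the grantor holds
        if excess:
            raise PermissionError(f"{grantor} cannot grant {sorted(excess)} on {grant.org}")
        ceilings = [g.expires_at for g in delegating]
        if None not in ceilings:                # rule 3: cannot outlive the grants it rests on
            ceiling = max(ceilings)
            if grant.expires_at is None or grant.expires_at > ceiling:
                raise PermissionError(f"{grantor} cannot grant access past {ceiling:%Y-%m-%d}")
        self.grants.append(grant)


def build_scenario() -> tuple[Directory, datetime]:
    """Constructed sample org and grants mirroring Figure 1 (not real customer data)."""
    now = datetime(2022, 10, 12, tzinfo=timezone.utc)
    d = Directory({"vendor": None,             # healthcare software company (root)
                   "reseller": "vendor",       # partner that resells the product
                   "clinic_a": "reseller",     # the reseller's own customer
                   "clinic_b": "vendor"})      # a direct customer of the vendor
    d.bootstrap(Grant("vendor_sysadmin", "vendor", frozenset({"read", "write", "admin"}),
                      can_delegate=True))
    # Vendor hands nested admin rights to the reseller, but keeps "admin" to itself.
    d.delegate("vendor_sysadmin", Grant("reseller_admin", "reseller", frozenset({"read", "write"}),
                                        can_delegate=True), now)
    # Vendor serves its direct customer's admin itself, with no onward delegation.
    d.delegate("vendor_sysadmin", Grant("clinic_b_admin", "clinic_b", frozenset({"read", "write"})), now)
    # Reseller administers its own customer and one of its own service accounts.
    d.delegate("reseller_admin", Grant("clinic_a_admin", "clinic_a", frozenset({"read"})), now)
    d.delegate("reseller_admin", Grant("svc:billing-api", "reseller", frozenset({"read"})), now)
    # Tiger team drawn from across the org: access lapses by itself after seven days.
    d.delegate("vendor_sysadmin", Grant("tiger_team_dev", "clinic_a", frozenset({"read", "write"}),
                                        expires_at=now + timedelta(days=7)), now)
    return d, now


def denied(d: Directory, grantor: str, grant: Grant, now: datetime) -> bool:
    """True if the directory rejects the grant."""
    try:
        d.delegate(grantor, grant, now)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    d, now = build_scenario()
    print(sorted(d.effective_permissions("clinic_a_admin", "clinic_a", now)))            # ['read']
    print(denied(d, "reseller_admin", Grant("x", "clinic_a", frozenset({"admin"})), now))  # True
    print(denied(d, "reseller_admin", Grant("x", "clinic_b", frozenset({"read"})), now))   # True
    print(d.effective_permissions("tiger_team_dev", "clinic_a", now + timedelta(days=8)))  # frozenset()
```

Two design choices matter here. First, delegation is checked against the grantor's live grants at the moment of the grant, so an admin whose own rights have lapsed cannot keep minting access for others, and nothing a delegate issues can outlast the grant it was derived from. Second, permissions are evaluated by walking up the org tree, so the reseller's admin never has to be told about each clinic individually, yet cannot touch a clinic the vendor serves directly. A real CIAM deployment would add the audit log that records who granted what, since the chain of delegation is exactly what an investigator needs when an access decision turns out to be wrong.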

Identity between services

The advent of distributed service-based architectures and cloud infrastructure has led the IT industry at large to the conclusion that almost any feature we request from software should be an API call away.

APIs define the modern application, and they are being used to modernize existing applications and data services. According to the 2022 State of the API report, 51% of respondents say that more than half of their organization’s development effort is spent on APIs.

Access management between services is the next frontier for CIAM. Look for strategies that map the same interconnected organizational hierarchies, partner and customer systems included, onto an access management framework in which the services themselves are principals with identities, scopes and delegation rules of their own.

The Intellyx Take

Your leading analyst firm may call it CIAM. But especially in an API-driven software world, the ‘customers’ of identity and access management are more than one type of constituent, each with its own distributed application consumption scenarios that must be served.

For end customers (B2C scenarios), identity management needs to protect the privacy and integrity of user accounts while getting in the way of revenue-generating services as little as possible.

For business applications (or B2B/B2E and system access scenarios) identity and access management is a core element of an overall data sovereignty and security posture across the extended application estate, including all types of entities and groupings of business partners, employees, and services.

Fortunately, common identity standards, open source products and commercial service offerings are arising to address this critical current need without requiring the enterprise to invest in hordes of developers to roll their own CIAM solutions.