What is Customer IAM (CIAM)?
- Prabath Siriwardena
- Senior Director - Security Architecture - WSO2
Customer identity and access management (CIAM) has become a bit of a buzzword in recent years. There are numerous articles, blogs, and analyst reports that explain what CIAM is and define it in different ways. The goal of this blog is to present a one-line definition of CIAM from my perspective.
Before defining what it is, let’s be clear on why we need to worry about CIAM.
Digital transformation is all about improving customer experience. Digital technologies are redefining how we manage customer relations, introducing new rules and opportunities that were unimaginable only a few years ago. CIAM is an emerging area within IAM, and it is essentially a component of the digital customer experience.
The rest of the post is based on the statement above. That seems reasonable to me, and I haven't heard anyone question it. We can confidently presume that this is a widely agreed definition of CIAM's goal. Even if they don't say it the same way, many people who discuss CIAM have a similar perspective.
In one of its reports, Gartner defines CIAM more lightly as,
In my opinion, it’s not strong enough nor does it convey enough depth to reach the objective of CIAM. CIAM is more than managing customer identities traditionally. It must act as a catalyst for business growth by leveraging identity data.
More CIAM Definitions
If you Google it, you can find more definitions of CIAM. Not that they're all incorrect, but none of them, in my opinion, places enough emphasis on CIAM's objective. A couple of them are listed below.
Rather than reading CIAM as "managing customer identities", I prefer to read it as customer-focused IAM. The term "IAM" is well-defined. According to Gartner,
IAM that is customer-focused adds a lot of nuance to the definition of IAM. For example, unlike traditional IAM, when you focus on customers, you're likely to encounter millions of impatient users who are irritated by long forms and won't wait more than two seconds to log in to a system.
They will take any minor flaw in your system to social media and make a big deal out of it. The smallest amount of exposed customer information could cause a significant drop in your share price.
Yahoo!, for example, was hit by a series of data breaches a few years ago, exposing the personal information of over 1 billion users. That cost the company $350 million: to account for the probable backlash from the data breaches, Yahoo! had to reduce the sale price of its email and other digital services, which it sold to Verizon, from $4.83 billion to $4.48 billion.
Beyond Customer-focused IAM
Customer-focused IAM, dubbed CIAM, does not give enough weight to the idea that it should catalyze business growth. Unlike standard IAM, a CIAM system should be able to integrate with CRM systems, marketing platforms, e-commerce platforms, content management systems (CMS), data management platforms, and many other applications. In terms of business growth that we expect from having a CIAM solution, a customer-focused IAM system with no business integrations brings minimal value.
What is CIAM?
Customer-focused IAM does not necessarily mean you only manage customer identities. That's why I preferred "customer-focused IAM" over "managing customer identities". In a typical CIAM solution, in addition to direct customers, you also need to manage the identities of employees who have direct access to the CIAM solution, either by managing them in the CIAM solution itself or, preferably, by integrating with the IAM system that already manages employee identities. Also, not all CIAM solutions are just B2C (business-to-consumer); they can be B2B (business-to-business) or B2B2C (business-to-business-to-consumer) as well.
Prabath Siriwardena is an identity evangelist, an author, a blogger, and the former Deputy CTO (Security) at WSO2 with more than 13 years of industry experience in designing and building critical Identity and Access Management infrastructure for global enterprises, including many Fortune 100/500 companies.
As a technology evangelist, Prabath has published eight books, including Microservices Security in Action (Manning), OpenID Connect in Action (Manning), Advanced API Security (Apress) and Microservices for the Enterprise (Apress). He blogs on various topics from blockchain, PSD2, GDPR, and IAM to microservices security. He also runs a YouTube channel.