Customer IAM (CIAM) - Turning Identity Data Into Gold!

  • By Prabath Siriwardena
  • 8 Apr, 2018

Transforming the customer experience is at the heart of digital transformation. Digital technologies are changing the game of customer interactions, with new rules and possibilities that were unimaginable few years ago. Customer Identity and Access Management (CIAM) is an emerging area in IAM, which is an essential ingredient for creating digital customer experiences. Today’s increasingly sophisticated customers view digital interactions as the primary mechanism for interacting with brands and, consequently, expect deeper online relationships delivered simply and seamlessly.

Furthermore, customers expect some control around how firms collect, store, manage, and share their profile data. With competition only a click away, your firm’s misuse of customer data, whether deliberate or inadvertent, can significantly damage brand equity. Yahoo! was in the middle of a series of data breaches in the last couple of years, exposing personal information of more than 1 billion users and this cost the company $350 million. Yahoo had to lower the sales price of its email and other digital services to Verizon Communications from $4.83 billion to $4.48 billion to account for the potential backlash from the data breaches.

The role CIAM plays in an enterprise today has the same weight a business API has had in the industry for several years. In 2013, 90% of Expedia’s business was coming through its APIs. Salesforce generates almost 50% of its annual $3 billion in revenue through APIs, while at eBay APIs contribute 60% of the annual revenue. In the same way that APIs became the public face of your company, CIAM drives revenue growth by leveraging identity data to acquire and retain customers. It’s your new public face! CIAM builds, and drives, the layer of interactions with the customer.

According to the latest Forrester report on CIAM, 67% of the Asia Pacific market, 64% of the North America market and 54% of the Europe market have adopted CIAM.

Workforce IAM vs. CIAM

Customer-focused IAM systems are different from their traditional IAM (workforce IAM) counterpart. Workforce IAM looks inward. It focuses on B2E (business-to-employee) and B2B (business-to-business) interactions. The goal of workforce IAM is to reduce the risk and cost associated with on-boarding and off-boarding employees, partners, and suppliers, while the purpose of customer IAM (CIAM) is to help drive revenue growth by leveraging identity data to acquire and retain customers. If CIAM processes are cumbersome, customers will go to your competitors where these processes are more streamlined or easier to use. The same is not true of employees. Very few employees leave their employer because business-to-employee (B2E) IAM processes are archaic or difficult to use.


In B2E IAM, on-boarding is the responsibility of the employer, while in B2C it’s mostly self-service. In other words, for employees, the HR department initiates the on-boarding process and remains the owner of user accounts, while for customers, it can be any of the following cases:

  • A person who anonymously shows interest in products and services offered by your company. For example, this person may visit the Toyota website and look for all the Corolla models available for lease. This is useful information to nurture an anonymous visitor such as this into a customer. You have no clue who this person is, but you can track, via cookies, when the same person visits the site repeatedly, and personalize the site to fit his/her expectations — which could possibly lead him/her to engage with the company.
  • A person who fills in a contact form for an inquiry or to use free services offered by the company, simply by sharing their contact information. For example, a user may download a product or a white paper by providing his/her contact information, or a person may register for a company event by completing an online form. You would probably not call this person a customer — rather a lead. Leads are people who may be interested in your product or service; the hope is that they will eventually become customers.
  • A person who has bought some product or service from your company — and now wants to sign up to consume the company’s services online. Account verification is involved in this process, to make sure that the person signing up is the same customer who bought the product or service before. Account verification is part of the know your customer (KYC) process. KYC is the process of a business identifying and verifying the identity of its clients. The term is also used to refer to bank and anti-money laundering regulations which govern these activities. Support for know your customer/account verification is a key part of a CIAM system, triggered during the on-boarding process.
  • A person who signs up directly with the company through an online portal. Many e-commerce applications and online retailers follow this approach.
  • A person who signs up via a known public identity provider. This vastly reduces the initial barrier to registration — and there are multiple studies which confirm the huge success rate in user registration after integrating with known public identity providers (such as Facebook, Google, and Microsoft Live).

In a CIAM system, most of the time on-boarding happens via an online registration form. Even in the case where you fetch user attributes required for registration via a third party identity provider, the last leg of the registration will include some sort of a form submission. The user experience of the customer on-boarding portal is among the top priorities of a CIAM system.

Security vs. usability is a long-lasting debate, and finding the right balance is extremely hard. Someone I met from the Google Chrome security team mentioned that they can spend months collecting feedback merely to change the colors and find the right alignment of the text on the page Chrome displays to the user when it discovers that a web site's public certificate is not valid. To avoid automated form submissions and spam, many on-boarding portals use a CAPTCHA. A CAPTCHA plays a key role in customer conversion rates. People hate spam — but people hate CAPTCHA too! Over time it has been proven that even the hardest CAPTCHAs can be solved by state-of-the-art machine learning algorithms. Many companies have shared their experience with CAPTCHA, and the one thing they have in common is that after introducing CAPTCHA, the customer conversion rate dropped sharply. With the new reCAPTCHA from Google, a significant number of users can now attest they are human without having to solve a CAPTCHA; instead, with a single click they confirm they are not a robot. Google reCAPTCHA takes away most of the challenges enterprises face in customer on-boarding and provides the right balance between usability and security.

Progressive Profiling

A CIAM system provides the ingredients to nurture an anonymous user into a well-known customer. Progressive profiling is the process by which a system learns about a customer in a progressive manner. First, the anonymous user is just a visitor to the company web site. His/her preferences can be tracked via cookies and the company can promote content that is interesting to him/her. At one stage, the anonymous user will become a lead, by completing a contact form. Now the CIAM system has the opportunity to link all the preferences tracked against the anonymous user with the new lead. Over time the preferences of the lead can be tracked in a more meaningful way — and the company’s marketing/sales team can work in a collaborative manner to make him/her a customer. At this point you collect the most reliable data about the customer — with proper verification. From there onwards, the CIAM system keeps tracking customer preferences — and produces more meaningful data for company management to make much better informed decisions. Once the customer decides to sign up with credentials (maybe to use the company’s online portal), the CIAM system has the opportunity to track and relate all user interactions together to build one unified user profile.


Authentication in a CIAM system differs in many ways from a traditional IAM (workforce IAM) system. Let’s walk through the differences and the similarities:

  • Social login is a key success factor in CIAM and a good CIAM system should support login with multiple social identity providers. 88% of customers in the US claim to have logged into a web site or a mobile application using social login. Workforce IAM systems do not encourage social login — it’s treated as a high risk factor as the enterprise has no control over how the user credentials are stored and managed by a 3rd party identity provider. The same risk factor is present in CIAM. But, then again, it’s a compromise between convenience and security. It also depends on which vertical we are talking about - for example, financial institutions do not even worry about integrating social login.
  • Strong authentication is encouraged both in CIAM and workforce IAM. Workforce IAM systems rely on hardware tokens for MFA (multi-factor authentication), while CIAM systems at large scale use soft tokens like OTP over SMS/email or TOTP (Google Authenticator). Both Google and LinkedIn use FIDO U2F internally for employee authentication. FIDO U2F is on its way to becoming the de facto standard for multi-factor authentication. Yubico is one of the top vendors that builds FIDO U2F compliant security keys. Even though FIDO is not mainstream in the CIAM market yet, with the support from Google and Facebook, it shows some promise in the mass market.
  • 41% of customers in the US are interested in password-less authentication. Almost all consumer mobile applications produced by vendors in the financial, retail, and airline domains support login with Touch ID.
  • Risk-based authentication is a non-static authentication system which takes into account the profile of the agent requesting access to the system to determine the risk profile associated with that transaction. The risk profile is then used to determine the complexity of the challenge. Based on risk factors, the system will decide whether to use SMS OTP — or use knowledge based authentication (KBA). To determine the risk of the transaction, the authentication system may use a risk engine, which takes into consideration the geographical location the transaction is initiated from, the frequency, the value of the transaction, and many other things.
  • Workforce IAM systems use stricter account locking policies compared to CIAM systems in instances of failed login attempts. CIAM systems may use a CAPTCHA or an auto unlock after some time. Workforce IAM systems probably need the IAM administrators' help to unlock an account.
  • Single Sign On (SSO) is a must in a CIAM system when you have multiple portals to perform business functions. For example, if you are a PG&E (The Pacific Gas and Electric Company) customer, you might have noticed that when you want to view your current electricity/gas usage, you are redirected to from the — but you retain the same login session. Also, if you are a publisher with multiple news publications, you will let your customers browse between them with a single login session.

Self-service Portal

The audience of the self-service portal in a CIAM system is the customer. It is the one-stop shop for a customer to view/update his/her profile, manage consent given to third party applications, reset their password, manage credentials, manage preferences, configure account recovery options, view concurrent login sessions, view activity logs, request a data export, associate social logins, etc. Security and compliance are two important aspects of CIAM. If you are familiar with the General Data Protection Regulation (GDPR), you might have already noticed that some of the self-service portal functions listed above are driven by it.

CxO Dashboard

One of the key objectives of CIAM is to drive revenue growth by leveraging identity data to acquire and retain customers. The audience of the CxO dashboard is comprised of corporate executives who are keen on tracking revenue growth from multiple angles. The CxO dashboard, which talks to multiple data sources, focuses on building insights around the following:

  • the growth of customers/leads over time
  • the growth of the customer/lead base over time
  • active customers/leads over time
  • customers/leads by geography
  • the conversion rate over time from leads to customers
  • the business functions most frequently used by customers/leads
  • the conversion rate over time from existing customers to online customers
  • inactive customers/leads by age (inactivity) by region
  • customers/leads access patterns by channel (web/mobile)

Security, Compliance, and Fraud Detection

Any CIAM system should make security its topmost priority. Any kind of security breach at this layer would have a direct impact on the company’s revenue and reputation. As organizations grow, more and more customer identity data is collected to make more personalized, context-based decisions. This can be personally identifiable information or contextual information. Whatever it is, organizations are bound to follow rules and regulations enforced by governments and different industry bodies. For example in the US, there is federal-level legislation such as SOX (Sarbanes-Oxley Act) and GLBA (Gramm-Leach-Bliley Act) focused on the financial sector, FERPA (Family Educational Rights and Privacy Act) in the education sector, and HIPAA (Health Insurance Portability and Accountability Act) in the healthcare sector. GDPR in Europe intends to strengthen and unify data protection for individuals within the European Union (EU). It also addresses the export of personal data outside the EU. The primary objectives of GDPR are to give EU residents control of their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. In Singapore, the PDPA (Personal Data Protection Act) stipulates that consent must be obtained before personal data is collected. The Privacy Act in Australia regulates how personal information is handled.

With the rise of online fraud by 40% in the last year in the US alone, fraud detection has become an integral part of a CIAM infrastructure. A CIAM system can contribute to fraud detection in two ways: feed the fraud detection engine with security-related events, and listen to and enforce the feedback from it. For example, all your login and access patterns will be fed into the fraud detection engine, and then based on the anomaly detection algorithms/rules you define, the system has to respond to fraud events, possibly by blocking the transactions, locking the customer accounts, and generating alerts to the responsible parties. If you log in to your account from the USA first and then within one hour from China, that’s possibly a fraudulent event with a high fraud score. If you access online services between 9 PM and 11 PM GMT 90% of the time, and someone suddenly accesses the system between 2 AM and 3 AM, that too could be a fraudulent event with a medium fraud score.
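The risk engine described under risk-based authentication above and the fraud scoring just described are the same mechanism seen from two sides: score the event, then pick the challenge or the response. The following Python is an added example, not code from the article or from WSO2. It builds a constructed login baseline (20 logins from New York, always between 21:00 and 23:00 UTC), then scores new events on the factors the article names: geographical location (as impossible travel between consecutive logins), time of day, login frequency, and transaction value. The thresholds (`MAX_PLAUSIBLE_KMH`, `UNUSUAL_HOUR_RATIO`, the point weights and the score bands in `decide`) are assumptions chosen for illustration, not values from the article.

```python
import math
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Tuple

# Assumed policy thresholds (illustrative, not from the article)
MAX_PLAUSIBLE_KMH = 1000.0   # faster than a commercial flight -> "impossible travel"
UNUSUAL_HOUR_RATIO = 0.10    # an hour seen in <10% of past logins is unusual
MAX_LOGINS_PER_HOUR = 5      # login frequency factor
HIGH_VALUE_TXN = 5000.0      # transaction value factor


@dataclass
class LoginEvent:
    user: str
    at: datetime            # timezone-aware UTC
    lat: float
    lon: float
    txn_value: float = 0.0  # value of the transaction attempted, 0 for a plain login


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def score_event(history: List[LoginEvent], event: LoginEvent) -> Tuple[int, List[str]]:
    """Score one login/transaction against the user's earlier events (oldest first)."""
    prior = [e for e in history if e.user == event.user and e.at < event.at]
    score, reasons = 0, []
    if prior:  # geography: could the same person have travelled this far since the last login?
        last = prior[-1]
        hours = (event.at - last.at).total_seconds() / 3600
        km = haversine_km(last.lat, last.lon, event.lat, event.lon)
        if hours > 0 and km / hours > MAX_PLAUSIBLE_KMH:
            score += 80
            reasons.append(f"impossible travel: {km:.0f} km in {hours:.1f} h")
    if len(prior) >= 10:  # time of day: only judged once there is a baseline
        same_hour = sum(1 for e in prior if e.at.hour == event.at.hour)
        if same_hour / len(prior) < UNUSUAL_HOUR_RATIO:
            score += 40
            reasons.append(f"unusual hour: {event.at.hour:02d}:00 UTC")
    recent = [e for e in prior if event.at - e.at <= timedelta(hours=1)]  # frequency
    if len(recent) >= MAX_LOGINS_PER_HOUR:
        score += 20
        reasons.append(f"{len(recent)} logins in the last hour")
    if event.txn_value >= HIGH_VALUE_TXN:  # transaction value
        score += 30
        reasons.append(f"high-value transaction: {event.txn_value:.2f}")
    return min(score, 100), reasons


def decide(score: int) -> str:
    """Map the risk score to a challenge: the higher the score, the harder the step-up."""
    if score >= 70:
        return "kba_and_alert"  # knowledge-based authentication, and alert the fraud team
    if score >= 30:
        return "sms_otp"
    return "password_only"


def build_history() -> List[LoginEvent]:
    """Constructed baseline: 20 logins from New York, always at 21:30 or 22:30 UTC."""
    base = datetime(2018, 3, 1, tzinfo=timezone.utc)
    return [LoginEvent("alice", base + timedelta(days=d, hours=h, minutes=30), 40.71, -74.01)
            for d in range(10) for h in (21, 22)]


def sample_events() -> dict:
    """Constructed events to score against the baseline (the keys are just labels)."""
    utc = timezone.utc
    return {
        "Beijing 20 min after a New York login":
            LoginEvent("alice", datetime(2018, 3, 10, 22, 50, tzinfo=utc), 39.90, 116.40),
        "New York at 02:30 UTC":
            LoginEvent("alice", datetime(2018, 3, 11, 2, 30, tzinfo=utc), 40.71, -74.01),
        "New York at the usual hour":
            LoginEvent("alice", datetime(2018, 3, 11, 21, 30, tzinfo=utc), 40.71, -74.01),
    }


if __name__ == "__main__":
    hist = build_history()
    for label, ev in sample_events().items():
        s, why = score_event(hist, ev)
        print(f"{label}: score={s} action={decide(s)} {why}")
```

Run as a script, the Beijing login scores 80 (impossible travel) and is sent to KBA with an alert, the 02:30 login scores 40 (unusual hour) and gets an SMS OTP, and the login at the usual hour needs nothing beyond the password. In a real deployment the baseline comes from the CIAM system's own login history and the decision is returned to the authentication flow, which is exactly the two-way feed the paragraph describes.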

Some CIAM systems do assign a trust level to each account at the point of on-boarding. This score is based on past behavior and takes phone number intelligence, AI-based traffic pattern analysis, and data from global information services into account. This helps the business to make policy decisions about how to treat such identities.

Omnichannel Access

When you subscribe to Newsweek magazine, you pick the type of subscription: print, digital, or both. The digital subscription is available through the web, iPhone, or iPad. In an omnichannel environment, customers interact with the business via multiple channels but still get a seamless and continuous user experience. For example, if you use the Newsweek iPhone app to highlight some content, when you view the same content on the web you should find that it's still highlighted. Amazon took the retail order placing system to the next level with Alexa. An Amazon customer can place an order via its web site, mobile app, or Kindle in addition to Alexa. Amazon has brick and mortar stores too. When Jeff Bezos announced the launch of Amazon Books (a brick and mortar store) a couple of years back, his intention was to bring the same digital experience to the real world. In Amazon Books you can see the book reviews, ratings, and many other features from the digital world.

One cannot stop talking about Amazon when discussing the innovation happening in the retail sector. The Amazon Go convenience store in Seattle uses sensors to track items as shoppers place them in baskets or return them to the shelf, while the shopper’s Amazon account is automatically charged. This is an even better experience than shopping via its online counterpart. The Wi-Fi-connected Amazon Dash button provides a store-less experience to Amazon customers: one click allows you to place your order and have it delivered to your home.

The bottom line here is that companies in many verticals (not just retail), are looking to deliver better, seamless customer experiences through multiple channels. The role of a CIAM infrastructure in an omnichannel environment varies from authenticating the customer through multiple channels to managing the customer preferences through multiple channels to build a unified customer profile.

Help Desk and Delegated Administration

Help desk and delegated administration is another key aspect of a CIAM infrastructure. Help desk administrators should have access to some customer data to validate that the person who is calling is the actual owner of the account he/she is asking about. This is one of the ‘strongest’ weakest links in the entire system and has been exploited many times to break into other people’s accounts. In August 2012, Mat Honan, a reporter for Wired magazine in San Francisco, had his iPhone, MacBook, and iCloud backups wiped by hackers. He also lost control of his Gmail and Twitter accounts. All this started with a simple social engineering attack on the Amazon help desk. The hackers were able to learn the last four digits of Honan’s credit card by talking to the Amazon help desk; using these details and Honan’s billing address (readily available in the whois record of the internet domain Honan had for his personal website), they were then able to call the Apple help desk and reset his iCloud password.

In general, many help desk operators rely on verifying static data about the customer: for example, mother’s maiden name, birth date, the last four digits of the social security number, billing postal code, etc. None of this data is hard to find if someone is a little desperate. What would be the best way to identify a customer who is calling the help desk? This is where progressive profiling comes in handy. Let’s say it’s a bank — you can ask which restaurant the customer visited most in the previous month, what his/her favorite grocery store is, when he/she paid the last credit card bill, etc. Some do verify that the caller is the true owner of the account by sending a code to the registered phone number or email address. However, these questions cannot be used individually; there has to be a collection of them.

Identity verification is only one part of help desk administration. The CIAM infrastructure should allow granular access to relevant personal and transactional data, possibly via an API for help desk operations. Apart from authentication, the API should audit all the queries made by the help desk administrator, and any query from a help desk administrator should be mappable to a help desk request from a customer. Even though help desk administrators have access to some customer data, they should not have the right to query that data without consent from the corresponding customer.

Impersonation is the other key part of help desk administration. Once the caller is identified, the help desk administrator may need to log in to the customer portal as the customer to see what he/she has done, or to guide him/her through what needs to be done. CIAM systems should give help desk administrators the ability to impersonate other users (customers). Both the CIAM system and the customer portal should be aware that everything done by the help desk administrator is an impersonation act. Possibly, during an impersonation act, when the help desk administrator tries to log in to the customer’s account, the system should send a message to the customer’s registered mobile number or email address seeking approval. The approval granted should be valid for a few minutes only, and the portal should automatically log out the help desk administrator once it expires.
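The two preceding paragraphs describe a help desk access layer with four properties: every query is tied to a help desk request, consent is required, every query is audited, and impersonation needs a short-lived approval from the customer. The following Python is an added example of such a gateway, not code from the article or from WSO2. `CUSTOMER_DB`, the ticket identifiers, the operator names and the fixed demo clock `T0` are constructed; the five-minute `APPROVAL_TTL` is an assumption standing in for the article's "a few minutes"; the `outbox` list stands in for SMS/email delivery.

```python
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

APPROVAL_TTL = timedelta(minutes=5)  # assumed: an approval is valid for a few minutes only
T0 = datetime(2018, 4, 8, 10, 0, tzinfo=timezone.utc)  # fixed clock for the demo

# Constructed customer records; in a real deployment this is the CIAM user store.
CUSTOMER_DB = {
    "cust-42": {"email": "alice@example.com", "phone": "+1-555-0100", "billing_zip": "94103"},
    "cust-77": {"email": "bob@example.com", "phone": "+1-555-0199", "billing_zip": "10001"},
}


def at(minutes_after: int) -> datetime:
    """Demo clock: T0 plus the given number of minutes."""
    return T0 + timedelta(minutes=minutes_after)


@dataclass
class Ticket:
    ticket_id: str
    customer_id: str
    consent_given: bool  # the customer agreed an operator may look at their data for this request


@dataclass
class ImpersonationSession:
    operator: str
    customer_id: str
    ticket_id: str
    expires_at: datetime
    impersonated: bool = True  # the portal renders and records everything under this flag


class HelpDeskGateway:
    """Help desk access to customer data: ticket-bound, consent-gated, time-limited, audited."""

    def __init__(self):
        self.tickets: Dict[str, Ticket] = {}
        self.audit: List[dict] = []
        self.pending: Dict[str, tuple] = {}  # approval code -> (operator, customer, ticket, deadline)
        self.outbox: List[str] = []          # constructed stand-in for SMS/email delivery

    def open_ticket(self, ticket_id: str, customer_id: str, consent_given: bool) -> None:
        self.tickets[ticket_id] = Ticket(ticket_id, customer_id, consent_given)

    def query(self, operator: str, ticket_id: str, customer_id: str,
              fields: List[str], now: datetime) -> dict:
        """Return the fields only if a consented ticket for this customer exists. Always audited."""
        ticket = self.tickets.get(ticket_id)
        allowed = ticket is not None and ticket.customer_id == customer_id and ticket.consent_given
        self.audit.append({"at": now, "operator": operator, "ticket": ticket_id,
                           "customer": customer_id, "fields": list(fields), "allowed": allowed})
        if not allowed:
            raise PermissionError("query must map to a consented help desk request from this customer")
        return {f: CUSTOMER_DB[customer_id].get(f) for f in fields}

    def request_impersonation(self, operator: str, ticket_id: str, now: datetime) -> str:
        """Ask the customer, over their registered channel, to approve the operator logging in as them."""
        ticket = self.tickets[ticket_id]
        code = secrets.token_hex(4)
        self.pending[code] = (operator, ticket.customer_id, ticket_id, now + APPROVAL_TTL)
        self.outbox.append(f"to {CUSTOMER_DB[ticket.customer_id]['phone']}: operator {operator} asks "
                           f"to access your account for ticket {ticket_id}. Reply {code} to approve.")
        self.audit.append({"at": now, "operator": operator, "ticket": ticket_id,
                           "customer": ticket.customer_id, "action": "impersonation_requested"})
        return code  # returned only so the demo can play the customer's reply; the operator never sees it

    def approve(self, code: str, now: datetime) -> Optional[ImpersonationSession]:
        """The customer replies with the code: one-time use, and it must arrive before the deadline."""
        entry = self.pending.pop(code, None)
        if entry is None:
            return None
        operator, customer_id, ticket_id, deadline = entry
        if now > deadline:
            return None
        session = ImpersonationSession(operator, customer_id, ticket_id, expires_at=now + APPROVAL_TTL)
        self.audit.append({"at": now, "operator": operator, "ticket": ticket_id,
                           "customer": customer_id, "action": "impersonation_approved"})
        return session

    @staticmethod
    def is_active(session: ImpersonationSession, now: datetime) -> bool:
        """The portal checks this on every request; once it is false the operator is logged out."""
        return now < session.expires_at
```

The audit list is the piece that answers the "which help desk request was this query for?" question after the fact: denied queries are recorded too, so an operator browsing accounts without a ticket shows up in the log rather than silently failing.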


A CIAM system has to worry about scalability from day one. A workforce IAM system may expect thousands of users, whereas a CIAM system works with millions, resulting in thousands of concurrent logins. You will find a considerable difference between average load and peak load in most of these systems. The peak load is many times the average load, and may only occur for a few hours on a couple of days per month. Let me give you an example. One of the financial institutions that WSO2 worked with was building an IAM infrastructure for over 1.5 million customers. On an average day, they expect 350,000 logins, with daily peak times around 9 AM to 10 AM, 12 PM to 1 PM, and 3 PM to 4 PM. Even if we assume 300,000 users will log in to the system during these peak times, the expected load per minute would be around 1,700 users. However, for 2 days every month, they expect 5,000 logins per second, that is 300,000 users per minute. That’s a huge difference between the daily peak load and the monthly one. It’s not cost effective to plan the infrastructure and keep it running to target the peak load all the time, as it's a waste of system resources and money. In such cases, the best option is to build a dynamic scaling model, where system resources spin up to address increasing load and servers shut down again when the load goes down.
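To put a number on the "waste" the paragraph above describes, the following Python is an added example (not code from the article or from WSO2) that sizes a cluster against a month-long load profile two ways: provisioned for the monthly peak all the time, or scaled to each interval's load. The profile is constructed from the article's figures (1,700 logins/min during three one-hour daily peaks, a 300,000 logins/min surge for one hour on 2 days a month); the roughly 40 logins/min outside the peaks is my derivation from 350,000 daily logins minus the 300,000 in the peaks, and the per-node capacity, minimum node count and headroom are assumptions.

```python
from typing import List, Tuple

# Assumed capacity of one IAM node: 100 logins/s, i.e. 6,000 logins per minute.
LOGINS_PER_NODE_PER_MIN = 6000
MIN_NODES = 2       # assumed: never below two nodes, for availability
HEADROOM_PCT = 20   # assumed: provision 20% above the measured load

Profile = List[Tuple[int, int]]  # (duration in minutes, logins per minute)


def nodes_needed(logins_per_min: int, capacity: int = LOGINS_PER_NODE_PER_MIN,
                 min_nodes: int = MIN_NODES, headroom_pct: int = HEADROOM_PCT) -> int:
    """Smallest node count whose capacity covers the load plus headroom (integer ceil division)."""
    demand = logins_per_min * (100 + headroom_pct)
    supply_per_node = capacity * 100
    return max(min_nodes, (demand + supply_per_node - 1) // supply_per_node)


def node_minutes(profile: Profile) -> Tuple[int, int]:
    """Node-minutes consumed over the profile when sized for peak vs. scaled dynamically."""
    total_minutes = sum(minutes for minutes, _ in profile)
    peak_nodes = max(nodes_needed(load) for _, load in profile)
    static = peak_nodes * total_minutes
    dynamic = sum(nodes_needed(load) * minutes for minutes, load in profile)
    return static, dynamic


def monthly_profile() -> Profile:
    """Constructed 30-day profile: 28 normal days and 2 surge days, each summing to 1,440 minutes."""
    normal_day: Profile = [(180, 1700), (1260, 40)]
    surge_day: Profile = [(60, 300000), (120, 1700), (1260, 40)]
    return normal_day * 28 + surge_day * 2


if __name__ == "__main__":
    static, dynamic = node_minutes(monthly_profile())
    print(f"always-at-peak: {static:,} node-minutes; dynamic scaling: {dynamic:,} node-minutes "
          f"({static / dynamic:.1f}x less)")
```

With these assumptions the peak needs 60 nodes, so static provisioning burns 2,592,000 node-minutes a month against 93,360 when scaling to the load, almost a 28-fold difference. The ceil division is done in integers on purpose: a float computation of `300000 * 1.2 / 6000` can land a hair under 60 and round the wrong way.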

High availability is another key aspect of a CIAM infrastructure. You may have geographically distributed data centers, where some act as active data centers while others are used for disaster recovery (DR). Active data centers cater to live traffic, while the DR centers stay in standby mode so that if an entire data center goes down, traffic is diverted to the DR center. Within an active data center itself, there will be a cluster of nodes taking the load in an equally distributed manner, so if one node goes down it will not take the whole infrastructure down.

APIs and Integration

A CIAM system is not an all-in-one solution. Its power depends on how well it can function in a larger ecosystem. A CIAM system should know how to integrate with multiple data sources, customer relationship management (CRM) systems (like Salesforce, SugarCRM, Microsoft Dynamics, NetSuite CRM, etc.), marketing platforms/solutions (like Dataxu, Appboy, MailChimp, Google Analytics, Salesforce Pardot, etc.), e-commerce platforms (like Shopify, Magento, Oracle Micros, etc.), fraud detection solutions, risk engines, content management systems (like Microsoft SharePoint, Drupal, WordPress, Joomla, DotNetNuke, etc.), data management platforms (like Blueconic, DoubleClick, Lotame, Krux, etc.), and many more.

CIAM, Marketing Automation, and CRM

A CIAM system is not going to replace the need for a marketing automation platform or a CRM system — but it integrates with them — and provides a foundation layer for more targeted marketing and lead nurturing. For example, Marketo, a leading marketing automation software provider, defines marketing automation as a system that allows companies to streamline, automate, and measure marketing tasks and workflows. Salesforce, a leading CRM software provider, defines CRM as a strategy for managing all company interactions with current and prospective customers. The marketing automation system tracks the behavior of an anonymous user through the phases of being a raw lead, a viable lead, a nurtured lead, and an active lead. The CRM system starts from where the marketing automation stops — it tracks the user through the phases of marketing qualified lead, sales accepted lead, opportunity, and finally closed won. Up to this point the CIAM system does not know anything about the user; at the end of the day the customer will be on-boarded. The CIAM system can now track all the user's access patterns in a more trustworthy manner, and with data feeds from the CIAM system, the marketing automation system can drive its marketing campaigns in an identity-driven approach. Following are some of the key benefits of a CIAM system that integrates well with marketing automation and CRM systems:

  1. Anonymous cookie data tracked via the marketing automation platform can be tied to an authenticated identity as users log in through CIAM and gain a single cross-device/platform view of every user as they go from anonymous to known. Cookies alone don't allow you to correlate two users using different devices or browsers for interactions.
  2. Behavioral patterns tracked by the marketing automation platform can be fed into the CIAM system to perform more effective adaptive/risk-based authentication and fraud detection.
  3. Qualified user data captured by the CIAM system can be used for more targeted marketing (user contact data must be kept up to date at all times).
  4. Build a unified user profile across marketing, CRM, and identity platforms, with rich data visualization.
  5. Verify user sign-up data at the CIAM system by talking to the CRM system.
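The first benefit in the list above and the progressive profiling section earlier describe the same data-structure problem: a visitor is known only by a cookie, later by an email address on a contact form, and finally by a verified customer identity, and the page views collected under every cookie (laptop, phone) should end up in one profile. The following Python is an added example, not code from the article or from WSO2, of a minimal store that does that linking; the cookie ids, pages and email address in the demo are constructed, and the `verified` flag stands in for whatever KYC/account verification the business runs.

```python
from typing import Dict, List, Optional


class ProfileStore:
    """Progressive profiling: anonymous cookie -> lead -> verified customer, one unified profile."""

    def __init__(self):
        self.visitors: Dict[str, List[dict]] = {}  # cookie_id -> page views (anonymous tracking)
        self.leads: Dict[str, dict] = {}           # email -> {"name", "cookies"}
        self.customers: Dict[str, dict] = {}       # customer_id -> {"email", "stage"}
        self.email_to_customer: Dict[str, str] = {}

    def track_view(self, cookie_id: str, page: str, ts: int) -> None:
        """All we know is the cookie; the view still joins the profile once the cookie is linked."""
        self.visitors.setdefault(cookie_id, []).append({"page": page, "ts": ts})

    def submit_contact_form(self, cookie_id: str, email: str, name: str) -> dict:
        """The visitor becomes a lead; this cookie (laptop, phone, ...) is linked to that lead."""
        lead = self.leads.setdefault(email, {"name": name, "cookies": set()})
        lead["cookies"].add(cookie_id)
        return lead

    def register_customer(self, email: str, customer_id: str, verified: bool) -> Optional[dict]:
        """Sign-up with credentials; refused until KYC / account verification has passed."""
        if not verified:
            return None
        customer = {"email": email, "stage": "customer"}
        self.customers[customer_id] = customer
        self.email_to_customer[email] = customer_id
        return customer

    def stage_of(self, cookie_id: str) -> str:
        """How far along the anonymous -> lead -> customer path is the person behind this cookie?"""
        email = next((e for e, lead in self.leads.items() if cookie_id in lead["cookies"]), None)
        if email is None:
            return "anonymous"
        return "customer" if email in self.email_to_customer else "lead"

    def unified_profile(self, customer_id: str) -> dict:
        """Merge the history of every cookie linked to the customer's lead into one timeline."""
        customer = self.customers[customer_id]
        cookies = self.leads.get(customer["email"], {"cookies": set()})["cookies"]
        views = sorted((v for c in cookies for v in self.visitors.get(c, [])), key=lambda v: v["ts"])
        return {"customer_id": customer_id, "email": customer["email"], "stage": customer["stage"],
                "devices": len(cookies), "views": views}


if __name__ == "__main__":
    ps = ProfileStore()
    ps.track_view("ck-laptop", "/corolla/lease", 1)   # anonymous, on a laptop
    ps.track_view("ck-phone", "/camry", 2)            # anonymous, on a phone
    ps.submit_contact_form("ck-laptop", "ann@example.com", "Ann")
    ps.submit_contact_form("ck-phone", "ann@example.com", "Ann")   # same lead, second device
    ps.register_customer("ann@example.com", "C-1", verified=True)
    ps.track_view("ck-phone", "/parts", 3)            # tracking continues after sign-up
    print(ps.unified_profile("C-1"))
```

The point the list item makes, that cookies alone cannot correlate two devices, is visible in `stage_of` and `unified_profile`: nothing joins `ck-laptop` to `ck-phone` until both submit the same email address, after which the customer profile sees both histories and every later view from either device.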


CIAM drives revenue growth by leveraging identity data to acquire and retain customers. It’s the new public face of your company. CIAM differs from traditional IAM (or workforce IAM/employee IAM) in many ways. User experience rules everything in CIAM, in addition to privacy and security — it’s not an ‘or’ but an ‘and’. Customer on-boarding, progressive profiling, social integrations, strong authentication, self-service, help desk and delegated administration, and scalability are the key areas any CIAM infrastructure should worry about. Identity data is the new gold and CIAM is a mainstream business capability.

About Author

  • Prabath Siriwardena
  • Senior Director - Security Architecture
  • WSO2
Prabath is the Vice President - Security Architecture at WSO2. Prabath has over 11 years of industry experience that currently involves providing security architecture solutions to many of WSO2’s key customers.
