The Five Pillars of Customer Identity and Access Management
- Malithi Edirisinghe
- Director, Architect - IAM, WSO2
- 21 Aug, 2024
This white paper expands on WSO2’s original work on the Five Pillars of Customer Identity and Access Management (CIAM), available here. It includes updated content to reflect recent market changes and advancements.
Introduction
In today's interconnected digital landscape, effective management of customer identities is not just a technical requirement but a strategic asset. Customer identity and access management (CIAM) systems are at the heart of this, ensuring secure and seamless user experiences across numerous digital interfaces. Whether for individual consumers or business clients, CIAM facilitates personalized interactions while safeguarding sensitive data, complying with global regulations, and improving business enablement and operational efficiency.
Consider Spotify, where users can listen to their favorite songs, discover personalized playlists, and receive podcast recommendations. How does Spotify deliver tailored content to millions of global users, enhance user engagement, and ensure secure interactions at every touchpoint? Similarly, think about Salesforce, which serves thousands of enterprises and helps them manage customer data effectively. Salesforce offers robust self-service capabilities that allow employees to manage access across various services and subscriptions seamlessly.
These examples underline the power of an effective CIAM strategy that adopts an identity-first approach, integrating seamlessly with core business operations while adhering to stringent security and regulatory standards. This strategy is essential whether the focus is on individual consumers or business clients.
This article will delve into the five critical pillars of CIAM: User Onboarding and Registration, Authentication, Authorization and Access Management, Self-Service, and Integration with Systems of Record and Business Insight Tools. Understanding these pillars is essential for developing systems that ensure security and compliance and support frictionless, personalized digital experiences, thereby driving user adoption and business growth.
Understanding CIAM
CIAM is a specialized application of identity management focused on managing and securing customer identities. At its core, CIAM is designed to facilitate seamless, secure customer interactions across various digital platforms (web apps, mobile apps, kiosks, etc.) while enhancing user experience and maintaining compliance with privacy regulations.
Think of CIAM as the gatekeeper and guide within a digital amusement park. It not only ensures that customers can enter through the gates by authenticating (using methods like social login, passwordless options like email links or passkeys, username/password, multi-factor authentication (MFA) with authenticator apps, push notifications, etc.) but also directs them to the appropriate rides (services) based on their access privileges (authorization) and preferences. This ensures a smooth and enjoyable visit that’s both secure and personalized.
Depending on the digital service offering and the business model, the “customer” (the “C” in CIAM) can represent different things. In scenarios like online shopping, banking, streaming, and food delivery services, the “customer” represents individual consumers. In the context of digital services offered by the public sector and government, it is citizens. When it comes to enterprise software and SaaS services, it can be employees of a business organization that subscribes to the service, or a partner organization that provides professional services or resells the solution (resellers).
Figure 1: The different types of customers in CIAM
When developing a CIAM strategy, it is crucial to recognize the diverse types of customers the business serves and their unique requirements. Whether catering to individual consumers, citizens, employees of business organizations, partners, or resellers, each group has specific needs that must be addressed to ensure a secure and seamless user experience. The CIAM tools and features employed should reflect this diversity, enabling your system to manage and meet these varied demands efficiently. The following diagram highlights the differing requirements and preferred features for B2B and B2C contexts, illustrating the need for tailored CIAM solutions.
Figure 2: The distinct requirements and preferred features of B2B and B2C contexts
In essence, CIAM is not just about security or technology; it’s about building a bridge between businesses and their customers, ensuring that every interaction is secure, compliant, and user-friendly. It enables continuous and seamless connections with customers, allowing for the collection of data with their consent while protecting both company and customer data. This balance makes CIAM an indispensable component of modern digital strategies, allowing organizations to unlock new levels of customer engagement and trust.
The Five Pillars of CIAM
A robust CIAM strategy is built upon five key pillars, each representing a critical competency for effective customer identity and access management. These pillars are:
- User Onboarding and Registration
- Authentication
- Authorization and Access Management
- Self-Service
- Integration with Systems of Record and Business Insight Tools
Striking the right balance among these pillars is crucial. Together, they enable frictionless, personalized customer experiences, ensure robust security and compliance, and enhance the business's operational efficiency.
Figure 3: The five pillars of a robust CIAM strategy
User Onboarding and Registration
The first step in a CIAM process is user registration, which converts anonymous, casual website visitors into known, active, registered users. In consumer-facing applications, user onboarding can be streamlined with Bring Your Own Identity (BYOID) using social identifiers or email, mobile, and username identifiers for basic identity verification. This approach is particularly common in scenarios like online shopping carts, food delivery services, streaming services, ride-sharing apps, and e-commerce platforms. However, for more sensitive applications such as banking, financial services, airline systems, and government services, the verification process can include validating legal documents like passports, national IDs, and driving licenses. These processes may even incorporate Know Your Customer (KYC) protocols and integrate with device fingerprint reputation services and biometric verification to prevent fraud.
Another essential aspect of user registration is collecting consent during registration for Terms of Service (ToS) and privacy policies. This ensures that users know and agree to the legal and privacy terms before using the service. Additionally, prompting users for additional attributes based on the specific services they are registering for can enhance personalization and service delivery. For instance, an e-commerce site might ask for preferred shopping categories, while a streaming service might inquire about favorite genres. Collecting this information upfront can significantly improve the user experience by tailoring services to individual preferences right from the start.
For B2B businesses, registration often involves the onboarding of entire organizations. This can be initiated through a sales-led approach, where an account manager facilitates interactions and negotiations, eventually triggering the provisioning of the organization once the service agreement is finalized. This often includes invitation-based registration flows. Alternatively, in product-led B2B SaaS applications, organizations can self-onboard by creating their accounts. Slack, Zoom, Trello, and Dropbox are examples of such applications.
The registration process must be user-friendly and straightforward while also ensuring security. When collecting valuable customer identity data, the onboarding process must be designed to avoid identity fraud, such as registration with synthetic or stolen identities. These factors must be carefully balanced based on the characteristics and goals of the business, ensuring that the registration process aligns with security requirements and user experience expectations. Additionally, it is imperative to include measures for detecting and preventing bots during the registration process to prevent fraud. Implementing CAPTCHA, reCAPTCHA, and other bot-detection technologies can help ensure that only genuine users are able to register, thereby maintaining the integrity of the user base and protecting the platform from automated attacks and spam.
Authentication
Authentication is another critical pillar of CIAM, ensuring that users possess the required credentials to access customer-facing applications. Strong authentication prevents account takeovers, password snooping, and credential stuffing, keeping unauthorized users out through robust authentication policies. In consumer-facing applications, providing single sign-on (SSO) and passwordless login options such as email links, mobile OTPs, passkeys, and social logins like Google and Facebook enhances the authentication experience. Allowing customers to set up 2FA options through authenticator apps, push notifications, and security keys further secures account access. Adaptive authentication, which steps up security based on situational risk factors such as attempting access from a new device, logging in from an unusual geographical location, or returning after a prolonged period of inactivity, balances user experience with security needs. For high-value services like financial applications or government services, additional layers like biometric verification and liveness checks provide higher levels of assurance and meet regulatory compliance demands for more stringent security measures.
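The following Python sketch shows one way the adaptive policy described above can be expressed: each situational signal (new device, unusual location, dormant account) carries a weight, a login is stepped up to a second factor once the accumulated score crosses a threshold, and a high-value in-session action (the bank-transaction case mentioned later in this paper) always demands a recent second factor. This is an added example, not WSO2 product code; the signal names, weights, thresholds, the `Session` record and the sample scenarios are all constructed assumptions.

```python
"""Adaptive authentication policy: step up when situational risk warrants it.

Added example for this section; it is not WSO2 product code. The risk
signals, their weights, the thresholds and the sample sessions are all
constructed assumptions chosen to illustrate the policy described above.
"""
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed weights for the situational signals named in the text.
SIGNAL_WEIGHTS = {"new_device": 2, "unusual_location": 3, "dormant_account": 1}
STEP_UP_THRESHOLD = 3                     # score at/above this requires MFA
DORMANCY = timedelta(days=90)             # inactivity that counts as a signal
FRESH_MFA_MAX_AGE = timedelta(minutes=5)  # freshness needed for high-value actions


@dataclass(frozen=True)
class Session:
    user: str
    device_id: str
    country: str
    now: datetime
    known_devices: frozenset
    usual_countries: frozenset
    last_login: Optional[datetime]
    mfa_completed_at: Optional[datetime] = None  # None: only a password so far


def risk_signals(s: Session) -> list:
    """Situational risk factors observed for this login attempt."""
    signals = []
    if s.device_id not in s.known_devices:
        signals.append("new_device")
    if s.country not in s.usual_countries:
        signals.append("unusual_location")
    if s.last_login is None or s.now - s.last_login > DORMANCY:
        signals.append("dormant_account")
    return signals


def risk_score(s: Session) -> int:
    return sum(SIGNAL_WEIGHTS[sig] for sig in risk_signals(s))


def has_fresh_mfa(s: Session) -> bool:
    return (s.mfa_completed_at is not None
            and s.now - s.mfa_completed_at <= FRESH_MFA_MAX_AGE)


def decide(s: Session, high_value_action: bool = False) -> str:
    """Return 'allow' or 'step_up' for a login or an in-session action.

    A high-value action (e.g. a transfer) always needs a recent second
    factor, regardless of the login-time risk score; an ordinary login is
    stepped up only when the accumulated risk crosses the threshold and no
    second factor has been completed in this session.
    """
    if high_value_action and not has_fresh_mfa(s):
        return "step_up"
    if risk_score(s) >= STEP_UP_THRESHOLD and s.mfa_completed_at is None:
        return "step_up"
    return "allow"


def sample_decisions() -> dict:
    """Constructed scenarios for one user; returns scenario -> decision."""
    now = datetime(2024, 8, 21, 9, 0, tzinfo=timezone.utc)
    base = Session("alice", "dev-1", "LK", now, frozenset({"dev-1"}),
                   frozenset({"LK"}), last_login=now - timedelta(days=1))
    abroad_new_device = replace(base, device_id="dev-9", country="DE")
    dormant = replace(base, last_login=now - timedelta(days=200))
    return {
        "usual_device_and_location": decide(base),
        "new_device_abroad": decide(abroad_new_device),
        "new_device_abroad_after_mfa": decide(
            replace(abroad_new_device, mfa_completed_at=now - timedelta(minutes=1))),
        "dormant_only": decide(dormant),
        "transfer_without_recent_mfa": decide(
            replace(base, mfa_completed_at=now - timedelta(minutes=30)),
            high_value_action=True),
        "transfer_with_recent_mfa": decide(
            replace(base, mfa_completed_at=now - timedelta(minutes=2)),
            high_value_action=True),
    }


if __name__ == "__main__":
    for scenario, decision in sample_decisions().items():
        print(f"{scenario:32} -> {decision}")
```

The design point worth noticing is that login-time risk and action-time assurance are two separate checks: a low-risk login that sailed through on a password alone still gets challenged at the transaction, and a risky login that already completed MFA is not challenged again at login.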
When it comes to B2B applications, specific requirements often include allowing employees of the customer organization to log in with their enterprise Identity Provider (IdP). Additionally, multi-factor authentication (MFA) options ensure secure authentication in these scenarios. Therefore, the B2B application should allow customer organizations to configure their enterprise IdPs and different MFA options in a self-service manner, providing them with the flexibility to choose the methods that best suit their security needs.
By incorporating these various authentication methods, organizations can significantly enhance security, protect against unauthorized access, and improve the overall user experience, making this pillar essential in a comprehensive CIAM strategy.
Authorization and Access Management
Authorization and access management define the available rights and entitlements for any authenticated user, application, or device. Traditionally, authorization has relied on role-based access control (RBAC). To address more fine-grained authorization requirements, attribute-based access control (ABAC) models were developed. However, although some authorization-focused vendors implemented these models, authorization logic was typically embedded within applications, tightly coupled with domain-specific business services and data.
With modern requirements demanding even more fine-grained approaches, relationship-based access control (ReBAC) emerged. ReBAC evaluates access based on the relationships between entities, with Google Docs being a prime example. Google Zanzibar has further popularized ReBAC, encouraging more vendors to adopt it to solve complex authorization problems.
Regardless of the underlying model—whether RBAC, ABAC, or ReBAC—authorization in CIAM involves evaluating access rights and granting appropriate permissions to users, applications, and devices. In consumer-facing applications, access rights often vary based on the user's loyalty level. In B2B SaaS applications, they depend on roles and service subscription tiers. Additionally, access may be dynamically adjusted based on the user's assurance level when accessing data or performing actions. For instance, an online banking application might prompt for 2FA again during a transaction to ensure the security of the user’s session.
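To make the ReBAC idea concrete, here is an added Python example (not WSO2 code and not Google's Zanzibar implementation) of the core mechanism: access is stored as relationship tuples of the form (object, relation, subject), and a check walks those tuples, expanding group membership, stronger relations that imply weaker ones, and relations inherited from a parent folder. The object types, rewrite rules, and sample tuples below are constructed for the example.

```python
"""Minimal relationship-based access control (ReBAC) evaluator.

Added illustration for this section; it is not WSO2 code and not Google's
Zanzibar implementation, only the same idea: access is derived by walking
relationship tuples of the form (object, relation, subject). The namespace
rules and the sample tuples below are constructed for the example.
"""
from collections import defaultdict

# Relation rewrite rules per object type (assumed for the example):
# holding a relation on the right implies the relation on the left.
IMPLIED_BY = {
    "document": {"viewer": ("editor",), "editor": ("owner",)},
    "folder": {"viewer": ("editor",), "editor": ("owner",)},
}
# A document inherits these relations from the folder it has as "parent".
INHERITED_FROM_PARENT = {"document": {"viewer": "viewer", "editor": "editor"}}


class TupleStore:
    """In-memory store mapping (object, relation) to the subjects that hold it."""

    def __init__(self):
        self._tuples = defaultdict(set)

    def write(self, obj, relation, subject):
        # subject is a user ("user:bob") or a userset ("group:eng#member")
        self._tuples[(obj, relation)].add(subject)

    def check(self, obj, relation, user, _path=frozenset()):
        """True if `user` holds `relation` on `obj`, directly or derived."""
        key = (obj, relation)
        if key in _path:          # guard against cyclic relationships
            return False
        path = _path | {key}
        for subject in self._tuples.get(key, ()):
            if subject == user:
                return True
            if "#" in subject:    # userset: expand e.g. group:eng#member
                sub_obj, sub_rel = subject.split("#", 1)
                if self.check(sub_obj, sub_rel, user, path):
                    return True
        obj_type = obj.split(":", 1)[0]
        # A stronger relation (owner > editor > viewer) implies the weaker one.
        for stronger in IMPLIED_BY.get(obj_type, {}).get(relation, ()):
            if self.check(obj, stronger, user, path):
                return True
        # Relations inherited through the object's parent (folder -> document).
        parent_rel = INHERITED_FROM_PARENT.get(obj_type, {}).get(relation)
        if parent_rel:
            for parent in self._tuples.get((obj, "parent"), ()):
                if self.check(parent, parent_rel, user, path):
                    return True
        return False


def build_sample_store():
    """Constructed sample data: a folder owned by alice containing a document
    shared with the engineering group, of which bob is a member."""
    store = TupleStore()
    store.write("folder:projects", "owner", "user:alice")
    store.write("document:roadmap", "parent", "folder:projects")
    store.write("document:roadmap", "viewer", "group:eng#member")
    store.write("group:eng", "member", "user:bob")
    return store


if __name__ == "__main__":
    s = build_sample_store()
    for user, rel in [("user:alice", "editor"), ("user:bob", "viewer"),
                      ("user:bob", "editor"), ("user:carol", "viewer")]:
        print(f"{user} {rel} document:roadmap ->",
              s.check("document:roadmap", rel, user))
```

Note that alice never appears in any tuple about the document itself; her edit access is derived entirely from owning the parent folder, which is exactly the kind of relationship a role list or an attribute policy struggles to express.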
Authorization also involves collecting user consent, particularly when third-party applications need access. For example, Trello, a project management tool, can link to Google Calendar and GitHub, allowing users to manage project timelines and track code commits effectively. When Trello accesses Google or GitHub resources, these services request user consent to share data, enabling access or performing operations on the user’s behalf. In this context, Trello acts as a third-party application consuming Google APIs. This model is applicable in B2B contexts as well, where technology partnerships expand business ecosystems, necessitating open APIs for partner organizations' apps. Ensuring access based on user consent is crucial in scenarios where user data is accessed.
Implementing robust authorization and access management strategies is essential for preventing data loss, detecting account takeovers, and ensuring secure, compliant access to resources, making this pillar indispensable for a comprehensive CIAM strategy.
Self-Service
Self-service capabilities are crucial for enhancing user experience and reducing operational costs. How quickly users can recover lost or forgotten credentials depends directly on how accessible the self-service options are. These options empower end users to get things done faster or outside regular business hours, enhancing their service experience. Operationally, these options automate common customer service and support tasks, saving businesses substantial contact center and chat-based labor costs.
Essential self-service features include simple password resets, recovery of forgotten user IDs, and the ability to manage MFA options like authenticator apps, passkeys, and security keys. Users can also manage their profiles, including account security settings and notification preferences, view and revoke active sessions, manage consents and authorized applications, and authorize and deauthorize devices.
Additionally, users need to have access to their activity logs, which show when and from which devices they accessed their accounts. This transparency allows users to audit their activity and take necessary actions based on this information. Compliance with privacy regulations, such as GDPR, requires facilitating self-service features that allow users to view accepted terms and conditions, download their data, and opt out of services.
These self-service features apply to both consumer-facing and business-client-facing applications. However, business clients often require additional functionality, such as onboarding users, connecting their enterprise Identity Provider (IdP), delegating access, managing login policies (e.g., enforcing 2FA), and customizing the branding of the service. Furthermore, business clients benefit from detailed administrative audits and insights into user activities.
By implementing robust self-service features, CIAM enhances user experience, ensures compliance with regulations, improves security, and reduces operational costs, making this pillar indispensable for a comprehensive CIAM strategy.
Integration with Systems of Record and Business Insight Tools
Integration with systems of record and business insight tools is a critical pillar in a comprehensive CIAM strategy. This competency involves embedding identity into the organization’s business processes and tools, facilitating seamless interactions across various applications and workflows.
Businesses often evolve to have multiple siloed identity repositories serving different lines of business (LOBs) and their respective applications. To achieve a centralized CIAM system, unifying identity management across all business properties, including various external-facing websites and brands, is essential. This unification may require migrating siloed user data repositories or their bidirectional integration to synchronize user profiles.
Similarly, integrating CIAM with other customer data repositories, such as Customer Relationship Management (CRM) systems, Customer Data Platforms (CDP), Master Data Management (MDM) systems, and Digital Experience Platforms (DXP), is vital to achieving better customer data unification and a unified customer experience. This integrated approach improves data consistency and enhances customer insights and operational efficiency, making it an indispensable component of a modern CIAM strategy.
Integrating CIAM with business insight tools, such as cyber/web fraud management systems, risk-based authentication and behavioral biometrics, and transaction monitoring systems, helps identify and mitigate fraud effectively. Additionally, regularly using CIAM transactional data to inform business intelligence reporting and drive business decisions can significantly enhance the organization’s efficiency and responsiveness to market changes.
Therefore, incorporating these integrations is key to creating a cohesive and effective identity management system, ultimately leading to better customer experiences and more informed business decisions.
CIAM Requirements Across the Five Pillars for B2C and B2B
The following diagram summarizes the requirements for B2C and B2B applications under the five pillars of CIAM discussed above.
Figure 4: The requirements for B2C and B2B applications under the five pillars of CIAM
Leveraging CIAM Pillars for Enhanced Business Outcomes
The five pillars of CIAM—User Onboarding and Registration, Authentication, Authorization and Access Management, Self-Service, and Integration with Systems of Record and Business Insight Tools—collectively contribute to significant business benefits.
Firstly, these pillars ensure a frictionless, personalized customer experience by simplifying user interactions and providing tailored services. Easy registration and seamless authentication processes make it effortless for users to engage with the platform. Self-service capabilities empower users to manage their profiles and preferences independently, enhancing their overall satisfaction and loyalty.
Secondly, robust security measures such as adaptive authentication, MFA, and fine-grained access control safeguard user data and ensure compliance with regulations like GDPR. This prevents unauthorized access and fraud and builds customer trust by demonstrating the organization’s commitment to data protection and privacy.
Lastly, integrating CIAM with existing business processes and tools improves operational efficiency. Automated support tasks and seamless data synchronization reduce the need for manual intervention, allowing businesses to focus on strategic initiatives. This streamlining of operations enhances agility and responsiveness to market changes.
Organizations can drive higher adoption rates and foster business growth by achieving these benefits of CIAM—frictionless, personalized customer experiences, improved security and regulatory compliance, and enhanced operational efficiency. These improvements ensure the organization remains competitive and responsive in the dynamic digital landscape.