Transforming the customer experience is at the heart of digital transformation. Digital technologies are changing the game of customer interactions, with new rules and possibilities that were unimaginable only a few years back. Customer Identity and Access Management (CIAM) is an emerging area within IAM and an essential ingredient of the digital customer experience. Today’s increasingly sophisticated customers view digital interactions as the primary mechanism for interacting with brands and, consequently, expect deeper online relationships delivered simply and seamlessly.

Customers also expect some control over how firms collect, store, manage and share their profile data. With the competition only a click away, your firm’s misuse of customer data, whether deliberate or inadvertent, can significantly damage brand equity. Yahoo! suffered a series of data breaches over the last couple of years that exposed the personal information of more than 1 billion users and has already cost the company $350 million: Yahoo had to lower the sale price of its email and other digital services to Verizon Communications from $4.83 billion to $4.48 billion to account for the potential backlash from the breaches.

The role CIAM plays in an enterprise today carries the same weight that business APIs have had in the industry for several years. In 2013, 90% of Expedia’s business came through its API. Salesforce generates almost 50% of its annual $3 billion revenue through APIs, and at eBay, APIs contribute 60% of annual revenue. Just as APIs became the public face of a company, CIAM drives revenue growth by leveraging identity data to acquire and retain customers. It is your new public face: CIAM is the layer through which the company interacts with the customer.

According to the latest Forrester report on CIAM, 67% of the Asia Pacific market, 64% of the North America market and 54% of the Europe market have adopted CIAM.

Workforce IAM vs CIAM

Customer-focused IAM systems differ from their traditional IAM (workforce IAM) counterparts. Workforce IAM looks inward: it focuses on B2E (business-to-employee) and B2B (business-to-business) interactions. The goal of workforce IAM is to reduce the risk and cost associated with on-boarding and off-boarding employees, partners and suppliers, while the purpose of customer IAM (CIAM) is to drive revenue growth by leveraging identity data to acquire and retain customers. If CIAM processes are cumbersome, customers will go to a competitor whose processes are more streamlined or easier to use. The same is not true of employees; very few employees leave their employer because B2E IAM processes are archaic or hard to use.

On-boarding

In B2E IAM, on-boarding is the responsibility of the employer, while in B2C it is mostly self-service. In other words, for employees the HR department initiates the on-boarding process and remains the owner of the user accounts, while for customers it can be any of the following cases:

A person who anonymously shows interest in the products and services your company offers. For example, this person may visit https://www.toyota.com and look at all the Corolla models available for lease. This is useful information for nurturing the anonymous visitor into a customer. You have no idea who this person is, but via cookies you can recognize when the same browser visits the site repeatedly and personalize the site to fit his or her expectations, which could eventually lead to engagement with the company.

A person who fills in a contact form to make an inquiry or to consume a free service offered by the company, just by sharing contact information. For example, a user may download a product or a white paper by providing his or her contact details, or register for a company event by filling in an online form. You would probably not call this person a customer, but rather a lead. Leads are people who may be interested in your product or service; the hope is that they will eventually become customers.

A person who has bought a product or service from your company and now wants to sign up to consume the company’s services online. This process involves account verification, to make sure that the person signing up online is the same customer who bought the product or service. Account verification is part of the know your customer (KYC) process, by which a business identifies and verifies the identity of its clients; the term is also used for the banking and anti-money laundering regulations that govern these activities. Support for KYC and account verification, triggered during on-boarding, is a key part of a CIAM system.

Some time back we (WSO2) worked with a popular life insurance provider in the USA. The insurance agents sell the policies, and then, to make payments and claims online, the customer has to register via the company’s web site. The registration form asks for a minimal set of details such as the policy number, social security number, name and date of birth, and the information provided is automatically validated against the customer data already recorded in the system when the policy was sold. Another company we worked with, which sells medical equipment to individuals and medical institutions, lets them register via the company web site to consume online services. As in the previous example, the equipment is sold by sales agents and all customer data is recorded in Salesforce; when a customer decides to register online, the data entered is verified against what is already in Salesforce. Recently we worked with a company on the west coast that is building an enterprise-level virtualized data center. They follow the same model: customer records go into Salesforce at the point of sale, and later the customer can register via the company’s online portal by providing the same information.

A person who signs up directly with the company through an online portal. Most e-commerce applications and online retailers follow this approach.

A person who signs up via a well-known public identity provider. This vastly reduces the initial barrier to registration, and multiple studies confirm a large increase in user registrations after integrating with well-known public identity providers (Facebook, Google, Microsoft Live).

In a CIAM system, on-boarding mostly happens via an online registration form. Even where you fetch the attributes required for registration from a third-party identity provider, the last leg of registration will include some sort of form submission. The user experience of the customer on-boarding portal is among the top priorities of a CIAM system.

Security vs usability is a long-standing debate, and finding the right balance is extremely hard. One person I met from the Google Chrome security team mentioned that they had been working for months, gathering user feedback, just to change the colors and find the right alignment of the text on the page Chrome displays when it finds that a web site’s certificate is not valid.

To avoid automated form submissions and spam, many on-boarding portals use a CAPTCHA. A CAPTCHA plays a key role in customer conversion rates: people hate spam, but people hate CAPTCHAs too. Over time it has been shown that even hard CAPTCHAs can be solved by state-of-the-art machine learning at rates that rival or exceed humans. Many companies have shared their experience with CAPTCHAs, and the common finding is that after introducing one, the customer conversion rate dropped significantly. With Google’s newer reCAPTCHA, a significant number of users can attest that they are human without solving a puzzle; instead they confirm they are not a robot with a single click, and only suspicious traffic is sent a challenge. The reCAPTCHA token still has to be verified on the server side against Google’s verification endpoint, since a ticked box on the client alone proves nothing. Google reCAPTCHA takes away most of the challenges enterprises face in customer on-boarding and provides a reasonable balance between usability and security.

Progressive Profiling

A CIAM system provides the ingredients to nurture an anonymous user into a well-known customer. Progressive profiling is the process by which the system learns about a customer step by step. At first the anonymous user is just a visitor to the company web site; their preferences can be tracked via cookies and used to promote the content that interests them most. At some stage the anonymous user becomes a lead by filling in a contact form, and the CIAM system now has the opportunity to link all the preferences tracked against the anonymous visitor with the new lead. Over time the preferences of the lead can be tracked in a much more meaningful way, and the company’s marketing and sales teams can work together to turn them into a customer. At that point you collect the most reliable data about the customer, with proper verification. From then on the CIAM system keeps tracking customer preferences and produces more meaningful data for the company’s management to make better-informed decisions. Once the customer signs up with credentials (perhaps to use the company’s online portal), the CIAM system has the opportunity to relate all the user’s interactions together into one unified user profile.

There is an interesting story behind Gmail. Even today Google’s top revenue comes from online advertising. Google used to track users’ search patterns via cookies, but that did not tell Google who the exact user was: if the same user used different devices or browsers, cookie-based tracking was not very effective. Gmail gave users a reason to log in to the browser, and once the user is logged in, Google can map all the search and other behavioral patterns to a real user and make targeted advertising far more productive.

Authentication

Authentication in a CIAM system differs in many ways from a traditional IAM (workforce IAM) system. Let’s walk through the differences and the similarities.

Social login is a key success factor in CIAM, and a good CIAM system should support login with multiple social identity providers; 88% of US customers claim to have logged in to a web site or mobile application using social login. Workforce IAM systems do not encourage social login: it is treated as a high-risk factor, because the enterprise has no control over how user credentials are stored and managed at the third-party identity provider. That risk does not go away just because we call it CIAM; it is a compromise between convenience and security, and one that depends on the vertical. Financial institutions, for instance, generally do not consider social login at all. Where social login is accepted, the relying party should still treat attributes such as the email address as unverified unless the provider explicitly asserts that it verified them.

Strong authentication is encouraged in both CIAM and workforce IAM. Workforce IAM systems typically rely on hardware tokens for MFA (multi-factor authentication), while CIAM systems, at their much larger scale, use soft tokens such as OTP over SMS or email, or TOTP (Google Authenticator). Of these, SMS OTP is the weakest: it is exposed to SIM swapping and number porting, and NIST SP 800-63B classes out-of-band OTP over the phone network as a restricted authenticator, so it is better used as a fallback than as the default. Both Google and LinkedIn use FIDO U2F internally for employee authentication. FIDO U2F is on its way to becoming the de facto standard for multi-factor authentication, and Yubico is one of the top vendors building FIDO U2F compliant security keys. Even though FIDO is not yet mainstream in the CIAM market, with support from Google and Facebook it shows promise of reaching the mass market.
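The TOTP scheme behind soft tokens such as Google Authenticator, as an added example (this is not code from the original post or from WSO2). The secret and the expected codes are the published RFC 6238 HMAC-SHA1 test vectors; the drift window, the replay counter and the otpauth labels are assumptions for illustration.

```python
"""TOTP (RFC 6238) generation and verification as used by authenticator apps.

Added example, not code from the original post or from WSO2. The secret and the
expected codes are the RFC 6238 test vectors for HMAC-SHA1, 30-second steps.
"""
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 reference secret: the ASCII string "12345678901234567890".
RFC6238_SECRET = b"12345678901234567890"
# Published RFC 6238 vectors: Unix time -> 8-digit SHA-1 code.
RFC6238_VECTORS = {
    59: "94287082",
    1111111109: "07081804",
    1111111111: "14050471",
    1234567890: "89005924",
    2000000000: "69279037",
    20000000000: "65353130",
}


def hotp(secret: bytes, counter: int, digits: int = 6, digest=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digest).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6, digest=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits, digest)


def verify_totp(secret: bytes, code: str, at: int, step: int = 30, digits: int = 6,
                digest=hashlib.sha1, window: int = 1, last_used_counter: int = -1):
    """Verify a submitted code and return (accepted, counter_to_persist).

    `window` tolerates +/- that many steps of clock drift between phone and
    server. `last_used_counter` is the highest counter already accepted for this
    user: a code for that counter (or an earlier one) is rejected even while it
    is still inside the drift window, so an accepted code cannot be replayed.
    """
    if len(code) != digits or not (code.isascii() and code.isdigit()):
        return False, last_used_counter
    counter = at // step
    for delta in range(-window, window + 1):
        candidate = counter + delta
        if candidate <= last_used_counter:
            continue
        if hmac.compare_digest(hotp(secret, candidate, digits, digest), code):
            return True, candidate
    return False, last_used_counter


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """otpauth:// URI that authenticator apps import from a QR code (labels assumed)."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return f"otpauth://totp/{issuer}:{account}?secret={b32}&issuer={issuer}&digits=6&period=30"


if __name__ == "__main__":
    # The 6-digit code an authenticator app would show right now for the reference secret.
    print(totp(RFC6238_SECRET, int(time.time())))
    print(provisioning_uri(RFC6238_SECRET, "alice@example.com", "ExampleCorp"))
```

The server must persist the counter returned on success; without it, a code phished a few seconds earlier remains valid for the whole drift window.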

41% of US customers are interested in password-less authentication. Almost all consumer mobile applications from vendors in the financial, retail and airline domains have added support for logging in with Touch ID. In these apps the biometric unlocks a credential stored on the device; the fingerprint itself never leaves the phone and the server only ever sees the resulting token.

Risk-based authentication is a non-static authentication scheme that takes into account the profile of the agent requesting access in order to determine the risk associated with that transaction. The risk profile then determines the strength of the challenge: based on the risk factors, the system decides whether a password alone is enough, whether to send an SMS OTP, or whether to fall back to knowledge-based authentication (KBA). To determine the risk of a transaction, the authentication system may use a risk engine that takes into consideration the geographic location the transaction is initiated from, the device, the frequency of attempts, the value of the transaction and many other signals.
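A minimal risk engine of the kind described above, as an added example (not code from the original post or from any vendor’s product): it scores a login attempt from its context against what is known about the customer and maps the score to a challenge. The factors, weights, thresholds and data shapes are illustrative assumptions; a real engine tunes them from labelled fraud data.

```python
"""Risk-based (adaptive) authentication: score a login attempt and pick the challenge.

Added example, not code from the original post or from WSO2. Factors, weights,
thresholds and the profile/context shapes are illustrative assumptions.
"""
from dataclasses import dataclass
from enum import Enum


class Challenge(Enum):
    NONE = "password only"
    OTP = "password plus SMS/email OTP"
    KBA_AND_OTP = "password plus knowledge-based questions plus OTP"


@dataclass
class UserProfile:
    """What the engine already knows about the customer (assumed shape)."""
    usual_countries: set
    known_devices: set
    usual_hours_utc: set      # hours (0-23) in which the customer normally logs in
    typical_txn_value: float  # e.g. rolling median of past transaction amounts


@dataclass
class LoginContext:
    """Context of the attempt being evaluated (assumed shape)."""
    country: str
    device_id: str
    hour_utc: int
    failed_attempts_last_hour: int
    transaction_value: float = 0.0


# Assumed weights, capped to a 0-100 score.
WEIGHTS = {
    "new_country": 40,
    "new_device": 25,
    "unusual_hour": 10,
    "failed_attempt": 5,    # per failed attempt in the last hour, at most 5 counted
    "high_value_txn": 30,   # transaction more than 3x the customer's typical value
}
OTP_THRESHOLD = 20
KBA_THRESHOLD = 60


def risk_score(profile: UserProfile, ctx: LoginContext):
    """Return (score, reasons); the reasons are kept so the decision can be audited."""
    score, reasons = 0, []
    if ctx.country not in profile.usual_countries:
        score += WEIGHTS["new_country"]
        reasons.append(f"login from unfamiliar country {ctx.country}")
    if ctx.device_id not in profile.known_devices:
        score += WEIGHTS["new_device"]
        reasons.append(f"unrecognised device {ctx.device_id}")
    if ctx.hour_utc not in profile.usual_hours_utc:
        score += WEIGHTS["unusual_hour"]
        reasons.append(f"unusual hour {ctx.hour_utc:02d}:00 UTC")
    failed = min(ctx.failed_attempts_last_hour, 5)
    if failed:
        score += WEIGHTS["failed_attempt"] * failed
        reasons.append(f"{ctx.failed_attempts_last_hour} failed attempts in the last hour")
    if ctx.transaction_value > 0 and ctx.transaction_value > 3 * profile.typical_txn_value:
        score += WEIGHTS["high_value_txn"]
        reasons.append(f"transaction {ctx.transaction_value:.2f} far above typical "
                       f"{profile.typical_txn_value:.2f}")
    return min(score, 100), reasons


def choose_challenge(score: int) -> Challenge:
    """Map a 0-100 score to the step-up the user is asked to complete."""
    if score >= KBA_THRESHOLD:
        return Challenge.KBA_AND_OTP
    if score >= OTP_THRESHOLD:
        return Challenge.OTP
    return Challenge.NONE


def evaluate(profile: UserProfile, ctx: LoginContext):
    """Full decision for one attempt: (challenge, score, reasons)."""
    score, reasons = risk_score(profile, ctx)
    return choose_challenge(score), score, reasons


if __name__ == "__main__":
    alice = UserProfile({"US"}, {"dev-1"}, set(range(8, 19)), 50.0)
    for ctx in (LoginContext("US", "dev-1", 10, 0, 40.0),
                LoginContext("US", "dev-9", 10, 0),
                LoginContext("CN", "dev-9", 3, 4, 500.0)):
        print(evaluate(alice, ctx))
```

Returning the reasons alongside the decision matters in practice: the audit log and the fraud engine both need to know why a customer was challenged, not just that they were.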

Workforce IAM systems use stricter account locking policies than CIAM systems after n failed login attempts. A locked workforce account will probably need an IAM administrator to unlock it, whereas CIAM systems may present a CAPTCHA or unlock the account automatically after some time. The softer policy is not only about convenience: a hard lock on a public login form lets an attacker lock any customer out simply by entering that customer’s user name with a wrong password a few times, so CIAM lockouts are better expressed as throttling and temporary locks than as permanent ones.

Single sign-on (SSO) is a must in a CIAM system when you have multiple portals performing business functions. For example, if you are a PG&E (Pacific Gas and Electric Company) customer, you might have noticed that when you want to view your current electricity or gas usage you are redirected from pge.com to opower.com, yet you retain the same login session. Likewise, a publisher with multiple news publications will let customers browse between them with a single login session.

Self-service Portal

The audience of the self-service portal in a CIAM system is the customer. It is the one-stop shop where a customer can view and update their profile, manage consents given to third-party applications, reset their password, manage credentials, manage preferences, configure account recovery options, view concurrent login sessions, view activity logs, request a data export, associate social logins, and so on. Security and compliance are two important aspects of CIAM; if you have gone through the GDPR, you will have noticed that several of the self-service functions listed above are driven by it.

The EU General Data Protection Regulation (GDPR) is Regulation 2016/679 of the European Parliament and of the Council. It replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower the data privacy of all EU citizens and residents, and to reshape the way organizations across the region approach data privacy.

CxO Dashboard

One of the key objectives of CIAM is to drive revenue growth by leveraging identity data to acquire and retain customers. The audience of the CxO dashboard is the corporate executives, who are keen on tracking that growth from multiple angles. The CxO dashboard, which talks to multiple data sources, focuses on building insights around the growth of the customer and lead base over time, active customers and leads over time, customers and leads by geography, the conversion rate over time from leads to customers, the business functions customers and leads use most, the conversion rate over time from existing customers to online customers, inactive customers and leads by length of inactivity and by region, and customer and lead access patterns by channel (web or mobile).

Security, Compliance & Fraud Detection

Any CIAM system should treat security as its topmost priority: a security breach at this layer has a direct impact on the company’s revenue and, of course, its reputation. As organizations grow, more and more customer identity data is collected to make more personalized, context-based decisions. This may be personally identifiable information or just contextual information; either way, organizations are bound by the rules and regulations enforced by governments and industry bodies.

In the USA there is federal legislation such as SOX (the Sarbanes-Oxley Act), which governs the financial reporting of public companies, and GLBA (the Gramm-Leach-Bliley Act), which covers financial institutions; FERPA (the Family Educational Rights and Privacy Act) in the education sector; and HIPAA (the Health Insurance Portability and Accountability Act) in healthcare. The GDPR (General Data Protection Regulation) in Europe intends to strengthen and unify data protection for individuals within the European Union (EU), and also addresses the export of personal data outside the EU. The primary objectives of the GDPR are to give EU residents back control of their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. In Singapore the PDPA (Personal Data Protection Act) stipulates that consent must be obtained before personal data is collected, and in Australia the Privacy Act regulates how personal information is handled.

With online fraud rising by 40% in the last year in the US alone, fraud detection has become an integral part of a CIAM infrastructure. A CIAM system contributes to fraud detection in two ways: it feeds the fraud detection engine with security-related events, and it listens to and enforces the feedback from it. For example, login patterns and access patterns are fed into the fraud detection engine, and based on the anomaly detection algorithms or rules you define, the system has to respond to fraud events, possibly by blocking transactions, locking customer accounts or alerting the responsible parties. If you log in to your account from the USA and then within an hour from China, that is likely a fraud event with a high fraud score. If you access the online services 90% of the time between 9 PM and 11 PM GMT, and someone now accesses the system between 2 AM and 3 AM, that too could be a fraud event, with a medium fraud score.
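The two rules just described, impossible travel and an unusual login hour, run over a login event stream, as an added example (not code from the original post or from WSO2). The events are constructed: a customer who logs in every evening from Mountain View, then a login from Shanghai 45 minutes after one from Mountain View, then a 02:30 UTC login. The speed limit, distance floor, baseline size, rarity cut-off and the severity-to-action mapping are assumptions.

```python
"""Impossible-travel and unusual-hour detection over login events.

Added example, not code from the original post or from WSO2. Events,
thresholds, severities and the response policy are constructed assumptions.
"""
import math
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed login events: (user, UTC timestamp, latitude, longitude).
SAMPLE_EVENTS = [
    ("alice", "2017-05-01T21:10:00Z", 37.39, -122.08),
    ("alice", "2017-05-02T22:05:00Z", 37.39, -122.08),
    ("alice", "2017-05-03T21:40:00Z", 37.39, -122.08),
    ("alice", "2017-05-04T22:15:00Z", 37.39, -122.08),
    ("alice", "2017-05-05T21:20:00Z", 37.39, -122.08),
    ("alice", "2017-05-08T21:55:00Z", 37.39, -122.08),
    ("alice", "2017-05-09T22:30:00Z", 37.39, -122.08),
    ("alice", "2017-05-10T21:05:00Z", 37.39, -122.08),
    ("alice", "2017-05-10T21:50:00Z", 31.23, 121.47),   # Shanghai, 45 minutes later
    ("alice", "2017-05-12T02:30:00Z", 37.39, -122.08),  # back home, but at 02:30 UTC
]

MAX_PLAUSIBLE_SPEED_KMH = 900.0   # roughly airliner cruising speed (assumed)
MIN_DISTANCE_KM = 50.0            # ignore jitter between nearby IP geolocations
MIN_BASELINE_EVENTS = 5           # history needed before judging the hour
RARE_HOUR_FRACTION = 0.10         # an hour seen in <10% of past logins is unusual


@dataclass
class Alert:
    user: str
    at: datetime
    kind: str
    severity: str
    detail: str


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance in km (mean Earth radius 6371 km)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def _parse(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_fraud(events) -> list:
    """Replay events in time order, keeping per-user history, and emit alerts."""
    alerts = []
    history = defaultdict(list)   # user -> [(timestamp, lat, lon), ...]
    for user, ts, lat, lon in sorted(events, key=lambda e: e[1]):
        at = _parse(ts)
        past = history[user]
        if past:
            prev_at, plat, plon = past[-1]
            dist = haversine_km(plat, plon, lat, lon)
            hours = (at - prev_at).total_seconds() / 3600.0
            speed = dist / hours if hours > 0 else math.inf
            if dist > MIN_DISTANCE_KM and speed > MAX_PLAUSIBLE_SPEED_KMH:
                alerts.append(Alert(user, at, "impossible_travel", "high",
                                    f"{dist:.0f} km in {hours * 60:.0f} min"))
        if len(past) >= MIN_BASELINE_EVENTS:
            share = Counter(p[0].hour for p in past)[at.hour] / len(past)
            if share < RARE_HOUR_FRACTION:
                alerts.append(Alert(user, at, "unusual_hour", "medium",
                                    f"hour {at.hour:02d} UTC seen in {share:.0%} of past logins"))
        past.append((at, lat, lon))
    return alerts


def response_for(alert: Alert) -> str:
    """Action the CIAM system takes on the fraud engine's verdict (assumed policy)."""
    return {"high": "lock account and alert", "medium": "step-up authentication"}.get(
        alert.severity, "log only")


if __name__ == "__main__":
    for alert in detect_fraud(SAMPLE_EVENTS):
        print(alert, "->", response_for(alert))
```

Note the failure mode the distance floor guards against: two logins a few minutes apart from the same city often geolocate to different points, and without it every such pair would trip the travel rule. The hour rule also shows why baselines need care: the attacker’s Shanghai login at 21:50 lands in the customer’s usual hours and becomes part of the history used to judge later logins.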

Some CIAM systems assign a trust level to each account at the point of on-boarding. The score is based on past behavior and on signals such as phone number intelligence, AI-based traffic pattern analysis and data from global information services, and it helps the business make policy decisions about how to treat such identities.

Omnichannel Access

When you subscribe to Newsweek magazine, you pick the type of subscription: print, digital or both. The digital subscription is available through the web, iPhone or iPad. In an omnichannel environment the customer interacts with the business via multiple channels but still gets a seamless, continuous user experience. For example, if you highlight some content in the Newsweek iPhone app, you should find it still highlighted when you view the same article on the web. Amazon took order placement to the next level with Alexa: an Amazon customer can place an order via the web site, the mobile app or a Kindle in addition to Alexa. Never forget that Amazon has brick-and-mortar stores too. When Jeff Bezos announced Amazon Books (the brick-and-mortar store) a couple of years back, his intention was to bring the same digital experience into the real world: in Amazon Books you can see the book reviews, ratings and many other features that were previously digital-only.

When I visited the US for the first time in 2008, I looked for an Amazon store near Mountain View, California, and was disappointed with the response I got from the hotel front desk. It is fascinating that almost 7 years later Jeff Bezos realized the need :-). I moved to the US permanently 3 years ago and live close to Mountain View, and I am eagerly waiting for the Amazon Books in Santana Row, San Jose to open; it is in fact just a few miles from where I live.

One cannot stop talking about Amazon when discussing the innovation happening in the retail sector. The Amazon Go convenience store in Seattle uses sensors to track items as shoppers put them into baskets or return them to the shelf, and the shopper’s Amazon account is charged automatically. This is an even better experience than shopping via its online counterpart. The Wi-Fi-connected Amazon Dash button provides a store-less experience to Amazon customers: with one click you place your order and it is delivered to your home.

The bottom line is that companies in many verticals (not just retail) are looking to deliver a better, seamless customer experience through multiple channels. The role of a CIAM infrastructure in an omnichannel environment ranges from authenticating the customer across those channels to managing customer preferences across them to build a unified customer profile.

Help Desk & Delegated Administration

Help desk and delegated administration is another key aspect of a CIAM infrastructure. Help desk administrators need access to some customer data in order to validate that the person calling is the actual owner of the account they are asking about. This is one of the weakest links in the entire system and has been exploited many times to hijack other people’s accounts. In August 2012, Mat Honan, a reporter for Wired magazine in San Francisco, went through a brutal experience in which his iPhone, MacBook and iCloud backups were wiped by hackers, and he also lost control of his Gmail and Twitter accounts. It all started with a simple social engineering attack against the Amazon help desk. The hackers got the last four digits of Honan’s credit card by talking to the Amazon help desk; with those digits and Honan’s billing address (readily available in the whois record for his personal domain), they were able to call the Apple help desk and reset his iCloud password.

In general, most help desk operations verify some static data about the customer: mother’s maiden name, date of birth, the last four digits of the social security number, the billing postal code, and so on. None of these are hard to find for someone who is determined. What would be a better way to identify a customer who calls the help desk? This is where progressive profiling comes in handy. If it is a bank, you can ask which restaurant the customer visited most last month, which grocery store they usually use, when they last paid their credit card bill, and the like. Some also verify that the caller is the true owner of the account by sending a code to the registered phone number or email address. None of these questions is strong individually; it has to be a collection of them, and answers drawn from transaction history are only as secret as the customer’s statements.

Identity verification is only one part of help desk administration. The CIAM infrastructure should give help desk operations granular access to the relevant personal and transactional data, preferably via an API. Beyond authenticating the help desk administrator, the API should audit every query, and every query should be traceable to a help desk request raised by the customer. Even though help desk administrators have access to some customer data, they should have no right to query it without the corresponding customer’s consent, and a ticket the customer opened is the usual form that consent takes.

Impersonation is the other key part of help desk administration. Once the caller is identified, the help desk administrator may need to log in to the customer portal as the customer to see what they have done or to guide them through what needs to be done. CIAM systems should give help desk administrators the ability to impersonate other users (customers). This sounds a little crazy, and a little dangerous too. Both the CIAM system and the customer portal must be aware that everything done by the help desk administrator is an impersonation act, and it must be recorded as such. When the help desk administrator tries to log in to the customer’s account, the system should send a message to the customer’s registered mobile number or email address seeking approval. The approval should be valid only for a few minutes, and the portal should automatically log the help desk administrator out once it expires.
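The help desk controls from the last two paragraphs in one place, as an added example (not code from the original post or from WSO2): ticket-bound, field-scoped and audited queries, and impersonation that requires a code delivered to the customer, survives one guess, and expires after a few minutes. The customer records, the readable-field list, the TTLs and the notifier interface are assumptions; the clock is injectable so the expiry paths can be exercised.

```python
"""Help desk access to customer accounts: audited, ticket-bound queries and
customer-approved, time-limited impersonation.

Added example, not code from the original post or from WSO2. Customer records,
the agent-readable field list, TTLs and the notify() interface are assumptions.
"""
import hmac
import secrets
import time
from dataclasses import dataclass

APPROVAL_TTL_S = 5 * 60    # seconds the approval code stays usable (assumed)
SESSION_TTL_S = 15 * 60    # length of an impersonation session (assumed)

# Constructed customer records and the subset of fields an agent may read at all.
CUSTOMERS = {
    "alice": {"name": "Alice Example", "phone_last4": "4242",
              "last_order": "2017-05-10", "ssn": "never-shown-to-agents"},
}
AGENT_READABLE_FIELDS = {"name", "phone_last4", "last_order"}


@dataclass
class AuditEvent:
    at: int
    agent: str
    customer: str
    ticket_id: str
    action: str


@dataclass
class ImpersonationSession:
    session_id: str
    agent: str
    customer: str
    ticket_id: str
    expires_at: int


class HelpDeskAccess:
    def __init__(self, notify, clock=lambda: int(time.time())):
        # notify(customer, ticket_id, code) delivers the code to the customer's
        # registered phone or email. The agent never sees the code.
        self._notify = notify
        self._clock = clock
        self._pending = {}     # (agent, customer) -> (code, ticket_id, issued_at)
        self._sessions = {}    # session_id -> ImpersonationSession
        self.audit = []

    def _log(self, agent, customer, ticket_id, action):
        self.audit.append(AuditEvent(self._clock(), agent, customer, ticket_id, action))

    def query(self, agent, customer, ticket_id, field):
        """Read one customer field on behalf of a ticket the customer raised."""
        if not ticket_id:
            self._log(agent, customer, "", f"denied: {field} requested without a ticket")
            raise PermissionError("every help desk query must reference the customer's ticket")
        if field not in AGENT_READABLE_FIELDS:
            self._log(agent, customer, ticket_id, f"denied: {field} is not agent-readable")
            raise PermissionError(f"{field} is not exposed to help desk agents")
        self._log(agent, customer, ticket_id, f"query {field}")
        return CUSTOMERS[customer][field]

    def request_impersonation(self, agent, customer, ticket_id):
        """Ask the customer for permission; the code goes to them, not to the agent."""
        if not ticket_id:
            raise PermissionError("impersonation must be tied to a help desk ticket")
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self._pending[(agent, customer)] = (code, ticket_id, self._clock())
        self._notify(customer, ticket_id, code)
        self._log(agent, customer, ticket_id, "impersonation requested, approval sent to customer")

    def approve_impersonation(self, agent, customer, code):
        """Redeem the code the customer read back. One guess per request."""
        pending = self._pending.pop((agent, customer), None)
        if pending is None:
            return None
        expected, ticket_id, issued_at = pending
        now = self._clock()
        valid = code.isascii() and hmac.compare_digest(expected, code)
        if now - issued_at > APPROVAL_TTL_S or not valid:
            self._log(agent, customer, ticket_id, "impersonation approval rejected")
            return None
        session = ImpersonationSession(secrets.token_urlsafe(16), agent, customer,
                                       ticket_id, now + SESSION_TTL_S)
        self._sessions[session.session_id] = session
        self._log(agent, customer, ticket_id, "impersonation approved by customer")
        return session

    def act_as_customer(self, session_id, action):
        """Perform a portal action as the customer; False once the session has expired."""
        session = self._sessions.get(session_id)
        if session is None:
            return False
        if self._clock() >= session.expires_at:
            del self._sessions[session_id]
            self._log(session.agent, session.customer, session.ticket_id,
                      "impersonation session expired, agent logged out")
            return False
        self._log(session.agent, session.customer, session.ticket_id, f"impersonation: {action}")
        return True
```

Every audit entry carries the ticket id, which is what lets a later review map each query or impersonated action back to the request the customer actually made.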

Scalability

A CIAM system has to worry about scalability from day one. A workforce IAM system may expect thousands of users; a CIAM system works with millions, and millions of users mean thousands of concurrent logins. In most of these systems you will also find a considerable difference between average load and peak load: the peak is many times the average and may occur only for a few hours on a couple of days per month. Let me give an example. One financial institution we (WSO2) worked with was building an IAM infrastructure for 1.5 million customers. On an average day they expect 350,000 logins, with daily peaks around 9 AM to 10 AM, 12 PM to 1 PM and 3 PM to 4 PM. Even if we assume that 300,000 users log in during those three peak hours, the expected load is only around 1,700 logins per minute. But on 2 days every month they expect 5,000 logins per second, that is 300,000 per minute. That is a huge difference between the daily peak and the monthly one. It is not cost effective to size the infrastructure for the monthly peak and keep it running all the time; that is a waste of system resources and money. In such cases the best option is a dynamic scaling model in which resources spin up as load increases and servers shut down again when load drops. Because the monthly spike is predictable, the scale-out can also be scheduled ahead of it rather than triggered reactively, which avoids the warm-up lag of new nodes at the very moment the login storm arrives.

High availability is another key aspect of a CIAM infrastructure. You may have geographically distributed data centers, some active and some reserved for disaster recovery (DR). The active data centers serve live traffic while the DR centers stand by; if a whole data center goes down, traffic is diverted to the DR center. Within an active data center there will be a cluster of nodes sharing the load evenly, so that if one node goes down it does not take the whole infrastructure with it.

APIs and Integration

A CIAM system is not an all-in-one solution; its power lies in how well it functions in a larger ecosystem. A CIAM system should know how to integrate with multiple data sources, customer relationship management (CRM) systems (such as Salesforce, SugarCRM, Microsoft Dynamics and NetSuite CRM), marketing platforms (such as DataXu, Appboy, MailChimp, Google Analytics and Salesforce Pardot), e-commerce platforms (such as Shopify, Magento and Oracle MICROS), fraud detection solutions, risk engines, content management systems (such as Microsoft SharePoint, Drupal, WordPress, Joomla and DotNetNuke), data management platforms (such as BlueConic, DoubleClick, Lotame and Krux) and many more.

CIAM, Marketing Automation and CRM

A CIAM system is not going to replace the need for a marketing automation platform or a CRM system; it integrates with them and provides a foundation for more targeted marketing and lead nurturing. Marketo, a leading marketing automation vendor, defines marketing automation as a system that allows companies to streamline, automate and measure marketing tasks and workflows. Salesforce, a leading CRM vendor, defines CRM as a strategy for managing all your company’s interactions with current and prospective customers. The marketing automation system tracks the behavior of an anonymous user through the phases of raw lead, viable lead, nurtured lead and active lead. The CRM system picks up where marketing automation stops and tracks the user through the phases of marketing qualified lead, sales accepted lead, opportunity and finally closed won. Up to this point the CIAM system knows nothing about the user; at the end of that journey the customer is on-boarded (see the on-boarding scenarios covered earlier in this post). From then on the CIAM system can track the user’s access patterns in a more trustworthy manner, and with the data feeds from the CIAM system the marketing automation system can drive its campaigns in an identity-driven way. Some of the key benefits of a CIAM system that integrates well with marketing automation and CRM systems are highlighted below.

The anonymous cookie data tracked by the marketing automation platform can be tied to an authenticated identity as users log in through CIAM, giving a single cross-device, cross-platform view of every user as they go from anonymous to known; with cookies alone you cannot correlate one user’s interactions across different devices or browsers. The behavioral patterns tracked by the marketing automation platform can be fed into the CIAM system to perform more effective adaptive, risk-based authentication and fraud detection. The qualified user data captured by the CIAM system can drive more targeted marketing and keep the user’s contact data up to date. A unified user profile can be built across the marketing, CRM and identity platforms, with rich data visualization. And user sign-up data can be verified at the CIAM system by talking to the CRM system.
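The stitching step that both the progressive profiling section and the paragraph above describe, as an added example (not code from the original post or from WSO2): cookie, email and customer identifiers are linked into one component as form submissions and logins arrive, so that activity from two browsers of the same person ends up in one profile while an unlinked cookie stays anonymous. The event stream, field names and the stage labels are constructed.

```python
"""Stitch anonymous cookie activity to a lead and then to an authenticated customer.

Added example, not code from the original post or from WSO2. The event stream,
its field names and the stage labels are constructed.
"""
from collections import defaultdict

# Constructed events in time order. Cookie ids identify browsers, not people:
# c-1 and c-2 are two devices of the same person, c-3 belongs to someone else.
SAMPLE_EVENTS = [
    {"type": "pageview", "cookie": "c-1", "page": "/corolla/lease"},
    {"type": "pageview", "cookie": "c-1", "page": "/corolla/hybrid"},
    {"type": "form_submit", "cookie": "c-1", "email": "jane@example.com", "page": "/whitepaper"},
    {"type": "pageview", "cookie": "c-2", "page": "/camry"},
    {"type": "login", "cookie": "c-2", "email": "jane@example.com", "customer_id": "CUST-42"},
    {"type": "pageview", "cookie": "c-2", "page": "/corolla/lease"},
    {"type": "pageview", "cookie": "c-3", "page": "/rav4"},
]


class IdentityGraph:
    """Union-find over identifier nodes: "cookie:c-1", "email:...", "customer:..."."""

    def __init__(self):
        self._parent = {}
        self._events = defaultdict(list)   # root node -> [(seq, event), ...]
        self._seq = 0

    def _find(self, node):
        self._parent.setdefault(node, node)
        while self._parent[node] != node:
            self._parent[node] = self._parent[self._parent[node]]   # path halving
            node = self._parent[node]
        return node

    def link(self, a, b):
        """Merge two identifiers (and the events recorded against each) into one component."""
        ra, rb = self._find(a), self._find(b)
        if ra != rb:
            self._parent[ra] = rb
            self._events[rb].extend(self._events.pop(ra, []))

    def ingest(self, event):
        """Record an event against its cookie; form submissions and logins add links."""
        cookie = f"cookie:{event['cookie']}"
        if "email" in event:
            self.link(cookie, f"email:{event['email']}")
        if "customer_id" in event:
            self.link(cookie, f"customer:{event['customer_id']}")
        self._events[self._find(cookie)].append((self._seq, event))
        self._seq += 1

    def profile(self, node):
        """Unified profile for whichever component `node` belongs to."""
        root = self._find(node)
        ids = sorted(n for n in list(self._parent) if self._find(n) == root)
        if any(i.startswith("customer:") for i in ids):
            stage = "customer"
        elif any(i.startswith("email:") for i in ids):
            stage = "lead"
        else:
            stage = "anonymous"
        events = [e for _, e in sorted(self._events[root], key=lambda p: p[0])]
        return {"stage": stage, "identifiers": ids,
                "pages_viewed": [e["page"] for e in events if "page" in e]}


def build_profiles(events) -> IdentityGraph:
    graph = IdentityGraph()
    for event in events:
        graph.ingest(event)
    return graph


if __name__ == "__main__":
    g = build_profiles(SAMPLE_EVENTS)
    print(g.profile("customer:CUST-42"))
    print(g.profile("cookie:c-3"))
```

Linking a browsing history to a named person is exactly the kind of processing the consent and data-export functions of the self-service portal exist for, so the same graph that builds the profile should also be able to unlink or delete it on request.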

Summary

CIAM drives revenue growth by leveraging identity data to acquire and retain customers. It is the new public face of your company. CIAM differs from traditional IAM (workforce or employee IAM) in many ways. User experience rules everything in CIAM, and so do privacy and security: it is not an ‘or’ but an ‘and’. Customer on-boarding, progressive profiling, social integrations, strong authentication, self-service, help desk and delegated administration, and scalability are the key areas any CIAM infrastructure should worry about. Identity data is the new gold, and CIAM is a mainstream business capability.