We are often asked about the difference between CIAM and IAM, how to plan for each, and how organizations can get the most from their IAM program initiatives: maximized returns, end-user satisfaction, and better prioritization of the initiatives. In this post, we at CredenceIA Consulting highlight the difference between CIAM and IAM and the key use cases for CIAM.
CIAM vs. IAM – the Difference
Identity and Access Management (IAM) and CIAM are similar yet quite different. First, the names. CIAM stands for Consumer IAM, Customer IAM, or Counterparty IAM. Whichever term you use, they all refer to the key distinction that CIAM serves external users, whereas IAM serves users within the enterprise or within its perimeter.
Second, IAM and CIAM address very different sets of problems. Enterprise IAM initiatives are typically driven by cost reduction, regulatory compliance, or modernization objectives. In contrast, CIAM drivers are simplifying the consumer's identity experience, brand management, and staying on the leading edge of a competitive business, while also achieving modernization objectives.
CIAM vs. IAM – Key Priorities
Both programs will include the following high-level initiatives. What changes is the priority and order of execution of the initiatives, and the scope and requirements of each.
· Single Sign-On (SSO)
· Multifactor Authentication (MFA)
· Access and Authorization Management
· Simplification and unification of directory services and user repositories
· User Lifecycle Management and Identity Governance (IGA)
· Privileged Access Management
· Brand Management
Enterprise IAM focuses on SSO and MFA to make it easy for its enterprise users and outside business users to interact with key applications. There is typically a level of trust involved with enterprise users, since most companies will have issued a laptop and a soft or hard token (if VPN is required) to achieve SSO and MFA. For third-party business users, federation is set up via SAML. A much bigger focus is typically placed on IGA and privileged access initiatives, to ensure that compliance, audit and regulatory obligations are addressed, that awareness of “who has access to what” and its governance is established, and that privileged access is known and managed.
SSO and MFA for CIAM: In most cases, the CIAM initiative places a higher focus on end-user experience, ease of user interaction with the enterprise via both website and mobile, and ensuring that the user experience translates into user retention. End-user experience is so crucial for a CIAM program that a bad user interface design or a cumbersome login process could move a user to a competing offering, with a loss of revenue as a result. On the other hand, businesses cannot risk password policies so lax that they foster weak passwords and risk account compromise or privacy issues. A simplified SSO process goes a long way toward the first impression the user forms of the business. Users want a single point of entry, along with personalization of the landing page and the services they use, and self-service processes that let a user get back to where they want to be rather than deal with customer service.
IGA for CIAM: IGA is another critical area for certain industries (e.g. finance, banking, healthcare and insurance), to ensure that third-party or external user access is well known and managed. Traditionally, IGA for CIAM has been handled in a piecemeal approach, with several disjointed applications (a combination of homegrown and off-the-shelf) managing the user lifecycle. We advise our customers to look for opportunities to consolidate IGA initiatives for CIAM, as consolidation enables new features, faster time to value, and an overall reduction in cost and complexity.
Delegated administration is an important use case for CIAM. Most enterprises would like to nominate a designate from each key department and third-party partner who is then responsible for access requests, approvals and terminations for their respective team.
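To make the delegated-administration use case concrete, here is an added example (our own illustration for this post, not code from any product) of a scope-limited approval policy: each department or partner organization has a nominated delegate, and a delegate can grant or revoke access only for users within the organizations they administer, never for themselves. Every decision is written to an audit trail so that "who approved what for whom" can be reported later. The users, organizations and entitlement names are constructed sample data.

```python
"""
Added example: a minimal delegated-administration policy for a CIAM
access-request workflow. Each department or partner organization nominates
a delegate; the delegate may grant or revoke access only for users inside
the organizations they administer, and never for themselves. All names and
data below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class User:
    user_id: str
    org: str          # e.g. "dept:finance" or "partner:acme-corp"


@dataclass
class AccessRequest:
    request_id: str
    target: str       # user_id whose access is being changed
    action: str       # "grant" or "revoke"
    entitlement: str  # e.g. "claims-portal:reader"


@dataclass
class Decision:
    allowed: bool
    reason: str


class DelegatedAdmin:
    """Scope-limited approval: delegates act only within their own orgs."""

    def __init__(self, users: Dict[str, User], delegates: Dict[str, Set[str]]):
        self.users = users
        self.delegates = delegates   # delegate user_id -> orgs they administer
        self.audit: List[dict] = []  # one record per decision, allowed or not

    def administers(self, delegate_id: str, target_id: str) -> bool:
        """True if the target user's org is inside the delegate's scope."""
        target = self.users.get(target_id)
        if target is None:
            return False
        return target.org in self.delegates.get(delegate_id, set())

    def decide(self, req: AccessRequest, approver_id: str) -> Decision:
        """Evaluate a request; deny by default, record the outcome in the audit trail."""
        if req.action not in ("grant", "revoke"):
            d = Decision(False, f"unknown action {req.action!r}")
        elif req.target not in self.users:
            d = Decision(False, f"unknown target user {req.target!r}")
        elif approver_id == req.target:
            d = Decision(False, "self-approval is not permitted")
        elif not self.administers(approver_id, req.target):
            d = Decision(False, f"{approver_id} does not administer {self.users[req.target].org}")
        else:
            d = Decision(True, f"{approver_id} may {req.action} {req.entitlement} for {req.target}")
        self.audit.append({"request": req.request_id, "approver": approver_id,
                           "target": req.target, "allowed": d.allowed, "reason": d.reason})
        return d


# Constructed sample directory: one department and one partner organization.
USERS = {
    "alice": User("alice", "dept:finance"),
    "bob": User("bob", "dept:finance"),
    "carol": User("carol", "partner:acme-corp"),
    "dave": User("dave", "partner:acme-corp"),
}
DELEGATES = {
    "alice": {"dept:finance"},        # finance designate
    "carol": {"partner:acme-corp"},   # partner designate
}


def demo() -> List[Decision]:
    """Run four representative requests: in scope, cross-org, self-approval, partner in scope."""
    admin = DelegatedAdmin(USERS, DELEGATES)
    reqs = [
        (AccessRequest("r1", "bob", "grant", "claims-portal:reader"), "alice"),    # allowed
        (AccessRequest("r2", "dave", "grant", "claims-portal:reader"), "alice"),   # cross-org: denied
        (AccessRequest("r3", "alice", "grant", "claims-portal:admin"), "alice"),   # self: denied
        (AccessRequest("r4", "dave", "revoke", "claims-portal:reader"), "carol"),  # allowed
    ]
    return [admin.decide(r, who) for r, who in reqs]


if __name__ == "__main__":
    for d in demo():
        print("ALLOW" if d.allowed else "DENY ", d.reason)
```

The policy is deny-by-default: a delegate with no configured scope, an unknown target, or a self-approval all fall through to a denial, and the audit record is written whether or not the request was allowed, which is what an access certification or regulator review will later ask for.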
A few use cases get much more emphasis from enterprise IAM than from CIAM. Access certification will be much simpler in the case of CIAM; however, because the users are business-focused, the IGA tool's intuitive UI and its ability to interact via mobile devices will be a critical factor. Similarly, access request forms and approval workflows are designed from the business and third-party user's perspective. Roles and RBAC may not be an initial focus, as there is usually not a robust use case to justify the time and investment necessary to realize the benefits. Reporting and analytics will be geared more toward the “how”, to better understand and refine the application, processes and support structure. The use of machine learning and data analytics is equally important.
IGA functionality, like SSO, will place much more focus on the self-service experience and on investment in automated service ticket creation and resolution. In our experience, a well-defined, intuitive support mechanism for IGA programs allows better participation both from enterprise users dedicated to the CIAM program and from third-party business users and organizations. A centralized team of dedicated experts who handle requests that cannot be solved by self-service or an automated system is important for CIAM.
The final area of difference is the architecture, which keeps customer engagement, brand reputation, and management in mind. The CIAM system will be designed with a focus on reducing complexity and enabling frictionless transactions with outside users and organizations. A large pool of out-of-the-box connectors or API-based integration will be in focus. The backend systems will be thought through to handle potentially exponential growth in users without performance problems or, worse, outages. Privacy and compliance will be at the center. A well-executed CIAM initiative will yield much better brand reputation, customer retention and business user satisfaction.
Priorities & Buy-in
We recommend independent strategies for IAM and CIAM, each meeting its own business and customer requirements, priorities and stakeholder buy-in. In the long run, this provides tremendous flexibility in achieving two widely different objectives and meeting their demands. In our opinion, this approach allows a much faster time to value. Advisors who bring experience and actionable insights to your unique needs and use cases are key to the overall success of either program.
About CredenceIA Consulting
CredenceIA Consulting brings over 20 years of experience working with organizations of all sizes and complexities. This allows CredenceIA Consulting advisors to deliver the best value and outcome within time and budget. CredenceIA Consulting provides advisory and implementation solutions. We have a successful track record of IAM implementations over the last two decades. CredenceIA Consulting has one of the most experienced IAM and IGA teams, with robust project planning, execution and management expertise.
CredenceIA Consulting’s all-encompassing, tailored solutions, from advisory and implementation to US-based L2/L3 managed services, allow CISOs and their teams to focus their attention where it is necessary.
For more information, get in touch!