18 Jul The Danger of Relying on IAM When You Need CIAM
In a recent blog post Ed Sawma from Okta outlines how IAM and CIAM are the same, and not the same. Reading through the post you might get a warm and fuzzy feeling inside that says typical (Enterprise) IAM solutions can solve your identity and access management challenges that you might have with your external users. I’m here to tell you that following that fuzzy feeling will result in a situation where a brown substance hits an air impeller.
Most of the basic underlying technologies for both IAM and CIAM are similar, and might lead you to believe that it is easy to adopt your enterprise IAM to meet the demands of customer IAM. You see all the same technology jargon listed in the spec sheets including SAML, OAuth, OpenID Connect, LDAP, SQL, 2-factor authentication, REST API etc. These are the building blocks of the foundation. They are needed for any IAM solution to work properly. What you build on top of these standard Lego pegs of IAM is the differentiator.
What Ed doesn’t say is how vastly different the environments between the enterprise and customer facing services are. Your employees do what you say. They will happily (not) use the RSA SecurID tokens you hand them and try their best not to lose them on a weekly basis. Your customers on the other hand will quickly vote with their feet if you try to restrict them or if you deliver a bad user experience. The enterprise environment is stable, fixed and changes are slow. The customer environment is erratic, rapidly changing and ultra competitive. Rigid enterprise IAM solutions are not built for this, especially solutions where you need to develop something inhouse. CIAM is a balanced solution where quick changes can be made through simple configuration, and not through laborious and error prone coding, but at the same time including a good selection of REST APIs that allow you to embed CIAM functions to your own applications.
CIAM is also about capture and conversion. Allowing your visitors easy access and minimal registration flows, or even completely automated registration increases your bottom line. How many enterprise IAM solutions are designed to increase your revenue and customer intake?
GDPR is not a check box
What I found the most worrisome (facepalm moment) was Eds statement about handling GDPR compliance with a few check boxes. Either Okta hasn’t done their homework, or they’ve completely missed their mark on how big of an impact GDPR has and the role CIAM plays in the picture. Naturally, an enterprise IAM doesn’t have to worry about things like consent, data portability or access to data. Consent comes from the supervisor as given (it’s called a job description), you don’t really take your data with you when you leave, and HR takes care of the employee data. But for the customer facing world, things go upside down.
Consent is a fairly big deal with the new regulation and the most logical place to implement consent is within the CIAM platform. You need to collect the consent, allow end users to view, manage, freeze and revoke the permissions given. A good CIAM solution also allows end users to selectively choose what information they wish to share in case for e.g. federation. In the enterprise environment you can send whatever you want to your applications and its perfectly ok. Not so in the GDPR world. And now it is the job of the service provider to prove that they have the consent. So, consent related actions need to be carefully and securely stored.
To reiterate: GDPR and consent is not just a few check boxes. If you believe so, then… brown substance, air impeller…
Are you ready to hire 500 more employees?
One of the biggest mistakes an organisation can make when trying to get control over customer identities, is to start managing those said identities themselves. Just ask your sales managers how confident they are that all of the CRM information is up to date and accurate.
In the enterprise scenario the management of identities is easy(ish). People join the company, they get recorded into the HR system and the provisioning engine will take care that the information trickles to the right internal systems. Employees get promoted or switch jobs and their roles change. Projects need time limited roles and authorizations. Once in a while the IT admin has to reset a few passwords. Now imagine if you try to mimic this behaviour on your customer facing solutions with tens of thousands of users, or *gulp* millions of users. Get ready to hire a lot of extra help.
The idea of CIAM is to outsource the management of not just the basic user data to the customers, but also authorisations. Especially in a B2B cases when your own customers can authorise their own employees to your services, the benefits of a CIAM system become apparent – as well as the bigger differences between IAM and CIAM. How do you model families in an enterprise IAM? Or allow your customers to manage authorizations in a supply chain type of environment? What if you link the identity and authorisation data maintained by your customers to your own CRM? What would your sales managers say when all of a sudden the data within the CRM becomes accurate?
It seems that incumbent IAM vendors are becoming defensive when it comes to managing customer identities. They’ve realized that CIAM is not the same as enterprise IAM. We’ve been doing CIAM for over a decade, and we know they are not the same. Contact Ubisecure now to hear how we can help your organisation to take control over the customer identities.