​The Eight Stages of Effective Customer Identity Access Management

Mark Perry, APAC Chief Technology Officer and Principal Architect, PING Identity

As commerce continues to shift online, IT managers are finding themselves juggling two competing priorities. On one hand they need to provide a frictionless experience for customers, while on the other they need to ensure underlying systems and data remain secure.

Getting the access and security balance right is critical for a business. If customers find it too hard to purchase products or services from one firm they will simply shift to a competitor. Also, they want the ability to use a range of different channels for their interactions and will gravitate to those firms offering the best experience.

For businesses, this trend has brought the issue of Customer Identity Access Management (CIAM) into sharp focus. Businesses need to find an effective and seamless way to create new customer accounts and manage these relationships over time.

There are eight key stages to consider when deploying a CIAM system and they include:

1. Registration and ID creation

The registration process will be the first interaction a new customer has with a firm's IAM system, therefore the goal has to be to create the least amount of friction while at the same time ensuring an appropriate level of security.

Options on offer for customers should include the ability to complete registration without needing to speak to an agent and the ability to use an existing ID login such as those provided by sites such as Google, Facebook and PayPal.

While customer profiles will become invaluable to the business over time, it's important to start out by requesting the least amount of information necessary to create a new customer ID. Further details can be gathered as the customer begins to interact with the business.

To assist in this initial stage, a CIAM system should provide either pre-built registration forms that can be customised to suit the business or APIs that allow original forms to be built and used.

2. Identity storage

Once a new customer profile has been created, the ID data must be stored in a secure repository. Because a business may end up having hundreds, thousands, or even millions of user profiles, the repository must be able to scale.

Many CIAM systems rely on directory services to support authentication and authorisation and database technologies to house the identity repository. However, because of the need to handle what is an unpredictable and potentially high volume of IDs, a cloud-hosted option is more appropriate.

A cloud-based repository can readily scale to match growing demand with the provider also taking responsibility for utilisation and performance.

Because data entered by customers will be in both structured and unstructured forms, the ID repository must also be able to accommodate both types. Also remember that cloud storage should be in-country where privacy and data sovereignty requirements mandate it.

3. Data aggregation

The challenge of effective CIAM is further complicated by the fact that relevant data may be distributed across multiple locations within a business as well as in third-party databases and marketing systems.

One way to achieve this is through application integration where data is synchronised bi-directionally between the user profile and third-party applications such as marketing and CRM systems. Another option, called progressive profiling, uses dynamic forms to gradually gather demographic data from customers over time.

4. Account validation

As customers continue their relationship with the business, regular account validation will be required.

Options include the use of CAPTCHA tools to determine that the customer is a human (and not a bot), and data validation measures which involve comparing entered details with known confirmed information about them.

5. Identity proofing

At times when it makes sense to apply additional techniques to ensure the authenticity of a customer, ID proofing can be employed. Indeed, look at adopting push notifications to a registered device to ease the process.

6. Strong authentication

Strong or multi-factor authentication is another key step in having secure CIAM in place. It involves having a procedure that requires the combination of two or more authentication factors, including things such as PINs, passwords, tokens, smart cards and fingerprints or iris scans.

While it's always important to strike a balance between security and user experience, authentication beyond the scope of just a username and password is a requirement for an increasing number of CIAM systems.

At the same time, a MFA system should allow for specific CIAM requirements such as environments where there may be a mixture of device types, and a requirement for use among elderly and disabled users. After all, Not everyone can easily type a number in to a tiny screen.


7. Single Sign-on (SSO)

While single sign-on is relatively common within organisations it can be harder to put in place for customers if they need to access multiple websites or applications.

One way it can be achieved is through automated account linking. If a customer has multiple accounts within the same organisation they can be automatically linked to provide SSO. Another option is to offer customers the chance to link multiple social accounts (such as Facebook and Google) to their account with the business so they don't need to remember which one they used when the account was established. Either can then be used to sign in.

8. Customer Profile

As the relationship between the business and its customers grows over time, the final stage of effective CIAM is the management of created profiles. To ensure data accuracy is maintained, profile management rights should be given to delegated administrators, while at same time customers are also offered the ability to self-manage certain data and settings.

Implementing an effective CIAM system is a vital step in ensuring online relationships with customers can be established and maintained. By following these stages, a business can ensure it has the right CIAM system in place that will support growth well into the future.

Tags IT managementGoogleFacebookpaypalcaptchaAPIsCRM systemregistrationSSOCIAMID login

Show Comments