KuppingerCole Analysts' View on Customer-Centric Identity Management



Challenges of large-scale IAM environments

Matthias Reinwarth

Long before analysts, vendors or journalists were coining terms like Digitalization, Identity Relationship Management or Customer IAM, several industries were already confronted with large-scale Identity and Access Management (IAM) environments. Due to the nature of their businesses they were challenged with the storage of huge amounts of identity data while serving massive volumes of both read and write requests at a constantly high access speed. Providers of telecommunication infrastructure such as voice or data services in particular typically handle identity data for several million subscribers. This information is leveraged for various purposes: one highly essential task focuses on controlling which subscribers are permitted to access which services and keeping track of which resources they have used. This is typically done in highly specialized AAA (Triple-A) systems providing real-time Authentication (who?), Authorization (what?) and Accounting (how much?) services.

As this forms the basis for the actual core business processes, performance, availability, reliability and security are of utmost importance. Therefore, telco operators have always been at the forefront of designing and implementing highly redundant, scalable, sustainable special-purpose IAM systems, such as directory or database systems capable of fulfilling their unique requirements.

But several other systems traditionally need access to various subsets of subscriber (i.e. customer) data: Customer Relationship Management (CRM) systems are the foundation for sales and help desk processes, and this information needs to be merged with AAA data to produce e.g. the monthly bills. But apart from the traditional help desk systems, where customers call and want to interact with help desk personnel, the service landscape has changed dramatically: many telco operators have transformed into full service providers of communication and entertainment services, e.g. IPTV. In parallel, subscribers have more and more gotten used to online portals for self-service access to their operator’s product portfolio. Having online access to their billing information, while being able to change, extend or cancel their subscriptions, has become the new normal. This of course requires strong security mechanisms, especially rock-solid authentication and authorisation functionalities, and the same is true for ordering immediate access to streaming a blockbuster movie or gaining access to live coverage of their favourite sports event directly from the set-top box. These devices, among many others (tablets, mobile phones or even gaming consoles), represent the identities of individual subscribers and are of course further sources of billing information as well.

Providing a large-scale IAM system comes with many promises and requirements: gaining better insight into subscriber data through big data analytics might lead to efficient and agile business decisions and new products. The resulting information might be even more valuable when an operator's own subscriber data is intelligently merged with information provided by third parties (e.g. financial data, market research) and even social data, e.g. from Facebook, Google or Twitter logins. On the other hand, the privacy, security and reliability of sensitive information provided to the operators by subscribers is highly important. An example of this is when mobile devices are used for mobile, online payments (which is already done for example by Swisscom with their Easypay system) or secure mobile authentication (e.g. as a second factor) in the not-so-distant future.

In large-scale IAM environments we observe that the traditional use case scenarios don’t go away, while they are constantly complemented with completely new requirements and business models. New technical requirements (new access methods, new devices, optimized performance, new data processing like big data analytics and lots more) result from such developments. And this often introduces the need for compliance with new sets of legal or regulatory requirements. All of this has to be adequately implemented in parallel, while existing requirements continue to be fulfilled, but usually with rising numbers of subscribers and increasing volumes of access requests.

With the traditional business models of providing mere access to voice or data services becoming more and more irrelevant, telco operators have to constantly re-invent themselves and their business models. Existing and changing IAM systems for large numbers of customers and subscribers might turn out to be one of their biggest challenges, but also their most significant asset for providing added value to their subscribers and new customer groups in the future.



The role of Adaptive Authentication in Consumer Identity Management

Ivan Niccolai

As more and more traditional services move online as part of the digital transformation trend, consumer-centric identity management is becoming an increasingly vital business success factor. Customers aren’t just physical persons; they are also the devices used by customers, and they are also the intermediate organisations and systems which operate together to enable the provisioning of the service.

While traditionally the identity and access management (IAM) discipline has focused on employee use cases, consumer-centric identity management is an approach to the identification, authentication and authorisation of the consumers of services: customers, devices and organisations who are external to the organisation providing the product or service. It is more than just external user IAM; it is an approach which, as the name implies, recognises that consumer interaction with services from businesses and government is predominantly via online channels. So when planning and designing IAM capabilities, the customer must be the starting point, not technology, not standards, not products – these are key factors too, but user experience, along with security and scalability, must be at the forefront.

While usability and security are typically seen as objectives in conflict with each other, it is possible today to offer a better user experience which is also more secure. An example of this is seen with identification, by making use of federation standards to leverage social logins, thus externalising the risks associated with passwords. If social logins are not appropriate, adaptive authentication, which has for some time now been used by almost all online banking services, offers better security and user experience by reducing the reliance on passwords for securing both authentication and authorisation through the use of multi-factor authentication challenges. Dynamic, adaptive authentication will also improve the user experience by stepping the authentication challenge up or down depending on the action the user is requesting as well as the risk profile of the user. Here we can see how consumer-centricity, coupled with a holistic approach to security and risk management, can leverage adaptive authentication and authorisation to understand what it is that a user is trying to do and link that action to the risks examined in the risk management exercise, ensuring that low-risk actions do not entail an excessively onerous user experience while appropriate security controls are in place for high-risk actions. Dynamic, adaptive authorisation and authentication will also be able to flag anomalous user activity and respond accordingly.
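A minimal policy engine for the step-up logic described above, added here as an illustration and not code from the original article: the assurance levels, the per-action risk table, the risk signals (device, location, failed logins) and the thresholds are constructed assumptions, not a standard or a vendor's implementation.

```python
from dataclasses import dataclass

# Assurance levels a session can reach (constructed scale for this example).
PASSWORD, OTP, STRONG_MFA = 1, 2, 3

# Inherent risk of each action, as a risk assessment might rate it (hypothetical values).
ACTION_RISK = {"view_balance": 1, "change_address": 2, "transfer_funds": 3}


@dataclass
class Context:
    user: str
    action: str
    known_device: bool           # device fingerprint seen before for this user
    country: str                 # country of the current request
    home_country: str            # country the user normally connects from
    failed_logins_last_hour: int
    assurance_so_far: int        # highest level already proven in this session


def risk_score(ctx: Context) -> int:
    """Combine the action's inherent risk with signals from the user's risk profile."""
    score = ACTION_RISK.get(ctx.action, 3)  # unknown actions are treated as high risk
    if not ctx.known_device:
        score += 1
    if ctx.country != ctx.home_country:
        score += 1
    if ctx.failed_logins_last_hour >= 3:
        score += 1
    return score


def required_level(score: int) -> int:
    """Map a risk score to the authentication strength the policy demands."""
    if score <= 1:
        return PASSWORD
    if score <= 3:
        return OTP
    return STRONG_MFA


def decide(ctx: Context) -> tuple[str, int, bool]:
    """Return (verdict, required level, alert flag).

    The verdict is "allow" when the session already meets the required level and
    "step_up" otherwise; a score of 5 or more is treated as anomalous and also
    raises an alert so the activity can be reviewed, not just challenged.
    """
    score = risk_score(ctx)
    level = required_level(score)
    verdict = "allow" if ctx.assurance_so_far >= level else "step_up"
    return verdict, level, score >= 5
```

The same function steps down as well: a low-risk action from a known device is allowed on password assurance alone, so the user is not challenged needlessly.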

Scalability is also a key factor in consumer-centric IAM. Consumer IAM generally has much higher performance and throughput requirements, which must not be neglected during the planning and design phases. A good functional user experience will fail if the underlying systems cannot support the performance stresses of production use. Performance and capacity planning is often a big unknown and prone to large variations in line with consumer demand. As with security, performance tuning is a process, not a project, and consumer IAM systems must be designed to scale up or down as required.

Consumer-centric IAM must also be threat-centric. With the loss of the traditional network perimeter, IAM becomes the key common denominator for determining appropriate access to resources, regardless of where they reside (cloud, on-premise) or the device used to access them. Consumer-centric IAM thus becomes a key component of a Real-Time Security Intelligence strategy.



There is no Consumer Identity & Access Management at all – at least not as a separate discipline

Martin Kuppinger

These days, there is a lot of talk about Consumer Identity & Access Management or CIAM. However, there is no such thing as CIAM, at least not as a separate discipline within IAM. There are technologies that are of higher relevance when dealing with customers and consumers than they are when dealing with employees. But there are neither technologies that are required for CIAM only, nor is there any benefit in trying to set up a separate CIAM infrastructure.

This does not mean that IAM should or must not focus on consumers – on the contrary. But it is about extending and, to some extent, renovating the existing on-premise IAM, which commonly is focused on employees and some business partners. It is about one integrated approach for all identities (employees, partners, consumers, ...), managing their access to all services regardless of the deployment model, using all types of devices and things. It is about seamlessly managing all access of all identities in a consistent way. Notably, “consistent way” is not the same as “from a single platform”.

So why don’t we need a separate CIAM? The easiest answer is found by asking a simple question: “Is there any single application in your organization that is only accessed by consumers?” This implies “and not by at least some of your employees, e.g. for customer services, administration & operations, or analyzing the data collected.” The obvious answer to that question is that there is no such application. There are applications which are only used by employees, but not the other way round. So why should there be separate IAM deployments for applications that are used by a common group of users? That could only result in security issues and management trouble.

The other aspect is that the way applications are used within the enterprise is changing anyway. Mobile users access cloud applications without even touching the internal network anymore. Thus, technologies such as Adaptive Authentication, Cloud IAM or IDaaS (Identity Management as a Service), Identity Federation, etc. are relevant not only for consumer-facing solutions but for all areas of IAM.

Finally, there is the aspect that users frequently have multiple digital identities, even in relationship to their employers. Many employees of car manufacturers are also customers of that company. Many employees of insurance companies also have insurance contracts with those companies, and some even act as freelance insurance brokers. Managing such complex relationships becomes far easier when having one IAM for all – employees, partners, and consumers. One IAM that serves all applications, on-premise and in the Cloud. And one IAM that supports all types of access.

That may still result in projects that focus on managing consumer access to services, IAM for cloud services, and so on. But all these projects should be part of moving IAM to the next level: an IAM that serves all requirements, from the traditional access of an employee using his PC in the corporate LAN to access a legacy backend system, to the mobile consumer coming in via a social login and accessing a cloud service.

What are your thoughts on #consumeridentity?

Join the discussion and share your comments
on the KuppingerCole Blog or on Twitter @KuppingerCole
