As more traditional services move online as part of the digital transformation trend, consumer-centric identity management is becoming an increasingly vital business success factor. Customers are not just physical persons: they are also the devices those persons use, and the intermediate organisations and systems that operate together to enable the provisioning of the service.
While the identity and access management (IAM) discipline has traditionally focused on employee use cases, consumer-centric identity management is an approach to the identification, authentication and authorisation of the consumers of a service: the customers, devices and organisations external to the organisation providing the product or service. It is more than just external-user IAM. As the name implies, it recognises that consumer interaction with businesses and government is predominantly via online channels, so when planning and designing IAM capabilities the customer must be the starting point, not the technology, the standards or the products. These are key factors too, but user experience, together with security and scalability, must be at the forefront.
Usability and security are typically seen as objectives in conflict with each other, but it is possible today to offer a better user experience which is also more secure. One example is identification: federation standards can be used to leverage social logins, thus externalising the risks associated with passwords (while accepting a dependency on the social identity provider's own security and availability). If social logins are not appropriate, adaptive authentication, which almost all online banking services have been using for some time, offers better security and a better user experience by reducing the reliance on passwords for securing both authentication and authorisation, through multi-factor authentication challenges. Dynamic, adaptive authentication also improves the user experience by stepping the authentication challenge up or down depending on the action the user is requesting and the risk profile of the user. Here consumer-centricity, coupled with a holistic approach to security and risk management, can leverage adaptive authentication and authorisation to understand what the user is trying to do, link that action to the risks examined in the risk management exercise, and ensure that low-risk actions do not entail an excessively onerous user experience while appropriate security controls are in place for high-risk actions. Dynamic, adaptive authorisation and authentication can also flag anomalous user activity and respond accordingly.
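The step-up and step-down logic described above, as an added example that is not part of the original article: a small policy function combines the sensitivity of the requested action with risk signals about the user, device and session, then decides whether no challenge, a password or a second factor is needed now, or whether the request should be blocked and flagged as anomalous. The action names, signal weights and thresholds are assumptions chosen for illustration, not values from any product.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Assurance(IntEnum):
    """Authentication level a session has already reached, or an action requires."""
    NONE = 0
    PASSWORD = 1
    MFA = 2


# Sensitivity of each action, 1 (low) .. 5 (high). Constructed for this example;
# an external transfer is rated so that it always needs a second factor.
ACTION_SENSITIVITY = {
    "view_balance": 1,
    "update_email": 2,
    "add_payee": 3,
    "transfer_external": 5,
}


@dataclass
class RequestContext:
    """Signals available when a user requests an action (hypothetical fields)."""
    user_id: str
    action: str
    device_known: bool
    country: str
    usual_countries: frozenset
    failed_logins_last_hour: int = 0
    amount: float = 0.0
    session_assurance: Assurance = Assurance.NONE


@dataclass
class Decision:
    required: Assurance        # level this action needs in this context
    challenge: Assurance       # what to prompt for now; NONE means the session already suffices
    deny: bool = False         # True when the request is blocked and flagged as anomalous
    reasons: list = field(default_factory=list)


def user_risk(ctx):
    """Score the risk signals about the user, device and session; returns (score, reasons)."""
    score, reasons = 0, []
    if not ctx.device_known:
        score += 2
        reasons.append("unrecognised device")
    if ctx.country not in ctx.usual_countries:
        score += 2
        reasons.append(f"request from unusual country {ctx.country}")
    if ctx.failed_logins_last_hour >= 3:
        score += 2
        reasons.append(f"{ctx.failed_logins_last_hour} failed logins in the last hour")
    if ctx.amount >= 10_000:
        score += 1
        reasons.append("high-value transaction")
    return score, reasons


def decide(ctx):
    """Map action sensitivity plus user risk to the challenge to present now."""
    if ctx.action not in ACTION_SENSITIVITY:
        raise ValueError(f"unknown action {ctx.action!r}")  # fail closed on unknown actions
    sensitivity = ACTION_SENSITIVITY[ctx.action]
    signal, reasons = user_risk(ctx)

    # Several anomalous signals at once: block and flag rather than merely step up.
    if signal >= 6:
        return Decision(Assurance.MFA, Assurance.MFA, deny=True,
                        reasons=reasons + ["anomaly threshold exceeded"])

    total = sensitivity + signal
    if total >= 5:
        required = Assurance.MFA
    elif total >= 3:
        required = Assurance.PASSWORD
    else:
        required = Assurance.NONE

    # Step down: a session that already holds the required level is not challenged again.
    challenge = required if ctx.session_assurance < required else Assurance.NONE
    return Decision(required, challenge, reasons=reasons)


if __name__ == "__main__":
    # Constructed sample request: a known device, usual country, password-only session.
    sample = RequestContext("alice", "transfer_external", True, "GB", frozenset({"GB"}),
                            amount=15_000, session_assurance=Assurance.PASSWORD)
    print(decide(sample))
```

The same function serves both directions: a password-only session asking to view a balance from a known device gets no prompt at all, while the same session attempting an external transfer is stepped up to a second factor, and a session that already holds MFA is not re-challenged for it. Thresholds and weights are the part a real deployment tunes against its own risk assessment.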
Scalability is also a key factor in consumer-centric IAM. Consumer IAM generally has much higher performance and throughput requirements than employee IAM, and these must not be neglected during the planning and design phases. A good functional user experience will fail if the underlying systems cannot support the performance stresses of production use. Performance and capacity are often a big unknown and prone to large variations in line with consumer demand. As with security, performance tuning is a process, not a project, and consumer IAM systems must be designed to scale up or down as required.
Consumer-centric IAM must also be threat-centric. With the loss of the traditional network perimeter, IAM becomes the key common denominator for determining appropriate access to resources, regardless of where they reside (cloud or on-premises) or the device used to access them. Consumer-centric IAM therefore becomes a key component of a Real-Time Security Intelligence strategy.