KuppingerCole just concluded our first Consumer Identity Summit in Paris.  In fact, this was the first Consumer focused digital identity event of its kind.  The event was very well attended, and featured excellent expert speakers from all across the globe.  The popularity of the event and enthusiasm for dialogue among attendees demonstrates the need for treating Consumer Identity differently than traditional Enterprise Identity.  The technology has been evolving significantly, to meet rapidly changing business requirements and encompass newly developed technologies.

Businesses and public sector organizations are finding that they need to “Know Your Customer” (KYC) better for a number of reasons.  Consumer Identity and Access Management (CIAM) services can help meet these objectives.  For example, retail and media outlets can provide better experiences to registered users.  These companies can offer incentives, special sales, and other features to increase loyalty to their brands.  Banks and financial institutions can better comply with Anti-Money Laundering (AML) regulations by establishing digital relationships via CIAM, and provide competitive advantages. 

Consumer identity is becoming more than just a competitive advantage though.  Katryna Dow, CEO of Meeco, said “Consumer Identity is the new channel”.  What this means is that digital service providers are in many cases beginning to bypass traditional distribution channels to directly engage and sell to consumers.  This will have increasingly profound effects on business models.  Consider, for example, the changes in entertainment media and its prior distribution channels.  Where consumers once bought movies and programs on VHS or DVD at stores such as Blockbuster and Hollywood Video, consumers are now streaming content straight from Amazon, Hulu, Netflix, Sony, and more.  The same can be said for online retailers:  those utilizing consumer identity solutions have ways to alert interested buyers, solicit feedback, and create revenue streams that others can’t. 

Allan Foster, VP of Community at ForgeRock and President of Kantara Initiative, described the difference between enterprise IAM and CIAM: “with enterprise IAM, IT provides the identities; in CIAM, IT provides the means for consumers to build their own identities.”   This saves administrative effort, and puts control over which attributes to share back into the consumers’ hands, making them a participant in the process.

Ian Glazer, Senior Director at Salesforce Identity, highlighted the need for improved user experiences, showing how effective consumer identity management promotes a much better user journey.   He stated that businesses must reduce friction for consumers by using social logins, progressive profiling, and progressive proofing. Logins should not require “Yet Another Username & Password”, or YAUP.  Consumer identity should work across multiple channels, including tying users to their IoT devices.

Several speakers touched on the importance of preparing for the EU General Data Protection Regulation (GDPR), which will take effect on 25 May 2018.  GDPR contains language which governs the treatment and handling of information gathered and used by CIAM systems. GDPR defines what personally identifiable information (PII) is:  name, email, photos, posts on social networks, medical information, and financial information are examples.  Some of the most important provisions include explicit consent for PII data usage, localized processing (EU citizen data must be housed and processed within the EU itself), data portability (EU citizens must be able to export their data from systems), and the right to be forgotten (data deletion).  CIAM solutions must be able to meet all these requirements to be viable within the EU in the post-GDPR regulatory schema.  For more information on GDPR, follow KuppingerCole’s updates, and to see the full text, go to http://ec.europa.eu/justice/data-protection/reform/files/regulation_oj_en.pdf

To meet the privacy objectives of GDPR, Dr. Maciej Machulak discussed Kantara Initiative’s User Managed Access (UMA) specification.  UMA provides a framework for web applications to obtain user’s consent for use of their data.  KuppingerCole believes that UMA will be a major enabler for GDPR compliance.  For more information on UMA, see https://kantarainitiative.org/confluence/display/uma/Home

We also presented the results of our CIAM Leadership Compass at the Summit.  For this paper, ForgeRock, Gigya, IBM, iWelcome, Janrain, LoginRadius, Microsoft, Okta, PingIdentity, Saleforce, SAP, and SecureAuth participated.  Each company has products that serve the CIAM needs of their own customers, with different strength, challenges, and target markets.  For the full report, see https://www.kuppingercole.com/report/lc71171

Lastly, our own Martin Kuppinger weighed in on the ownership aspect of CIAM deployments.  There are a variety of ways that CIAM can be implemented and maintained.  In some companies, marketing takes the lead.  In others, IT is completely responsible.  The hybrid ownership approach works best:  IT owns the deployment, but operates it as a service for the business as a whole.  This promotes tight integration with enterprise IAM, without being encumbered by enterprise IAM limitations.  It also allows businesses to efficiently promote regulatory compliance and security, while offering consistent and feature-rich solutions for sales and marketing.

KuppingerCole will continue to track with CIAM solution developers and customers to provide the most up-to-date information on CIAM, KYC, and the regulatory drivers in this space.