Topics to reflect on internally when considering a new product or solution.

Vendors should provide tenants/customers with strong internal security, including the ability to require strong authentication or MFA for administrators, role or attribute-based access controls for administrators, and delegated administrative capabilities. All system and consumer data should be encrypted in transit and at rest.

CIAM is a business enabler, but consumer identities are under attack. CIAM tools must complement and work with cybersecurity tools, such as SIEM or security intelligence, fraud intelligence, and compromised credential intelligence solutions. If your organization needs but does not yet have security intelligence infrastructure, initiate a separate project to instantiate such capabilities to aggregate all threat and risk information across your enterprise, including from CIAM.

Architects must create a plan and schedule for deployments. Depending on the size of the organization in question, a phased approach may work best. If the CIAM solution must interoperate with enterprise IAM, define connectors, methods, and processes for achieving the appropriate level of interoperability. In some cases, CIAM systems may need to integrate with third-party identity governance and lifecycle management solutions. Ensure that the CIAM solution you choose supports the protocols and formats needed for required interoperability.

CIAM solutions take two approaches with regard to data analytics for identity and marketing: incorporate these analytics into their products or provide APIs so that third-party data analytics tools can extract the consumer data and make meaningful business intelligence from it. If your organization is leaning toward a CIAM solution that does not have extensive built-in identity and marketing analytics, then inventory your in-house or SaaS data analytics tools to determine if the capabilities they possess will meet or exceed your requirements for identity and marketing analytics functions. If your data analytics tools are insufficient, assess the gaps and figure out how to acquire the necessary analytics functions, or shift your scoring to favor CIAM solutions with built-in identity and marketing analytics.

If your organization opts for an on-premises CIAM product, make sure your data center growth plan can handle it. Key considerations are not only processing power and network bandwidth, but also storage. Depending on how you architect your CIAM system, it may need massive amounts of additional storage to accommodate consumer profiles. Many CIAM products permit the storage of large volumes of data, including attributes, preferences, purchases, social network “likes”, and even unstructured data files such as audio and video files. In some cases, CIAM deployments have necessitated data center modernization initiatives.

In large organizations, generally members of the RFP team will go on to become internal “product managers” for the CIAM product or service. When building a steering team, add stakeholders from organizations that will derive value from the CIAM solution, such as marketing.

If an on-premises solution is chosen, as in any other project, system owners must be identified. Typically, the stakeholders for the information collected will be the teams consuming said information: marketing, sales, compliance, and security. Others are possible. In the case of SaaS, the system ownership role is reduced, but a small team of cloud administrators is generally empaneled to manage the tenant instance. The same kinds of stakeholders as for on-premises solution need to be identified and provide guidance to the SaaS administrators.

There must be valid business cases for the project. For CIAM, the two main business cases are increasing revenues via targeted marketing and facilitating regulatory compliance by capturing consumer consent.

There must be sufficient budget approved.

The project must be backed at the C-level. Such projects could originate under either a CIO, or in some cases at the VP of Sales or Marketing offices. The project needs both technically knowledgeable people as well as people with business knowledge in order to succeed.

Ensure that guidelines for data collection and protection are defined and mapped to policies and relevant regulations.

Each business department connected with the CIAM solution needs a defined contact person, which usually is not the departmental manager. These roles must be assigned and communicated.

Who administers the solution? Who guides the internal roadmap? Who liaises with the vendor? How is identity and marketing analytics information consumed? If consumer accounts are breached, what is the appropriate response, and which department leads the external communication and remediation efforts?

Understand the risks to systems and information assets. Base access control and security policies on risks and appropriate mitigation techniques.

Train admin users to securely administer the solution. Train incident responders how to investigate incidents involving consumer identities, contain damage from events, and restore to fully operational state.