In addition to asking about specific features, there are several questions that are worth asking vendors. The following questions help in understanding the maturity of products and draw attention to the points at which projects are most likely to break down.
What are the most requested new features?
Getting a view of other customers' enhancement requests will provide insights into how the solution will evolve. If a preponderance of customers is asking for the same features, those features are more likely to be delivered in the short term.
How often do you release product or service updates?
For SaaS solutions, many vendors practice DevOps; releases happen frequently and are usually transparent to the tenant/customer and the consumer. For on-premises products, timely updates get new functionality into the market quickly. If your enterprise requires many innovative features to be added to satisfy consumer demand, be mindful of the effect that release timing may have on consumer satisfaction.
Do you specialize by serving specific industries?
Large vendors will have customers across most industries. Some smaller vendors may focus on specific industries, such as retail, media, health care, finance, etc. In some circumstances, vendors with industry-specific experience and focus may provide more value.
How are you helping your tenants/customers with EU GDPR, California’s CCPA, etc.?
CIAM vendors take at least three approaches to privacy management:
1. Put the responsibility on the customer via contract, while providing limited tooling for support.
2. Provide basic compliance capabilities, such as initial consent capture and auditing, but without complete functionality such as user dashboards or data export.
3. Provide complete privacy compliance facilities within the product or service.
Depending on your staffing and responsibilities, as well as the jurisdictions in which you do business, the differing approaches vendors take to privacy compliance should guide the down-select process.
What are your plans for additional support for IoT, SmartHome, and wearable device identities?
The linking of consumer identity to device identity is at the forefront of innovation today. Some solutions allow password management of devices in a proprietary way, while others are supporting the IETF OAuth2 Device Flow specification. Additional standards need to be defined to enable more functionality in this area. It is a good idea to probe vendors about their plans if device identity integration is on your own capability roadmap.
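The IETF OAuth2 Device Flow mentioned above (the Device Authorization Grant, RFC 8628) is the standards-based way for an input-constrained device to obtain a token bound to a consumer identity. The following simulation, added here as an illustration and not taken from the page or from any vendor's product, walks through both sides of the exchange: the device requests a code pair, the consumer approves the human-readable user code in a browser, and the device polls the token endpoint. The AuthorizationServer class, the verification URI, the code lifetimes and the polling interval are constructed assumptions; the error codes (authorization_pending, slow_down, expired_token, access_denied) are the ones the specification defines.

```python
"""Simulated OAuth 2.0 Device Authorization Grant (RFC 8628) exchange.

Added illustration only: not code from the original page or from any CIAM
vendor. AuthorizationServer, FakeClock and run_demo are hypothetical stand-ins;
the verification URI, lifetimes and intervals are constructed sample values.
"""
import secrets
import time

# RFC 8628 s6.1 advises a user-code alphabet without vowels or easily confused
# characters so the consumer can type it reliably; this alphabet follows that.
USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"


class FakeClock:
    """Controllable clock (constructed for the demo) so expiry and polling are testable."""
    def __init__(self):
        self.now = 0.0
    def __call__(self):
        return self.now
    def advance(self, seconds):
        self.now += seconds


class AuthorizationServer:
    """Authorization-server side: issues codes, records consumer approval, mints tokens."""

    def __init__(self, clock=time.monotonic, expires_in=600, interval=5):
        self.clock = clock            # injectable clock
        self.expires_in = expires_in  # device_code lifetime in seconds
        self.interval = interval      # minimum seconds between token polls
        self._pending = {}            # device_code -> request state

    def device_authorization(self, client_id, scope):
        """Step 1: the device asks for a code pair (device authorization endpoint)."""
        device_code = secrets.token_urlsafe(32)  # high entropy; never shown to the user
        user_code = "-".join(
            "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(4)) for _ in range(2)
        )                                        # short and typeable, e.g. WDJB-MJHT
        self._pending[device_code] = {
            "client_id": client_id, "scope": scope, "user_code": user_code,
            "status": "pending", "subject": None, "last_poll": None,
            "expires_at": self.clock() + self.expires_in,
        }
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://idp.example/device",  # constructed value
                "expires_in": self.expires_in, "interval": self.interval}

    def user_decision(self, user_code, subject, approve):
        """Step 2: the consumer, signed in as `subject` on a browser, enters the
        user code and approves or denies the device. Returns False if no live
        pending request matches the code."""
        for req in self._pending.values():
            if (req["user_code"] == user_code and req["status"] == "pending"
                    and self.clock() <= req["expires_at"]):
                req["status"] = "approved" if approve else "denied"
                req["subject"] = subject
                return True
        return False

    def token(self, client_id, device_code):
        """Step 3: the device polls the token endpoint with the device_code grant."""
        req = self._pending.get(device_code)
        if req is None or req["client_id"] != client_id:
            return {"error": "invalid_grant"}
        now = self.clock()
        if now > req["expires_at"]:
            del self._pending[device_code]
            return {"error": "expired_token"}
        if req["last_poll"] is not None and now - req["last_poll"] < self.interval:
            req["last_poll"] = now
            return {"error": "slow_down"}         # device polled too fast; must back off
        req["last_poll"] = now
        if req["status"] == "pending":
            return {"error": "authorization_pending"}
        if req["status"] == "denied":
            del self._pending[device_code]
            return {"error": "access_denied"}
        del self._pending[device_code]            # approved: the device_code is single-use
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "scope": req["scope"], "subject": req["subject"]}


def run_demo():
    """Device side of the exchange: request codes, poll, honour slow_down, collect the token."""
    clock = FakeClock()
    server = AuthorizationServer(clock=clock, expires_in=600, interval=5)
    codes = server.device_authorization("smart-tv-app", "profile:read")
    interval = codes["interval"]
    first = server.token("smart-tv-app", codes["device_code"])   # consumer not yet there
    second = server.token("smart-tv-app", codes["device_code"])  # polled again immediately
    if second.get("error") == "slow_down":
        interval += 5                       # RFC 8628 s3.5: add 5 s to the polling interval
    server.user_decision(codes["user_code"], "consumer-42", approve=True)  # constructed subject
    clock.advance(interval)
    final = server.token("smart-tv-app", codes["device_code"])
    reuse = server.token("smart-tv-app", codes["device_code"])   # code already consumed
    return {"first": first, "second": second, "final": final, "reuse": reuse}
```

The points a buyer should look for in a vendor's implementation are visible in the simulation: the device_code is high-entropy and single-use, the user code is short only because it is bound to a browser session where the consumer is already authenticated, and the server enforces both expiry and the polling interval.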
Are enhancements planned for marketing analytics and marketing automation?
One of the primary motivations for adopting CIAM solutions is to yield better results for marketing and sales. For vendors that offer all-inclusive marketing analytics, what are their plans for expanding reporting capabilities? Do they tie in to marketing automation tools? If not, are these features on the roadmap? For CIAM packages that outsource marketing analytics to third-party programs, what improvements do they have planned? Custom connectors? Better integration with more third-party analytics programs?
Is the product derived from enterprise IAM or built for CIAM from the ground up?
CIAM emerged as a specialty within IAM at least in part due to companies that formed to address what they saw as deficiencies in the traditional IAM approach to consumer identity. Since CIAM as a separate discipline and product/service suite has been successful, many traditional IAM vendors have enhanced their products to contain many of the same consumer-oriented features. Thus, purpose-built CIAM solutions tend to be streamlined to just consumer feature sets, whereas IAM products that now have a “C” in front may contain legacy IAM features and constructs. Examples of legacy IAM features in CIAM products that may be useful in some environments include some limited identity governance and LDAP synchronization. CIAM solutions that have arisen from older IAM products may have limitations in terms of authentication options, built-in marketing analytics, consumer profile storage constraints, and user schemas.
What are the current and planned future authentication mechanisms supported?
Username/password is insufficient for administrative access. Any use of weak authentication in the administrative processes increases the risk of compromise. This is even more important for cloud-based consoles. Strong and multi-factor authentication are always recommended in these situations.
Does the solution support a delegated administration model?
Most organizations today are not monolithic, meaning different groups manage IT and IT Security for different parts of the organization. There are likely different groups in charge of assets in the EU vs. APAC vs. Americas. Sometimes departments have their own identity administrators. All IT solutions today need to support at least role-based access control (attribute-based access control preferred).
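The difference between the role-based minimum and the preferred attribute-based model is easiest to see in a policy check. The following example is added here as an illustration and is not code from the page or from any CIAM product; the role names, permission strings and the region/department attributes are constructed assumptions chosen to match the EU/APAC/Americas split described above. It shows a pure RBAC check, which lets any regional administrator modify any consumer account, beside an ABAC check that scopes each role's permissions to the administrator's own region and department.

```python
"""Delegated administration: role-based grants scoped by attributes.

Added illustration only; not code from the original page or any CIAM product.
Roles, permission names and the region/department attributes are constructed
assumptions matching the regions the text mentions (EU, APAC, Americas).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Admin:
    id: str
    roles: frozenset
    region: str
    department: str


@dataclass(frozen=True)
class ConsumerAccount:
    id: str
    region: str
    department: str  # constructed: the business unit whose app the consumer registered with


# RBAC layer: what each role may do, regardless of who the target account is.
ROLE_PERMISSIONS = {
    "global_admin":   {"user:read", "user:update", "user:delete", "role:assign"},
    "regional_admin": {"user:read", "user:update", "user:delete"},
    "dept_admin":     {"user:read", "user:update"},
    "helpdesk":       {"user:read"},
}

# ABAC layer: one scope predicate per role comparing admin and target attributes.
ROLE_SCOPE = {
    "global_admin":   lambda a, t: True,
    "regional_admin": lambda a, t: a.region == t.region,
    "dept_admin":     lambda a, t: a.region == t.region and a.department == t.department,
    "helpdesk":       lambda a, t: a.region == t.region,
}


def rbac_decision(admin, action):
    """Pure RBAC: any held role that grants the action is enough, whoever the target is."""
    return any(action in ROLE_PERMISSIONS.get(role, ()) for role in admin.roles)


def abac_decision(admin, action, target):
    """RBAC plus attribute scoping. Returns (allowed, reason) so every decision
    can be written to the audit log with the rule that produced it."""
    for role in sorted(admin.roles):
        if action not in ROLE_PERMISSIONS.get(role, ()):
            continue
        if ROLE_SCOPE[role](admin, target):
            return True, f"{role} grants {action}; scope matches {target.region}/{target.department}"
    return False, f"no role held by {admin.id} grants {action} within the scope of {target.id}"


def compare_models():
    """Constructed scenario: an EU regional admin acting on EU and APAC consumer accounts."""
    eu_admin = Admin("alice", frozenset({"regional_admin"}), "EU", "retail")
    eu_user = ConsumerAccount("u-eu-1", "EU", "retail")
    apac_user = ConsumerAccount("u-apac-1", "APAC", "media")
    return {
        "rbac_apac": rbac_decision(eu_admin, "user:delete"),          # role alone says yes
        "abac_apac": abac_decision(eu_admin, "user:delete", apac_user)[0],  # scope says no
        "abac_eu": abac_decision(eu_admin, "user:delete", eu_user)[0],
    }
```

When evaluating a vendor's delegated administration, ask which attributes the scoping predicate can reference (region, brand, department, tenant) and whether the decision reason is recorded, since an access decision that cannot be explained afterwards is hard to audit.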
Can I speak to some reference customers?
Finally, speaking to one or more reference customers is usually the most enlightening step of all.