Consumer Identity and Access Management (CIAM) is a sub-genre of traditional Identity and Access Management (IAM) that has emerged in the last few years to meet evolving business requirements. Many businesses and public sector organizations are finding that they must provide better digital experiences for and gather more information about the consumers who are using their services. Enterprises want to collect, store, and analyze data on consumers in order to create additional sales opportunities and increase brand loyalty. Know Your Customer (KYC) initiatives, particularly in the financial sector, are another example of the business driver motivating exploration and adoption of CIAM.
CIAM goes beyond traditional IAM in supporting some baseline features for analyzing customer behavior, as well as collecting consent for user data usage, and integration into CRM, connected devices, and marketing automation systems.
CIAM at first glance seems very much like Customer Relationship Management (CRM) software. However, it differs from CRM in that, with CRM systems, sales and marketing professionals are counted upon to enter the data about the contacts, prospects, and track the sales cycle. The focus of CRM is managing all processes around the customer relationship, while CIAM focuses on the connectivity with the customer when accessing all customer-facing systems, from registration and throughout the relationship. With CIAM, similar kinds of information as in CRM systems can be collected, but the consumers themselves provide and maintain this information. In this sense, CIAM solutions are self-managed CRM systems for consumer-facing organizations, particularly in the retail, media, finance, and health care industries. CIAM solutions are also beginning to be used by governments for government-to-consumer (G2C) use cases.
Traditional IAM systems are designed to provision, authenticate, authorize, and store information about employee users. User accounts are defined; users are assigned to groups; users receive role or attribute information from an authoritative source. They are generally deployed in an inward-facing way to serve a single enterprise. Over the last decade, many enterprises have found it necessary to also store information about business partners, suppliers, and customers in their own enterprise IAM systems, as collaborative development and e-commerce needs have dictated. Many organizations have built extensive identity federations to allow users from other domains to get authenticated and authorized to external resources. Traditional IAM scales well in environments of hundreds of thousands of users.
Consumer IAM systems are designed to provision, authenticate, authorize, collect and store information about consumers from across many domains. Unlike regular IAM systems though, information about these consumers often arrives from many unauthoritative sources. Some solutions in this space provide connections to various identity proofing services to strengthen the veracity of the consumer attributes. CIAM systems generally feature weak password-based authentication, but also support social logins and other stronger authentication methods. Information collected about consumers can be used for many different purposes, such as authorization to resources, or for analysis to support marketing campaigns, or Anti-Money Laundering (AML) initiatives. Moreover, CIAM systems must be able to manage many millions of identities, and process potentially billions of logins and other transactions per day.
In order to reduce money laundering, cyber-crime, terrorist financing, and fraud, regulators are requiring banks and financial service providers to put into place mechanisms for “Knowing Your Customer”. Government regulators expect banks to utilize analytics to develop baseline patterns for all their customers, and to be able to spot deviations from individuals’ normal parameters. Suspicious transactions must be flagged for investigation, specifically to prevent the aforementioned criminal activities. Having IAM systems dedicated to hosting consumer identities and their associated profiles is a good first step toward KYC.
Support for self-registration and social network logins is now nearly ubiquitous among vendors; and the key differentiators have become the use of new technologies to:
- comply with privacy regulations
- step up the user’s authentication assurance level
- collect and analyze information for fraud prevention
- collect and analyze information for marketing purposes
- connect consumer identities to IoT device identities, e.g. Smart Home devices and apps
The entire market segment is still evolving. We expect to see more changes and more entrants within the next few years. This year we are reviewing a number of new product and service entries in this report.
IT departments should welcome CIAM initiatives, as they provide an opportunity for IT, usually considered a “cost center”, to closely team with Marketing, a revenue producing center.
This KuppingerCole Leadership Compass provides an overview of the leading vendors in this market segment. Picking solutions always requires a thorough analysis of customer requirements and a comparison with product features. Leadership does not always mean that a product is the best fit for a customer and his requirements. However, this Leadership Compass will help identify those vendors that customers should look at more closely.
1.1 Market Segment
The CIAM market is growing, with some vendors offering mature solutions providing standard and deluxe features to support millions of users across every industrial sector. As will be reflected in this report, the solutions in this space are quite diverse. Some vendors have about every feature one could want in a CIAM product, while others are more specialized, and thus have different kinds of technical capabilities. For example, some smaller vendors are targeting the government-to-citizen (G2C) market as well as business-to-consumer (B2C). We often see support for national e-IDs, x.509 certificates, and higher assurance authentication mechanisms in these vendors’ products compared to the rest.
Furthermore, KuppingerCole research indicates that the particular market segments that vendors choose to target often has a direct effect on the type of features available in their CIAM solutions. CIAM vendors that are primarily pursuing retail and media companies as clients tend to not have the customer-driven pressure to support high assurance authentication and complex attribute-based access controls.
The number of vendors in the CIAM market has grown, in response to the increasing market size. Many of them are built from the ground up as purely consumer-oriented identity solutions. Other vendors have modified their traditional LDAP-based, Web Access Management (WAM) components to accommodate consumers. The major players in the CIAM segment are covered within this KuppingerCole Leadership Compass. This Leadership Compass will examine solutions that are available for both on-premise and cloud-based deployment.
Other vendors are taking an “API-first” approach to CIAM, which allows organizations with in-house expertise to extend their existing IAM infrastructure to accommodate consumer use cases better. The API-first approach also permits in-house developers to easily “bolt-on” CIAM features to existing or legacy Line of Business applications, without necessarily investing in a full-size CIAM solution. Identity API platforms are not always completely assembled products and services. Rather, these platforms are collections of tools, code, and templates. Identity API platforms may contain many open source elements, and generally leverage well-known standards. KuppingerCole is also producing a Leadership Compass focuses on Identity API platforms.
In this report we consider three major categories of CIAM products and services: the all-in-one turn-key solutions; solutions which need to be installed, configured, and perhaps extended with customization; and those which may require extensive assembly, integration, and some coding.
The three genres of CIAM:
- Turn-key CIAM: Organizations deploying CIAM solutions often have markedly different requirements. Some may already be embracing the cloud and mostly utilize SaaS solutions. Generally, these organizations have small IT staffs, preferring the “outsourced” approach. For these kinds of companies, a turn-key SaaS-based CIAM solution would work best. It fits with the existing architecture, whether explicit or not, and it’s highly unlikely that a CIO would hire a staff just to manage a CIAM system. Thus, these solutions don’t usually require a lot of effort by IT staff to deploy and maintain. Turn-key CIAMs often include lots of marketing analytics capabilities within the platform, which can be accessed and extended by customer marketing teams. Such packaged solutions may offer less flexibility from an IT standpoint, but function well for many organizations.
- SysAdmin CIAM: Other organizations have adequate IT staffs and their own data centers. The choice for approach to CIAM can become more difficult in this case. If the organization has a cloud migration strategy, it may make sense to start all new projects, including CIAM as SaaS. However, if they have enterprise IAM, there may already be some mixing of employee and customer data. Some companies decide to add CIAM as a new instance of their enterprise IAM, if their enterprise IAM has sufficient consumer-facing features. Others may have specific requirements, often around authenticator types supported or intelligence-to-risk-engine integration that are best achieved with a more configurable CIAM solution. This style of CIAM solution requires more expertise from system administrators, since these systems generally run on-premises or in IaaS. In many cases, marketing and identity analytics reports may be more basic within the solution, but accessible by 3rd-party analytics tools.
- Dev-centric CIAM: Lastly, some organizations may want a completely customizable CIAM solution. Some may have a predilection for open-source and build their own from components. Others only need limited CIAM functionality, such as wrapping a single consumer-facing application with a CIAM layer. In these cases, SaaS and fully packaged CIAM solutions may not be the best fit. Dev-centric CIAMs allow customers to build a modular solution around existing infrastructure or services, without having to buy more features and functionality than needed. As the name implies, in order to successfully deploy a Dev-centric CIAM system, knowledgeable developers are required and will have the most work to do.
In Chapter 5, the differences in these categories are represented in the spider charts as “DIY”. Turn-key solutions have low DIY values, whereas SysAdmin or Dev-centric CIAM products have higher DIY ratings. Each vendor entry in Chapter 5 will have more information about vendor subjects.