Market Overview CIAM: Customer Identity & Access Management

Thank you. Thanks for staying out here. Close to the end everyone. So yeah, today wanna give an overview of the, the latest iteration of the consumer or customer identity and access management leadership compass, which came out last September. So just start with some overview and trends. As Alexa alluded to, you know, sometimes there's some confusion between what does the C and CM stand for? So I often like to say, well, it's both, or actually all three because it can be consumer, you know, like retail use cases or banking, it can also be customer. We've heard a lot about B2B or B2C kinds of interactions this week. So you know, businesses buying things from other businesses throughout the supply chain and you know, different logistics operators, but can also be citizens. So we often see G2 C use cases now that are covered by CM Solutions and that can be, you know, doing things like paying your taxes or trying to get a license.
So what, what are the goals and have they changed at all? What you know for organizations that are looking for CM first up, often they try to replace something that might be inefficient. You know, maybe utilizing an older enterprise workforce I am system, or maybe even something that was homegrown time to get rid of that and get something more modern. Just because not only is the support easier, but I mean you can't really do in-house what the vendors can do in terms of keeping up with, you know, new features and things like that. They offer self-registration, host consumer profiles. A lot of this stuff is pretty much the same as it has been for the last few years, but you know, there's been more emphasis on authentication as we just talked about several times here. Better account recovery methods. That's always kind of tricky. That was a great question and still an interest and need for both identity analytics for security as well as marketing analytics to get the value out of the, the consumer and customer profile information.
Some of the obstacles that have been encountered by, you know, previous iterations of CM Solutions, you know, a lot of 'em were kind of monolithic. Even the first versions that were in the cloud, they were, weren't sufficiently exposed by APIs, but pretty happy to report, you know, most of the solutions that are out there today have pretty good API access. They may not have had good support for legacy applications. That's often still the case. There may be a need for customization to connect to, let's say backend financial applications. All the identity and marketing analytics were tied directly to the CIM solution. It was hard to get it out. It was a silo. I know that's a term we tend to use a lot at conferences like this. Then there's also scalability. You know, again, one of the problems of on-premise solutions, if it's kind of client server model that just doesn't scale very well. It requires hardware and software. I mean, you can use cloud architecture in a private cloud deployment.
Many only had weak authentication methods available as we'll see in a minute. That's still kind of a, there are good methods available but just not, not widely used. Consent collection, obviously GDPR has been around for about five years now and we've been talking about consent for a few years before that even started. But now we see a broader array of privacy regulations around the world that have some notion of consent and it doesn't all necessarily map directly to what GDPR does. So it gets a little bit complicated. More modern CM solutions can help with that.
And then, you know, actually an area of innovation can be how these things are licensed to the customers and what the subscription models are for the CM solutions. So, and another word we've heard, or a term we've heard a lot is around digital transformation. Obviously we had a lot of that accelerated by the pandemic as businesses had to scramble to make sure that they could continue to do business. Fraud is skyrocketing. We've heard about fraud several times this week. I think it's an important thing that CM systems have to be able to integrate with fraud reduction intelligence platforms.
Part of that has to do with the need for identity proofing. You know, identity proofing has been historically important for like banking, you know, being able to do anti-money laundering and kyc. But vendors have reported over the last couple years an increase in, you know, at least some in need for better identity assurance for different kinds of use cases outside of banking and finance, privacy regulations, passwordless, that's all the buzz. Certainly most of us who are consumers would prefer passwordless authentication, API interoperability. We continue to see need for iot device identity management. This is something that, you know, as more and more devices become smart, we need to be able to link our consumer identities to those so that we can say do delegated administration or, or family management. You know, you think about media industry and their use cases where, you know, a head of household will wanna be able to set up permissions for who could watch what and then even though B2C has been sort of the main driver, we have heard more and more about the B to B2C kinds of use cases sort of really taken off in the last year or so.
So many of these solutions have lots of good MFA options, but they're not as widely utilized as I would like to see. I certainly have to put in passwords and reset accounts and look at OTPs and plug 'em in more often than I would like to do. Government agencies are increasingly using cims, they're more of those GC kinds of use cases. When CIM first started off, we saw a lot of companies that would put like detailed marketing analytics right, in their own dashboards. Now, you know, keeping that up to date is less important than say, making that available to third party data analytics programs. So that's again where APIs are important. Oh, as I was saying, identity proofing beyond AML and K Y C. A good example of that is hospitality and short-term rentals. I heard that a number of times during the research cycle.
Short-term rental operators wanting to have a little bit of identity assurance about who's going to be renting the property, increased offering of and use of remote onboarding apps. We've, most of us have probably seen examples of this too, where, you know, taking a a selfie and then taking a picture of a driver's license or a passport for remote onboarding, IOT device identity again, and really as we'll see here in a minute, these solutions have tons and tons of features, but it seems like they don't get as widely utilized as they should be. I don't think a lot of customer organizations are making full or taking full advantage of what's available in the products. We've talked quite a bit too this week about identity fabrics. You know, a lot of the emphasis may have emphasis may have been on how does this work in an enterprise situation.
But identity fabric, you know, perfectly applies to consumer identity as well. It's just some of the terms and some of the technologies might be a little bit different. But you know, you can see we've got consumers, partners, different kinds of customers. You know, the identities of things on the, on the left over here we have a certain set of capabilities, they're slightly different. But again, some of the technology could be reused. Things like, you know, fraud reduction intelligence, identity analytics, marketing analytics, you need to comply with regulations. These get instantiated as services. Things that we commonly see for CIM as a user self-service Porwal, that's very important. That's for collecting and managing consent, authentication services, risk engines for doing risk adaptive authentication and authorization. Glad to hear much more emphasis on authorization, especially on the consumer side this week too. And then in order to be able to comply with things like GDPR to be able to export the data for right to be deleted kinds of requests. On the architecture side, microservices seems to be becoming standard. They're, most of the solutions in the space are using microservices and they're container based. So they can be offered, you know, for either on-prem, private cloud deployments or that's how they deploy their own SaaS. And then api, api API connectivity, both inbound and outbound to the CM solutions as well.
So to talk about the leadership compass itself, I thought I'd go over the evaluation criteria that I used. We break it down into up to eight different categories that we rate, and you'll see that in the spider chart at the end. But the ones I chose this time around are for onboarding. And this includes, you know, how easy is it to customize the orchestration workflow as well as, you know, support for AML kyc, whether or not they have a remote, remote onboarding app, identity assurance, ATO protection, that's account takeover protection. Some of the solutions do have, you know, some pretty good or rudimentary capabilities in that area. Authentication mostly about the different options that are available. Preference given to things like 5 0 2 and passwordless, consent management, iot, device management, and then identity analytics. That's more on the built-in side. I think most enterprises wanna be able to see the identity analytics and be able to plug that into their SIM and source systems if needed. But marketing integration, as was mentioning, is kind of more about API access from CM to whatever third party data analytics programs you prefer to use.
And a little bit about our process. We start off by identifying all the, the vendors that we think are out there in the CM space, regardless of size or where they're located. Then we create a giant technical questionnaire full of hundreds and hundreds of questions. Send those off to the vendors, get briefings, demos, talk to some customers. Once we get all that information, we do the analysis, we do the write-ups for each company and do the ratings for the charts, which will show you a preview of here in a minute. Then we go through fact check. Sometimes it can be weeks between the time we write and the time we're getting ready to publish. So we like to make sure that information is as fresh as possible. And then once all that's done, we publish the leadership compass online. We have nine standard categories. We rate all vendors on, across all of our different types of leadership compasses.
And here we look at security. This is internal product security functionality, how we define, you know, what a complete product in this case in the CIM space would be. Integration or deployment. This has to do with, does it require you licensing multiple different products and you know, how would you go about deploying it? Is it something that can be deployed easily? Cloud, private cloud? Do they still offer on-premises options interoperability? This is where standard support is very important. Things like O O I D C, SAML jot tokens for communicating with other systems. Usability, we try to look at both the end user experience as well as the administrative user experience for rating this category.
Innovation, I'll, I'll show you what I considered innovative when we get to that chart. But in innovation market size that also includes not only how many customers but where those customers are. Ecosystem is, you know, system integrators, resellers, technical support options for different geographies and then just overall financial strength of the companies. So we have three subcategories and then one major category for our leadership charts. There's product leadership that's taking all the factors in, in rating them on how, how complete the product is. Market leadership, that's an amalgamation of the, the market strength, the ecosystem and financial strength innovation, just like it sounds like. What are they doing that's innovative? And then those three roll up into our overall leadership graphic. So let's look at the results of the last one. Here are the vendors that won't read off all the names, but you know, it's a pretty wide selection, pretty large number of vendors in the space.
One thing that we have noticed is that, you know, as the years have gone on, and I think this is the seventh year that I've been working on this report, is new vendors continue to enter this space every year. You know, they might start off, you know, as a smaller vendor, kind of focused on one region, but you know, in those cases they really understand the business and and government regulatory context in those regions and they tend to grow. So always fun and interesting to keep an eye on how all the vendors are doing and to watch new vendors enter this space.
So here are the overall leaders for the 22, 20 22 leadership compass on cm. And you can see that the leaders, the overall leaders are primarily large vendors with a long history. Both in Im enterprise, IM and cm, and you know, some that are, were powerhouses and IDAs when we, when we called it that the product leaders really the major categories beyond the security and and interoperability and things like that. The things that I was really looking for here, how do they handle registration, onboarding, authentication, consent management, identity analytics, marketing analytics and automation integration with those kinds of products. And then overall API and application integration. And you know, there's a really, really good distribution of capabilities I think reflected on the chart here. But you know, we always caution people when looking at the charts, you know, you don't necessarily need the one that's on the, you know, the top right. You know, each one has special strengths that that may be more suited for particular kinds of use cases in particular industries.
Here's the one for innovation leadership and here are the things that I found as a result of the research that I thought were most innovative this time around. It had to do with, you know, the registration workflow customizability. That is something the, the workflow and orchestration piece turned out to be really big this year. And with vendors offering lots of interesting, you know, flowchart style capabilities to allow their customers to easily say plug in identity proofing service providers and you know, making that easy for a customer I think is is is definitely good for their business user self service. This has been a kind of a key concept all along. Not all the vendors have had really strong capabilities in that area, but as of now I think, you know, many of them are doing much better and they have much more intuitive user self-service portals, MFA options, you know, I strongly lean on Fido as we were heard, you know, with the last presentation. I think Fido support is really, really important as is just passwordless in general risk adaptive policy making, being able to choose when step up authentication or or additional authorization needs to happen in a transaction workflow. Many are now offering things like low-code, no-code interfaces. Again, I think that's very useful from the business perspective because oftentimes the, the person with the business knowledge doesn't have the coding knowledge. So being able to offer them something that makes it easier for them to write the policies that they feel like really match those use cases, that's very helpful.
Also looking at, you know, the inclusion of behavioral biometrics, I talked about that yesterday with the fraud reduction leadership compass. I'm pleased to see that some of the C I M providers are offering that as part of, you know, say a risk adaptive workflow too, how and what they do with IOT device identity management. I think that's, that's really interesting. You'll see some of the, the vendors here are, you know, working with certain kinds of device manufacturers. So those strong relationships between the device manufacturers leads to support for some pretty interesting use cases that I think has the potential to, you know, draw in lots and lots more business for them.
Identity proofing integrations and then also data subject access request facilities for customers. Having that built in or at least having some templates can be very useful too. Then market leadership, as I said before on the overall, you know, the leaders are mostly the IAM stack vendors, but the challengers and followers are a mix of the growing regional vendors I was hinting at and others that are targeting specific kinds of industries. You know, some of 'em are looking at, well a lot of 'em wanna look at finance cuz finance is where the money is. But there's also, you know, some that just specialize in in media, you know, and and handling media subscriptions. So I think there's a lot of room for growth and again I think that's a pretty good distribution from top to bottom. And we always want to toss in a spider chart that kind of represents the different categories, show you how they're rated. Again, those categories were onboarding, identity assurance, ATO protection, authentication, consent management, iot device management, identity analytics and marketing integration. So with that I encourage you to read the full report. It's out on our website and if you have any questions you can ask me now or later.
Well thank you very much John, that was really insightful. I think that deserves at least a round of applause. So please if anybody has any questions, raise your hand in the meantime. I actually had one question from the tablet and it's really kind of resonated a lot with my own concerns. So you mentioned that MFA adoption was one of the challenges for many customers. Like why is that? Isn't it like the lowest hanging fruit?
I think, or what I continue to hear is that these consumer facing businesses really don't want to introduce any friction if they don't have to. Anything that chases a customer away or a potential customer and you know, having MFA options, they're a little bit clumsy to use, might turn off a potential customer. So I, I think that sometimes they accept the risk of weaker authentication at the risk of every, you know, at the benefit of keeping customers,
There are a couple of products that are using graph DBS as their center of their way of managing information. Do you think this is something that's gonna come becoming important or is this more of a, a fringe activity?
I, I, yeah, I think that will become more important. I think that that may be something I consider an area for innovation next time around. Actually I did hear a little bit more in terms of support for that now I think that that's a good observation.
You were mentioning that the C and c iams may stand for consumer customers and citizens alike. For me, coming from public agency, keen on getting to know, do you recognize any difference in how governments are using CM solutions the same that they are selling to the private sector or is there something that the governments do differently with, with these suites or,
Well, I think, you know, in a way the government's, it depends on the agency, you know, and what their use cases are. In most cases, the, the types of information that they need to protect the kinds of accounts that they have do require a bit more due diligence in terms of identity assurance in the beginning. And then they also need, you know, stronger authentication pretty much all the time. I mean, I know one of the other things that came up during the pandemic was an awful lot of like tax refund and welfare fraud, you know, worldwide in the state. I came from Washington, we, we made the news for really not doing such a great job with that in the beginning. So, you know, there's a strong need I think for higher levels of identity assurance during registration time and you know, ongoing as well. So I think, you know, looking at commonalities between the use cases, I think what you see on the GC side, agencies are gonna be looking for similar kinds of solutions that maybe you would say finance, banking customers would want to use. But then also you could see parallels with like healthcare because personal health information is particularly valuable, but unfortunately there a lot of the healthcare practices or agencies, you know, in different places around the world don't have sufficient security there either.
But yeah, I think there's things in common between government and say finance just, just around the way they need to securely register and then subsequently authenticate and, and maintain the life cycle of those citizen digital identities as well.
Okay, great. Any
Further questions?