KuppingerCole's Advisory stands out due to our regular communication with vendors and key clients, providing us with in-depth insight into the issues and knowledge required to address real-world challenges.
Compare solution offerings and follow predefined best practices or adapt them to the individual requirements of your company.
Meet our team of analysts and advisors who are highly skilled and experienced professionals dedicated to helping you make informed decisions and achieve your goals.
Meet our business team committed to helping you achieve success. We understand that running a business can be challenging, but with the right team in your corner, anything is possible.
Consumer Identity and Access Management (CIAM) is many things. For some it’s all about streamlining the user experience through technologies and practices that make it easier for them to securely logon. For others, IAM is all about identity lifecycle management – ensuring that accounts are set up, modified, and retired in a timely, accurate, and secure manner. And for still others it’s focused on security and compliance through technologies and practices that make governance activities such as attestations easy and complete, or adding a layer of control and visibility to privileged accounts and“superuser” access. The reality is CIAM is all of this, and more.
Consumer Identity and Access Management (CIAM) is many things. For some it’s all about streamlining the user experience through technologies and practices that make it easier for them to securely logon. For others, IAM is all about identity lifecycle management – ensuring that accounts are set up, modified, and retired in a timely, accurate, and secure manner. And for still others it’s focused on security and compliance through technologies and practices that make governance activities such as attestations easy and complete, or adding a layer of control and visibility to privileged accounts and“superuser” access. The reality is CIAM is all of this, and more.
Good morning. I think we'll get started. People will continue to filter in after they get their coffee, but I'm John Tolbert lead Analyst here at KuppingerCole. And I thought I'd just start us off here on a couple of days of the conference and talking about the journey to consumer identity success. So first off, you know, why are we interested in consumer identity?
Well, honestly, a lot of people that I know are consumers and I've occasionally bought things too. So it's, it's something that's actually very useful for all of us. And it has benefits for both the consumer, as well as the companies that are doing business with consumers. I often get asked the question, so what does the C and cm stand for as a consumer or customer? And I try to draw the distinction between consumers as just like the end user customers.
And, you know, in this context, the customers are the organizations that are purchasing services or product from CIM solution vendors. So that's kind of how I will use the term, although I'm not even consistent with that.
So, you know, we always say the best thing to do is figure out what do the consumers want. So one thing we know that they don't want, and again, this may be from personal experience. We don't wanna register, we don't wanna create another username password. We don't wanna have to uncheck that. We wanna receive special email offers and things like that. So it's just a burden to do it, but fortunately there are ways to sort of shortcut that and, and make it easier for the consumer and consumer identity management systems will do that for you.
Consumers also want authentication options that are right for them. Username and password is inherently insecure. We heard a lot about that yesterday at the Fido workshop, which was great workshop by the way, Andrew. So passwords problems, both with usability and security, but you know, on the consumer side, you know, you see the little image of the smart card and the USB token. It's not that likely that that retailers are gonna be handing out smart cards for people to authenticate to their online presence.
So yeah, it's really good, strong authentication, but it, it doesn't really work for all scenarios. The knowledge based authentication the big one there in the middle.
You know, I think in a lot of ways that's less secure than even passwords. So, you know, using that as a fallback method to reset your passwords, just like double negative, which is not a positive, then SMS OTP, you see the one time password over there.
Again, we're all probably pretty familiar with that have had to do that many times before. But even that, as we discussed yesterday has a lot of different security problems. The one at the bottom, you know, mobile app swipe, push to accept those kinds of things. I think they're, they're a little better, but even there you've got security considerations. You need to take into account like making sure the apps themselves are secure.
I always like to recommend global platforms, secure elements, trusted execution environment, or for iOS secure enclave, And then the one in the middle social logins. And that's the way that we can help shortcut the registration process and even use social media providers as an authentication service. So what else do consumers want out of their consumer identity?
Well, we're all buying many smart devices, particularly smart home devices. And a lot of them have a concept of at least digital identity in one form or another. So first off, you know, you can kind of associate a user identity with a device identity, but we need more sophisticated user to device interaction possibilities. And that's where we see a lot of innovation going on in the consumer identity market right now. And we'll try to dive into that a little bit later over the next two days as well.
You know, yesterday there was a point that was made about users don't really want security. Well, I think they don't want to be encumbered by security, but at the same time, you know, they don't want to be a victim of identity theft data breach, you know, and I like this website. It's not exactly real time, but it can kind of give you the scope of, you know, the breaches up to, you know, the last few months, even. So users definitely don't want to be a victim of either a breach or an identity theft attack. So many of us are familiar with good old fashioned. I am traditional. I am.
I just thought I'd do a quick compare and contrast what makes consumer identity different. Obviously, you know, if you have an enterprise I am is for employees, maybe contractors, occasionally in B2B scenarios, you might have other companies, employees in your database, CIM is all customer or consumer facing. And thinking about authentication methods. If you're a company you can mandate that everybody has to have a smart card that really doesn't work as well.
On the consumer side where we're either left with username password, or hopefully social login or mobile login options, which is, you know, you've gotta meet the consumer where they are When we collect attributes for enterprise IM usually that's done all upfront by HR. You get all the information you need from somebody. And when you provision the account, it's already all there for you. And those attributes are used for authorization. What groups are they in?
You know, maybe if you're working in an export sensitive area, what's their citizenship, all that stuff is prepopulated at provisioning time on consumer identity systems. It's about getting to know your customer for a variety of reasons, probably the cheapest of which could be marketing. So the more you know about your customer, the better business that you can do with your customer, I am systems good, old monolithic L depth SQL databases, where you can store all that stuff.
But, you know, consumer identity systems have a much richer set of features. And in many cases they can store lots of unstructured information like audio or video along with a customer profile. So that doesn't necessarily fit real well with LD and SQL.
So you've got other kinds of no sequel kinds of options that many of the consumer identity vendor solutions support today on the IAM side, you know, we used to use SAML for the longest time for single sign-on OAuth and O IDC are now great layout number SAML deployments for consumer facing applications and all this IM stuff in the enterprise is for access control. Whereas on consumer side, it's for being able to protect their privacy, provide them with a better user experience or for marketing.
So to get around that, not being able to collect information all at once from a consumer, there's a couple of interesting methods that most of the vendor solutions use. Self-registration where you can have a white labeled Porwal. You don't really know whose product you're using on the back end, but you come in and register. You give up whatever information you want at the front. You can use a social login to pull in attributes. Many of them allow you to check off which ones you're willing to share with a particular provider. And you ask questions over time.
So as not to burden the user upfront with 20 questions about what your preferences are, but you can get more information if they let you, if you get their consent about their social media likes and other activities, or maybe purchase history, this gives you a much better view of the consumer than you would've had without a CIM solution. And then we start to see, you know, the supply chain of consumer identity feeding CRM systems, which then in turn can feed marketing campaigns, marketing automation systems.
For years, we've talked about bringing your own devices, which has been a reality in some organizations and maybe a struggle in others, but on the consumer side, really most of the time now we're having them bring their own identity, whether that be social login, some other email address or whatever information they want to bring to the, the beginning, beginning of your relationship, omnichannel means customers expect the same kinds of functionality in a web-based experiences they would get in mobile or tablet, or in some cases, even the same feel you would get.
If you're in a brick and mortar location enterprise, I am scales well to hundreds of thousands, but in many cases, many of the vendors that we know are helping provide solutions for really large global companies. And in many cases they have billions of users. So the scale is, you know, many orders of magnitude higher with cm solutions than traditional I, so I thought it'd break out a couple of the major kinds of data that we like to talk about with regard to what can be harvested from consumer identity systems and on the one side there's identity analytics.
And then there's what you can do with data for marketing. So identity analytics, I think of, as you know, purely about actions of the user with the underlying identity management system, did they register, did they abandon the registration? There's a lot of interesting information that can be gleaned from just that analysis. Then there's also logins per user, or you could look at different time periods, kind of figure out, you know, when your business is the busiest things like failed login attempts, password resets, or failed password resets.
Those are interesting from a security perspective. And it's good to be able to provide linkages between your consumer identity management solution and your backend security solutions, such as SIM or user behavioral analytics on the marketing side, they like to collect demographic information age, where do you live that sort of thing, search history, what are you interested in? What have you bought before?
And again, this is so that they can tailor marketing campaigns or offer you a discount and be able to pull in social media activities. So we think, you know, consumer identity and there's a lot of case studies you'll hear more about over the next two days case studies that say a really good consumer experience will be beneficial, not only to the consumer, but to your company, but at the beginning of it all, you really need to think about consent, especially for GDPR.
If you're doing any business with people in the EU or even other jurisdictions around the world, and now California will have a privacy law, a consumer privacy law. So being able to collect consent upfront from a GDR view, you know, per, per data item, per purpose for processing, that's something that you need to consider when beginning to build your solution, make sure the vendors that you pick support that consumers also wanna know, what do they get out of it? You know, so I give up all this information. It's gotta be a two way street.
So, you know, you, you need a reward for that. I think this will lead to even more business models that exploit freemium. Like I give up a little bit of information. I get so much, you know, so much of a service or something like that. The more you give up, the more services that you get, then you can, that can lead to a subscription model.
Or there may be even possibilities for revenue sharing between, you know, if your consumers are actually providing you useful information that you can monetize, then that information could be, they could be compensated for that, but you have to get the balance, right? And again, this is about the progressive profiling. Everybody talks about a frictionless experience, but collecting information is always gonna involve a little bit of friction. It's just how you go about doing it. And then I like to throw something in off the wall.
You know, the, the tech world, we're all happy about things like Uber and Lyft and all these services. But if you think about it, I mean, these require a lot more information up front than just walking out onto fifth avenue and getting a taxi.
So, you know, no phone, no app, no user ID needed for the taxi, but you do need a notion of identity for these more sophisticated services. And, you know, their business model depends on your satisfaction with those more sophisticated services that are made possible by consumer identity. So I thought I'd close with just a couple of ideas, you know, from the vendor perspective, you know, don't be creepy with your consumer identity management.
You know, I found this, you know, it's, is this an app or is this spyware? You know, if it's tracking everything that you're doing and you may not have consented to it. So just make sure that you're collecting the right amount of information, because again, in different regulatory regimes, the more you collect, the more you're responsible for.
So don't, don't collect more than you want to, than you can either use or you wanna be responsible for, and don't annoy your customers. I mean, if you browse to a page, you move your mouse and you get a pop up, you know, for a chat window. Like I just got here, I don't necessarily want to chat just yet.
You know, same thing with move your mouse and join our mailing list. Well, maybe let me see your products first, But on the getting to know your customer side, you know, looking at the analytics attributes that we saw a minute ago, you know, they can have a lot of value for both marketing and, and making that better user experience, but it also gives you as the deployer of these solutions, better insight into what your customers really want.
You know, this can help you tailor not only marketing campaigns, but if you've got product lines, you can get more advanced notice of thing products that are selling versus the ones that aren't, then you can reach out directly to those consumers and find out what it is that they don't like about something or what they do like about it, but probably don't wanna survey them to death either. So, yeah, like we were saying, you know, you can offer discounts, you can use this as a way to increase your brand loyalty and, and hopefully, you know, get to higher revenue because of this.
And lastly, I save regulations for last, because most people don't like them all that much, although they are necessary and they are beneficial in many cases. And if you're in the security and identity business, it's provided us with a lot of work over the years, too. I put GDPR at the top, you know, we're not in Europe, but a lot of us do business with Europe. And it's very important to have this framework in place so that you don't have to face potential legal action later.
So, I mean, GDPR is a huge topic. Happy to talk about it with anybody afterward, California, then, then there's know your customer and anti-money laundering, which in a way seem to be at odds with some of the privacy regulations, because you're sort of obligated to collect information about financial consumers so that you can do things like anti-money laundering, but they're not necessarily in conflict.
And again, that's a, a fun discussion we could have later. And in Europe, there's also PSD two, which I think is really interesting. It's kind of redefining the interactions between banking, fintechs, and consumers.
But again, that's kind of a deep topic and happy to chat with anybody about that later, too. So I've exhausted my time. I'd like to bring up Patrick Sawer from giga now an SAP company.
