CIAM solutions are designed to address specific technical requirements that consumer-facing organizations have that differ from traditional “workforce” or Business-to-Employee (B2E) use cases. John Tolbert has revisited this market segment for the updated Leadership Compass CIAM and provides an update to the analyst chat episode 58 from December 2020.
Hi Matthias. Nice to see you again, too.
And great to have you, and for this episode, I checked back with the earlier episodes, since this podcast is in the third year. We want to talk about CIAM, Consumer Identity and Access Management and we did the last episode on that topic, and I have to check it, on the 14th of December 2020. And this was around the topic of the Leadership Compass CIAM. And today we are talking again because you did an update of this Leadership Compass. And way back then I checked the list of what we did in there. We talked about consent management, about CCPA, about device integration into CIAM, identity vetting, risk reduction and credential intelligence. The market has evolved two years on. Are these still the main topics? What has happened in the meantime when it comes to the Leadership Compass on Consumer Identity and Access Management?
Well all those are still very relevant today. And in fact, I would say many of those criteria are even more important today than they were a couple of years ago. As you know, the pandemic has sort of accelerated the whole digital transformation. And we're seeing companies that are consumer facing that have evolving requirements in this space and the basics really haven't changed at all. But the necessity of additional features to sort of address those needs for identity proofing and fraud reduction and consumer IoT device integration just continue to expand.
Right. Are there new aspects that have been added over time that were not on your list way back then?
Well yeah, I think there have been some interesting changes in the market, especially not only what we hear from end user organizations, but from the vendors themselves. There has been increasing specialization. And one thing that we have noticed over the last six or seven years that we've been doing these reports is that sometimes CIAM can be kind of locally generated. You know, there are companies that form in specific regions that really understand the regulatory environment, the business environment of specific regions, let's say, even within Europe. So there have been a number of new entrants into this Leadership Compass that weren't there in the previous editions. Because of that, we'll see some regional players starting to emerge and gain some market share in areas where there may not have been that much CIAM exposure previously. But yeah, the basics are all still required, account registration, there's still a need for social logins and ways to recover the accounts. In the beginning it was mostly simple authentication and kind of previewing, and what I learned throughout this research cycle is there's still an awful lot of simple password based authentication out there, unfortunately. Consent was on the radar. But almost going on five years after GDPR consent is a very, very important thing and it continues to drive a lot of innovation in the market, I think. One of the main motivators for Consumer Identity Access Management solutions has always been to be able to get information about consumers that can be used for marketing. And then the identity analytics that can be used for protecting their accounts, too. And mostly in the beginning it was either on-premises or in infrastructure as a service kind of cloud deployment. But what has changed? Like I said, the pandemic has really accelerated digital transformation. This means every business that really wasn't trying to have a good web presence now needs that, and has needed it for the last couple of years. 
So the market has grown quite a bit, I think, and along with the increase in the size of the market, the sizes of transactions that are going by fraud have just skyrocketed too. And I see just about every consumer-facing organization now looking for some kind of either built-in or easy-to-add-on fraud reduction technology.
Yeah, we've been talking about, we’ve done episodes around this topic FRIP, Fraud Reduction Intelligence Platforms. They seem to me as if this is a carve-out functionality that originally comes from CIAM platforms. Is there integration or are these the same vendors? How does this play together?
It's mostly different vendors, vendors that can collect various forms of intelligence from many different sources and compile and make it easy to consume and integrate by, let's say, CIAM applications or even other lines of business applications. So the Fraud Reduction Intel Platform market is a highly specialized market, and I’m starting that research cycle actually right now to update that. But yeah, from the CIAM perspective, most of the vendors offer one or more integrations with different fraud reduction intel services and then we also see increased need for identity proofing and it's part of the overall fraud reduction picture, but it's also become highly specialized. And it too is kind of a fragmented market too, where identity proofing specialist companies will work in specific locales and have access to authoritative attributes, maybe from government or school sources, to be able to provide that, to offer a higher level of identity assurance at the time of registration or even periodically if it needs to be. You know, that's been the case for banking and the financial market for many years, the need for identity proofing at the time of setting up accounts. But we're starting to see that move its way into other industries outside of just banking and finance.
Yeah, just did an episode with Alejandro Leal who did a Leadership Compass on passwordless authentication. I see that on the slide that you're just sharing with me that this also has arrived in CIAM. Is this the same flavor of passwordless authentication? Is it WebAuthn and the FIDO2 standards?
Yeah, I think that's a really good way of addressing the need for passwordless. You know, some of the things that we learn or... a lot of, even though the vendor products in many cases are FIDO compliant, they are not being as widely used by the consumer facing organizations as we would like to see. So we still see a lot of password use. It'd be great to be seeing more MFA usage, especially passwordless. Many of the same mechanisms and the same vendors that are kind of in these passwordless markets certainly work with consumer-facing and customer-facing use cases. We now hear more and more about the need for B2B, business to business and business to business to consumer/customer kinds of use cases as well. And pretty much across the board, the companies that participated in this survey say that they're seeing a huge increase in the number of customers and prospects they're looking to use CIAM for these B2B kinds of use cases.
But these use cases also mean that you need to apply some kind of access control as well. So, you're structuring an organization, your customer organization, when it’s B2B or B2B2C. So this goes away from the flat, simple consumer and goes towards a structured organization that needs to be well reflected. And these are these use cases that you're talking about right now, right?
Yeah, exactly. You know, simple consumer interactions may not require the extensive kinds of access control that you're hinting at there. And I think that's exactly what's going on in the market with B2B use cases. You do need much more sophisticated access control mechanisms built into that. And you know, there are a couple of cases where we have vendors in this market that really specialized in that granular authorization for B2B sorts of use cases. Yeah, kind of talking through some of these points here already, we do see increasing use of CIAM solutions by government agencies like local and state governments for interacting with citizens, especially applying for permits or paying fines or taxes or things like that. This is an area where we see increased use of CIAM for that kind of use case. You know, another area that's really interesting, some crossover between the enterprise workforce and consumer technologies is the use of remote onboarding apps. And these have been around for a few years and I think in many cases they've gotten very good technically. We saw on both the workforce and consumer side much increased interest in using these remote onboarding apps to be able to, let's say in the case of workforce bring on a new employee or do the higher identity assurance verification for consumer use cases. These generally involve like a mobile application looking at an authoritative document matching it with a selfie and then being able to create a stronger credential as a result of that. And as we've said fraud reduction, important. IoT device identity management still greatly expanding as consumers all around the world want to integrate the various devices that they have, whether they be smart speakers or smart lighting systems or home entertainment with their digital consumer accounts.
But what strikes me most is that you mentioned on the slide, on the one hand, that password is still the most common authentication mechanism. And on the other hand, there are strong fraud reduction mechanisms in place, but they are not yet well used. Is this level of security, that level of intelligence into what's going on, on the platform just lagging behind or is there a general trend that organizations are refusing to use this, to the benefit of making it simpler for the end user?
You know, I can't really infer what the cause is there because the capabilities are present and have been present in many vendor solutions for a while. I mean, I would definitely like to see a better consumer experience that takes full advantage of all the passwordless or more user-friendly authentication and registration options that I know are out there. I can't really say why it's not as fully exploited as it could be at this point.
Right. So if you look at the Leadership Compass, as you have just presented, it is out, it's available on our website. When you look at these solutions and are comparing them with each other, and they are as diverse as you've mentioned, what are the criteria that you apply when you evaluate these different products against each other?
Well, in addition to our standard list of categories where we look at things like security and functionality, interoperability, deployment, and then the overall market standing, financial position, ecosystem, we look at specific technical criteria for each Leadership Compass. And these are the categories that we chose to look at this time around for this Leadership Compass. There are many similarities to previous editions because much of the functionality needs to be there. It's gotten more detail around the kinds of things that are needed and more offerings in these specific categories as well. But what we see here are the main categories that I reviewed for this Leadership Compass, and it covers onboarding, identity assurance, account takeover protection, authentication, consent management, IoT device management, identity analytics and marketing integration. I'll just add one thing at the end here about marketing integration. In the beginning, many CIAM solutions tried to pull a lot of marketing analytics functionality directly into the platform. But over the last few years we've seen more of an emphasis on just providing integrations to other data analytics solutions that are out there. So the marketing integrations kind of measure connectors for third party as well as any built-in capabilities that the solution has.
Right. If we look at the market, we are two years from the last edition. What has happened in the market? Is there still a rapid change? Are there new entrants? Are there consolidations, mergers, acquisitions? And is it still an active market?
Yeah, it definitely is. I mean, there are a number of new entrants. I think this is our largest report yet in terms of number of vendors covered. And as I said, they're coming in from maybe specific regions to address those regional business and regulatory needs. There have been some consolidations. There have been a few acquisitions that are in progress. And I would kind of predict that's going to continue as some of the smaller vendors surveyed here continue to gain ground. You know, there's room for alliances and acquisitions between them as well.
Right. So if you take a sneak peek at the results, what can you share with us when it comes to an overview of what has happened in the meantime?
Sure, so this is the way the Overall Leadership graphic turned out this time. I won't read through all of it because there are so many vendors. Just pause here for a minute and viewers can take a look.
And as you can see, there are quite some new names. Some might be just renaming new brands that are taking over the existing companies. But there are also the larger vendors that you would expect in that segment as well.
So I'll move on to the Product Leaders. In this category, we look at sort of an amalgamation of functionality and security within the product, how it can be deployed and overall product integration. And you know, we see a pretty good number of companies and they're just spread out.
As always, when we talk about a Leadership Compass, we must make this disclaimer or we really must highlight that just looking at such a graphic and looking to the upper right and saying, okay, that's the best one for me. This is usually just wrong because that would not justify the report of, I don't know how many pages you have, 45 to 60 pages of your document with detailed analysis of all these vendors, because in the end the Leadership Compass is a tool for the individual organization to identify the solution which fits better for them, and that does not necessarily need to be the one to the right upper corner, but it might be also some other vendor, some other service that makes much more sense for them and to choose there properly. So it's really recommended to do this analysis with your own requirements, with your own use cases in mind.
Yeah, I think that's an excellent point. You know, each vendor has specific strengths and challenges. And any given organization’s requirements may match any number of different vendors. It's best to look at the whole report, not just the graphics, but read the details. We try to include as much relevant technical detail as we can fit into it. So check it out.
Right. And as I can see from this list of vendors that are just in this graphic, that hints at quite an amount of work that you did because of the sheer number of vendors. I know you do briefings, I know you do fact checks with them. That looks like quite a substantial amount of work, but it's a great result to build upon for those who are trying to identify the right service for them. Anything that strikes you when it comes to innovation, you're showing this Innovation Leadership, which vendors come to your mind when it comes to specific innovations that have not been there two years before?
You know, I'm really looking at those that provide really either good built-in, in some cases there are some built-in account takeover protection or some are offering those remote onboarding apps, to make it easy for a customer to build in the connection to the CIAM providers from their own application. And those which are doing things that are really interesting in terms of making it easy to integrate and manage consumer device identities, as well as consent. Kind of everything that we've talked about before.
Right. So this really looks like a document that is of interest to many of our listeners and to the audience. So it's available on our website. I would really highly recommend that you head over to kuppingercole.com and pick your copy of the Leadership Compass CIAM, the 2022 edition that you just published. Any final words that you want to share before we close down? It's really interesting, and I know this is a topic that I'm dealing with as an advisor in many of our projects just right now. And this is really just the topic, this is really of interest to many organizations right now.
Yeah. You know, it's always a fascinating topic to research and write about. Any questions? Let us know. Thanks for taking a look at it.
Absolutely. And also to the audience, if you have any questions, if you're watching this on YouTube, please drop your comments below and your questions. And we will pick them up. If there are topics that we should cover in this podcast that we have not yet covered or not yet covered in detail, let us know if there's feedback of any kind. Again, let us know either on YouTube and below in the comments, or just reach out to John and me. If you have any specific questions or comments, we are happy to answer. Thank you very much, John, for being my guest today, for spending the time for doing this awesome amount and results of this work. I'm really looking forward to digging deeper into the document also as part of my tool kit when it comes to doing advisory work. Thanks again, John. Looking forward to seeing you soon and again for another episode. Goodbye John.
Thank you Matthias.