


The functional difference between IAM and CIAM (Customer IAM) is this: are you managing internal employee identities (IAM – aka legacy/enterprise/internal IAM) or external customer identities (CIAM)?

  • IAM (Identity and Access Management) – controlling what employees can and cannot do within corporate networks, and making sure that the organisation’s systems are not accessible to anyone external.
  • CIAM (Customer Identity and Access Management) – managing external identities, be they customers, consumers, partners, contractors, things or residents/citizens.

While it may not be immediately clear why this difference would call for drastically different platforms, the two groups present very different use cases.


User experience

The demands on an IAM system in terms of user experience (UX) are important, but not as critical as in a CIAM system. This is because employees (usually) do what they are told and use the systems the employers provide for them – and are often trained to do so.

In contrast, user experience for customers (customer experience) is one of the key success factors in today’s digital business. If you deliver a bad experience, your customers will leave unhappy, quickly moving to another service provider and taking their money – your revenue – with them. For externally-facing Customer IAM systems, an intuitive UX is not a ‘nice-to-have’ – it’s a prerequisite to success.


Platform flexibility

Another IAM vs CIAM difference is in how the environments are treated. In an enterprise environment (IAM), changes to the system tend to be slower, and the systems are quite inflexible. It’s not commonplace for such systems to keep up with the latest trends and adopt every new technology. This is in stark contrast to customer-facing solutions, which update system features on a regular basis, as doing so can be a way to stand out from the competition.

Rigid enterprise IAM solutions are not built for these kinds of demands, but CIAM should enable quick changes to be made through simple configuration rather than a full recode. CIAM is designed to be flexible enough to keep up with consumer trends and, nowadays, is most likely deployed as a managed service such as IDaaS.



Scalability is a big differentiator between IAM and CIAM. For any size of company, the number of employees rarely matches the potential number of consumers. For example, a customer-facing solution might have a million users, but nowhere near that many employees. Therefore, the scalability requirements for IAM and CIAM solutions are hugely different.

Using an IAM solution for an external customer-centric service with a substantial number of users is a recipe for disaster, as an IAM solution is not likely to scale to meet the requirements.



IAM should provide capabilities such as single sign-on (SSO), identity directories, access management, authentication methods and workflows, and employee provisioning.

CIAM, however, focuses on the needs of the customer, and should offer specialised capabilities designed for customer usage. CIAM capabilities should include but also go beyond IAM capabilities. This includes identity proofing, strong authentication, user-friendly authentication methods, consent management, and identity and attribute data directories.


Identity Verification

Do you need to make use of Identity Providers (IdP)? Managers of internal IAM systems can dictate to employees how they verify their identities. Usually, this step is carried out by HR during onboarding.

Customer IAM systems allow for choices of Identity Provider when it comes to verification. Bring Your Own Identity (BYOI) should be supported – enabling social login, or use of verified identities like BankID, NemID or regional eIDs. Where existing digital identities do not exist, CIAM should enable real-time identity verification.


Managing identities

Internal IAM is driven by the Human Resources team, and the number of identities doesn’t usually fluctuate rapidly. Adding or removing employees, or amending roles and access, amounts to at most a few hundred changes per day in even the largest organisations.

Compare this to an external system, where the number of users (hopefully) grows rapidly, and the need to effectively manage these identities is crucial. CIAM is built for you to know exactly who is accessing your online services, but also in which role they are entering, or which organisation they represent, without manual effort from the IT administrator.

For customer-facing applications, it becomes essential that the solution enables users (customers) to manage their own identity data and credentials.


Privacy, security, trust & data regulation

Companies want to own their employee identities, at least to some extent. The concept of Bring Your Own Identity (BYOI) might change this to some degree, but for internal identities the ownership of access management and privileges (roles, authorisations) should still remain in the control of the company, not the user.

For external identities, trust and users’ sense of control over their personal data are much more important, particularly in light of certain regulations (such as GDPR). CIAM can provide crucial transparency and the possibility for the end customer to manage, erase and export/transport their own personal data, providing the much-needed trust element.



The final difference is quite a simple one – does the solution bring in revenue? Internal IAM, with the emphasis on employees, isn’t intended to bring revenue to the company. An effective IAM solution should have a strong impact on managing risk, achieving compliance, and reducing operational costs.

CIAM solutions may well bring in revenue by enabling new digital services, or at least saving on support costs. Customer IAM will also increase customer-facing security and privacy compliance. But it should also increase customer conversions, engagements and revenue. It may even create new revenue opportunities, and certainly should reduce costs for support and administration.



In summary, the underlying technology for both IAM and CIAM can be similar, but what differentiates the two is the functionality built on top of those basic building blocks.

For more detail on IAM vs CIAM, including applied use case examples during identity-driven digital transformation initiatives, download the white paper: The Difference Between Internal IAM and Customer IAM.