Exploring the reasons why traditional Identity and Access Management (IAM) systems are not very suitable for managing customer identities. Welcome to IAM vs CIAM.
IAM vs. Customer IAM (CIAM)
Which type of identities are you managing?
Internal or External Identities?
- IAM systems are designed to manage and protect internal, employee identities.
- Customer Identity & Access Management (CIAM) systems are designed to manage and protect external identities, such as customers, citizens, partners, contractors, APIs or things (think IoT) – and are therefore optimised for very different use cases.
How are you verifying digital identities?
Do you need to make use of Identity Providers (IdP)?
- Managers of internal IAM systems can dictate to employees how they verify their identities. Usually it’s done by HR during onboarding.
- CIAM systems allow for a choice of Identity Provider when it comes to verification. Bring Your Own Identities (BYOI) should be supported for social login, or use of verified identities like BankID, NemID or Regional eIDs. Where digital identities do not already exist, there should be real-time identity verification.
How scalable does your system need to be?
Is your customer base larger and faster growing than your employee base?
- Your customer base will already be larger and be growing much faster than your internal employee base, so Customer Identity & Access Management systems should be more scalable than internal IAM systems.
Who owns the data?
How important is trust?
- Internal employees generally trust their HR team with their data in work IAM systems.
- Consumers want control over their own identity data and consent attributes and how they are used. Customer IAM is set up to help organisations achieve and maintain GDPR compliance.
How important is User Experience (UX)?
Are users trained on the systems? Is intuitive UX critical?
- In-house IAM systems need to meet certain expectations of user experience, but individual users will receive training on how to use the software properly.
- For externally-facing CIAM systems, an intuitive UX is not a ‘nice-to-have’ – it’s a prerequisite to success.
How flexible should the system be?
Does it need regular changes?
- Internal IAM doesn’t need to be updated regularly – and updates can be made over longer periods of time.
- Customer Identity & Access Management should be flexible enough to keep up with consumer trends, and is nowadays most likely deployed as a managed service such as IDaaS (Identity-as-a-Service).
Is manual management realistic?
Can you dedicate resource to manually adjusting customer accounts?
- Due to the lower number of users (employees) and a generally lower growth rate of new users, internal IAM systems are generally set up for manual or semi-automated management of identities.
- Customers amount to thousands, sometimes millions of user identities. A CIAM system should allow customers to manage their own identities and, in common use cases, delegate management of accounts to enable scalability.
Is your goal to increase revenue, reduce operational costs, or both with your IAM system?
- Internal IAM is not intended to generate revenue, but will have a strong impact on security, compliance, and reducing operational costs.
- Customer IAM will also increase customer-facing security and privacy compliance. But it should also increase customer conversions, engagements and revenue. It may even create new revenue opportunities, and certainly should reduce costs for support and administration.
IAM vs CIAM Blog
You may already have an IAM system in place in your organisation, for example to manage internal/employee identities. So why can’t this be used for your customer-facing application?
IAM vs CIAM White Paper
How user experience, platform flexibility, business performance, revenue, privacy, trust & data regulation and compliance (among others) are driving the need to adopt Customer IAM solutions.