The Eight Stages of Effective Customer Identity Access Management

Mark Perry, APAC Chief Technology Officer and Principal Architect, Ping Identity

As commerce continues to shift online, IT managers are finding themselves juggling two competing priorities. On one hand they need to provide a frictionless experience for customers, while on the other they need to ensure underlying systems and data remain secure.

Getting the access and security balance right is critical for a business. If customers find it too hard to purchase products or services from one firm they will simply shift to a competitor. Also, they want the ability to use a range of different channels for their interactions and will gravitate to those firms offering the best experience.

For businesses, this trend has brought the issue of Customer Identity Access Management (CIAM) into sharp focus. Businesses need to find an effective and seamless way to create new customer accounts and manage these relationships over time.

There are eight key stages to consider when deploying a CIAM system:

1. Registration and ID creation

The registration process is the first interaction a new customer has with a firm's IAM system, so the goal must be to create the least friction possible while still ensuring an appropriate level of security.

Options offered to customers should include the ability to complete registration without needing to speak to an agent, and the ability to use an existing login from a provider such as Google, Facebook or PayPal.

While customer profiles will become invaluable to the business over time, it's important to start out by requesting the least amount of information necessary to create a new customer ID. Further details can be gathered as the customer begins to interact with the business.

To assist in this initial stage, a CIAM system should provide either pre-built registration forms that can be customised to suit the business or APIs that allow original forms to be built and used.

2. Identity storage

Once a new customer profile has been created, the ID data must be stored in a secure repository. Because a business may end up having hundreds, thousands, or even millions of user profiles, the repository must be able to scale.

Many CIAM systems rely on directory services to support authentication and authorisation and database technologies to house the identity repository. However, because of the need to handle what is an unpredictable and potentially high volume of IDs, a cloud-hosted option is more appropriate.

A cloud-based repository can readily scale to match growing demand with the provider also taking responsibility for utilisation and performance.

Because data entered by customers will be in both structured and unstructured forms, the ID repository must also be able to accommodate both types. Also remember that cloud storage should be in-country where privacy and data sovereignty requirements mandate it.

3. Data aggregation

The challenge of effective CIAM is further complicated by the fact that relevant data may be distributed across multiple locations within a business as well as in third-party databases and marketing systems.

One way to aggregate this data is through application integration, where data is synchronised bi-directionally between the user profile and third-party applications such as marketing and CRM systems. Another option, called progressive profiling, uses dynamic forms to gradually gather demographic data from customers over time.

4. Account validation

As customers continue their relationship with the business, regular account validation will be required.

Options include the use of CAPTCHA tools to determine that the customer is a human (and not a bot), and data validation measures which involve comparing entered details with known confirmed information about them.

5. Identity proofing

Where it makes sense to apply additional techniques to confirm a customer's authenticity, ID proofing can be employed. Push notifications to a registered device can ease the process.

6. Strong authentication

Strong or multi-factor authentication is another key step in having secure CIAM in place. It requires a combination of two or more authentication factors, such as PINs, passwords, tokens, smart cards, and fingerprints or iris scans.

While it's always important to strike a balance between security and user experience, authentication beyond the scope of just a username and password is a requirement for an increasing number of CIAM systems.

At the same time, an MFA system should allow for specific CIAM requirements, such as environments where there may be a mixture of device types, and use by elderly and disabled customers. After all, not everyone can easily type a number into a tiny screen.

7. Single Sign-on (SSO)

While single sign-on is relatively common within organisations, it can be harder to put in place for customers who need to access multiple websites or applications.

One way it can be achieved is through automated account linking. If a customer has multiple accounts within the same organisation they can be automatically linked to provide SSO. Another option is to offer customers the chance to link multiple social accounts (such as Facebook and Google) to their account with the business so they don't need to remember which one they used when the account was established. Either can then be used to sign in.
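The two linking options described above, as an added illustration that is not part of the original article or of any Ping Identity product: a constructed identity store in which one customer account is reachable through several logins. Accounts from the organisation's own login systems (the hypothetical `INTERNAL_ISSUERS` set) are linked automatically when the issuer asserts a verified email that matches an existing customer; social logins are linked only by a customer who is already signed in, and either login then resolves to the same account.

```python
from dataclasses import dataclass, field

# Constructed: the organisation's own login systems, whose verified emails we accept
# for automated account linking. Social providers are deliberately not in this set.
INTERNAL_ISSUERS = frozenset({"shop.example", "loyalty.example"})


@dataclass
class Customer:
    customer_id: str
    email: str                                  # verified contact address, lower-cased
    profile: dict = field(default_factory=dict)


class IdentityStore:
    """One customer account, reachable through several linked (issuer, subject) logins."""

    def __init__(self):
        self.customers = {}   # customer_id -> Customer
        self.links = {}       # (issuer, subject) -> customer_id
        self.by_email = {}    # verified email -> customer_id

    def register(self, customer_id, email, issuer, subject):
        """Create a local account and record the login it was created with."""
        cust = Customer(customer_id, email.lower())
        self.customers[customer_id] = cust
        self.by_email[cust.email] = customer_id
        self.links[(issuer, subject)] = customer_id
        return cust

    def link(self, customer_id, issuer, subject):
        """Explicit linking of e.g. a social login; caller is already signed in as customer_id."""
        if customer_id not in self.customers:
            raise KeyError("unknown customer")
        owner = self.links.get((issuer, subject))
        if owner is not None and owner != customer_id:
            raise ValueError("login already belongs to another account")
        self.links[(issuer, subject)] = customer_id

    def sign_in(self, issuer, subject, email=None, email_verified=False):
        """Resolve a login to its customer. A login from an internal issuer carrying a
        verified email that matches an existing account is linked automatically;
        an unknown login returns None instead of silently creating or merging anything."""
        cid = self.links.get((issuer, subject))
        if cid is None and issuer in INTERNAL_ISSUERS and email_verified and email:
            cid = self.by_email.get(email.lower())
            if cid is not None:
                self.links[(issuer, subject)] = cid   # automated account linking
        return self.customers.get(cid) if cid is not None else None
```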

8. Customer profile

As the relationship between the business and its customers grows over time, the final stage of effective CIAM is the management of the profiles that have been created. To maintain data accuracy, profile management rights should be given to delegated administrators, while at the same time customers are offered the ability to self-manage certain data and settings.

Implementing an effective CIAM system is a vital step in ensuring online relationships with customers can be established and maintained. By following these stages, a business can ensure it has the right CIAM system in place that will support growth well into the future.
