Believe it or not, Customer Identity and Access Management (CIAM) is embedded in every ‘login’ experience we have, and yet it’s one of the least popular terms you will hear in a conversation around cybersecurity best practice.
Essentially, it’s the complicated piece of logic that decides who has access to applications and, beyond that, what data they are allowed to access.
And as you might expect, it is tricky to get right. You’re attempting to securely handle your customers’ most sensitive data across the public internet and between applications – in real time! It’s not a project for the faint-hearted, but it is a crucial one for all organisations to embark on.
In my opinion, the CIAM conversation develops into two key areas: customer experience and security. In a consumer driven market, both are important, and one cannot be traded for the other.
In my previous role, I once had a couple of Year 11 Computer Science students show me that a well-known learning platform we were using in the school was sending passwords across the network in plain text. This meant that anyone who was able to intercept our internet traffic would be able to read actual, unencrypted passwords. If we were to use my password as an example, it was designed to meet the school policy, and was also used for my emails and the student data platform. At this point, I’m sure I don’t need to explain the security risks that could arise as a result of this, but the shocking part is that this experience is much more common than you might think.
Customer expectations are at an all-time high for a frictionless online experience from all of their favourite brands, doctors’ surgeries, schools and local takeaways, and this means that security is not being prioritised in the way it should be. Shortcuts are being taken to deliver that experience, with CIAM coming as an afterthought.
Ensuring a secure registration and login (authentication) experience that does not compromise customer data is a labour-intensive task for most engineering teams. Add to that the expectation of offering social login shortcuts via Gmail or Facebook, AND then the ability for customers to choose the authentication method they use, such as a password or an SMS code.
Oh, and of course we can’t forget MFA (Multi-Factor Authentication), which is steadily becoming an expectation among customers looking to secure their accounts. While we are there, let’s ensure this is a frictionless experience, and teams should also be ensuring that the customer experience is perfectly replicated across web, iOS and Android applications.
Finally, it’s important to make sure this experience has been future-proofed and has a level of consistency across new builds and legacy apps, with some room for innovation in the future as customer demands evolve.
Wow…that’s quite the shopping list.
Step in CIAM vendors. Their technologies offer Identity as a Service (IDaaS), which allows them to focus all of their engineering might on making sure their platform offers the most secure approach to registering and authenticating users.
Customers who use this ‘plug and play’ approach to authentication are then free to focus on innovation in their own consumer-facing resources. Adding MFA for customers is often as simple as logging into the admin console of your CIAM provider and switching it on. Most CIAM vendors offer bot protection, breached password detection and DDoS protection as standard with their platforms, taking the strain off time-poor developer teams who would otherwise be building these tools from scratch.
It just makes sense; hand over the complicated identity piece to the specialist, save money on additional resource, double down on the great customer experience and keep the branding consistent at the same time.
So my question to you is, why is CIAM still a relatively unknown solution? Why is it rarely talked about as a security solution?
Customer facing applications are the globally exposed front doors into a company’s network, so surely, this is the area we should be reinforcing?
If you take just one thing away from my thoughts today, it’s that the security perimeter has always shifted and always will. As we allow customers to have their on-demand content and access their accounts in real time, we will at the same time be opening our front doors to threats.
The onus is on organisations to ensure their perimeters are kept watertight and the threats are kept out, yet they don’t have to go it alone. Technologies such as CIAM are here to help lift the load.
If you would like to find out more about CIAM, I’d recommend reading this research paper by CIAM specialists Auth0 which features some very interesting statistics and thoughts from over 17,000 global organisations on their CIAM experience.