Customer identity and access management (CIAM) governs the digital identities of customers and other users who sit outside an organization. Core CIAM functions include capturing customer profile data, authenticating users and facilitating secure access to digital services, such as e-commerce sites.
CIAM sits at the intersection of customer experience and cybersecurity.
Organizations use CIAM solutions to create consistent, branded user registration and login experiences across their digital ecosystems, from websites and mobile apps to Internet of Things (IoT) devices and beyond. CIAM tools also help automate and streamline customer data collection at each point in the ecosystem, allowing the organization to give each customer a defined user identity. No matter where users go, they see the same login portal and user account.
At the same time, CIAM tools protect customers’ accounts and personal data from fraud and abuse by implementing security controls such as identity verification, multifactor authentication and anomaly detection.
Early CIAM solutions focused exclusively on consumer identities. Some CIAM tools have evolved to support identity lifecycle management for all kinds of users outside the organization’s workforce, including partners, vendors, citizens and business-to-business (B2B) customers.
Join security leaders who rely on the Think Newsletter for curated news on AI, cybersecurity, data and automation. Learn fast from expert tutorials and explainers—delivered directly to your inbox twice weekly. See the IBM Privacy Statement.
Identity and access management (IAM) is a broad discipline that governs how users access digital resources in enterprise networks. CIAM is the subset of IAM that focuses on managing access for customers and other people who sit outside of an organization, as opposed to employees and internal users.
Organizations treat CIAM as a distinct branch of IAM because external customers and internal employees have different needs and priorities when managing their identities and using digital resources.
In particular, there are three key differences between IAM and CIAM.
Customer data is extremely valuable, but asking for too much of it can be off-putting. CIAM tools and processes help organizations create optimized workflows for inviting—and enticing—users to share their personal data.
In contrast, traditional identity access management practices focus less on data capture. If an organization needs information from employees, it can simply ask.
Customers want frictionless digital experiences. If they run into roadblocks, they might give up—even abandoning their shopping carts midpurchase. To avoid harming customer retention, CIAM tools and processes must strike a balance between security, data collection and user experience.
Traditional IAM solutions focus on security over convenience for a couple of reasons. First, attackers can cause more damage with a stolen employee’s account than they can with a customer’s account. Second, employees have a higher tolerance for less-than-ideal experiences. To put it bluntly, they can’t “give up” on enterprise systems they dislike.
Because IAM solutions primarily serve internal users, they only need to accommodate tens or maybe hundreds of thousands of users at most. CIAM systems must scale to serve millions or even hundreds of millions of customers. As such, CIAMs often emphasize self-service account management and scalable cloud infrastructure.
While organizations do need slightly different approaches for IAM and CIAM, they do not necessarily need to use separate identity solutions. Increasingly, many IAM tools can handle both workforce and CIAM use cases.
CIAM is a cross-discipline effort typically involving stakeholders from IT, security, marketing and elsewhere in the business. Many organizations build their CIAM processes around four key pillars: data capture, user engagement, self-management and system administration.
At the heart of any CIAM process is a CIAM solution. These solutions unify an organization’s digital assets and services in a single, consistent, branded user experience. No matter where users log in—a desktop site, mobile app, even the website of an affiliated brand—they are taken to the same user account.
On the back end, the CIAM captures customer data from all these touchpoints in a centralized, secure repository, creating a single identity for each user across the organization’s entire digital ecosystem.
Most CIAM tools are delivered as cloud-based software-as-a-service (SaaS) solutions. SaaS solutions can scale as more customers register, and they can connect to the organization’s various digital properties. Vendors are also starting to deliver CIAM solutions as flexible microservices to better accommodate increasingly popular identity fabric architectures.
Users self-manage their accounts, from account creation and onboarding all the way to deletion (if necessary). Users can set account and communication preferences, update their profiles and conduct password resets without needing organizational help.
CIAMs capture and securely store important customer data, such as demographic details, payment information and order histories.
Many CIAMs support “progressive profiling.” Instead of requiring users to complete their profiles at the time of registration, CIAM tools ask for data in stages and only when necessary. For example, a new user on an e-commerce site might need to provide only a username and password at sign-up. They don’t need to share their address or credit card details until they make a purchase.
Many CIAMs can connect with internal systems such as data warehouses and customer relationship management (CRM) tools so that customer data can be used for analytics and business intelligence.
Most CIAMs have self-service consent management tools, where users can grant—or deny—organizations permission to use their personal data in certain ways. This can help organizations comply with data privacy laws that require obtaining user consent.
Some CIAMs include extra compliance tools, such as activity tracking, auditing and data governance policy enforcement.
CIAM solutions typically support multiple user authentication methods. These methods commonly include:
CIAM systems also support authorization—that is, the act of granting verified users the appropriate permissions in a system. Access control is straightforward for customers: Logging in gives you permission to access your own account and nothing else. Organizations might use more granular systems, such as role-based access control (RBAC), for suppliers, contractors and other partners.
Many CIAM systems offer dashboards and reports that administrators can use to track system and user activity, such as authentications, app usage, login trends and other data points. These tools can help organizations better understand both their CIAM processes and their users.
To deliver seamless customer experiences, CIAM solutions must integrate with various assets and systems. Most CIAMs have prebuilt application programming interfaces (APIs), software development kits (SDKs) and other tools and connectors to work across mobile apps, websites, devices and other digital experiences.
To facilitate identity orchestration workflows, many CIAMs also support no-code and low-code methods for building unified authentication and authorization processes across disparate systems.
Many CIAM solutions support bring your own identity (BYOI) and social logins, which use third parties such as social media sites and other forms of federated identity as identity providers. Instead of creating their accounts from scratch, users can import their profile details, including credentials, from these third parties.
To protect user data, CIAM systems include built-in security controls such as fraud detection, identity proofing, account takeover protection, anomaly detection and adaptive authentication.
CIAMs can also typically integrate with external security tools, such as security information and event management (SIEM) solutions, to better detect and prevent suspicious activity and cyberattacks.
While CIAM and CRM solutions both help manage customer data, they serve distinct purposes. CIAM tools are customer-facing. They focus on allowing users to manage their accounts in an organization’s ecosystem. CRM tools are business-facing. They focus on business functions such as lead generation and sales pipelines.
The names of these tools help highlight the distinction: CIAM tools manage users’ identities, while CRM tools track a business’s relationships with its users.
These tools often work together, with CIAMs feeding customer data to CRM tools for further analysis, but they are ultimately two different tools with different sets of capabilities.
CIAM solutions have uses in various domains, including:
CIAM systems help organizations deliver frictionless, personalized experiences to customers at scale.
With a CIAM solution, an organization can create distinct, traceable identities for each customer. These identities allow them to understand customers more deeply—to get to know their preferences, purchase histories and other important details. This data can, in turn, be used to develop and deliver more targeted marketing, messaging, offers and recommendations.
CIAMs can also help build customer trust by allowing companies to create consistent brand experiences across all platforms and portals. If a brand’s mobile app looks markedly different from its desktop site, users might not trust that the app is authentic. With a CIAM, the user would have the same login experience with both the app and the website, allaying fears of fraud or unreliability.
CIAM systems can help optimize customer data capture by empowering customers to control what data they share and how and when they share it. Progressive profiling can also help encourage users to share more data as they build out their profiles over time. Furthermore, self-managed consent tools enable organizations to record the permissions they need to process this customer data.
As a result, CIAMs can build up rich customer datasets that organizations can feed to CRMs, business intelligence suites and even AI and ML apps for analysis and insights.
CIAM systems are as much cybersecurity tools as they are customer experience and marketing tools. Like any IAM system, they give organizations insight into who is doing what in their systems. They can be used to apply access controls and detect suspicious behaviors, including insider threats—such as people misusing customer data.
CIAMs can also help protect customer data against hackers by placing strict authentication measures around users’ accounts.
Many governments use CIAMs for identity verification for citizens. CIAMs help combat fraud and abuse by ensuring that only authentic citizens can use digital government portals to access services, file taxes and conduct other important business.
CIAMs can help simplify collaboration across organizations by providing secure, seamless access to partner portals, vendor platforms and enterprise services. CIAMs help ensure that each business partner, contractor or supplier has the right level of access to shared systems and data without unnecessary friction.
The average data breach costs an organization USD 4.44 million. Stolen or compromised account credentials are behind 10% of these breaches, according to the IBM Cost of a Data Breach Report.
Hackers cannot usually escalate into sensitive enterprise systems from a stolen customer account, but they can still wreak plenty of havoc, such as stealing personal data and making fraudulent purchases. If customers don’t think an organization’s systems are safe, they might stop using them.
Organizations have good reason to secure user accounts, but if security requirements are too onerous, users might object to them. Business partners, contractors and suppliers might have a slightly higher tolerance, but their patience isn’t infinite.
CIAMs can help balance consumer experience and security. CIAMs can help organizations build convenient login experiences while facilitating secure customer access through means such as adaptive authentication, which prompts users for extra credentials only when risk levels are high.
CIAMs can simplify and streamline the process of complying with data privacy and security laws such as the General Data Protection Regulation (GDPR). Self-service consent management tools enable users to set their preferences, and they allow organizations to keep records of consents and preferences. Consent management can help organizations build trust with customers and avoid penalties for noncompliance.
In creating a unified experience for all customers, a CIAM also creates a single source of truth for customer data. When customer activity is tied to specific profiles, it becomes easier for organizations to unlock the value of that data.
Users might interact with different pieces of a digital estate, but on the back end, one CIAM powers all these login experiences. All customer identity data feeds into the same repository. Organizations no longer need to stitch multiple datasets together to get a basic understanding of their customers.
CIAMs also help knock down data silos. Regardless of where or how customer data is captured—newsletter sign-ups, orders, app logins—it pours into the same data store. From there, data can be shared with data warehouses, BI apps, AI models and other analytics tools.
