What is customer identity and access management (CIAM)?

Author

Matthew Kosinski

Staff Editor

IBM Think

What is CIAM?

Customer identity and access management (CIAM) governs the digital identities of customers and other users who sit outside an organization. Core CIAM functions include capturing customer profile data, authenticating users and facilitating secure access to digital services, such as e-commerce sites.

CIAM sits at the intersection of customer experience and cybersecurity.

Organizations use CIAM solutions to create consistent, branded user registration and login experiences across their digital ecosystems, from websites and mobile apps to Internet of Things (IoT) devices and beyond. CIAM tools also help automate and streamline customer data collection at each point in the ecosystem, allowing the organization to give each customer a defined user identity. No matter where users go, they see the same login portal and user account.

At the same time, CIAM tools protect customers’ accounts and personal data from fraud and abuse by implementing security controls such as identity verification, multifactor authentication and anomaly detection.

Early CIAM solutions focused exclusively on consumer identities. Some CIAM tools have evolved to support identity lifecycle management for all kinds of users outside the organization’s workforce, including partners, vendors, citizens and business-to-business (B2B) customers. 

CIAM versus IAM: What’s the difference?

Identity and access management (IAM) is a broad discipline that governs how users access digital resources in enterprise networks. CIAM is the subset of IAM that focuses on managing access for customers and other people who sit outside of an organization, as opposed to employees and internal users.

Organizations treat CIAM as a distinct branch of IAM because external customers and internal employees have different needs and priorities when managing their identities and using digital resources.

In particular, there are three key differences between IAM and CIAM.

Data capture

Customer data is extremely valuable, but asking for too much of it can be off-putting. CIAM tools and processes help organizations create optimized workflows for inviting—and enticing—users to share their personal data.

In contrast, traditional identity and access management practices focus less on data capture. If an organization needs information from employees, it can simply ask.

User experience

Customers want frictionless digital experiences. If they run into roadblocks, they might give up—even abandoning their shopping carts midpurchase. To avoid harming customer retention, CIAM tools and processes must strike a balance between security, data collection and user experience.

Traditional IAM solutions focus on security over convenience for a couple of reasons. First, attackers can cause more damage with a stolen employee’s account than they can with a customer’s account. Second, employees have a higher tolerance for less-than-ideal experiences. To put it bluntly, they can’t “give up” on enterprise systems they dislike. 

Scalability

Because IAM solutions primarily serve internal users, they only need to accommodate tens or maybe hundreds of thousands of users at most. CIAM systems must scale to serve millions or even hundreds of millions of customers. As such, CIAMs often emphasize self-service account management and scalable cloud infrastructure.

While organizations do need slightly different approaches for IAM and CIAM, they do not necessarily need to use separate identity solutions. Increasingly, many IAM tools can handle both workforce and CIAM use cases.

How CIAM works

CIAM is a cross-discipline effort typically involving stakeholders from IT, security, marketing and elsewhere in the business. Many organizations build their CIAM processes around four key pillars: data capture, user engagement, self-management and system administration.

  • Data capture: Creating convenient, streamlined workflows for account creation and data collection to motivate users to sign up and share their data.

  • User engagement: Using simple, secure logins and progressive profiling to engage customers and keep them coming back.

  • Self-management: Giving users control of their profiles, including the ability to choose what sensitive data they share and how that data is used.

  • System administration: The ongoing management of CIAM tools and processes, including integrating new apps, acquiring new users and monitoring activity to prevent fraud and derive insights.

CIAM solutions

At the heart of any CIAM process is a CIAM solution. These solutions unify an organization’s digital assets and services in a single, consistent, branded user experience. No matter where users log in—a desktop site, mobile app, even the website of an affiliated brand—they are taken to the same user account.

On the back end, the CIAM captures customer data from all these touchpoints in a centralized, secure repository, creating a single identity for each user across the organization’s entire digital ecosystem.

Most CIAM tools are delivered as cloud-based software-as-a-service (SaaS) solutions. SaaS solutions can scale as more customers register, and they can connect to the organization's various digital properties. Vendors are also starting to deliver CIAM solutions as flexible microservices to better accommodate increasingly popular identity fabric architectures. 

Key features of CIAM solutions

Self-service identity lifecycle management

Users self-manage their accounts, from account creation and onboarding all the way to deletion (if necessary). Users can set account and communication preferences, update their profiles and conduct password resets without needing organizational help. 

Data collection

CIAMs capture and securely store important customer data, such as demographic details, payment information and order histories.

Many CIAMs support “progressive profiling.” Instead of requiring users to complete their profiles at the time of registration, CIAM tools ask for data in stages and only when necessary. For example, a new user on an e-commerce site might need to provide only a username and password at sign-up. They don’t need to share their address or credit card details until they make a purchase.

Many CIAMs can connect with internal systems such as data warehouses and customer relationship management (CRM) tools so that customer data can be used for analytics and business intelligence.

Compliance tools 

Most CIAMs have self-service consent management tools, where users can grant—or deny—organizations permission to use their personal data in certain ways. This can help organizations comply with data privacy laws that require obtaining user consent.

Some CIAMs include extra compliance tools, such as activity tracking, auditing and data governance policy enforcement. 

Authentication and authorization

CIAM solutions typically support multiple user authentication methods. These methods commonly include:

  • Basic username and password authentication.

  • Multifactor authentication (MFA), in which users must supply at least two pieces of evidence to prove their identities.

  • Adaptive authentication, which uses artificial intelligence (AI) and machine learning (ML) to analyze user behavior and change authentication requirements in real-time as risk level changes.

  • Passwordless authentication, which uses something other than a password to verify user identity, such as biometric authentication or passkeys.

  • Single sign-on (SSO), which allows users to access multiple apps and services with one set of login credentials. SSO systems use open protocols such as Security Assertion Markup Language (SAML) and OpenID Connect (OIDC) to share authentication data between services.

CIAM systems also support authorization—that is, the act of granting verified users the appropriate permissions in a system. Access control is straightforward for customers: Logging in gives you permission to access your own account and nothing else. Organizations might use more granular systems, such as role-based access control (RBAC), for suppliers, contractors and other partners. 
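The two authorization models described above can be combined in a single deny-by-default check. The following Python sketch is an added example, not code from IBM or any CIAM product; the role names, permission strings and the organization scoping of partner resources are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical role-to-permission map for external partners (constructed).
ROLE_PERMISSIONS = {
    "supplier": {"catalog:read", "inventory:write"},
    "contractor": {"catalog:read"},
}


@dataclass(frozen=True)
class Principal:
    user_id: str
    kind: str                        # "customer" or "partner"
    roles: frozenset = frozenset()   # only meaningful for partners
    org_id: Optional[str] = None     # partner's organization (assumption)


@dataclass(frozen=True)
class Resource:
    kind: str                        # "account", "catalog", "inventory", ...
    owner_id: Optional[str] = None   # owning customer, for account data
    org_id: Optional[str] = None     # organization a shared resource belongs to


def is_authorized(principal: Principal, resource: Resource, action: str) -> bool:
    """Deny by default; allow only what one of the two models grants."""
    if principal.kind == "customer":
        # Customers: their own account and nothing else. The owner check uses
        # the authenticated user_id, never an ID taken from the request.
        return resource.kind == "account" and resource.owner_id == principal.user_id
    if principal.kind == "partner":
        # Partners: RBAC, limited to resources of the partner's own organization.
        if principal.org_id is None or resource.org_id != principal.org_id:
            return False
        needed = f"{resource.kind}:{action}"
        return any(needed in ROLE_PERMISSIONS.get(role, set())
                   for role in principal.roles)
    return False  # unknown principal kinds get nothing
```

The customer branch compares the resource owner with the authenticated identity, so a request that names another customer's account ID is refused rather than served.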

Identity monitoring and analytics

Many CIAM systems offer dashboards and reports that administrators can use to track system and user activity, such as authentications, app usage, login trends and other data points. These tools can help organizations better understand both their CIAM processes and their users. 

Integration and identity orchestration

To deliver seamless customer experiences, CIAM solutions must integrate with various assets and systems. Most CIAMs have prebuilt application programming interfaces (APIs), software development kits (SDKs) and other tools and connectors to work across mobile apps, websites, devices and other digital experiences.

To facilitate identity orchestration workflows, many CIAMs also support no-code and low-code methods for building unified authentication and authorization processes across disparate systems.

Many CIAM solutions support bring your own identity (BYOI) and social logins, which use third parties such as social media sites and other forms of federated identity as identity providers. Instead of creating their accounts from scratch, users can import their profile details, including credentials, from these third parties.

Security measures

To protect user data, CIAM systems include built-in security controls such as fraud detection, identity proofing, account takeover protection, anomaly detection and adaptive authentication.

CIAMs can also typically integrate with external security tools, such as security information and event management (SIEM) solutions, to better detect and prevent suspicious activity and cyberattacks.

CIAM versus CRM 

While CIAM and CRM solutions both help manage customer data, they serve distinct purposes. CIAM tools are customer-facing. They focus on allowing users to manage their accounts in an organization’s ecosystem. CRM tools are business-facing. They focus on business functions such as lead generation and sales pipelines.

The names of these tools help highlight the distinction: CIAM tools manage users’ identities, while CRM tools track a business’s relationships with its users.

These tools often work together, with CIAMs feeding customer data to CRM tools for further analysis, but they are ultimately two different tools with different sets of capabilities.

CIAM use cases

CIAM solutions have uses in various domains, including:

  • Customer experience
  • Business intelligence and data 
  • Cybersecurity
  • Government services
  • B2B activity

Customer experience

CIAM systems help organizations deliver frictionless, personalized experiences to customers at scale.

With a CIAM solution, an organization can create distinct, traceable identities for each customer. These identities allow them to understand customers more deeply—to get to know their preferences, purchase histories and other important details. This data can, in turn, be used to develop and deliver more targeted marketing, messaging, offers and recommendations. 

CIAMs can also help build customer trust by allowing companies to create consistent brand experiences across all platforms and portals. If a brand’s mobile app looks markedly different from its desktop site, users might not trust that the app is authentic. With a CIAM, the user would have the same login experience with both the app and the website, allaying fears of fraud or unreliability. 

Business intelligence and analytics

CIAM systems can help optimize customer data capture by empowering customers to control what data they share and how and when they share it. Progressive profiling can also help encourage users to share more data as they build out their profiles over time. Furthermore, self-managed consent tools enable organizations to record the permissions they need to process this customer data.

As a result, CIAMs can build up rich customer datasets that organizations can feed to CRMs, business intelligence suites and even AI and ML apps for analysis and insights. 

Cybersecurity

CIAM systems are as much cybersecurity tools as they are customer experience and marketing tools. Like any IAM system, they give organizations insight into who is doing what in their systems. They can be used to apply access controls and detect suspicious behaviors, including insider threats—such as people misusing customer data.

CIAMs can also help protect customer data against hackers by placing strict authentication measures around users’ accounts. 

Government services

Many governments use CIAMs for identity verification for citizens. CIAMs help combat fraud and abuse by ensuring that only authentic citizens can use digital government portals to access services, file taxes and conduct other important business.

B2B activity

CIAMs can help simplify collaboration across organizations by providing secure, seamless access to partner portals, vendor platforms and enterprise services. CIAMs help ensure that each business partner, contractor or supplier has the right level of access to shared systems and data without unnecessary friction.

CIAM benefits

Balancing security and user experience

The average data breach costs an organization USD 4.44 million. Stolen or compromised account credentials are behind 10% of these breaches, according to the IBM Cost of a Data Breach Report.

Hackers cannot usually escalate into sensitive enterprise systems from a stolen customer account, but they can still wreak plenty of havoc, such as stealing personal data and making fraudulent purchases. If customers don’t think an organization’s systems are safe, they might stop using them.

Organizations have good reason to secure user accounts, but if security requirements are too onerous, users might object to them. Business partners, contractors and suppliers might have a slightly higher tolerance, but their patience isn’t infinite. 

CIAMs can help balance consumer experience and security. CIAMs can help organizations build convenient login experiences while facilitating secure customer access through means such as adaptive authentication, which prompts users for extra credentials only when risk levels are high.   
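The adaptive authentication behavior described here and in the list of authentication methods earlier can be sketched as a risk score mapped to a login decision. This Python sketch is an added example, not code from IBM or any CIAM product; it uses fixed rules in place of the AI/ML analysis the article mentions, and the signals, weights and thresholds are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed weights and thresholds for illustration; a deployed system would
# tune them or replace risk_score() with a model's output.
SENSITIVE_ACTIONS = {"checkout", "change_email", "change_password"}
STEP_UP_AT, DENY_AT = 40, 80


@dataclass(frozen=True)
class LoginContext:
    device_known: bool          # device seen before on this account
    country: str                # country resolved for this request
    usual_countries: frozenset  # countries seen in the account's history
    recent_failures: int        # failed logins on the account in the last hour
    action: str                 # what the session is about to do


def risk_score(ctx: LoginContext):
    """Return (score, reasons); the reasons can be logged or sent to a SIEM."""
    score, reasons = 0, []
    if not ctx.device_known:
        score += 30
        reasons.append("new_device")
    if ctx.country not in ctx.usual_countries:
        score += 30
        reasons.append("unusual_country")
    if ctx.recent_failures > 0:
        # Capped at 40 so that failures alone trigger a step-up but never a
        # denial; otherwise anyone could lock a customer out by guessing.
        score += min(ctx.recent_failures, 5) * 8
        reasons.append("recent_failures")
    if ctx.action in SENSITIVE_ACTIONS:
        score += 15
        reasons.append("sensitive_action")
    return score, reasons


def decide(ctx: LoginContext) -> str:
    """Map the score to allow / step_up (ask for a second factor) / deny."""
    score, _ = risk_score(ctx)
    if score >= DENY_AT:
        return "deny"
    return "step_up" if score >= STEP_UP_AT else "allow"
```

A returning customer on a known device checks out without an extra prompt, while the same checkout from an unrecognized device is asked for a second factor.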

Streamlining compliance

CIAMs can simplify and streamline the process of complying with data privacy and security laws such as the General Data Protection Regulation (GDPR). Self-service consent management tools enable users to set their preferences, and they allow organizations to keep records of consents and preferences. Consent management can help organizations build trust with customers and avoid penalties for noncompliance. 

Building a single source of truth for customer data

In creating a unified experience for all customers, a CIAM also creates a single source of truth for customer data. When customer activity is tied to specific profiles, it becomes easier for organizations to unlock the value of that data.

Users might interact with different pieces of a digital estate, but on the back end, one CIAM powers all these login experiences. All customer identity data feeds into the same repository. Organizations no longer need to stitch multiple datasets together to get a basic understanding of their customers.

CIAMs also help knock down data silos. Regardless of where or how customer data is captured—newsletter sign-ups, orders, app logins—it pours into the same data store. From there, data can be shared with data warehouses, BI apps, AI models and other analytics tools.
