Customer IAM (CIAM) – Turning Identity Data Into Gold!

8 Apr, 2018

Transforming the customer experience is at the heart of digital transformation. Digital technologies are changing the game of customer interactions, with new rules and possibilities that were unimaginable few years ago. Customer Identity and Access Management (CIAM) is an emerging area in IAM, which is an essential ingredient for creating digital customer experiences. Today’s increasingly sophisticated customers view digital interactions as the primary mechanism for interacting with brands and, consequently, expect deeper online relationships delivered simply and seamlessly.

The role CIAM plays in an enterprise today carries the same weight a business API has had in the industry for several years. In 2013, 90% of Expedia’s business was coming through its APIs. Salesforce generates almost 50% of its annual $3 billion in revenue through APIs, while at eBay APIs contribute 60% of the annual revenue. Just as APIs became the public face of your company, CIAM drives revenue growth by leveraging identity data to acquire and retain customers. It’s your new public face! CIAM builds, and drives, the layer of interactions with the customer.

According to the latest Forrester report on CIAM, 67% of the Asia Pacific market, 64% of North America market and 54% Europe market have adopted CIAM.

Workforce IAM vs CIAM

Customer-focused IAM systems are different from their traditional IAM (workforce IAM) counterpart. Workforce IAM looks inward. It focuses on B2E (business-to-employee) and B2B (business-to-business) interactions. The goal of workforce IAM is to reduce the risk and cost associated with on-boarding and off-boarding employees, partners, and suppliers, while the purpose of customer IAM (CIAM) is to help drive revenue growth by leveraging identity data to acquire and retain customers. If CIAM processes are cumbersome, customers will go to your competitors where these processes are more streamlined or easier to use. The same is not true of employees. Very few employees leave their employer because business-to-employee (B2E) IAM processes are archaic or difficult to use.


In B2E IAM, on-boarding is the responsibility of the employer, while in B2C it is mostly self-service. In other words, for employees, it’s the HR department that initiates the employee on-boarding process and remains the owner of user accounts, while for customers, it can be any of the following cases:

Progressive Profiling

A CIAM system provides the ingredients to nurture an anonymous user into a well-known customer. Progressive profiling is the process by which a system learns about a customer in a progressive manner. First, the anonymous user is just a visitor to the company web site. His/her preferences can be tracked via cookies and the company can promote content that is interesting to him/her. At some stage, the anonymous user becomes a lead by completing a contact form. Now the CIAM system has the opportunity to link all the preferences tracked against the anonymous user with the new lead. Over time the preferences of the lead can be tracked in a more meaningful way — and the company’s marketing/sales team can work in a collaborative manner to make him/her a customer. At this point you collect the most reliable data about the customer — with proper verification. From there onwards, the CIAM system keeps tracking customer preferences — and produces more meaningful data for company management to make better-informed decisions. Once the customer decides to sign up with credentials (maybe to use the company’s online portal), the CIAM system has the opportunity to track and relate all user interactions together to build one unified user profile.
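The three stages above (cookie-tracked visitor, lead from a contact form, verified customer) as a small profile store, added here as an illustration rather than code from the original post. The assurance labels `observed`, `self_asserted` and `verified` and the merge rule (a better-assured value is never overwritten by a weaker one) are assumptions of this example.

```python
from dataclasses import dataclass, field

# Assurance levels for a profile attribute, lowest to highest (labels assumed).
LEVELS = {"observed": 0, "self_asserted": 1, "verified": 2}

@dataclass
class Profile:
    ids: set = field(default_factory=set)      # cookie ids, lead ids, customer id
    attrs: dict = field(default_factory=dict)  # attribute name -> (value, level)

    def put(self, name, value, level):
        """Keep the best-assured value; a cookie signal never overwrites verified data."""
        current = self.attrs.get(name)
        if current is None or LEVELS[level] >= LEVELS[current[1]]:
            self.attrs[name] = (value, level)

class ProfileStore:
    def __init__(self):
        self.profiles = {}  # any known id -> the one unified Profile

    def track(self, anon_id, name, value):
        """Stage 1: preference observed for an anonymous (cookie) visitor."""
        p = self.profiles.setdefault(anon_id, Profile({anon_id}))
        p.put(name, value, "observed")
        return p

    def link(self, anon_id, lead_id, form):
        """Stage 2: a contact form ties the anonymous history to a new lead."""
        p = self.profiles.setdefault(anon_id, Profile({anon_id}))
        p.ids.add(lead_id)
        self.profiles[lead_id] = p
        for name, value in form.items():
            p.put(name, value, "self_asserted")
        return p

    def verify(self, lead_id, customer_id, verified):
        """Stage 3: on-boarding as a customer with properly verified data."""
        p = self.profiles[lead_id]
        p.ids.add(customer_id)
        self.profiles[customer_id] = p
        for name, value in verified.items():
            p.put(name, value, "verified")
        return p
```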


Authentication in a CIAM system differs in many ways from a traditional IAM (workforce IAM) system. Let’s walk through the differences and the similarities:

Self-service Portal

The audience of the self-service portal in a CIAM system is the customer. It is the one-stop shop for a customer to view/update his/her profile, manage consent given to third-party applications, reset the password, manage credentials, manage preferences, configure account recovery options, view concurrent login sessions, view activity logs, request a data export, associate social logins, etc. Security and compliance are two important aspects of CIAM. If you are familiar with the General Data Protection Regulation (GDPR), you might have already noticed that some of the self-service portal functions listed above are driven by it.

CxO Dashboard

One of the key objectives of CIAM is to drive revenue growth by leveraging identity data to acquire and retain customers. The audience of the CxO dashboard is comprised of corporate executives who are keen on tracking the revenue growth from multiple angles. The CxO dashboard, which talks to multiple data sources, will focus on building insights around the following – the growth of customers/leads over time, the growth of the customer/lead base over time, active customers/leads over time, customers/leads by geography, the conversion rate over time from leads to customers, the frequently used business functions by customers/leads, the conversion rate over time from existing customers to online customers, inactive customers/leads by age (inactivity) by region, and customers/leads access patterns by the channel (web/mobile).

Security, Compliance, and Fraud Detection

Any CIAM system should make security its top priority. Any kind of security breach at this layer would have a direct impact on the company’s revenue and reputation. As organizations grow, more and more customer identity data are collected to make more personalized, context-based decisions. These can be personally identifiable information or contextual information. Whatever it is, organizations are bound to follow rules and regulations enforced by governments and different industry bodies. For example, in the US we have federal-level legislation such as SOX (Sarbanes-Oxley Act) and GLBA (Gramm-Leach-Bliley Act) focused on the financial sector, FERPA (Family Educational Rights and Privacy Act) in the education sector, and HIPAA (Health Insurance Portability and Accountability Act) in the healthcare sector.

GDPR in Europe intends to strengthen and unify data protection for individuals within the European Union (EU). It also addresses the export of personal data outside the EU. The primary objectives of GDPR are to give EU residents control of their personal data and simplify the regulatory environment for international business by unifying the regulation within the EU. In Singapore, PDPA (Personal Data Protection Act) stipulates that consent must be obtained before personal data is collected. The Privacy Act in Australia regulates how personal information is handled.

With online fraud rising by 40% in the last year in the US alone, fraud detection has become an integral part of a CIAM infrastructure. A CIAM system can contribute to fraud detection in two ways: feed the fraud detection engine with security-related events, and listen to and enforce the feedback from it. For example, all your login and access patterns will be fed into the fraud detection engine, and then, based on the anomaly detection algorithms/rules you define, the system has to respond to fraud events, possibly by blocking the transactions, locking the customer accounts, and generating alerts to the responsible parties. If you log in to your account from the USA first and then within one hour from China, that’s possibly a fraudulent event with a high fraud score. If you access online services between 9 PM and 11 PM GMT 90% of the time, and someone suddenly accesses the system between 2 AM and 3 AM, that too could be a fraudulent event with a medium fraud score.
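The two rules just described (a login from a second country within an hour, and a login outside the hours that hold 90% of a customer’s past accesses) as scoring logic over a constructed login history, with the enforcement side mapping the score back to an action. This is an added example, not code from the original post; the score thresholds, the one-hour window and the country-change check standing in for real geo-velocity are assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed login history for one customer (not from the original post):
# (UTC timestamp, country). Nine evening logins from the US plus one at 14:00.
HISTORY = [(datetime(2018, 3, d, 21, 30, tzinfo=timezone.utc), "US") for d in range(1, 10)]
HISTORY.append((datetime(2018, 3, 10, 14, 0, tzinfo=timezone.utc), "US"))

IMPOSSIBLE_TRAVEL_WINDOW = timedelta(hours=1)  # article: US, then China within an hour
TYPICAL_HOUR_SHARE = 0.9                        # article: 90% of accesses in one window

def typical_hours(history):
    """UTC hours that together hold at least 90% of this customer's past logins."""
    counts = Counter(ts.hour for ts, _ in history)
    total = sum(counts.values())
    hours, covered = set(), 0
    for hour, n in counts.most_common():
        hours.add(hour)
        covered += n
        if covered / total >= TYPICAL_HOUR_SHARE:
            break
    return hours

def score_login(history, ts, country):
    """Score a new login 0-100 using the two rules from the article.
    A country change inside the window is a crude stand-in for geo-velocity."""
    score, reasons = 0, []
    last_ts, last_country = history[-1]          # history is chronological
    if country != last_country and ts - last_ts <= IMPOSSIBLE_TRAVEL_WINDOW:
        score = max(score, 90)                   # high fraud score
        reasons.append(f"impossible travel {last_country}->{country}")
    if ts.hour not in typical_hours(history):
        score = max(score, 50)                   # medium fraud score
        reasons.append(f"unusual hour {ts.hour:02d}:00 UTC")
    return score, reasons

def respond(score):
    """Action the CIAM system enforces on the engine's feedback (thresholds assumed)."""
    if score >= 80:
        return "block_transaction_and_lock_account"
    if score >= 40:
        return "step_up_authentication_and_alert"
    return "allow"
```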

Some CIAM systems do assign a trust level to each account at the point of on-boarding. This score is based on past behavior and takes phone number intelligence, AI-based traffic pattern analysis, and data from global information services into account. This helps the business to make policy decisions about how to treat such identities.

Omnichannel Access

When you subscribe to Newsweek magazine, you pick the type of subscription: print, digital, or both. The digital subscription is available through the web, iPhone or iPad. In an omnichannel environment, customers interact with the business via multiple channels, but still get a seamless and continuous user experience. For example, if you use the Newsweek iPhone app to highlight some content, once you view the same content from the web, you should find that it’s still highlighted. Amazon took the retail order-placing system to the next level with Alexa. An Amazon customer can place an order via its web site, mobile app, or Kindle in addition to Alexa. Amazon has brick-and-mortar stores too. When Jeff Bezos announced the launch of Amazon Books (a brick-and-mortar store) a couple of years back, his intention was to bring the same digital experience to the real world. You will be able to see the book reviews, ratings, and many other features of the digital world in Amazon Books.

One cannot avoid mentioning Amazon repeatedly when talking about the innovation happening in the retail sector. The Amazon Go convenience store in Seattle uses sensors to track items as shoppers place them in baskets or return them to the shelf, while the shopper’s Amazon account is automatically charged. This is an even better experience than shopping via its online counterpart. The wifi-connected Amazon Dash button provides a store-less experience to Amazon customers – one click allows you to place your order and have it delivered to your home.

The bottom line here is that companies in many verticals (not just retail), are looking to deliver better, seamless customer experiences through multiple channels. The role of a CIAM infrastructure in an omnichannel environment varies from authenticating the customer through multiple channels to managing the customer preferences through multiple channels to build a unified customer profile.

Help Desk and Delegated Administration

Honan, a reporter for Wired magazine in San Francisco, experienced a situation where his iPhone, MacBook, and backups on iCloud were all wiped out by hackers. He also lost control of his Gmail and Twitter accounts. All this started with a simple social engineering hack executed against the Amazon help desk. The hackers were able to figure out the last four digits of Honan’s credit card by talking to the Amazon help desk. Using these details and Honan’s billing address (which was readily available in the whois internet domain record Honan had for his personal website), the hackers were then able to call the Apple help desk and reset his iCloud password.

In general, many help desk operators rely on verifying static data about the customer: for example, mother’s maiden name, birthdate, last four digits of the social security number, billing postal code, etc. None of these data are hard to find if someone is a little desperate. What would be the best way to identify a customer who is calling the help desk? This is where progressive profiling comes in handy. Let’s say it’s a bank — you can ask which restaurant the customer visited the most in the previous month, what his/her favorite grocery store is, when he/she paid the last credit card bill, etc. Some do verify that the caller is the true owner of the account by sending a code to the registered phone or email address. However, these questions cannot be used individually – there has to be a collection of them.

Identity verification is only one part of help desk administration. The CIAM infrastructure should allow granular access to relevant personal and transactional data, possibly via an API for help desk operations. Apart from authentication, the API should audit all the queries done by the help desk administrator — and any query from a help desk administrator should be mappable to a help desk request from a customer. Even though help desk administrators have access to some customer data, they should not have the right to query the data without consent from the corresponding customer.

Impersonation is the other key part of help desk administration. Once the caller is identified, the help desk administrator may need to log in to the customer portal as the customer and see what he/she has done, or guide him/her through what needs to be done. CIAM systems should provide the ability for help desk administrators to impersonate other users (customers). Both the CIAM system and the customer portal should be aware that everything done by the help desk administrator is an impersonation act. Possibly, during an impersonation act, when the help desk administrator tries to log in to the customer’s account, the system should send a message to the customer’s registered mobile number or email address seeking approval. The approval granted should be valid for a few minutes only, and the portal should automatically log out the help desk administrator once it expires.
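The help desk controls from the two paragraphs above (every query tied to an open request from that customer and audited; impersonation gated on a customer approval that is single-use, time-limited and flagged in the session) as one small gateway. This is an added example, not code from the original post or any product; the `HelpDeskGateway` class, the five-minute approval lifetime and the ticket-to-customer mapping used as the consent check are assumptions.

```python
import secrets
from datetime import datetime, timedelta, timezone

APPROVAL_TTL = timedelta(minutes=5)  # assumption for "a few minutes"

class HelpDeskError(Exception):
    pass

class HelpDeskGateway:
    """Hypothetical API between help desk operators and customer data."""

    def __init__(self, customer_data, open_tickets):
        self.customer_data = customer_data  # customer_id -> attributes
        self.open_tickets = open_tickets    # ticket_id -> customer_id who raised it
        self.audit_log = []                 # (operator, ticket, customer, action)
        self.pending = {}                   # approval code -> (operator, customer, expiry)

    def _authorize(self, operator, ticket_id, customer_id, action):
        """Every operation must map to an open request from that same customer."""
        allowed = self.open_tickets.get(ticket_id) == customer_id
        self.audit_log.append((operator, ticket_id, customer_id,
                               action if allowed else f"DENIED {action}"))
        if not allowed:
            raise HelpDeskError("no open help desk request from this customer")

    def query(self, operator, ticket_id, customer_id, fields):
        """Granular read of selected attributes, audited and tied to a ticket."""
        self._authorize(operator, ticket_id, customer_id, f"READ {sorted(fields)}")
        return {f: self.customer_data[customer_id][f] for f in fields}

    def request_impersonation(self, operator, ticket_id, customer_id, now):
        """Issue a short-lived approval code for the customer's registered channel."""
        self._authorize(operator, ticket_id, customer_id, "IMPERSONATION_REQUESTED")
        code = secrets.token_hex(4)
        self.pending[code] = (operator, customer_id, now + APPROVAL_TTL)
        return code  # delivered to the customer's phone/e-mail in a real system

    def start_impersonation(self, operator, code, now):
        """Customer relays the code back; open a flagged, time-boxed session."""
        op, customer_id, expires = self.pending.pop(code, (None, None, None))
        if op != operator or expires is None or now >= expires:
            raise HelpDeskError("approval missing, expired, or for another operator")
        self.audit_log.append((operator, None, customer_id, "IMPERSONATION_STARTED"))
        return {"subject": customer_id, "actor": operator,
                "impersonation": True, "expires": expires}

def session_is_live(session, now):
    """Portal check on every request: auto-logout once the approval expires."""
    return session.get("impersonation", False) and now < session["expires"]
```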


A CIAM system has to worry about scalability from day one. A workforce IAM system may expect thousands of users, whereas a CIAM system works with millions, resulting in thousands of concurrent logins. You will find a considerable difference between average load and peak load in most of these systems. The peak load is many times the average load, and may only occur for a few hours on a couple of days per month. Let me give you an example. One of the financial institutions that WSO2 worked with was building an IAM infrastructure for over 1.5 million customers. On an average day, they expect 350,000 logins, with daily peak times around 9 AM to 10 AM, 12 PM to 1 PM, and 3 PM to 4 PM. Even if we assume 300,000 users will log in to the system during these peak times, the expected load per minute would be around 1,700 users. However, for 2 days every month, they expect 5,000 logins per second, that is 300,000 users per minute. That’s a huge difference between the daily peak load and the monthly one. It’s not cost effective to plan the infrastructure and keep it running to target the peak load all the time, as it’s a waste of system resources and money. In such cases, the best option is to build a dynamic scaling model where system resources spin up to address increasing load, and when the load goes down, the servers shut down too.

High availability is another key aspect of a CIAM infrastructure. You may have geographically distributed data centers, where some act as active data centers while others are used for disaster recovery (DR). Active data centers cater to live traffic, while the DR centers stay in standby mode so that if an entire data center goes down, the traffic is diverted to the DR center. Within an active data center itself, there will be a cluster of nodes taking the load in an equally distributed manner, so if one node goes down it will not take the whole infrastructure down.

APIs and Integration

A CIAM system is not an all-in-one solution. Its power depends on how well it can function in a larger ecosystem. A CIAM system should know how to integrate with multiple data sources, customer relationship management (CRM) systems (like Salesforce, SugarCRM, Microsoft Dynamics, NetSuite CRM, etc.), marketing platforms/solutions (like Dataxu, Appboy, MailChimp, Google Analytics, Salesforce Pardot, etc.), e-commerce platforms (like Shopify, Magento, Oracle Micros, etc.), fraud detection solutions, risk engines, content management systems (like Microsoft SharePoint, Drupal, WordPress, Joomla, DotNetNuke, etc.), data management platforms (like BlueConic, DoubleClick, Lotame, Krux, etc.), and many more.

CIAM, Marketing Automation, and CRM

A CIAM system is not going to replace the need for a marketing automation platform or a CRM system — but it integrates with them — and provides a foundation layer for more targeted marketing and lead nurturing. For example, Marketo, a leading marketing automation software provider, defines marketing automation as a system that allows companies to streamline, automate, and measure marketing tasks and workflows. Salesforce, a leading CRM software provider, defines CRM as a strategy for managing all company interactions with current and prospective customers. The marketing automation system tracks the behavior of an anonymous user throughout the phases of being a raw lead, a viable lead, a nurtured lead, and an active lead. The CRM system starts where the marketing automation stops — it tracks the user throughout the phases of marketing qualified lead, sales accepted lead, opportunity, and finally closed-won. Up to this point the CIAM system does not know anything about the user, and at the end of the day the customer is on-boarded. The CIAM system can now track all the user access patterns in a more trustworthy manner, and with data feeds from the CIAM system, the marketing automation system can drive its marketing campaigns in an identity-driven approach. Following are some of the key benefits of a CIAM system that integrates well with marketing automation and CRM systems:


CIAM drives revenue growth by leveraging identity data to acquire and retain customers. It’s the new public face of your company. CIAM differs from traditional IAM (or workforce IAM/employee IAM) in many ways. User experience rules everything in CIAM, in addition to privacy and security — it’s not an ‘or’ but an ‘and’. Customer on-boarding, progressive profiling, social integrations, strong authentication, self-service, help desk and delegated administration, and scalability are the key areas any CIAM infrastructure should worry about. Identity data is the new gold and CIAM is a mainstream business capability.