
Customer Identity & Access Management (CIAM)

What is CIAM?

CIAM stands for Customer Identity and Access Management, the capability to manage customer user accounts and access rights. With CIAM, your organization can ensure that customers have secure access to a customer portal and to other applications and data intended for them.

CIAM typically encompasses the following capabilities:

  • Self-service registration

  • Password and consent management

  • Profile generation and management

  • Authentication and authorization into applications

  • Identity repositories

  • Reporting and analytics

  • APIs and SDKs for mobile applications

  • Social identity registration and login

CIAM vs IAM: What Is the Difference?

Both CIAM and IAM manage user accounts and access rights to an organization's IT systems. The difference lies in the audience. IAM systems are designed for your own employees, the internal users of the systems. CIAM focuses on external users: customers, of course, but also partners your organization works with. It typically involves only a few IT systems and only the data for that specific customer or partner. For consumer use cases, it often involves a larger number of accounts.

Benefits of CIAM

The benefits of CIAM include the following:

  • Improving customer registration and login experience

  • Protecting customer data

  • Consolidating various identity stores

  • Seamless, secure end-user experiences

CIAM improves both the security and experience of customer registration and logins. One way of doing this is to enable the use of social media identities (e.g. “Login with Google/Facebook”). By integrating authentication with these platforms, tedious registration processes are bypassed and all future authentication occurs much more quickly. Almost everyone has a Google or Facebook account. Enabling the use of social media-based SSO is a critical advantage of CIAM, and can be enhanced with multifactor authentication (MFA).

Another benefit of CIAM is that it’s a strong method for protecting customers’ data at a large scale. For example, logging in may require multifactor authentication (MFA) via email/SMS-delivered PIN code or other methods—common in the financial industry. These stronger CIAM authentication processes reduce the likelihood of a data breach within the network because of the behaviors and actions of external users.

Identity stores are digital repositories of data that verify machine entities or individual users are who they claim to be when logging in. Large organizations with more than one web property likely employ a separate identity store for each site. By integrating all identity stores under one CIAM, an organization simplifies account management and provides a seamless, “single logon” experience. For example, if a clothing retailer owns multiple brands with their own websites, customers would remain logged in while navigating between each.

CIAM Examples

How does CIAM work in practice? Here are some examples:

  • With a CIAM platform, financial institutions such as banks can provide their customers with direct access to a personalized portal with all account information, transactions, loans, and more.

  • In schools, teachers and staff need access to class schedules and academic results. However, you also want students and their parents to access their personal information, and the exact access rights and capabilities may depend on grade level and age.

  • In our own HelloID platform, a cloud-based IAM environment, every customer has their own account in the service desk system. There, the customer can manage their configuration and view logs and reports.

Looking at these examples also shows the difference from standard IAM functions. In a modern IAM platform like HelloID, there is typically an automatic integration with the HR platform. Access rights are derived immediately from the role and other attributes stored in the HR system. If someone changes roles in the organization, this is updated in the HR system, and the IAM solution then adjusts the corresponding access rights. Employees or their managers can also request additional access rights for a temporary project, for example.

With CIAM, this works differently. Customers, students, and partners are normally not registered in the HR system. For provisioning these accounts, we must source data from other systems. In education, this is the student information system; at a bank, it's a customer system; and in B2B scenarios, the CRM system often serves as the source.

Beyond using different source systems, additional validation layers may be required. Account managers enter customer data in the CRM system themselves, which can easily introduce errors or duplicates. We cover this further in the last paragraph.

Scalability of CIAM

One common difference between CIAM and IAM is the scale of active users. Whereas IAM mostly applies to employees, CIAM must account for all external users. Massive consumer-focused companies, such as retailers, likely have public-facing sites and apps as well as service, support, and account management operations. In these instances, a CIAM solution must be able to support potentially unlimited users—and their data—from around the globe.

In addition to the number of users served in a region or location, CIAM solutions must provide access to unlimited customers during peak usage times. For retail, this may be during certain sales events, promotions, holidays or heightened user engagement. Any quality CIAM solution must be able to handle peaks in user volume while delivering an excellent experience to the customer. Ideally, the CIAM solution should scale up and down automatically, elastically adjusting the resources handling traffic volume. This maximizes performance while minimizing any potential downtime.

Security and accessibility of CIAM

CIAM and IAM differ in their ability to provide security and accessibility to data. CIAM balances customer ease of use with the security of both the customer's and the organization’s data. When MFA is added to the access provision process, CIAM solutions must provide this additional layer of security without causing undue friction to the customer experience.

Likewise, CIAM technology lets organizations give customers access no matter which device or browser is used to reach the data. This provides a consistent and seamless experience, whether the customer accesses the brand property from a website, app, store, or kiosk.

What Should You Look for When Choosing a CIAM Solution?

You can implement a dedicated CIAM platform to manage customer accounts and access. This is often a logical choice for large consumer volumes. For smaller numbers, a modern IAM platform can also suffice if it is prepared for the required CIAM functionality. This allows you to use one solution and work toward a 'holistic identity management' approach.

HelloID is one such example. Within a B2B organization, you can manage accounts for the customer portal in addition to your own employees. For regular employees, HelloID typically uses the HR system as the source. Since contract data and role changes are maintained accurately there, it forms the ideal backbone for your identity lifecycle. Managing customer accounts usually requires more attention. When you create a new customer relationship in the CRM, a connection with HelloID allows you to create customer accounts automatically. At the same time, a CRM system does not set an end date by default. Account managers are also usually less focused on keeping customer information continuously up to date. It then helps if you can automate routine checks or cleanup actions as well. For this, the HelloID service automation module is ideally suited.
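A sketch of the routine checks described above, together with the duplicate problem mentioned under CIAM Examples. This is an added example, not HelloID code or its service automation module; the record fields, the 180-day idle threshold and the sample data are assumptions.

```python
from datetime import date, timedelta

# Constructed sample of CRM-sourced customer accounts.
# Field names are assumptions, not a HelloID or CRM schema.
ACCOUNTS = [
    {"id": "c-001", "email": "Ana.Lopez@example.com", "end_date": None,
     "last_login": date(2024, 5, 30)},
    {"id": "c-002", "email": " ana.lopez@example.com", "end_date": None,
     "last_login": date(2023, 1, 10)},
    {"id": "c-003", "email": "bo@example.org", "end_date": date(2024, 3, 31),
     "last_login": date(2024, 3, 1)},
    {"id": "c-004", "email": "cy@example.net", "end_date": None,
     "last_login": None},
    {"id": "c-005", "email": "di@example.net", "end_date": None,
     "last_login": date(2024, 6, 1)},
]

def normalize_email(email):
    """Hand-typed CRM entries differ in case and stray whitespace."""
    return email.strip().lower()

def find_duplicates(accounts):
    """Map each normalized email used more than once to its account ids."""
    groups = {}
    for acct in accounts:
        groups.setdefault(normalize_email(acct["email"]), []).append(acct["id"])
    return {email: ids for email, ids in groups.items() if len(ids) > 1}

def review_queue(accounts, today, max_idle_days=180):
    """Return {account_id: reason} for accounts that need a cleanup review."""
    cutoff = today - timedelta(days=max_idle_days)
    flagged = {}
    for acct in accounts:
        end, last = acct["end_date"], acct["last_login"]
        if end is not None and end < today:
            flagged[acct["id"]] = "past end date"
        elif end is None and last is None:
            flagged[acct["id"]] = "no end date, never logged in"
        elif end is None and last < cutoff:
            flagged[acct["id"]] = "no end date, idle"
    return flagged

if __name__ == "__main__":
    today = date(2024, 6, 15)  # fixed date so the sample output is stable
    print("duplicates:", find_duplicates(ACCOUNTS))
    for acct_id, reason in review_queue(ACCOUNTS, today).items():
        print(acct_id, "->", reason)
```

The functions only flag accounts for review; whether a flagged account is disabled, merged or left alone remains a decision for the account owner.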

We also often introduce a blended IAM and CIAM solution for educational institutions. Education systems usually record student start and end dates accurately. As a result, we can automatically manage all student accounts with HelloID, in addition to employee accounts. You can further secure access with MFA (Multifactor Authentication) to protect sensitive personal data.

Moreover, in higher education, people often fulfill a mix of roles. A senior student may also work as an employee mentoring first-year students, and academic instructors often enroll in certain courses as students. Therefore, it is especially useful to avoid separate IAM and CIAM platforms and to use an integrated (C)IAM solution with HelloID.

How do you choose a CIAM solution?

Focus on the usability, security, and scalability of access management. If it does not involve a large number of consumers, it is advisable to check whether your IAM solution can also support customers. HelloID would be a good option for this use case.

Why is privacy important for CIAM?

Privacy is important for both IAM and CIAM systems. Privacy is sometimes emphasized more with CIAM because mistakes in CIAM management can increase the impact of a data breach. You do not want customers to gain access to each other’s data by accident.

What type of user is CIAM intended for?

CIAM stands for Customer Identity and Access Management. CIAM capabilities are also used for partners that organizations work with. They often receive access to a subset of applications and data.