CIAM – What about it?

Having looked at a few facets of conventional IAM, it is time to thicken the plot and look at an important and critical sub-genre: CIAM, whose sole purpose is customer identity governance and management. Our vendors, partners and B2B customers need access to platforms operated by the organization, and that access must be managed not just at the identity level; it can also be integrated with other elements such as licensing, document management, software management and patch management. We will take a holistic look at this today.

CIAM enables organizations to scale and to deliver secure, seamless digital experiences to their customers, while collecting and managing customer identity data purposefully. Solutions in this space provide a range of key features, including customer registration, social logins, account verification, self-service account management, consent and preference management, single sign-on (SSO), multi-factor authentication (MFA) and adaptive authentication, as well as other nice-to-have features.

CIAM <-> IAM – What is the difference?

IAM vs CIAM

Some key benefits of CIAM from an ROI perspective are as follows:

  • Provides the organization with a holistic view of the customer's digital footprint and helps it understand customer actions and behavior.
  • Ensures a seamless customer experience from both a UI and a usability standpoint. This delights customers and thereby retains them for a longer, more fruitful relationship.
  • Produces statistical and analytical data that can be used to identify sales opportunities.
  • Ensures all privacy regulations are met and answers external audits as needed, which in turn increases customer trust.
  • Acts as a liaison between IT, Information Systems, Sales, Marketing, Analytics and customers to deliver offerings that keep the customer delighted while ensuring a safe and secure environment.

Here is a look at some of the key features that build a CIAM setup:

A very high level overview of CIAM capabilities

Each of the above features warrants a separate discussion, but even at a glance there is a noticeable difference between what we see here and conventional enterprise IGA, especially around trust, digitization, privacy and sales. This is the prime reason a niche area exists that is a must-have for every organization that handles a customer base and struggles to maintain an inventory of this critical information.

To expand on this idea, no CIAM setup can be complete without its key pillars, which are as follows:

  • Multi Factor Authentication
  • Privacy & Compliance
  • Scalability
  • API based Integrations
  • Analytics

Of these, we are primarily going to discuss Integration, because this is what makes CIAM different.

APIs & Integration

What API based systems look like. Quite a labyrinth, isn’t it?

Whenever we think about digital transformation within an organization, integration efforts are at the forefront of the requirement set, and the same holds within the CIAM ecosystem.

CIAM is usually not tied to a single solution; it is the ability to make one or more solutions work together through smart integration initiatives (by whatever means necessary, though APIs are the way to go). There are multiple options in the market that make it easy to use REST APIs to integrate a multitude of applications covering the following broad domains:

  • Data Objects and Stores
  • Directory Services/LDAP
  • CRM Systems
  • HR/ERP Systems – Source of Truth
  • Marketing Solutions
  • E-Commerce Platforms
  • Analytics & Sales Solutions (Opportunity & Sales)
  • Content Management Systems
  • Fraud Detection Systems

Each of these contributes significantly to a fully functional CIAM layer, which needs to be treated as organization-owned IP and is usually maintained within the walls of the organization, augmented by vendors and partners wherever possible.
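The integration layer described above is where customer data leaves the CIAM platform for the CRM, marketing, analytics and fraud systems, so it is also where privacy and consent are either enforced or lost. The following is an added example written for this article, not code from any CIAM product: a registration event is fanned out to several downstream integrations, each of which receives only the attributes on its allow-list, and integrations tied to a consent purpose are skipped when that consent is absent. The downstream system names, field names and consent purposes are assumptions chosen for the demonstration.

```python
"""Consent-gated, field-minimised fan-out of a CIAM registration event.

Added example for this article (not code from any CIAM product). The
downstream systems, attribute names and consent purposes are assumptions.
The point: every integration sees the minimum it needs, so no partner
system silently becomes a full copy of the customer record.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample record, as a CIAM platform might hold it after self-registration.
SAMPLE_CUSTOMER = {
    "customer_id": "c-1001",
    "email": "alice@example.com",
    "full_name": "Alice Example",
    "phone": "+15555550100",
    "date_of_birth": "1990-04-12",
    "signup_ip": "203.0.113.7",
    "device_fingerprint": "fp-abc123",
    "consents": {"marketing": False, "analytics": True},
}


@dataclass(frozen=True)
class Integration:
    """A downstream system and the minimum set of attributes it may receive."""
    name: str
    allowed_fields: frozenset
    required_consent: Optional[str] = None  # consent purpose that must be granted, if any


# Assumed integration catalogue; each allow-list is deliberately narrow.
INTEGRATIONS: List[Integration] = [
    Integration("crm", frozenset({"customer_id", "email", "full_name"})),
    Integration("marketing", frozenset({"customer_id", "email"}), required_consent="marketing"),
    Integration("analytics", frozenset({"customer_id"}), required_consent="analytics"),
    Integration("fraud", frozenset({"customer_id", "signup_ip", "device_fingerprint"})),
]


@dataclass
class Dispatch:
    """What would be sent to one integration, or why it was skipped."""
    target: str
    payload: Optional[Dict[str, str]]
    skipped_reason: Optional[str] = None


def minimise(record: Dict, allowed: frozenset) -> Dict[str, str]:
    """Return only the attributes the integration is permitted to receive."""
    return {k: v for k, v in record.items() if k in allowed}


def fan_out(record: Dict, integrations: List[Integration]) -> List[Dispatch]:
    """Build one outbound payload per integration, honouring consent and allow-lists."""
    consents = record.get("consents", {})
    dispatches = []
    for integ in integrations:
        if integ.required_consent and not consents.get(integ.required_consent, False):
            dispatches.append(Dispatch(integ.name, None, f"consent '{integ.required_consent}' not granted"))
            continue
        payload = minimise(record, integ.allowed_fields)
        # Defensive invariant: nothing outside the allow-list may ever leave.
        assert set(payload) <= integ.allowed_fields
        dispatches.append(Dispatch(integ.name, payload))
    return dispatches


def dispatch_map(dispatches: List[Dispatch]) -> Dict[str, Dispatch]:
    """Index dispatches by target name; doubles as the audit record of what went where."""
    return {d.target: d for d in dispatches}


if __name__ == "__main__":
    for d in fan_out(SAMPLE_CUSTOMER, INTEGRATIONS):
        print(d.target, d.payload if d.payload is not None else f"skipped: {d.skipped_reason}")
```

The list of `Dispatch` objects is the useful by-product: it is exactly the record an external audit asks for (which attributes were shared with which system, and which transfers were withheld for lack of consent). Wiring each adapter to a real REST call is left out so the example runs offline.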

Identity & Access Management – a business/security requirement.

In the current day and age of information systems, where workloads are quickly being consumed by cloud service providers as IaaS, PaaS or SaaS offerings, it is only Identity, Access and Data that always remain a customer responsibility and an ownership accountability. These can only be decided and assigned by owners who know “Who is Who”, “Who needs access to What” and “For how much Time”.

This further contributes to plans around data security, which is of course augmented by other security best practices, but all of that depends heavily on a simple question:

“Does the new person/system – and more recently a robot – who has joined our organization have access, and if yes, is the access based on the least privilege and need-to-know principles?”

If we break IAM down as a program, it consists of the key sections described below.

Executive Summary

Identity and Access Management (IAM) is the process of creating value and addressing IT governance and compliance by effectively and efficiently managing:

  • Creation of user identities (accounts) in application systems
  • Authenticating the identity of users
  • Managing users’ access to information resources
  • Monitoring what users are doing with that access
  • Improving provisioning turnaround times

Weak controls in current IAM processes are a significant obstacle to achieving audit control reliance across key business systems. Once this is formally recognized by organizations, their businesses and their security teams, an IAM Program is born.

In addition, IAM processes (notably the controls around onboarding of new users, movement within the organization and final termination) should underpin the organization’s own governance framework and regulatory compliance.

If left unmanaged, this can result in an end-to-end lead time of several days for a new hire to get the required access. As a result, user accounts may be shared, with limited ability to track an individual user’s authorizations and activity.

The lack of appropriate processes and controls for de-provisioning users leads to rogue user accounts persisting in multiple applications even though the users have left the organization or moved to other departments. In addition, there are users holding access they no longer require to fulfil their current job role. Key management stakeholders, such as the CISO/CTO, also consider this one of the main causes of fraud in an organization.

An IAM program aims to design and develop a robust IT controls framework for the organization around an Identity and Access Management suite, and thereby aid the creation of an effective IT controls environment.

Business Drivers

Let’s try to define the business drivers behind the Identity and Access Management efforts within an organization. This section also lists the Critical Success Factors that the project must meet to be declared a success.

1) Goals

  1. Devise efficient systems that allow the organization to comply effectively with its compliance requirements, such as SOX and other mandated regulatory frameworks.
  2. Protect Sensitive and Personally Identifiable (SPI) client data, which allows the organization to gain and maintain the trust of its customers.
  3. Streamline the user identity and access management process and make it efficient across IT systems, which enhances productivity per person.
  4. Reduce the cost of administration related to user IDs, passwords, account approvals, etc., which in turn increases the productivity of critical and specialized system administrators.
  5. Reduce the cost of audits and governance by enabling a consolidated, real-time view of the access owned by each user across multiple IT systems. This also allows the organization to detect fraud proactively and take the necessary action to avoid damage to its brand.

Based on the business goals, the following objectives are derived from the improved Identity and Access Management processes and controls: improved compliance; reduction of financial, legal, regulatory and operational risk; cost containment; and business agility.

The objective of the organization’s IAM Program is to manage and to improve controls reliance on core revenue generating and high-risk systems through:

  • Creation of user identities in appropriate IT and business applications
  • Verification of user identities
  • Appropriate authorization of users into systems
  • Management of changes to users’ roles and their related access
  • Removal of user access when access is no longer required
  • Maintaining an audit trail of the end-to-end user account lifecycle
  • Rationalized and simplified provisioning processes
  • Tracked allocation of assets and software licenses to individual users

2) Value Proposition

The proposed Identity and Access Management solution will help the organization in:

  1. Establishing a unified user ID across its IT systems, which leads to increased productivity and better traceability of user activities.
  2. Streamlining and automating the user account lifecycle process (creation, modification, deletion), which shortens turnaround time, increases user productivity and simplifies user account administration.
  3. Establishing an access governance process using proven features such as account recertification and reconciliation.
  4. Providing a unified, centralized, real-time view of the access owned by an individual, which improves the security posture and helps satisfy regulatory requirements.
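The reconciliation and recertification features named in point 3 are how a program actually finds the rogue accounts of leavers, the leftover entitlements of movers, and the dormant accounts described in the Executive Summary. The following is an added example written for this article, not code from any IAM suite: it reconciles a managed application's account export against an HR source of truth and a role model, and emits one finding per problem with a recommended action. The HR feed, role-to-entitlement model, application export and the 90-day dormancy threshold are all constructed assumptions.

```python
"""Reconciliation of application accounts against an HR source of truth.

Added example for this article (not code from any IAM suite). The HR feed,
role model, application export and dormancy threshold are constructed
assumptions. Three situations are detected: orphan accounts with no active
HR record (leavers or untracked accounts), excess entitlements that the
user's current role does not grant (movers), and dormant accounts that
should go into the next recertification cycle.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Set

# Constructed HR feed (source of truth): employment status and current role.
HR_FEED = {
    "e100": {"status": "active", "role": "finance_analyst"},
    "e101": {"status": "active", "role": "support_agent"},  # moved here from finance
    "e102": {"status": "terminated", "role": "developer"},
    "e103": {"status": "active", "role": "developer"},
}

# Assumed role model: the entitlements each role is allowed to hold.
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "finance_analyst": {"erp.read", "erp.post_journal"},
    "support_agent": {"crm.read", "crm.update_ticket"},
    "developer": {"scm.read", "scm.write"},
}

# Constructed export from one managed application: holder, entitlements, last login.
APP_ACCOUNTS = [
    {"user": "e100", "entitlements": {"erp.read", "erp.post_journal"}, "last_login": date(2024, 5, 30)},
    {"user": "e101", "entitlements": {"crm.read", "crm.update_ticket", "erp.post_journal"}, "last_login": date(2024, 6, 1)},
    {"user": "e102", "entitlements": {"scm.read", "scm.write"}, "last_login": date(2024, 1, 15)},
    {"user": "e103", "entitlements": {"scm.read"}, "last_login": date(2024, 1, 20)},
    {"user": "svc_legacy", "entitlements": {"erp.read"}, "last_login": date(2023, 11, 2)},
]

# Reference date for the sample run (constructed).
AS_OF = date(2024, 6, 10)


@dataclass(frozen=True)
class Finding:
    user: str
    kind: str  # "orphan", "excess_entitlement" or "dormant"
    detail: str
    recommended_action: str


def reconcile(hr: Dict, roles: Dict[str, Set[str]], accounts: List[Dict],
              today: date, dormant_after_days: int = 90) -> List[Finding]:
    """Compare application accounts with HR and the role model; return findings."""
    findings: List[Finding] = []
    for acct in accounts:
        user = acct["user"]
        hr_rec = hr.get(user)
        if hr_rec is None or hr_rec["status"] != "active":
            # Leaver or an account HR does not know about at all.
            findings.append(Finding(user, "orphan", "no active HR record",
                                    "disable account and revoke all entitlements"))
            continue
        allowed = roles.get(hr_rec["role"], set())
        for ent in sorted(acct["entitlements"] - allowed):
            # Entitlement survived a role change (mover) or was granted out of band.
            findings.append(Finding(user, "excess_entitlement",
                                    f"{ent} not granted by role {hr_rec['role']}",
                                    f"remove {ent} or obtain re-approval"))
        if (today - acct["last_login"]).days > dormant_after_days:
            findings.append(Finding(user, "dormant",
                                    f"last login {acct['last_login'].isoformat()}",
                                    "include in next recertification cycle"))
    return findings


def summarise(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per kind; handy as a control metric across cycles."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


def run_sample() -> List[Finding]:
    """Run the reconciliation over the constructed data as of AS_OF."""
    return reconcile(HR_FEED, ROLE_ENTITLEMENTS, APP_ACCOUNTS, AS_OF)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.kind:18} {f.user:10} {f.detail} -> {f.recommended_action}")
    print(summarise(run_sample()))
```

Note the ordering of the checks: an account with no active HR record is reported once as an orphan and not also as dormant or over-entitled, because the only correct action for it is disablement; the per-entitlement comparison is what catches a mover like e101, who kept a finance entitlement after moving to support, and the dormancy check feeds recertification rather than automatic removal, since a low-use account is a review item, not by itself a violation.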

3) Success Criteria:

An IAM Program can be considered a success if it provides the high-level functionalities below.

  • Establish a framework for user account lifecycle management processes
    • Establish a user ID policy to allow use of a single user ID across the organization.
    • Automated approval workflow for requesting and verifying required system access
    • Automated granting of user access and profiles
    • Reduce the user account provisioning time
    • User account revocation is almost instantaneous on critical systems
  • Establish a framework for access management process
    • Establish framework and infrastructure for performing Single Sign On (SSO) across applications.
    • Portal for providing access to entitled applications, which improves the organization’s security posture and provides an enhanced user experience.
  • Establish efficient process to meet Audit and Compliance requirements
    • Centralized location providing data on, for example, all accounts existing on managed IT systems, dormant (inactive) accounts and non-compliant accounts.
    • Provide a self-service console for users to request access and perform password resets (good to have)
    • Reduce password reset calls (cost efficacy)
  • Create a common, architecture-driven, standards-based infrastructure with capabilities that can be shared across and possibly outside the enterprise to provide secured access, threat-aware identity intelligence and compliance services across applications and systems.

With that we conclude this thought, and we hope to continue this series as an organic and evolving one where more information will be shared and put up for discussion.