
Under the hood there isn’t really a huge difference between CIAM (Customer Identity and Access Management) and IAM (Identity and Access Management). 

We manage the lifecycle of users, we authenticate and identify them, assign a profile, and based on that profile we decide which resources they are entitled to access. And from a technical point of view, it doesn’t matter whether they are employees, partners or customers. 

Most vendors even use the same core technology, but nevertheless the C really makes a difference.


The IAM flavour

Traditional IAM focuses on employees and partners. IAM is characterised by smaller user communities but larger sets of resources. These users simply have to accept that the onboarding and authentication process isn't always smooth. In larger organisations new employees often have to chase colleagues for weeks until they have access to everything they need for their job. And the offboarding process is probably even more complex, or does not exist at all. And it's not the employee leaving the company who will warn superiors about the potential ghost accounts they are leaving behind.

In IAM, where users most of the time have roles that are associated with privileges, RBAC (Role Based Access Control) is still very popular. ABAC (Attribute Based Access Control) can however help to deal with occasional exceptions (e.g., roles associated with regions). 

Key aspects of IAM are provisioning and de-provisioning, Single Sign-on (SSO) and auditing.

Provisioning and de-provisioning make sure users are known to all applications they need to carry out their daily work. SSO takes away the burden of having to sign on, time and time again, to each of these applications. And finally, auditing allows organisations to stay in line with regulation and helps reduce the risk of data breaches.


The CIAM flavour

With CIAM, customers are at the centre of attention. Here we are dealing with larger user communities but far fewer applications; sometimes even only one. Where IAM is about efficiency, CIAM is about user-friendliness. An employee won't walk away when the onboarding process is cumbersome, but a customer will.

Customers don’t have roles. They have attributes related to the services they use (e.g. bank account number) or preferences (e.g. the brand of a device). So, ABAC is definitely more suited in a CIAM context. 
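To make the RBAC-versus-ABAC distinction concrete, here is an added example (written for this post, not taken from any vendor's product): the same access decision in the IAM style (roles, with the region exception mentioned above) and in the CIAM style (attributes only: account ownership and marketing consent). The identities, roles, accounts and interest categories are constructed sample data.

```python
from dataclasses import dataclass, field


@dataclass
class Subject:
    """A user as seen by the access control layer (constructed sample data)."""
    id: str
    roles: frozenset = field(default_factory=frozenset)  # IAM: roles carry privileges
    attrs: dict = field(default_factory=dict)            # CIAM: attributes describe the user


# RBAC: a role maps to a fixed set of permitted actions (hypothetical role names).
ROLE_PERMISSIONS = {
    "payments-clerk": {"payment:read", "payment:approve"},
    "auditor": {"payment:read"},
}


def rbac_allowed(subject: Subject, action: str, resource: dict) -> bool:
    """Pure RBAC: the decision follows from the role alone; the resource is not inspected."""
    return any(action in ROLE_PERMISSIONS.get(role, set()) for role in subject.roles)


def rbac_with_region_exception(subject: Subject, action: str, resource: dict) -> bool:
    """RBAC plus the occasional ABAC exception: the role only applies within the
    subject's own region, so a clerk in one region cannot approve another region's payments."""
    return (rbac_allowed(subject, action, resource)
            and subject.attrs.get("region") == resource.get("region"))


def abac_allowed(subject: Subject, action: str, resource: dict) -> bool:
    """ABAC for customers: no roles at all; subject attributes are compared with
    resource attributes. Marketing additionally requires an explicit consent attribute
    and a match with the customer's declared interests."""
    if action == "statement:read":
        return resource.get("account") in subject.attrs.get("accounts", ())
    if action == "marketing:send":
        return (subject.attrs.get("consent_marketing") is True
                and resource.get("category") in subject.attrs.get("interests", ()))
    return False  # default deny for any action the policy does not know


# Constructed sample identities: one employee (IAM) and one customer (CIAM).
EMPLOYEE = Subject("alice", roles=frozenset({"payments-clerk"}), attrs={"region": "BE"})
AUDITOR = Subject("bob", roles=frozenset({"auditor"}), attrs={"region": "BE"})
CUSTOMER = Subject("carol", attrs={"accounts": ["BE00-0000-0001"],
                                   "consent_marketing": True,
                                   "interests": ["devices"]})
```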

Key aspects of CIAM are onboarding, personalisation, privacy and, of course, size.

Don't forget it isn't only your customer. Customers don't want to enter all their data again for each new party they are dealing with. Onboarding should support integration with social media or, even better, with national identity systems (e.g. the Belgian ITSME). If you bother customers with data they are not interested in (e.g. I don't care about a new sailing yacht) you will drive them away. Only provide personalised information, and obtain consent for doing so in marketing campaigns. GDPR, and especially the right to be forgotten, are only two of the privacy aspects customers care about. And last, but not least, you had better scale.


Conclusion

While there are vendors out there that focus on either CIAM or IAM, most long-standing vendors have solutions that support both. 

And that is because the underlying technologies like RBAC, ABAC and PBAC (Policy Based Access Control, basically a smarter way of doing ABAC) for authorisation, OATH (Initiative for Open Authentication) and FIDO (Fast Identity Online) for authentication and Kerberos, SAML (Security Assertion Markup Language), OAuth (Open Authorisation) and OIDC (OpenID Connect) for SSO are the same. 

Orchestration of user journeys (see another blog) is what makes some vendors outstanding in dealing with customer requirements. 

But there is still one other thing that might make a difference when selecting a vendor. SSI (Self-Sovereign Identity) is a fairly new concept that further protects the privacy of users and that will allow them to make official online statements about their identity, preferences and achievements, all under their own control rather than that of some third party like Facebook, Google or even the government. But we'll address that topic later.
