Introduction to Customer Identity and Access Management (CIAM)

Digital customer access is at a turning point. For years, customer identity and access management (CIAM) wasn’t given much forethought. Companies deployed an identity and access management (IAM) suite like Okta Workforce Identity or Microsoft Active Directory for internal employees, and for each new user-facing project casually dropped customer records and username/password pairs into a separate, project-specific database. Each of those stores then had to get password hashing, account lockout, multi-factor authentication, and breach response right on its own. In an era of growing digital complexity, this is proving insufficient for managing customer identity at scale.

Jacob Ideskog, CTO of Curity

Product managers want to continue delivering new consumer digital services, but after a certain point, identity gets in the way, says Jacob Ideskog, CTO of Curity. “People don’t really think about CIAM until they get to the point where they realize they need that piece,” he says. “You realize that identity needs to stand on its own legs as a distinct component.”

In this age, customer identity must evolve beyond ad-hoc, homegrown solutions tied to specific functions. Instead, smart organizations are rethinking how they handle customer identity and decoupling it, following a ‘separation of concerns approach,’ says Ideskog. This can bring business benefits, like unlocking development agility and standardizing secure customer access.

Setting The Stage For CIAM

Consider the state of modern large enterprises. Today’s businesses have a broad digital footprint, engaging with various external consumers through different touchpoints. Once monolithic, digital customer systems are increasingly decomposed over time, largely due to pressures to increase speed and agility. They’re becoming API-heavy, relying on various connected microservices to power applications across mobile, web, and other platforms.

In addition, software applications are now expected to offer deep customer personalization, unique privileges, and various subscription tiers. All of these rely on intricate customer identity information and high standards for authentication and authorization at their core. Every application that implements its own multi-factor authentication, for instance, adds to the fragmentation and complication of customer identity and access management, says Ideskog.

Not defining a singular point of entry can seriously drain development efforts. You also don’t want to pass complexity onto the user — consumers shouldn’t be forced to onboard with multiple user identities and logins across different business functions. “It becomes complicated and fragmented if you don’t pull it together,” says Ideskog.

Therefore, detaching identity is necessary to support multiple sites or applications simultaneously without overcomplicating the user journey. Ideskog refers to this as treating identity as its own product. “Any system you build is easier to maintain over time if you follow the principle of separation of concern,” he says.

Why Traditional IAM Isn’t Enough

Identity and access management (IAM) is well-established in corporate environments. Most business systems leverage internal role-based access control (RBAC) systems to map permissions to employees’ roles. However, “There’s no adoption of new innovation happening here, really,” says Ideskog. Even worse, the consumer side has lacked comparable investment in identity management.

“Historically, the industry has placed much more effort into employee-based role-based permissions,” he says. Traditionally, customers were just entries in databases without the bells and whistles of full-on identity systems. And when consumer systems were eventually built, they were typically cumbersome and interwoven with monolithic systems, says Ideskog. Then mobile apps and single sign-on finally ushered in decoupled identity. Now, moving to standards-based systems built on OAuth 2.0 and OpenID Connect makes a lot of sense.

But still, most large enterprises haven’t invested in a decoupled, robust approach to CIAM, for whatever reason. The irony is that, whether they acknowledge it or not, most enterprises are managing consumer identities — they’re dealing with usernames, subjects, and countless attributes.

Defining CIAM

Although there are many interpretations on the market, Ideskog defines CIAM as “the authentication and account management of users when the users are consumers or customers outside of the organization.” Consumer identity profiles store attributes such as address, subscription level, purchase history and tastes, and more — data that has become business critical. “In order to authorize requests, 80% of APIs are interested in identity information tied to your user,” he says.

In the API landscape, there’s a gradient of use cases and consumers, and sometimes the same service must cater to both enterprise identity and consumer identity. There are similar needs when managing external identities for a B2B or partner relationship, which has created a subcategory called partner identity and access management (PIAM).

Ideskog also considers API security under the umbrella of CIAM. “The goal of authentication is to access something, and it’s almost always an API,” he says. “That API needs to have identity information in order to process. If you don’t think about that all together, all you get is log in.”

Identity systems are essentially bigger than CIAM, since they can act as a common contract for any type of API. The OAuth layer should be agnostic: the API validates the access token it receives and acts on the claims it carries, regardless of whether an employee or a consumer made the call. (In OpenID Connect the ID token is meant for the client application; the token an API should verify is the access token.) Decoupling in this way makes the same internal system accessible to any type of user.

Advantages of Implementing CIAM

Giving CIAM the attention it deserves leads to several business benefits, says Ideskog. One is enhanced agility — CIAM grants a faster time to market for both user-facing applications and the APIs that support them. Since the user identity component is standardized and abstracted from development requirements, it’s easier to pop in for new applications and avoid duplicated effort from project to project.

Although CIAM might not directly reduce friction in the login process, it can benefit customer experience in other ways. For instance, centralizing access management allows you to introduce new authentication options, like passkeys, across all deployments in one fell swoop. It also lets you perform A/B testing of customer flows from a single location.

But a primary benefit is improved security. With a single authority issuing tokens, permissions are mapped consistently across applications and APIs, reducing data overexposure and supporting a zero-trust approach in which every request carries verifiable identity. Centralizing access control brings ancillary benefits, too, such as better auditability for compliance purposes and the ability to adopt forward-looking technologies like verifiable credentials. “You get better resilience because you can better change and adapt to new needs,” says Ideskog.

Who Really Needs CIAM?

Large, highly digitized organizations, or those undergoing digital transformation processes, are the prime scenarios that could really make use of CIAM. “And heavily digitized typically means you are API heavy or are becoming API heavy,” says Ideskog. “If you’re not incorporating these techniques, it’s going to be very hard.”

In addition to size and complexity, there’s the geographic footprint to consider. Global organizations with cross-regional systems typically benefit from decoupling their identity layer to avoid data compliance issues. “When you encounter heterogeneous systems with a bunch of arrows back and forth, it’s a sign you need to pull something out,” says Ideskog. “That’s often the identity piece.”

It’s also good to remember that it’s not just end-user-facing companies that create external-facing applications — many B2B organizations require CIAM-like capabilities for their partners. Alternatively, software platform companies may require an integrated consumer identity system for their customer’s users. Therefore, the use cases for CIAM are broader than you may initially think.

CIAM: More Than A Toy

Organizationally, the IAM team was typically not responsible for CIAM, which evolved separately out of each product's need to manage consumer identities. Homegrown identity and access management systems can produce significant maintenance hurdles, requiring the attention of a product in its own right. Left unaddressed, this inhibits agility as application developers create new services.

Although CIAM has been a “toy” for a while, says Ideskog, it’s now time to start taking it seriously — for him, this involves detaching the bespoke customer user identity process and replacing it with a decoupled standards-based mechanism.

With API access and authorization issues so prevalent in today’s top breaches, better access control is imperative to protecting the organization. Failure to invest in it results in duplicated effort, security gaps, and non-compliance. Conversely, treating CIAM as a product in its own right can kickstart smarter innovation in consumer software.