An Interview With Sarah Cecchetti
Hiya,
After a year of writing to you all about my views on CIAM, the complexities of it, and the features that make it different, I wanted to invite some new voices to share their vision. This is part of an ongoing series where I ask CIAM experts a few questions and share their views.
Sarah Cecchetti is my first interviewee. She will shortly be the Head of Product for Beyond Identity (I think by the time this publishes, she will be in that role). She co-founded a professional organization for identity practitioners called IDPro, which has a great intro to CIAM I wrote about. She is a contributor to NIST 800-63-C Digital Identity Guidelines and O'Reilly's "97 Things Every Cloud Engineer Should Know." She was named one of the 25 titans of identity by Okta Ventures. She has spoken on information security at the RSA Conference, and keynoted Identiverse and Authenticate Conference. She has been quoted as an industry expert in The LA Times, Forbes, and Wired.
I am thrilled to have her share her views on CIAM.
Dan: What problems do you see customer identity and access management (CIAM) solving for your customers?
Sarah: I’m taking a couple weeks off between AWS and Beyond Identity, so, very very briefly I am at literal inbox zero and have no customers. BUT I can tell you the benefits I’ve seen in the wild in my career. I think there are three that are really critical: the first is fraud reduction - it’s expensive to host a really great web experience and the more bots you have creating fake accounts and interacting with your site, the more money you waste.
The second is usability; Alex Simons once said “the only person who should ever see a password prompt is an attacker” and I think that’s the right way to think about it. Passwords should be one authentication factor, and that factor should be a last resort when you’re fairly certain you’re dealing with an attack - everything else should be passwordless.
The third is multi-tenancy. If I’m a huge Forrest Brazeal fan (and I am), should I need separate login methods for merch and books and consulting and live performances? No. Consumers deserve the ease of single sign-on just like workforce users do.
Dan: What are major challenges you see with CIAM (in the industry, in implementation, etc)?
Sarah: The biggest one is the classic innovator's dilemma between investing in CIAM and investing in workforce identity. Unless you are a pure-play CIAM company, it’s likely that your workforce deals are going to be more predictable upfront money, where your CIAM deals will be riskier and grow over time.
As an executive, where are you going to fund more features? You’re going to fund workforce of course because it’s a known quantity. So CIAM often gets the short end of the stick, even though there’s actually a lot of low-hanging fruit out there in terms of product innovation.
Dan: What excites you about the future of CIAM? Any predictions?
Sarah: Is it ridiculous to say that I’m excited about availability?
Look, if you’re a tax company and your CIAM goes down April 15, you’re screwed.
If you’re a retail company and your CIAM goes down on Cyber Monday, you’re screwed.
If you’re a day-trading platform and your CIAM ever goes down, you’ve got angry customers all over the globe.
We (the identity industry) have yet to offer a CIAM that promises and delivers four nines. It’s never been done. I think we’re on the brink of that, and that’s exciting!
Thanks again to Sarah, and thanks to you for reading!
Dan