An intro to CIAM from IDPRO
First, though, what is IDPRO?
IDPRO is an organization for identity professionals. They have a board, regular meetings, a community and more. They also have a certification program (CIDPRO). I took the certification a few years ago and it is no joke.
They also have a Book of Knowledge (BOK), where identity professionals can publish relevant articles. When I studied for CIDPRO, I spent some time reading the BOK, especially about some of the identity terms and concepts I was less familiar with.
Recently an “Introduction to customer identity and access management (CIAM)” was published in the BOK. The author is a longtime identity practitioner and co-founder of IDPRO.
It’s long and thorough.
My favorite part of it was the contrast it draws between traditional, workforce-oriented identity and access management (IAM) and CIAM:
Some readers may be more familiar with the primary goal of workforce IAM to deliver the right access to the right people at the right place and time. To meet this goal, IAM practitioners deploy, for example, automated user provisioning, birthright policies triggered by a small number of central authorities, access request systems, and authorization policies governed by a central Identity Provider (IDP).
CIAM has a different goal. It supports organizational digital engagement efforts to deliver the right experience (in addition to access) to the right people at the right place and time. In collaboration with Chief Information Security Officers, Chief Digital Officers seek to ensure engaging, personalized experiences at every touchpoint during an individual's relationship with a given organization – and doing so securely. With this goal in mind, CIAM professionals deploy different tools, including just-in-time user provisioning, social sign-on, and user registration. This article will continue to draw out further differences and similarities between workforce IAM and CIAM.
The differences between CIAM and IAM are rooted in the relationship between the company providing the access management and the user.
To be blunt, with IAM, the company is paying the user money as an employee or contractor. Provisioning and lifecycle management are more straightforward. The company is in control. If they want to force MFA for security compliance, they can.
With CIAM, the company is being paid by the user as a customer. This means that UI and UX expectations are higher, CIAM is a key part of revenue generation, and the company has, in general, less control. If they want to encourage MFA for security compliance, they can, but they can’t dictate it without affecting customer retention.
Yes, yes, there are free users in CIAM, but the company is still being paid, either with attention that translates to ads, data that can be used to make money, or by some percentage of free users converting.
The whole article is worth reading. It takes an academic tone and is a bit dry, but if you've always wanted to learn about the differences between profile and credentials data or the components of a CIAM system, this article has you covered.
Dan