Identity and Access Management (IAM) is evolving into a key component of business transformation, helping to deliver secure and usable digital experiences. Transformation across retail banking, eCommerce, insurance, media and education is driving a need for foundational services for account on-boarding, secure authentication and contextual adaptive access control.
Over the last 36 months a new term has emerged to describe these projects: CIAM, consumer identity and access management.
How does that term relate to the more established identity and access management seen within the enterprise, which is focused on employee enablement and federated access? Employee IAM is now entering a period of modernisation too, as cloud-based services, bring your own device, working from home and zero trust design patterns mature. Many employee projects borrow the agility and improved user experience learnt from the consumer world. There are, however, subtle differences between the two landscapes.
| Feature | Consumer IAM | Employee IAM |
|---|---|---|
| Volume of users | Millions | Thousands |
| System throughput | Thousands of transactions per second | Hundreds of transactions per second |
| Number of apps accessed | Fewer than 10 | More than 50 |
| Initial driver | User experience | Security and governance |
| Training | Self-sufficient users | Complex and ongoing |
| Data assurance | Starts from anonymous | Starts from a position of assurance |
| Identity provider | Many, often social | One or two, highly controlled |
Both ecosystems fall under the emerging umbrella term of "digital identity". But what are these digital identity projects looking to deliver? The following sample matrix breaks down some of the major value-driven outcomes from digital identity, separating the inside-out perspective (addressing employee needs) from the outside-in perspective (addressing consumer needs).
Glossary: MFA – multi factor authentication; POLP – principle of least privilege; BYOI – bring your own identity; BYOD – bring your own device; SSO – single sign on; API – application programming interface; SDK – software development kit
The outcome combinations can be categorised into the following: employee/security, employee/UX & personalisation, consumer/security, consumer/UX & personalisation.
Within each outcome combination, various different capabilities have been mapped. These are not exhaustive, but give an example of how to start mapping different investment areas to different business objectives.
Many organisations follow an OST (objective, strategies, tactics) model with regards to future transformation and operation. An example OST could be the following:
This example shows an organisation undergoing a digital transformation initiative: increasing revenue through greater use of mobile applications and an open, API-style economy. The underlying digital IAM capabilities can then be overlaid as necessary. In this case the projects would likely require capabilities such as API-first development and API protection, BYOI for rapid customer on-boarding and potentially adaptive access.
A second example is focused on the inside-out view of employee technology effectiveness:
This example is focused on increased security for employees and on better use of existing and new technology investments. If employees are effective, an organisation is typically more productive. Effectiveness can be measured in different ways, but improved personalisation (working from home capabilities) coupled with less reliance on the help desk (access requests, password resets, application access issues) are logical strategies. The tactics for this are wide and varied, but improved single sign-on, a move towards passwordless authentication and app segmentation as part of a larger zero trust story would improve security whilst increasing usability.
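The contextual adaptive access capability mentioned in the opening paragraph and in the first OST example, and the step-up to MFA that the zero trust tactics above rely on, come down to a policy decision made per sign-in. The following is an added illustration, not code from the original post: it scores a sign-in attempt from a handful of context signals and returns allow, step-up MFA or deny, with the thresholds varying by how sensitive the target application is. The signal names, weights, thresholds and the sample sign-ins are all assumptions constructed for the example.

```python
"""Contextual adaptive access decision.

Added illustration, not code from the original post. Signal names, weights and
thresholds are assumptions chosen for the example.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class SignInContext:
    user: str
    device_known: bool          # device previously bound to this account
    ip_country: str             # country of the current request
    home_country: str           # country on the account profile
    last_login_country: str     # country of the previous successful sign-in
    hours_since_last_login: float
    anonymising_proxy: bool     # Tor exit node or known anonymiser
    app_sensitivity: str        # "low", "medium" or "high"


@dataclass
class Decision:
    action: str                 # "allow", "step_up_mfa" or "deny"
    score: int
    reasons: List[str] = field(default_factory=list)  # kept for the audit log


# Illustrative weights (assumption): how much each signal adds to the risk score.
WEIGHTS = {
    "unknown_device": 30,
    "foreign_ip": 20,
    "impossible_travel": 40,
    "anonymising_proxy": 50,
}

# Illustrative thresholds (assumption) per application sensitivity:
# (score at which MFA is required, score at which access is refused).
THRESHOLDS = {
    "low": (50, 100),
    "medium": (30, 80),
    "high": (20, 60),
}


def risk_score(ctx: SignInContext) -> Tuple[int, List[str]]:
    """Sum the weights of the signals present and record which ones fired."""
    score, reasons = 0, []
    if not ctx.device_known:
        score += WEIGHTS["unknown_device"]
        reasons.append("unknown device")
    if ctx.ip_country != ctx.home_country:
        score += WEIGHTS["foreign_ip"]
        reasons.append("request from outside home country")
    # Two sign-ins from different countries within two hours (assumed window).
    if ctx.ip_country != ctx.last_login_country and ctx.hours_since_last_login < 2:
        score += WEIGHTS["impossible_travel"]
        reasons.append("impossible travel")
    if ctx.anonymising_proxy:
        score += WEIGHTS["anonymising_proxy"]
        reasons.append("anonymising proxy")
    return score, reasons


def decide(ctx: SignInContext) -> Decision:
    """Map the score to an action using the thresholds for the target app."""
    if ctx.app_sensitivity not in THRESHOLDS:
        # Fail closed on an unclassified application rather than guessing.
        return Decision("deny", 0, ["unknown application sensitivity"])
    step_up, deny = THRESHOLDS[ctx.app_sensitivity]
    score, reasons = risk_score(ctx)
    if score >= deny:
        return Decision("deny", score, reasons)
    if score >= step_up:
        return Decision("step_up_mfa", score, reasons)
    return Decision("allow", score, reasons)


if __name__ == "__main__":
    # Constructed sample sign-ins for the same user.
    routine = SignInContext("alice", True, "GB", "GB", "GB", 24, False, "medium")
    new_laptop_abroad = SignInContext("alice", False, "FR", "GB", "GB", 24, False, "medium")
    travel = SignInContext("alice", True, "US", "GB", "GB", 1, False, "high")
    for ctx in (routine, new_laptop_abroad, travel):
        d = decide(ctx)
        print(f"{ctx.user} from {ctx.ip_country}: {d.action} "
              f"(score {d.score}; {', '.join(d.reasons) or 'no risk signals'})")
```

Two design points worth keeping whatever engine is used: the decision fails closed when an application has no sensitivity classification, and the reasons that produced the score are returned alongside the action so that the security operations team can explain, in the audit trail, why a particular user was challenged or refused.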
In summary, digital identity has broad and foundational features for many organisations. It is rarely a point solution; it is more a platform approach that helps organisations deliver large, broad-stroke business objectives. Capabilities can be mapped into both security and usability buckets, and often overlap between consumer and employee user communities. Line of business leaders and architectural designers need to be aware of the overarching business objectives in order to make more informed decisions about digital IAM use and selection. Guidance should focus on strategy rather than on tactics such as vendor selection and individual design patterns.
By focusing at the strategy level, capabilities and patterns can be re-used in other parts of the business, resulting in increased efficiency from economies of scale, reduced change management, and a more business-as-usual response to external changes such as increased market competition or regulatory pressure.