Not all leading identity and access management (IAM) vendors can also be successful as consumer identity and access management (CIAM) vendors. But with the right identity expertise, it’s possible. As Zero Trust mantras permeate the security and IT landscape, we know by now that everything’s about context, and not a single identity is to be trusted without being verified. But which identities are those mantras really referring to? Just internal users?

Entities must protect their sensitive internal data. Therefore, only the right people should access the right data at the right time. Yet, our digital world continues with endless frustration and borderline unusable web experiences for data and information sharing with arguably the most important identities we could spend time and money protecting — our customers.

Managing and protecting internal employees is very different from managing and protecting external users, such as customers, citizens or even Internet of things (IoT) devices. The former focuses on tight security and resource access. Meanwhile, the latter is concerned with simplified digital experiences, protecting personal data, self-management of that data and growing business goals through the acquisition and retention of users.

While many vendors do serve both use cases, it is difficult to do both and do it well. In this year’s Forrester Wave for Customer Identity and Access Management report, 13 of the major CIAM providers were evaluated against 32 criteria collectively assessing current offerings, strategy and market presence.

Which traditional IAM players were able to keep up with evolving CIAM trends at the same time as filling the needs of consumers? And, what distinguished the top CIAM solutions?

Privacy and Consent Management are Key

As global privacy rules expand and evolve, some entities find themselves struggling to keep up. Developers would rather focus on core application development. But they need to implement legal and data requirements provided by privacy officers in order to accurately and respectfully handle customers’ data, especially within the bounds of local compliance laws.

While handling consent through user-attribute management or other workarounds is better than nothing, CIAM solutions should go further and reach beyond attributes and application programming interfaces. From that starting point, they should include out-of-the-box workflows that help developers and privacy officers collaborate more quickly and accurately. This, in turn, lets them embed requirements directly into applications and automate unnecessary repetition. Customers need to know how and why their data is being used, so consent information must offer the transparency and granular detail they expect to build trust.

Convenient Identity Verification Methods

Detecting fraudulent behavior is an ongoing battle, as bad actors adapt and pivot techniques across channels. Therefore, organizations should leverage advanced risk-based authentication methods to provide their best chance of preventing attacks like credential stuffing or account takeover while preserving a frictionless user experience. More modern methods for multifactor authentication (MFA) like FIDO2 hard tokens or QR codes have also shown better protection than typical knowledge-based questions or short message service (SMS) one-time passwords. Having these advanced methods as an option can be helpful when risk levels demand them.

To reduce the friction of onboarding new users, many organizations default to social provider logins; however, those may not meet the security requirements of some organizations. At the same time, implementing advanced MFA capabilities to prompt users for a second factor on every login does not allow for a frictionless experience. Top CIAM vendors balance this with an adaptive, risk-based approach that only asks for MFA when the user’s holistic risk requires it.
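The adaptive step-up policy described above, as an added example that is not IBM’s code or anything from the Forrester report: it scores a login from contextual signals (new device, country change, IP reputation, failed-attempt bursts and one source spraying many accounts as a credential-stuffing indicator), lets low-risk returning users through without a prompt, asks for the strongest enrolled factor at medium risk, insists on a phishing-resistant factor such as FIDO2 at high risk and denies outright at the top of the scale. All signal names, weights and thresholds are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Factor strength, strongest first: FIDO2 is phishing-resistant, SMS OTP is the weakest.
FACTOR_PREFERENCE = ["fido2", "totp", "sms_otp"]
PHISHING_RESISTANT = {"fido2"}


@dataclass
class LoginContext:
    """Signals available at login time (field set constructed for this example)."""
    known_device: bool
    country: str
    last_country: Optional[str]
    ip_reputation: str            # "clean", "suspicious" or "malicious"
    failed_attempts_10m: int      # failed logins for this account in the last 10 minutes
    accounts_from_ip_10m: int     # distinct accounts attempted from this IP in the last 10 minutes
    enrolled_factors: List[str] = field(default_factory=list)


def risk_score(ctx: LoginContext) -> int:
    """Additive risk score clamped to [0, 100]; the weights are assumed, not vendor values."""
    score = 0
    if not ctx.known_device:
        score += 30
    if ctx.last_country and ctx.country != ctx.last_country:
        score += 25
    score += {"clean": 0, "suspicious": 20, "malicious": 60}[ctx.ip_reputation]
    if ctx.failed_attempts_10m >= 5:        # repeated failures against a single account
        score += 20
    if ctx.accounts_from_ip_10m >= 20:      # one source trying many accounts: credential stuffing pattern
        score += 40
    return min(score, 100)


def strongest_factor(ctx: LoginContext, phishing_resistant_only: bool = False) -> Optional[str]:
    """Pick the strongest factor the user has enrolled, optionally restricted to phishing-resistant ones."""
    for factor in FACTOR_PREFERENCE:
        if factor in ctx.enrolled_factors and (not phishing_resistant_only or factor in PHISHING_RESISTANT):
            return factor
    return None


def step_up_decision(ctx: LoginContext) -> Tuple[str, Optional[str]]:
    """Return (action, factor) where action is allow, mfa, verify_identity or deny."""
    score = risk_score(ctx)
    if score >= 80:
        return ("deny", None)
    if score >= 50:   # high risk: only a phishing-resistant factor will do, else route to identity verification
        factor = strongest_factor(ctx, phishing_resistant_only=True)
        return ("mfa", factor) if factor else ("verify_identity", None)
    if score >= 20:   # medium risk: any enrolled factor, strongest first
        factor = strongest_factor(ctx)
        return ("mfa", factor) if factor else ("verify_identity", None)
    return ("allow", None)
```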

Scaling to Tens of Millions of End Users

Businesses may manage access levels for thousands of employees, but the CIAM world adds a few more zeroes. Companies may serve millions of customers, and government agencies provide public services to tens of millions of citizens. The best CIAM solutions simply have no option but to stay nimble and scale right away to carry higher loads. Solutions must provide high availability and reliable authentication services for whatever number of active users an organization’s case demands, even when that number changes quickly.

IBM Named a Leader in CIAM

Forrester named IBM a leader in its new report, ‘The Forrester Wave™: Customer Identity And Access Management, Q4 2020’ along with only two of the other 12 CIAM providers considered. The Forrester Wave report cited IBM’s broad range of authentication protocols, FIDO2 and biometric support, integration with IBM’s own Trusteer and third-party identity verification and fraud management solutions, plus reporting and dashboarding.

According to Forrester, IBM is a “great fit for firms that need to combine risk-based authentication with CIAM or revamp an existing IAM or web fraud management portfolio from IBM.”

In IBM’s assessment of the vendors included in the report, popular access management vendors are noticeably absent from this year’s leaders category. Some of these vendors lacked key authentication options, such as FIDO2 or biometrics, lagged in consent management workflows or required separate, on-premises components to accomplish key use cases. Whatever the cause, these single sign-on specialists have not evolved enough in the CIAM space to be considered leaders.

IBM is the only vendor considered a leader in the 2019 Gartner Magic Quadrant for Access Management and in this year’s Forrester Wave for CIAM. IBM was also a Leader in this year’s The Forrester Wave™: Risk-Based Authentication, Q2 2020. Leading strategy and rollout across access management, CIAM and risk-based authentication, IBM has a special market position to guide every customer through zero trust initiatives, both inside and outside the enterprise.

Bringing IAM and CIAM Together

When a vendor like IBM offers a single identity solution to serve both internal and external populations, organizations and end users end up winning. The IAM-leaning development brings with it a swath of protections, including the integration of fraud detection capabilities and risk-based authentication. Meanwhile, the CIAM-leaning use cases inspire broad authentication options and developer-centric workflows. In the end, users benefit from both, too. In addition, organizations can experience licensing efficiencies when consolidating to a single platform for internal and external users, while only being charged for actual usage. As user numbers, service usage and product use cases vary over time, their identity tool belt will stand ready.

The next time you hear the term Zero Trust, we hope you will consider extending the paradigm beyond your organization’s walls to your external users as well. You can trust IBM to design purposefully built CIAM programs with secure yet engaging online experiences for your customers — they may just thank you with their attention, their business and their loyalty.
