As a consumer, have you ever visited an online retail site only to be bombarded by a pop-up window asking for your email address in order to get a nominal discount? Or consider the process of exploring a home mortgage with a major financial institution. Your first interaction with the bank or financial institution prompts a request for your Social Security information, date of birth or some other piece of personally identifiable information (PII), even when you only want to evaluate the home mortgage options available and learn more about the credibility of the provider.

The company doesn’t know if you’re a registered customer or not, yet implies that you’re willing to share your information in exchange for receiving more information or a small discount. That is a broken customer experience with too much friction. Consumer identity and access management (CIAM) aims to address the poor customer experience and connect the brand to its consumer in a more personalized way.

What Are Workforce and Consumer IAM?

Workforce identity and access management (IAM) focuses on governing data and system access rights for an employee base. It allows employees to connect to internal systems and applications while keeping bad actors out. Essentially, it employs the principle of least privilege, meaning users should only have the minimum access rights needed to perform their job.

While workforce IAM focuses on a high degree of security, consumer IAM must balance user experience and security at all times. This becomes a challenge as more consumers demand a frictionless and personalized experience.

With CIAM, instead of maintaining least privilege, the organization lets unknown users sign up or log in without friction. As a user interacts with the brand, the organization converts that interaction activity into a fully self-profiled customer so it can deliver highly personalized content and offers.

Identity Plays a Big Role in Both Use Cases

Identity plays a key role in both consumer and workforce IAM. Yet the processes, operations and use cases in both instances are very different. For instance, as shown below, consumer IAM must scale for millions of users, whereas workforce IAM typically scales for hundreds of thousands of business users.

Consumer IAM Environment

  • Manages consumer identities on consumer-facing omnichannel sites (web/mobile/IoT)
  • Users sign up themselves and generate their own profile data
  • Authentication against public services such as OpenID and social media
  • Users are unknown and can create multiple accounts (trust cannot be assumed)
  • Customers have very low tolerance for poor performance and have alternative choices
  • Scalable for hundreds of millions of user IDs
  • Many heterogeneous IT systems on public networks and connections
  • Many decentralized identity providers (IDPs) — e.g., social login
  • Customer data collected for business-critical processes — transactions, marketing, personalization and business intelligence
  • Subject to a broad variety of privacy and data protection regulations that differ between regions

Workforce IAM Environment

  • Manages mainly employee identities for internal access
  • Users are signed up by HR or IT
  • Authentication against internal directory services
  • Users are known and captive (trust is assumed)
  • Users are tolerant of latency, bad user experience (UX) and poor performance
  • Scalable from tens to hundreds of thousands of user IDs
  • Many IT systems on a closed, corporate network
  • IDP is typically one central, internal IT system
  • Profile collected for administrative and operational purposes
  • Subject to global corporate policies

Consumer and traditional IAM are similar in that users must be able to obtain access seamlessly. However, traditional IAM solutions are not well suited to managing and securing the diverse array of external platforms and authentication technologies and protocols. A CIAM platform must also be developer-friendly so that customization and integration are straightforward.

The Key Differences Between CIAM and Workforce IAM Solutions

Some other key differences between consumer and workforce IAM systems include:

  • Customer authentication preferences: Consumers can choose the device, provider and level of security used to authenticate their identity — e.g., email or phone login, Facebook or Google single sign-on (SSO), multifactor authentication (MFA)
  • Security, privacy and consent management: Consumers handle the management of their personal data and can change privacy and consent settings at their choosing
  • User experience: Consumers can log in and sign up across a multitude of platforms seamlessly with minimal interaction with the company
  • Integration: The enterprise can connect the CIAM platform to customer relationship management (CRM), marketing, business intelligence, enterprise resource planning (ERP), security information and event management (SIEM) and other systems
  • Analytics: The enterprise can leverage collected customer data for more personalized offers, all while providing a delightful customer experience

It’s worth mentioning that a consumer identity and access management program is not simply a technology platform, but instead a holistic solution. A programmatic strategy with a future state envisioned and ongoing management must be prioritized to maximize the benefits of a successful CIAM implementation. A well-deployed consumer IAM program can help your organization offer delightful customer experiences, improve overall brand reputation and increase your customer lifetime value and return on investment (ROI).
