CIAM

What is CIAM?

CIAM stands for Customer Identity and Access Management, the functionality for managing customer user accounts and access rights. With CIAM, organisations can ensure that their customers have secure access to, for example, a customer portal and other applications and data intended for them.

What is the difference between CIAM and IAM?

Both CIAM and IAM deal with managing user accounts and access rights to an organisation’s IT systems. The difference lies in the target audience. IAM systems are developed for the organisation’s own employees, the ‘internal users’ of the systems. CIAM is aimed at external users; customers, of course, but also partners with whom the organisation collaborates. It usually involves only a few of the IT systems and only the data of that specific customer or partner. In consumer applications, it often concerns a much larger number of accounts.

Why is CIAM important?

CIAM is important because access management for customers and partners often has slightly different requirements. Digital access must be secure and user-friendly for employees, but from a ‘customer perspective’, you need to be even more critical. Customers often only have contact with your systems sporadically, and at those times, access must be completely intuitive and seamless. Privacy also requires extra attention. Employees should not have unnecessary access to customer data, but if customers can access each other’s data, it would be disastrous.

Moreover, you want your CIAM functionality to scale effortlessly. While it may involve hundreds to thousands of employees, for consumers, it could easily involve a portal with millions of users.

Examples of CIAM

How does CIAM functionality work in practice? Here are some examples:

• Through a CIAM platform, customers of financial institutions such as banks can have direct access to a personalised portal with all their account information, transactions, loans, etc.
• In schools, not only teachers and staff need access to lesson schedules and school results. You also want students and their parents to have access to their personal information, with exact access rights and possibilities depending on the student’s year and age.
• In our own HelloID platform – a cloud-based IAM environment – every customer has their own account on the service desk system. There, the customer can manage their configuration and view logs and reports.

When you zoom in on such examples, you also see the difference with regular IAM functions. In a modern IAM platform like HelloID, there is usually an automatic connection with the HR platform. In that scenario, a person’s access rights are always directly derived from their role and other information as recorded in the HR system. If someone gets a different role in the organisation, this is adjusted in the HR system, and the IAM solution ensures that the corresponding access rights are updated accordingly. Additionally, employees – or their managers – can request additional access rights for, for example, a temporary project.

This is different for CIAM. Customers, students and partners are usually not registered in the HR system. For provisioning such accounts, we need to unlock other source systems. The student administration system in educational institutions, a customer system of the bank, and for B2B customers, the CRM system is often the source.

Apart from different source systems, additional layers of control may be necessary. For instance, account managers themselves register customer data in the CRM system, but mistakes and duplicates are quickly made. We will discuss this further in the last paragraph.

Additional benefits of CIAM

We previously mentioned the different CIAM functions necessary to make access management for customers secure and user-friendly. At the same time, a CIAM solution can provide additional insights into customer behaviour. You can register all access attempts and by analysing this data, learn more about customer satisfaction and improve customer loyalty.

What to consider when choosing a CIAM solution

You can implement a specific CIAM platform to organise account and access management for customers. In particular in case of large numbers of consumers, this is often a logical choice. If smaller numbers are involved, a modern IAM platform may suffice if it is prepared for the necessary CIAM functionality. This way, you use one solution and work towards a ‘holistic identity management’.

HelloID is an example of this. Within a B2B organisation, you can manage customer accounts for the customer portal alongside your employees. For regular employees, HelloID often uses the HR system as the source. Since contract data and job changes are always accurately recorded, it forms the ideal framework for your identity lifecycle. Managing customer accounts usually requires more attention. When you create a new customer relationship in the CRM, you can automatically provide customer accounts through a connection with HelloID. At the same time, a CRM system does not usually set an end date by default. Account managers also tend to be less focused on keeping customer data up-to-date. This means it is helpful if you can also automate regular checks or clean-up actions. HelloID’s service automation module is ideally suited for this.

We often introduce such a ‘blended IAM & CIAM’ solution for educational institutions as well. Educational systems often accurately register the start and end dates of students and pupils. This allows us to automatically manage all student or pupil accounts with HelloID, in addition to staff accounts. And you can secure access with MFA (Multi-Factor Authentication) to protect the privacy of sensitive student data.

In higher education, people often have mixed roles. A senior student can also guide first-year students as an employee; academic staff often take courses as students. In such a setting, it is particularly useful not to have separate IAM and CIAM platforms but an integrated (C)IAM solution with HelloID.