Customer (Citizen) Identity and Access Management


There are varying schools of thought regarding consumer identity and access management (CIAM). The Gartner viewpoint considers CIAM as separate from IDM. They maintain that it’s so functionally different from identity management that it needs to be treated differently, with a different set of rules applied. The KuppingerCole viewpoint is that CIAM is just one end of a continuum that runs from a deep hierarchical IDM for a relatively small number of staff at one end to a flat, but very wide, IDM for a large number of customers at the other.

Perhaps the best approach is to treat CIAM as a component of the identity management task and ensure it is addressed in the IDM strategy. This will ensure that it is properly planned rather than “allowed to happen” as so often occurs as we clamber to use cloud-based applications.


  • CIAM is dealing with an order of magnitude more identities than IDM. The infrastructure must be able to support a large number of identity records that will need to accommodate fast lookups and support large throughputs.
  • CIAM must be strategically planned. Regardless of the technology used, the system must be able to support the organization’s business processes and it must adhere to the adopted governance model.

Why is getting our CIAM right so important?

Consumerisation will be the most significant causal agent for digital transformation over the next decade. Retail companies and consumer-facing organisations can either adapt or suffer the consequences. Society is rapidly changing from the value-led baby-boomers to the millennials who want experience. Organisations dealing with the public who fail to provide this experience will find themselves the subject of tweets and re-tweets decrying their poor user experience; and a shrinking clientele. This is most unfortunate because, with a little forethought and planning, the requisite customer experience can be provided and customers will pay for it.

Gone are the days of interactive voice recorders to ensure your customers don’t talk to a human being; no longer should websites be devoid of a contact phone number or an email address so that your customers can’t contact you. Systems to facilitate customer feedback are required in order to understand the difficulties they are having with your products/services; and you want to hear from sales staff what customers are asking for.

Know-your-customer (KYC) has gone mainstream. Understanding what customers want and meeting or exceeding their expectations is part of running a successful business. As baby boomers, with their focus on value, give way to millennials, with their appetite for experience, knowing your customer becomes increasingly important. This means combining the data you know about them (demographics, relationships and buying habits) into a picture that will let you gauge their propensity to purchase so that you can engage in targeted promotion. CRMs have gone from being simple recording facilities to providing predictive capabilities with the potential to significantly improve business profitability.

In the banking and finance sector, start-ups that can provide customer service more effectively and more efficiently by building a KYC capability are a distinct threat to the established banks. Banks must use the wealth of information they maintain on clients more intelligently. This means that data, which is often spread over multiple silos in different divisions of the bank, must be integrated. Then artificial intelligence needs to be applied to allow banks to replace the human interface while still providing the services customers want.

For the healthcare sector there is a large cohort of external service providers such as radiologists, pharmacists, equipment technicians and emergency services personnel whose access to health systems must be facilitated but controlled. On top of that, patient access must be managed, particularly the level of consent a patient gives to components of their electronic health record. Software vendors are increasingly being called upon to assist healthcare professionals in the better management of access control to health data and to facilitate the user experience by making their systems more intuitive and simpler to administer.

Universities also have a complex identity management environment with the need to manage the identities of academic staff, administrative staff, prospective students, enrolled students, researchers and alumni. One area generally requiring attention by universities is the learning management system (LMS). The IdM system should provide sufficient data so that students aren’t required to navigate through multiple pages to find courses in their area of study. Also, the LMS should collect information such as tutorial memberships, and this data should flow back to the university’s identity repository so that other applications can make use of it.

Governments too have some non-trivial identity management requirements. On the citizen side governments need the capability of accepting transactions for government services with the least intrusive effect on users. The IdM system should be able to authenticate a user to the necessary level for the service being requested. As with the banks, government departments need to learn to share data so that a meaningful citizen experience can be provided.

It is quite clear that we are entering into a time of significant change in the delivery of customer services. In the retail, corporate and government sectors KYC programs are going to deliver an unprecedented level of sophistication allowing organizations to develop customer/citizen relationships that could only have been dreamt about just 5 years ago. While this will require storage of an increasing amount of consumer data, the cost pales into insignificance in comparison to the benefits.

This series of blogs looks at the major components of identity and access management to encourage discussion and raise awareness.

Graham Williamson is the author of Identity Management: A Business Perspective.
