IAM vs CIAM: What’s the Difference?

In posts prior, we here at Solutions Review have tried to solve the difference of IAM vs CIAM. Is Customer Identity and Access Management (CIAM) truly all that different from traditional or classic Identity Access Management (IAM)?

It’s a contentious question. Solutions providers around the world have positioned their products on either side of the IAM vs CIAM debate, with several prominent vendors proclaiming their specialization in CIAM. Other solution providers argue that the IAM vs CIAM question is semantic and that comprehensive IAM solutions can secure CIAM use cases.

In summary, the distinctions between the two are blurry. But why?

IAM vs CIAM: Technological Twins?

One reason there is so much controversy over whether the IAM vs CIAM is even a valid debate is that the two share more similarities than differences in their technical capabilities, including:

• Single Sign-On
• Authentication Protocols, including MFA
• Access Management
• Identity Behavioral Monitoring
• Centralized, Universal Directories
• Lifecycle Management
• Authorization
• Federation

Additionally, both fall under the preview of privacy regulations like GDPR, as the storage and usage of employee and consumer data are equally protected under the rules.

On the other hand, CIAM use cases require tools that IAM solutions typically don’t possess, including:

• Branding Control
• Consent Management
• User Registration
• Profile Personalization

Furthermore, CIAM needs to be even more accessible than IAM (which itself needs to be quite accessible to perform its functions) as any issues could obstruct your e-commerce and thus your bottom line. These solutions also need to be able to scale so that it can accommodate the hundreds of identities a single customer might possess.

Yet at the same time, many IAM solutions market their products as flexible enough to accommodate CIAM use cases. While some certainly can’t, others can match the needed scalability and accessibility of CIAM.  

But what if IAM vs CIAM isn’t a technology question at all, but a question of philosophy?

IAM vs CIAM: The Needs of the Many?  

In the most basic understanding of both solutions, IAM emphasizes is internally-facing while CIAM is externally-oriented.

IAM tends to focus on authenticating and monitoring employees within your enterprise—making sure your network has strong authentication policies, employees only have the credentials they absolutely need to perform their respective roles, and that your IT security team can revoke inappropriately assigned permissions and privileges, etc.

The main goal of IAM is to secure users’ identities so that they are not abused by either internal or external threat actors leading to a security breach or compromised data. IAM will most likely use a user portal to manage employee access to on-premises applications and require multiple logins to ensure the most comprehensive security possible.

In CIAM, the situation isn’t as simple. Security remains vitally important—losing customer data or allowing their identities to be compromised is a fast way to lose those customers—but it isn’t as central as it is in IAM. Overemphasis on security, requiring them to enter through a third-party portal, or requiring multiple logins will alienate customers before and during their transactions. This could drive them to the arms of your competitors.

Instead, CIAM needs to accommodate consumers entering through a website or mobile app that exists outside the typical digital perimeter. It needs to facilitate the personalization of user interfaces and, most importantly, convenience: the customer-facing identity interface needs to be easy-to-use for registration, login, and account management functions.   

This last value cannot be overlooked. If anything separates IAM vs CIAM, it’s the emphasis on convenience by the latter. In the former, it would be a nice perk but ultimately not a necessity and in some cases even possibly poses a security risk for enterprises. But the latter is vital to ensuring a smooth and pleasant user experience that will encourage future transactions.

Nowhere is this divide more evident than with authentication. In IAM the new paradigm is moving to a Multifactor Authentication model that can require up to five factors before allowing users access. By contrast, CIAM often utilizes social sign-on—using social media account credentials as login authentication factors—or passwordless authentication. Both are convenient methods of login but neither could be called “secure” on an enterprise level.

No Clear Answer  

In our research, we discovered an argument that CIAM could be considered as another component of role management; consumers simply serve a very limited role within the enterprise compared to other roles and their authentication and access are limited in turn.

Whether that is accurate or not, it highlights just how murky the question IAM vs CIAM remains. Enterprises need to review their own use cases and carefully investigate possible solutions providers in order to find the best fit for their needs.

It may not be clear-cut, but your consumers and employees’ security are in your hands. You owe it to them to make the best decision possible. You may not get another chance at it.

Thanks to Okta, Ubisecure, and Ping Identity for their help with the research!

Other Resources:

The Top 4 CIAM Vendors and Solution Providers to Watch in 2018

Defining CIAM Solutions: Your Top Questions Answered!

Comparing the Top Identity and Access Management Solutions

How Top Identity and Access Management Vendors Respond to GDPR

Identity’s Competitive Advantage—Do You Know What It Can Do For You?