
Consumer identity management will benefit business

Businesses should embrace consumer identity management to improve marketing capabilities and help drive regulatory compliance, says KuppingerCole

Consumer identity and access management (CIAM) is the fastest-growing subset of identity management because of the benefits to business, says John Tolbert, lead analyst at KuppingerCole.

“CIAM is not going away and many organisations are starting to realise the value of better targeted marketing as well as different kinds of regulatory compliance,” he told Computer Weekly.

The biggest reason businesses are looking at CIAM is to get more accurate and comprehensive information about their customers for marketing purposes, said Tolbert.

CIAM is all about the consumer, and so is also key to anything involved in digital transformation, including smart homes and wearables, he said.

“The internet of things [IoT] is going to be increasingly a bigger driver for CIAM, and there is a lot of nascent work being done by CIAM suppliers to make it easier for people to connect IoT devices to their consumer identity, and I think we will see a lot more of that in the next year or two,” he said.

The focus on the consumer is driving differences in the way CIAM is implemented from a technical point of view compared with traditional identity and access management (IAM), said Tolbert.

“Because CIAM systems are specifically tailored to consumer information, it means they are more scalable than many IAM systems, particularly the older, more siloed ones,” he added.

Although some more modern systems can be adapted to manage consumer identities, Tolbert said IAM systems tend to be more focused on access control and less well suited to progressive profiling of customers.

“Consumer-specific systems also tend to be cloud-based, which enables organisations to implement these systems faster than they could adapt existing IAM systems,” he said. “They also provide greater flexibility and can be scaled up and down according to demand.”

In the US, for example, most people update their details and choices with their health insurance companies only once a year, resulting in a “peak season” of high utilisation.

Attempting to adapt existing IAM systems that do not have the flexibility, extensibility or scalability required is a common pitfall of organisations seeking to benefit from CIAM, said Tolbert.

“Some organisations have incorrectly assumed that their traditional IAM infrastructure can handle a consumer-facing aspect,” he said.

In addition to flexibility and scalability, dedicated CIAM systems also tend to be designed in a way that helps businesses comply with the consent requirement of the EU’s General Data Protection Regulation (GDPR), he said.

“The GDPR requires organisations to collect explicit consent from each person for each purpose they intend to use the information collected, and most CIAM systems have pretty good consent collection and auditing capabilities,” said Tolbert.

And there are other regulatory regimes that CIAM can also help organisations with, he added, such as know your customer (KYC) and anti-money laundering (AML) at banks.

However, collecting information about customers means organisations also need to ensure the data is adequately protected to avoid news headlines about yet another personal data breach.

As well as risking loss of reputation and therefore customer and shareholder support, organisations risk sanctions under a growing number of data protection regulations, including the GDPR.

GDPR bandwagon

As a result, many CIAM providers are climbing on the GDPR bandwagon to win competitive advantage by claiming they can help organisations comply, he said.

But Tolbert said organisations should ensure they carry out the necessary due diligence before signing up to these services and that the organisation itself has all the required processes and safeguards in place.

“Regardless of suppliers’ claims about GDPR compliance, organisations need to understand that, ultimately, responsibility lies with them because they are collecting and storing the information,” he said.

Organisations should also use the move to CIAM as an opportunity to carry out privacy impact assessments required by the GDPR, said Tolbert.

This involves looking at what data organisations already hold about their customers and establishing whether consent has been given for that.

“If not, organisations will have to start building the processes for collecting consent, both retrospectively and going forward,” said Tolbert.

Real need for data?

But, at the same time, organisations should consider whether they really need the data they already hold, he said. “If it is not adding value, purge it and quit collecting it.”

Until now, many businesses have tended to collect as much information as possible in the hope that some of it may prove useful, said Tolbert.

But with consumer identity and personally identifiable information, the GDPR will force organisations to reconsider what information they are collecting and for what purpose, he pointed out.

“The bottom line is that CIAM is here, it is growing and there are things it can do to help business to achieve different kinds of organisational goals,” said Tolbert.

But he said it is important that organisations undertake proper due diligence in the process, whether they are doing it through a third party or building it themselves.

“And the GDPR should make people reconsider why they are collecting information on customers and what they are going to do with it,” he said.

“CIAM is an interesting intersection between new developments in the identity management technology space and in the regulatory space.”

Tolbert will address the topic in more detail at Consumer Identity World Europe 2017 in Paris from 27 to 29 November in a session entitled The future of identity management – is now.
