Customer identity access management
Customer (or consumer) identity and access management (CIAM) is a subset of the larger concept of identity and access management (IAM) that focuses on managing and controlling external parties' access to a business's applications, web portals and digital services.
The biggest difference between typical IAM and CIAM is that CIAM gives its users (consumers) significantly more control over their identity. Unlike traditional (or inside-out) IAM, which is generally driven by operational efficiency, CIAM is built on a user-first, outside-in approach that gives customers the agency to make changes to their security, privacy and personalization settings. 
At its most basic level, CIAM is a system for establishing and maintaining persistent customer data, authenticating legitimate users, denying access to threat actors and authorizing customers to access digital assets. While there is a vast number of additional functions that CIAM solutions can provide, they are secondary to external-facing authentication and authorization.
CIAM can be composed of a wide array of tools and applications, often combining software from multiple vendors to achieve the desired functionality. For this reason, businesses often take a phased approach to CIAM by implementing technologies that suit their most immediate needs rather than attempting to roll out a comprehensive solution.
Rather than being defined by a specific set of tools, CIAM is more accurately described based on its capabilities. Generally speaking, a CIAM environment includes:
- Identity administration
- User privacy and consent management
- Fraud prevention capabilities
CIAM solutions may also include but are not limited to: secured APIs, SDKs for mobile apps, single sign-on (SSO), social logins (BYOI) and fraud detection or behavior monitoring. CIAM environments are designed to scale far beyond the typical scenarios of internal IAM, with millions of concurrent users.
CIAM environments can also work alongside a Customer Relationship Management (CRM) system to provide personalized content or manage user behavior. The digital identities managed by a CIAM solution are used to give access to different business applications, portals and webshops. Because all these transactions are logged, the data can be used for profiling purposes. Transaction data can be correlated to the digital identities of the customers, and that data can be seen as a relevant component of CRM systems.
CIAM and cybersecurity
CIAM environments protect their owners from a different set of cyber threats than traditional IAM solutions. Financially motivated threat actors attacking a CIAM solution will steal services or make illegitimate purchases rather than ransom business infrastructure.
CIAM solutions are tasked with protecting customer accounts without significantly compromising a smooth or convenient experience. They do not have the benefit of dealing with internal users like employees, and thus CIAM environments are typically designed to contain self-service components for account maintenance or troubleshooting. For example, a CIAM customer might be able to easily reset their account's password through automated dialogues. However, this has led to self-service mechanisms becoming frequent targets for fraud schemes.
Because of this, many CIAM implementations are designed to authorize users based on their perceived level of trust, only enforcing a secondary step-up authentication when the user tries to take a particularly sensitive action.
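The following sketch is an added example, not code from any CIAM product, showing one way such a trust-based decision could be made. The action names, assurance levels, time windows and risk signals (an unknown device, a recent self-service password reset) are all assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Hypothetical assurance levels: 0 = anonymous, 1 = password, 2 = password + second factor.
REQUIRED_LEVEL = {              # constructed policy: action -> minimum assurance level
    "view_catalog": 0,
    "view_orders": 1,
    "place_order": 1,
    "change_email": 2,
    "add_payment_method": 2,
}
FRESHNESS_SECONDS = 15 * 60     # level-2 actions need a recent authentication
RESET_COOLDOWN = 24 * 3600      # a self-service reset lowers trust for a day


@dataclass
class Session:
    assurance_level: int        # level reached at the last authentication
    auth_age: int               # seconds since that authentication
    known_device: bool          # device previously seen for this account
    since_password_reset: int   # seconds since the last self-service reset


def decide(session: Session, action: str) -> str:
    """Return 'allow', 'step_up' or 'deny' for the requested action."""
    required = REQUIRED_LEVEL.get(action)
    if required is None:
        return "deny"           # unknown actions fail closed
    risky = (not session.known_device
             or session.since_password_reset < RESET_COOLDOWN)
    if risky and required >= 1:
        required = 2            # lowered trust raises the bar for any account action
    if session.assurance_level < required:
        return "step_up"
    if required == 2 and session.auth_age > FRESHNESS_SECONDS:
        return "step_up"        # second factor too old for a sensitive action
    return "allow"


if __name__ == "__main__":
    # Constructed session: password login an hour ago on a known device.
    s = Session(assurance_level=1, auth_age=3600, known_device=True,
                since_password_reset=10**7)
    for a in ("view_orders", "change_email", "export_everything"):
        print(a, "->", decide(s, a))
```

Browsing and low-risk account actions pass without friction, while a sensitive action, or any account action shortly after a self-service reset, triggers the secondary authentication step.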
Privacy and consent management
Because CIAM involves a user logging in, managing their profile and accessing services, CIAM solutions collect personally identifiable information. Privacy laws, such as the GDPR in the European Union, hold CIAM providers accountable for processing this kind of data, so providers have taken steps to restrict the processing of this data by implementing consent management services. For every data element, users can define whether a provider can process or transfer the personal data. For instance, a user can give or revoke consent to process transaction data for marketing purposes.
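As an added illustration (not taken from any consent management product), the sketch below records consent per user, data element and purpose in an append-only ledger and filters a profile before it is processed. The class, field and purpose names are hypothetical, and the profile data is constructed.

```python
from datetime import datetime, timezone


class ConsentLedger:
    """Append-only log of consent decisions per (user, data element, purpose)."""

    def __init__(self):
        self._events = []   # (timestamp, user, element, purpose, granted)

    def record(self, user, element, purpose, granted, when=None):
        # Revocation is a new event, never an edit, so the history stays auditable.
        when = when or datetime.now(timezone.utc)
        self._events.append((when, user, element, purpose, granted))

    def is_permitted(self, user, element, purpose, at=None):
        """Latest decision at or before `at` wins; no decision means no consent."""
        at = at or datetime.now(timezone.utc)
        decision = False
        for when, u, e, p, granted in sorted(self._events, key=lambda ev: ev[0]):
            if (u, e, p) == (user, element, purpose) and when <= at:
                decision = granted
        return decision

    def filter_record(self, user, record, purpose, at=None):
        """Return only the data elements the user allows for this purpose."""
        return {k: v for k, v in record.items()
                if self.is_permitted(user, k, purpose, at)}


if __name__ == "__main__":
    utc = timezone.utc
    ledger = ConsentLedger()
    # Constructed history: consent given in January, partly revoked in February.
    ledger.record("u1", "email", "marketing", True, datetime(2024, 1, 1, tzinfo=utc))
    ledger.record("u1", "transactions", "marketing", True, datetime(2024, 1, 1, tzinfo=utc))
    ledger.record("u1", "transactions", "marketing", False, datetime(2024, 2, 1, tzinfo=utc))
    profile = {"email": "u1@example.test", "transactions": ["order-1"], "address": "1 Sample St"}
    print(ledger.filter_record("u1", profile, "marketing",
                               at=datetime(2024, 3, 1, tzinfo=utc)))
```

Data elements with no recorded decision, such as the address here, are withheld by default, and the revocation applies to any processing that happens after it was recorded.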
Vendors primarily identify their products and services as CIAM components as a way to appeal to potential clients. CIAM is still relatively new as a market apart from IAM, and few providers offer comprehensive solutions, that is, ones that include all of the proposed functions of a CIAM implementation. Analysts are still divided on what the terminology includes, but it is generally accepted that CIAM represents an external and user-centric alternative to legacy IAM.
See also
- Digital identity
- Electronic authentication
- Federated identity
- Identity assurance
- Identity management
- Privacy by design
- Strong authentication