This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter’s approach.
Companies that sell products and services to consumers are collecting and storing massive volumes of customer data from not just POS, order management, customer service and e-commerce systems, but also mobile apps, social media feeds, online campaign forms and Web applications such as lead enrichment databases. As a result, new types of identity management systems have emerged to address the broader scale and risk of Web-based business processes and to give customers more control regarding how corporations use their data.
Enterprises today typically use Enterprise Identity Management Systems (EIDM). These applications were originally intended to manage employee profiles for risk management and to ensure that only certain employees could access certain data sets, depending upon their position and responsibilities.
EIDM uses an older, legacy technology that works amazingly well for this specific task. The core features include: enterprise single sign-on, web access management/web single sign-on, password management, directory management, user provisioning, federation and role-based access control. EIDM is all about automating repetitive tasks while providing visibility into who is accessing internal apps and why.
One downside of EIDM is that it runs into serious problems when a company attempts to use the technology to manage tens of thousands of profiles or more, which is the case for most good-sized consumer product companies. The technology, based on traditional or legacy directory or database stores, is not designed to deliver low latency at large scale, where a company might be managing millions of records with a large number of data attributes each.
EIDM systems are primarily designed for tracking and managing employee access to applications, not the external activity of protecting and managing customer identities to support business growth.
A newer class of identity management tool is often called Consumer Identity Management (CIDM). These systems, originally home-grown, were built on the premise that B2C companies need to worry more about access to customer data than about access to applications.
Here’s a common scenario that CIDM prevents: Each time a customer creates a profile through a different channel or application, a new record is created, expanding the customer “footprint,” so to speak. Without keeping all customer data in one place and the ability to apply proper controls and user preferences to specific data sets (that is, individual customers or segments of them), risk grows. There’s more opportunity for malicious insiders or external hackers to exploit customer data when sensitive information such as phone numbers, email addresses and credit card information is spread across multiple locations.
The reality of customer data living in silos also makes it harder for companies to have fruitful relationships with customers, because they lack a “single version of the truth.”
CIDM technology, which consists of identity data stores that are built to scale horizontally and integrate with modern application architectures and policy-based RESTful APIs, allows for the faster processing speed required to manage millions of profiles. Compared to EIDM, CIDM supports the sharing of profile data from multiple channels and multiple apps, which can drive new customer experiences and engagement models. CIDM can ultimately help companies better monetize their customer base through applying personalization.
Typically, CIDM allows consumers to manage their own profiles and designate which data will be shared with the company and how they would like to receive content (and which types) from the company. This process can occur from multiple channels, such as from the company’s website, social media accounts or at the cash register.
Whereas with enterprise ID management, the users (employees) have no choice about what data is provided and how it is used, with CIDM, the users (consumers) demand control of their data and proper protection. If they have doubts, they’ll go somewhere else.
To ease IT management, CIDM offers identity consolidation, which discovers multiple records for the same individual and combines them into one record. These systems can also provide adaptive access control: if, for instance, the system detects a suspicious login attempt (in the middle of the night, from a location not typical for the user), it adds a step to the sign-in process for added security.
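As an added example (Python written for this article, not code from the article or from UnboundID), the two CIDM features just described: consolidating one customer's records from several channels on normalized identifiers, then using the unified profile to decide whether a sign-in needs an extra step. The record layout, the 10-digit phone normalization and the two-signal step-up threshold are assumptions, and the sample records are constructed.

```python
# Added example, not code from the article or from UnboundID. Record fields, the 10-digit
# phone normalization and the policy thresholds are assumptions; sample records are constructed.
import re

def norm_email(email):
    return email.strip().lower() if email else None

def norm_phone(phone):
    digits = re.sub(r"\D", "", phone or "")
    return digits[-10:] if len(digits) >= 10 else None  # assumes a 10-digit national number

def consolidate(records):
    """Group records sharing a normalized email or phone (union-find over identifiers)."""
    parent = {}
    def find(x):
        return x if parent.setdefault(x, x) == x else find(parent[x])
    for rec in records:
        keys = [k for k in (norm_email(rec.get("email")), norm_phone(rec.get("phone"))) if k]
        for k in keys[1:]:
            parent[find(keys[0])] = find(k)  # link every identifier this record carries
    groups = {}
    for rec in records:
        key = norm_email(rec.get("email")) or norm_phone(rec.get("phone"))
        groups.setdefault(find(key), []).append(rec)
    return list(groups.values())

def unified_profile(group):
    """Single view of the customer: every country and local login hour seen on any channel."""
    return {"countries": {r["country"] for r in group}, "hours": {r["login_hour"] for r in group}}

def hour_is_unusual(hour, seen_hours, margin=3):
    # unusual when no earlier login fell within `margin` hours of this one (wraps at midnight)
    return all(min(abs(hour - h), 24 - abs(hour - h)) > margin for h in seen_hours)

def sign_in_decision(profile, attempt):
    """Adaptive access: one weak signal only notifies, two signals add an authentication step."""
    signals = []
    if attempt["country"] not in profile["countries"]:
        signals.append("unusual_location")
    if hour_is_unusual(attempt["login_hour"], profile["hours"]):
        signals.append("unusual_hour")
    return ("step_up" if len(signals) >= 2 else "notify" if signals else "allow"), signals

SAMPLE_RECORDS = [  # constructed: one customer seen through three channels, plus an unrelated one
    {"channel": "web", "email": "Ana.Silva@Example.com", "phone": None, "country": "US", "login_hour": 9},
    {"channel": "mobile", "email": "ana.silva@example.com", "phone": "+1 (415) 555-0101", "country": "US", "login_hour": 20},
    {"channel": "pos", "email": None, "phone": "415-555-0101", "country": "CA", "login_hour": 13},
    {"channel": "web", "email": "bob@example.org", "phone": None, "country": "US", "login_hour": 18},
]
```

Because the POS record carries only a phone number and the web record only an email, neither alone links to the other; the mobile record that carries both is what lets the three be merged, which is exactly the footprint growth the consolidation step is meant to contain.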
Considerations in deploying EIDM and CIDM
EIDM and CIDM solutions serve different purposes, although there is some overlap in access control, auditing, multifactor authentication and federation. Consumer ID management can handle some aspects of enterprise ID management, but EIDM is not well-equipped to handle large-scale consumer data management, as described above.
There are other reasons why EIDM is not ideal for consumer data management, including limited or no support for identity proofing, third-party social media login, just-in-time provisioning and adaptive access controls. You can use the following guidelines for deploying and managing identity management solutions:
* Optimizing EIDM. Enterprise IDM is about automating processes for managing account provisioning, access management, changes to account access and terminations for the purposes of giving the right access to the right people at the right time. Optimizing EIDM platforms hinges on working with HR, application, and operations teams to capture existing provisioning processes and understanding core elements for deployment.
Operations teams are under significant pressure to keep up with account access requests. Many of these tasks can be automated through an employee self-service portal. Centralizing access management simplifies and speeds up the process by which employees log in and request access to applications. Active accounts of terminated employees pose a significant risk to the enterprise; partnering with HR to automate terminations will significantly improve these processes and reduce the risk of unauthorized access. Finally, automating reports for audit groups and providing access to data prior to the actual audit will save precious time and resources.
* Optimizing CIDM. Because CIDM platforms manage more data from more channels and are linked to customer experience, there’s a higher bar for performance than with EIDM systems. Availability and low latency are especially critical, and can affect results and brand if employees cannot access customer data in a timely manner for support or sales activities.
What’s more, customers demand quick response times for updating their own profile information (read: instantly). This can be achieved through proper instrumentation: a real-time view into system state using full-stack tracing will help you meet the desired service-level agreements for uptime and optimize the user experience. Consumer ID management should be both compliant and revenue-generating, so it requires high scalability built on carrier-grade Internet infrastructure.
There are two core deployment options for CIDM. In the first, a broker model pulls data from many systems and creates a single view of the customer where IT can apply controls for access, security and preferences. The separate systems continue to exist and operate. This model is fine for the interim, but a best practice is to move to an aggregated or federated model to reduce vulnerabilities, eliminate silos of data and simplify controls. The federated model compiles all data from different systems into one central repository during the implementation phase. This simplifies the process of creating a rich, unified profile for each customer, which ultimately can drive better service and personalization to grow the business.
The final analysis
Enterprise identity management systems deliver the capabilities for risk management concerning employee access to applications and can save IT operations staff a lot of time. Employees benefit from a simpler login process and self-service portals that minimize time away from their core job function.
For large enterprises that collect, analyze and store consumer data, consumer identity management systems are the thread that ties together marketing activities, security and privacy needs, standardization efforts and governance. In many respects, a CIDM can help a company strike a balance between protection and access, which in the end should build trust with customers and still allow the business to pursue its revenue goals.
Aannestad is Director of Product Management at UnboundID.