7 - Selecting a CIAM Solution
CIAM has been recognized as a distinct category of identity and access management since 2015. Not surprisingly, the list of vendors in the space is growing. But not all solutions are created equal. There are several considerations when evaluating CIAM solutions for your organization. Generally, you want a solution that:
Offers scalability and elasticity to accommodate growth, even to hundreds of millions of customers.
Provides flexible deployment options (including cloud, on-premises or as a PaaS).
Requires minimal operational staff by giving responsibility to the vendor for maintenance, certificate management, etc.
Centralizes security and administration, so app development teams aren’t burdened with security, scale or other CIAM concerns.
Eases migration of data from your existing, disparate identity silos into a unified profile (using advanced migration and data synchronization capabilities).
When evaluating vendors, there are the obvious considerations of experience, financial viability and customer references. But selecting a CIAM vendor also requires a deep dive into the solution’s purpose, its capabilities and future direction. There are several questions you should ask before choosing a CIAM solution:
How complete is the solution?
Many CIAM solutions offer surface-level features that cater to marketing and business teams. These teams may not be equipped to fully evaluate the technological capabilities and fit of a solution. It’s imperative that you involve IT teams early to assess a solution’s scalability, security and ability to work with your existing applications and infrastructure.
Does the vendor have flexible deployment options?
Many enterprises, particularly larger ones, simply aren’t ready for full cloud migrations of all of their customer identity data. Based on your situation, you’ll want to know how well a solution meets your deployment needs for cloud, on-premises or a hybrid environment.
Does the vendor have a customer MFA solution?
Customer credentials can be exposed in a number of ways that are outside of your organization’s control. MFA solutions are becoming a requirement to increase your defense against compromised customer credentials. But finding a workable solution is key. Customers don’t want to download a third-party MFA app, and certain second factors, such as SMS, can be insecure. You’ll want to prioritize vendors who offer customer MFA solutions that balance security and convenience.
Can the vendor help create a unified customer profile?
Organizations often have customer identity data stored in disparate user stores. CIAM solutions should facilitate creation of a unified customer profile by migrating or synchronizing customer identity and profile data from any source. The unified profile must be secure, scalable, able to store unstructured data and accessible to all applications through REST APIs. A solution should not require the organization to clean up its own data before doing a batch migration into a CIAM vendor’s directory.
How will the vendor secure my customer identities?
Securing your customer identities is a crucial part of CIAM. There is a long list of security best practices and capabilities that CIAM vendors should have. These include secure data encryption in every state, passive and active alerts, and customer MFA, among others. All vendors will position their solution as secure, but it’s imperative that your security or IT team evaluate the specific security capabilities of a CIAM solution to make an informed decision.
Can the vendor scale to meet your growing customer needs?
As your customer base grows, CIAM scale becomes vital. The solution should be able to manage tens or even hundreds of millions of customer identities and billions of attributes. Also look at the vendor’s ability to handle peak usage scenarios at large scale. Make sure that any vendor you engage has referenceable customers that match the level of scale you’ll need in the next few years.
Will the vendor implement the solution?
Will you need to hire a team of experts to implement and maintain the solution? If the vendor doesn’t have the resources you need for implementation, do they have a strong partner ecosystem to help you? Ask these questions to ensure you choose trusted IT pros to work with your team.