White Paper

cIAM in the Cloud: What’s in it for You?

Upload: gigya

Post on 14-Aug-2015


The New Challenge for IT

The demand from business leaders for technologies that leverage the massive amount of data now being generated by customers online is having a dramatic effect on the role of IT. Safely bringing this data into established business systems has presented challenges that are being addressed by players in some familiar spaces—like legacy Identity and Access Management (IAM)—and by newer providers that are leveraging virtualization and cloud computing to solve issues surrounding cost, scalability, and security.

Some legacy IAM providers claim to have the pedigreed background to solve these challenges, but there are significant differences between managing corporate data resources and managing customer-generated data:

• Scale and scope: The largest on-premise IAM systems must accommodate users and devices that number in the hundreds of thousands—occasionally millions—but managing the amount of data that comes exclusively from outside the organization can easily increase those numbers one hundred-fold. Also, legacy IAM solutions are designed to integrate primarily with internal applications and processes in order to simplify and enhance the employee or partner experience. Managing customer identities entails integration with a vastly different set of applications that have completely different functionalities and purposes.

• Data structure: Legacy IAM systems are typically built on highly structured data schemas, but much customer-generated data is relationally unstructured. So-called “exhaust data”—generated by the billions of activities performed by online users every day—is ubiquitous already, and the volume of this type of data will only increase as we move into the age of the Internet of Things (IoT). In order for these unstructured attributes to have value, they must be normalized so that they can be queried alongside structured data.

1.44 BILLION

Facebook—the largest social network provider in the world—had 1.44 billion monthly active users as of March 2015.

2.2 MILLION

Wal-mart Stores—the largest employer in the world—employed 2.2 million people during fiscal year 2014.

• Security: Established perimeter-based security measures used by legacy IAM providers have proven less effective when handling customer identity data that must interact with multiple third-party service and identity providers, since profiles must maintain their integrity even as they are continually amended.

These and other issues have given rise to new kinds of solutions for managing customer data. Customer Identity and Access Management (cIAM) is a new way to approach the challenge of leveraging the increasing onslaught of first- and third-party data.

What’s In cIAM For Me?

Increasingly, IT leaders are assuming a kind of “service broker” role, leading the charge to new growth by connecting their businesses to customers in increasingly complex ways. Identity and Access Management is what enables many of these strategies—not an esoteric concept for anyone running a large IT department. The difference is this: whereas managing user identities from a legacy IAM perspective is essentially a cost, managing customer identities can (and should) lead to increased revenue. It’s a challenge that must be met in order to compete, and meeting this challenge can add tremendous value to the role of IT in the company at large. To do this, until recently, IT executives have had to decide between repurposing a legacy IAM system to accommodate customer identities or building a solution themselves from the ground up. Fortunately, a third option is now available that can be implemented quickly and with relatively low up-front costs: the purpose-built cIAM platform.

“Increasingly, successful information governance is about advocating the use of information as a source of value, not just controlling and monitoring it.”

— Deb Logan, Gartner Analyst†

†Gartner Press Release, “Gartner Says CIO and CDOs Must ‘Digitally Remaster’ Their Organizations,” February 2, 2015, http://www.gartner.com/newsroom/id/2975018

Here are some of the key functions that a well-designed cIAM system should offer:

• Enhanced user experience: Self-service registration and password management plus single sign-on access across sites and properties reduce friction and drive customer engagement.

• Valuable customer insights: Omni-channel data synchronization maintains a single, definitive customer view—gained through functionality such as progressive profiling—providing a deeper understanding of customers and building trust over time.

• Security and compliance: API-focused, transactional security, data encryption and redundancy, plus automatic compliance with social network privacy policies and governmental regulations keep businesses safe and compliant in an ever-changing marketplace.

A cIAM platform that is cloud-based can offer further benefits, like plug-and-play integrations, instantly scalable architectures, and a notable absence of software updates and patches tying up your administrators’ time. But possibly the most valuable benefit is a streamlined deployment process that supports agile strategies by drastically reducing the development costs associated with custom integrations. A comparison between on-premise and cloud provider use cases can be stark, with many “do-it-yourself” deployments stretching on for more than a year, versus time-to-market in as little as two weeks with a competent cloud-based cIAM provider. Factor in the cost of licensing, new hardware and additional IT resources for coding and administration, and “do-it-yourself” starts looking more like “do-yourself-in”.

WHY CLOUD?

Cloud computing offers real advantages for enterprise cIAM deployments, some of which include:

• On-demand scaling

• Reduced CAPEX

• Streamlined deployment and administration

• Quick and easy access to new software releases without installs

• Cloud-evolved, Identity-based security measures that focus on securing API interactions

Will it Break my System?

At the center of your enterprise is a huge investment in ERP, data centers and other key business systems. Augmenting those systems means that you must assess both new risks and rewards. It’s understandable that many IT professionals avoid making drastic changes to their systems. After all, large-scale business systems have custom integrations with internal applications and strong security measures built into the deepest levels of their architecture in order to protect precious data assets. What’s more, billions are spent every year to make sure that data is always available. In the case of customer identity management, however, there may be significant advantages to offloading the burden of safely managing first-party data to a specialist cloud provider with a dynamic schema database designed to deal with both structured and unstructured data.

For one, cloud technology offers superior performance for connecting multiple APIs in a multi-tenant environment. Extreme operational flexibility is another compelling factor, as is built-in software integration that allows even very large organizations to be more agile and flexible. Finally, with a cloud-based cIAM solution, customer and internal data assets remain discrete, so a breach at any point is less likely to significantly impact operations.

CLOUD-BASED cIAM CAN DELIVER OUT-OF-THE-BOX INTEGRATION WITH THESE TYPES OF TECHNOLOGIES:

• Content Management (CMS)

• Customer Relationship Management (CRM)

• Data Management (DMP)

• Extract, Transform and Load (ETL)

• Identity Verification

• Marketing Automation

• On-Site Application Enhancements

• Recommendation Engine

• ECommerce

• Email Service (ESP)

Security Always Matters

Any assessment of a new identity management solution must include a careful look at security. There are some key differences between the approaches used by on-premise versus cloud providers.

The State of Cloud Security

Cloud and on-premise solutions face the same types of attacks and breaches. According to a 2014 Alert Logic Cloud Security Report, overall attacks remain much more likely to occur in on-premise environments than in the cloud. However, the frequency and volume of breaches such as vulnerability scans and application, malware and botnet attacks are indeed on the rise in cloud-based environments. This is likely due to wider adoption of cloud-based over on-premise solutions in recent years, as well as the migration of “higher value” data into private and public clouds.

In response, cloud providers increasingly strive to build strong security measures into their core architectures. Still, industry adoption of best-practice approaches is currently sporadic. For instance, the SOC2 Type II standard for data center hosting specifies that data be encrypted in-flight and at-rest in a cloud-hosted environment, and transmitted only via secure channels. At this point, in-flight encryption is ubiquitous but at-rest encryption is far from universally employed, something to consider carefully—especially when comparing cIAM solutions.

A Better Way to Protect Identities

Both traditional IAM and cIAM rely on controlling users’ access to resources. However, as cloud adoption increases and mobile access explodes to include wearables and other connected “things”, more processes are tapped through API calls. Identity-based, API-focused approaches to security are increasingly proving to be the best fit for systems incorporating technology that enables one-to-one customer experiences. Cloud-based cIAM platforms at their core rely on this type of security to safeguard data as opposed to strategies such as firewalls, which tend to control access for whole classes of users.

Identity management solutions that were born in the cloud use identity-based security policies that have evolved with cloud technology. API-based protocols used by social networks and other identity providers have a largely open-source background, which has allowed them to adapt to changing processes and threats in a relatively agile fashion. As it stands, when working with self-provisioned identities, best practices indicate that each transaction should carry within it the attributes required to authenticate and authorize users.

Safe in Use

Since leveraged customer data will typically be acted on at many endpoints, it is important that a cIAM solution has strong authentication, authorization and auditing policies in place. Some of the authorization and authentication protocols that have been widely adopted to ensure safe API transactions include OAuth 2.0, OpenID Connect, and SAML. The OAuth 2.0 protocol token-exchange procedure—employed at present by many social networks—excels at authorizing transactions end-to-end. However, in a cIAM context, OAuth must also incorporate a method to authenticate identity data so that permissions can be determined, hence the wide adoption of the OpenID Connect authentication protocol that is typically employed on top of OAuth. The SAML standard, by contrast, attaches an XML assertion document containing detailed profile data to each transaction, binding social and other unstructured profile data with internal data attributes via a trusted connection. Most importantly, the standard must be in place at both ends in order for transactions to be approved.
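What “authenticating identity data on top of OAuth” means in practice is verifying the OpenID Connect ID token before trusting the identity it carries, not merely decoding it. The following is an added example, not code from the white paper, from Gigya or from any OIDC library: it mints and then validates an HS256-signed ID token, and the issuer, client id, shared secret and nonce are constructed placeholders so it runs offline.

```python
"""Validate an OpenID Connect ID token before trusting the identity in it.
An OAuth 2.0 access token says what a client may do; the ID token is what
authenticates who the user is, so signature and claims must be checked.
Added example: HS256 with a shared secret; issuer/client id are assumed."""
import base64
import hashlib
import hmac
import json
import time

ISSUER = "https://idp.example"      # assumed identity provider
CLIENT_ID = "my-web-app"            # assumed audience (our client id)
SECRET = b"shared-client-secret"    # assumed HS256 signing key


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: dict) -> str:
    """Stand-in for the IdP: build an HS256 JWT from the given claims."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    mac = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256)
    return f"{header}.{body}.{_b64url(mac.digest())}"


def validate_id_token(token: str, expected_nonce: str, now=None) -> dict:
    """Return the claims if every check passes, otherwise raise ValueError."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, body, sig = parts
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")       # never accept alg=none
    mac = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256)
    if not hmac.compare_digest(mac.digest(), _b64url_decode(sig)):
        raise ValueError("bad signature")         # verify before reading claims
    claims = json.loads(_b64url_decode(body))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != CLIENT_ID:
        raise ValueError("wrong audience")        # minted for another app
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")        # ties token to this login
    return claims
```

A production deployment would verify the provider’s RS256/ES256 signature against its published JWKS instead of a shared secret; the claim checks are the same.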

Safe at Rest

Encrypting certain first-party data fields is crucial in a cIAM environment. In order to ensure safety for at-rest data, usernames, emails, friends’ names and emails, as well as any other personally identifiable information (PII) should always remain encrypted when stored and transmitted. It’s also important that strong roles and permissions policies are in place so that administrators can maintain tight control over user access, and robust audit logging is vital for tracking errors and bugs in the system.

Finally, risk-based authentication, also known as adaptive access or adaptive authentication, is quickly becoming the standard for self-service profile and password management. This method minimizes friction for users by evaluating risk on each login instance and triggering a two-factor authentication only when necessary. For example, if a user attempts a login to a service provider from an unrecognized device, he or she might be prompted to verify their identity via an email or text message in order to gain access. As the IoT grows in scale and complexity, this methodology will become increasingly important for practically all digital transactions.

THREE CONCEPTS THAT UNDERPIN FORRESTER’S “ZERO TRUST” DATA SECURITY MODEL

S&R Pros Must:

• Verify and secure all resources regardless of location.

• Limit and strictly enforce access control across all user populations, devices/channels, and hosting models.

• Log and inspect all traffic, both internal and external.

“The Future Of Data Security: A Zero Trust Approach” by John Kindervag, Heidi Shey, and Kelley Mak, Forrester Research, June 5, 2014
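A minimal form of the risk-based login decision described above, added here as an example that is not from the white paper or from Gigya’s platform: each login is scored from a few signals, a second factor is requested only when the score crosses a threshold, and a device that passes step-up is remembered so the next login from it is frictionless. The signal names, weights and thresholds are assumptions for illustration.

```python
"""Risk-based (adaptive) authentication: score each login from a few
signals and require a second factor only when the score warrants it.
Added example; signal names, weights and thresholds are assumptions."""
from dataclasses import dataclass, field


@dataclass
class LoginAttempt:
    user_id: str
    device_id: str            # e.g. a device-bound cookie or app install id
    country: str              # from geolocation of the client address
    failed_attempts: int = 0  # recent failed logins on this account


@dataclass
class UserHistory:
    known_devices: set = field(default_factory=set)
    usual_countries: set = field(default_factory=set)


def risk_score(attempt: LoginAttempt, history: UserHistory):
    """Sum weighted signals; the reasons list is what goes in the audit log."""
    score, reasons = 0, []
    if attempt.device_id not in history.known_devices:
        score += 40
        reasons.append("unrecognized device")
    if attempt.country not in history.usual_countries:
        score += 30
        reasons.append("unusual country")
    if attempt.failed_attempts >= 3:
        score += 30
        reasons.append("repeated failures")
    return score, reasons


def decide(attempt, history, step_up_at=40, deny_at=90):
    """'allow' the login, 'step_up' to an email/SMS code, or 'deny' outright."""
    score, reasons = risk_score(attempt, history)
    if score >= deny_at:
        return "deny", reasons
    if score >= step_up_at:
        return "step_up", reasons
    return "allow", reasons


def on_step_up_verified(attempt, history):
    """Once the user proves control of their email/phone, trust this device
    and location so the next login from them carries no extra friction."""
    history.known_devices.add(attempt.device_id)
    history.usual_countries.add(attempt.country)
```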

What About Privacy Compliance?

GfK’s recent survey of 1,000 U.S. citizens found that 88 percent of respondents are at least “a little” concerned about the privacy of their personal data. Going further, 49 percent of respondents said that they were “very much” concerned about data privacy, and 59 percent said that their concern had risen over the past year. Make no mistake, those percentages will continue to rise as consumers assume more responsibility for their own digital identities. Privacy matters more than ever, and should definitely be prioritized when choosing customer identity management solutions. One benefit offered by some cIAM platform providers is auto-compliance. Working with data that is user-provisioned means you must stay in compliance with all social network privacy policies (which change often), as well as with governmental regulations that apply to any service that interacts with that data. Maintaining this level of compliance on an ongoing basis is a risky and time-consuming task for an IT organization, and another argument for choosing a service-based cIAM platform over DIY.

Conclusion & Takeaways

• Many revenue-driving technologies rely on customer identity management functionality that is outside of the scope of legacy IAM.

• A cloud-based cIAM platform offers a streamlined deployment that shortens time-to-market.

• Cloud cIAM scales easily and enables faster and easier integration with tech that helps you to monetize your customer data.

• API-based security ensures more secure transactions end-to-end.

MOST IMPORTANT FACTORS FOR CONSUMERS CHOOSING WHO TO DO BUSINESS WITH (chart):

• Data Security: 88%

• Product Quality: 86%

• Customer Service Experience: 82%

© 2015 Gigya, Inc. | 2513 Charleston Road #200, Mountain View, CA 94043 | T : (650) 353.7230 | www.gigya.com

Gigya, the Gigya logo, and Customer Identity Management Platform are either registered trademarks or trademarks of Gigya Incorporated in the United States and/or other countries. All other trademarks are the property of their respective owners. Gigya does not own any end user data or maintain any other rights to this data, other than utilizing it to make Gigya’s services available to our clients and their end users. Gigya acts as an agent or back-end vendor of its client’s website or mobile application, to which the end user of our client granted permissions (if applicable). Gigya facilitates the collection, transfer and storage of end user data solely on behalf of its clients and at its clients’ direction. For more information, please see Gigya’s Privacy Policy, available at http://www.gigya.com/privacy-policy/.

Rev: Gigya_White_Paper_cIAM_In_The_Cloud_062015

The Leader in Customer Identity Management

About Gigya

Gigya’s Customer Identity Management Platform helps companies build better customer relationships by turning unknown site visitors into known, loyal and engaged customers. With Gigya’s technology, businesses increase registrations and identify customers across devices, consolidate data into rich customer profiles, and provide better service, products and experiences by integrating data into marketing and service applications.

Gigya’s platform was designed from the ground up for social identities, mobile devices, consumer privacy and modern marketing. Gigya provides developers with the APIs they need to easily build and maintain secure and scalable registration, authentication, profile management, data analytics and third-party integrations.

More than 700 of the world’s leading businesses such as Fox, Forbes, and Verizon rely on Gigya to build identity-driven relationships and to provide scalable, secure Customer Identity Management.

For more details about Gigya, visit www.gigya.com or call us at 650.353.7230.