(By Biju Mathew)
At the heart of a good IAM program resides the elixir of any digital transformation objective—seamless customer experience. Identity and access management (IAM) is not just a function of enterprise security; but also a strategic business initiative that impacts customer experience, revenues, and costs.
It is the discipline of managing access to enterprise resources with risk as one of its primary focus areas. User demand is evolving IAM from a compliance-based program into an effective business-enabling program. It enables new services to be made available on digital channels, with services such as, biometric identity proofing. It has metamorphosed from a mere employee-related program to scale the entire technology landscape across customers, partners, partner services, devices, and the Internet of Things.
A robust identity management program should address security concerns and enable digital transformation. It must ensure customers have seamless experiences while interacting with an enterprise’s digital assets, provide security infrastructure that allows API-based partner service integration, address security and privacy requirements with customer experience at its center, and remain developer-friendly.
A robust IAM program that propels digital transformation initiatives should include the following key aspects.
Implementation plan with customer outcomes
First and foremost, implementation plans should not just be IAM product centric, but should consider customer outcomes. Such a plan, with no correlation to the impact on the customer journey needs to be seriously reconsidered. A case in point—see below a high-level plan that is just IAM Product centric, without any mention of customer outcomes.
- Access management—Q1 plan: Install SSO & MFA solution
- Q2 plan: Extend solution to App1
- Q3 plan: Extend solution to App2
In such cases, I would recommend creating a service blueprint, which will give a view of customer interaction with digital and physical assets and underlying processes.
Security that enables API monetization
Let us consider a scenario where an e-commerce website requires a user to place orders on an app and mandates that the users track order deliveries on a separate app provided by a logistics provider! That would be almost unacceptable from an end-user perspective.
If an enterprise is a logistics API provider in the financial services space, it will need to have an IAM solution that enables it to be a relying party. This means that this provider will need to trust the API consumer to which the user would have got authenticated.
In this scenario, the logistics API provider will use the user identity provided by the consumer. Hence, having an identity ecosystem built as a relying party to a third-party identity provider, and having the option of being an identity provider to a third party is critical.
Staying on the topic of APIs, access control of service-to-service is an area that needs attention. Initially, there could be very few services. However, over time this could increase; hence, having a comprehensive strategy managing access control between services is critical.
OAuth2 and OpenID Connect (OIDC) keeps the services/application solutions secure with seamless customer experience.
Effective consent and subject right request management
Consent management and subject right request (SRR) can be complicated topics.
When it comes to consent from an end-user experience perspective, it shouldn’t be about displaying long, verbose legalities provided by lawyers, which the user has to accept or deny, or worse, just accept (without questions asked). Consent management could be turned around as a mechanism to increase customer loyalty by educating customers about consent. Enterprises can take the next step by creating a rewarding opportunity for ‘consenting’ users through redeemable loyalty points. Syncing a customer-360 solution with a consent management system on time will be of great value—for security and personalization.
Concerning SRR, designing a system that can accept requests from multiple channels without disenfranchising any segment of users, ensuring requests are acknowledged, and providing visibility of fulfillment will go a long way in building customer trust in a brand.
Flexible customer authentication and authorization service
Applications, such as smart TVs and kiosks in stores/airports that run on internet-connected devices are becoming rampant. These devices struggle to handle complex user inputs such as credentials, and many don’t even run browsers. Having an identity management program to address such uses cases should be factored in. OAuth2.0 device flow tries to address this need. Passwords (as much as we hate them) will continue for some time until WebAuthn becomes mainstream. Having an authentication service that supports multi-factor authentication (MFA) and graceful degradation and recovery to address customer situations such as losing smartphones should be considered.
Having a fine-grained authorization solution externalized from the application code to gain customer consent and logging of access to sensitive data will be imperative to meet privacy requirements set out by GDPR, CCPA, and the likes.
A great IAM solution that is not developer-friendly could be detrimental to an enterprise’s transformation speed. Having authentication, access management, and identity management as a service with SDKs and reference implementation for developers will be vital to driving developer productivity. However, if each application project discovers and works towards plugging into these services independently, it will be detrimental to digital transformation speed.
Finally, over time, the customer identity management landscape in any organization could have organically grown with various departments holding ownership of different segments within the entire IAM journey. Acknowledging this framework and reevaluating internal ownerships is important, given the objective of seamless customer experience. In many circumstances, teams across product, security, and digital marketing tend to use different outcomes and metrics. Arriving at a common set of outcomes and metrics through collaboration will ensure that IAM programs accelerate towards security and privacy objectives, keeping the core digital transformation objective in mind—seamless customer experience.
(VP Industry Solutions Group, Mphasis)