E-book | Expanding the purview of Consumer focussed IAM
With the advent of the General Data Protection Regulation (GDPR) and its impact worldwide, a strict regulatory environment is shaping up. Businesses need to take a close look at consumer/customer-facing IAM practices. The return on investment (ROI) of Identity Management capabilities must be viewed as one of the best practices in safeguarding against user/consumer data theft.
Putting in place the safeguards associated with consumer/customer data is becoming crucial for businesses to operate. The most recent example is the General Data Protection Regulation (GDPR) deadline, which conveys that consumers have a say in the information demanded by businesses. With the technology boom, the traditional service delivery model has shifted to digital processes. With this, the role of the customer has also been transformed from a purely physical entity to a consumer who interacts with a business remotely to gather insights and use an array of services. This necessitates cyber / internet-based identity management. It has mandated businesses to manage, govern and secure customers’ access to systems and data while ensuring an unflinching digital experience. This experience consists of techniques, processes and tools to manage users’ digital omnichannel interactions, and is packed with various aspects of identity and access management for consumers, widely known as Customer Identity and Access Management (CIAM). CIAM is a technological solution that provides a mechanism to store customer profile data and authentication services, along with helping to manage identities and secure data across all channels, digital and non-digital. CIAM platforms offered by various vendors include SaaS, PaaS, on-site deployment as well as cloud-based deployment according to the unique requirements of each firm. It acts as a catalyst to connect marketing, business, and security teams and forms an essential part of B2B interactions. When the purview is limited to the cloud, the concept of CIAM can be adopted as a user-management-as-a-service module.
The market value of CIAM is expected to grow to US$ 18.3 billion by 2019, according to a Markets and Markets Identity and Access Management Report. Data production is estimated to be 44 times greater in 2020 as compared to 2009. In addition, experts estimate a 4,300 percent increase in annual data generation by 2020, according to a CSC report’s projection.
The benefits of identity management in achieving compliance have been stated time and again. The practice takes the shape of identity provisioning with B2C identity management capabilities. Businesses are increasingly seeking insights related to data created on digital platforms with web-based consumer engagement. These trends usher in a new era of consumer-managed data, driven through a framework of personal identity and data management. All this will be addressed while addressing the tools, technologies, responsibilities and requirements that customer insights (CI) will incorporate to build trusted relationships with users. Given the business dynamics in the digital arena, CIAM will act as a catalyst to connect marketing, business, and security teams, forming an essential part of B2B and B2C interactions. Compliance with the clauses of the General Data Protection Regulation is becoming increasingly crucial.
Table of Contents
Section 1 Introduction to Consumer Identity and Access Management (CIAM)
Understanding Regulations to support the adoption of CIAM
Section 2 CIAM Lifecycle
Customer IAM – a crucial component for digital customer experience
Section 3 Solution, Integration and Components
Concept of CIAM Integration
Components of CIAM
- Customer analytics to help in business growth
- Big Data Management that goes beyond ‘Brick and Mortar’ templates
- Streamlining Processes for Secured User Experience
Section 4 How Avancer can add value to your CIAM initiatives
Introduction to Consumer Identity and Access Management (CIAM)
Consumers’ digital interaction with the business is a source of insights for businesses, and it is but natural for businesses to capture consumer insights. Consumer-managed data, driven through a framework of personal identity and sensitive information, needs to be safeguarded. Identity and Access Management (IAM) has its services focused on employee use cases, while outward-facing consumer-centric Identity Management (including identification, authentication and authorization of the customers, their devices and organizations) needs equal attention. It is becoming crucial to set up checks and controls as the GDPR deadline approaches.
Consumer or Customer Identity and Access Management (CIAM) is a solution to facilitate storing, processing, monitoring, and managing customer profile data and authentication services, along with helping to manage identities and secure data across all channels, digital and non-digital. Given the business dynamics in the digital arena, CIAM solutions act as a catalyst to connect marketing, business, and security teams, and form an essential part of B2B interactions.
The regulatory paradigm around consumer-driven interactions has run in parallel with the expansion of digitization. Paving the way for systems and processes for CIAM-enabled digital businesses, the Payment Card Industry Data Security Standard (PCI DSS) recognizes the threats facing the industry and sets a standard for digital data transfer in outward-facing transactions. This is just one of the regulations for e-commerce transactions; the future will see incremental revisions and newer regulations to cover threats in the payment landscape and to user data, helping businesses adopt and maintain standards as a business practice.
The General Data Protection Regulation (GDPR) aims to do just that: compelling businesses to take a step towards protecting consumer information by making use of monitoring technologies and integrating checkpoints. This mandates businesses to manage, govern and secure customers’ access to systems and data while ensuring an unflinching digital experience. The European Union has enforced GDPR on all entities that capture user data, and defaulters will be penalized after the deadline of May 25, 2018. European data protection regulation is going to impact global practices with respect to handling consumer data. While most businesses are looking to place temporary fixes, safeguarding consumer data in Europe will set the stage for data safeguards globally, pushing businesses to examine harmful user management practices.
CIAM recognizes that the consumer’s interaction with services from digital channels is mostly online. Thus, while developing IAM capabilities, the consumer must be the focal point, along with user experience, security and scalability, rather than technology, standards and products. The process facilitated by CIAM, which connects the backend system with the consumer community logging in to the enterprise IT system through individual (or social) accounts, must be seamless and secure. Such functionality is becoming omnipresent and is essential for marketing, banking, e-commerce, online transactions, and so on. This needs a step forward in IAM practices for consumers.
Understanding Regulations to support adoption of CIAM
PCI DSS is a widely accepted set of policies and procedures intended to optimize the security of credit, debit and cash card transactions and protect cardholders against misuse of their personal information. PCI DSS is a set of security standards designed to ensure that all companies that accept, process, store or transmit credit card information maintain a secure environment.
The standard was agreed upon by the major card brands as a common, consistent and secure process for a minimum level of protection to safeguard card data and customers. The PCI DSS requirements for 2018 specify a list of mandatory requirements, of which the 6 control objectives are:
- Build and maintain a high-security network
- Protection of cardholder information
- Maintenance of vulnerability management program
- Secure access control measures
- Restricting of physical access to cardholder data
- Regular monitoring & testing of networks and maintaining an information security policy
The requirements introduced in PCI DSS 3.2 became effective 1 February 2018. PCI DSS 3.2 includes clarifications to existing requirements, new or evolving requirements, and additional guidance. While the PCI DSS compliance checklist looks at the biggest payment security challenges facing organizations, the introduction of deadline-driven GDPR regulations across borders can impact businesses and command high penalization costs.
E-Commerce Security
The PCI Security Standards Council offers robust and comprehensive standards and supporting materials to enhance payment card data security:
- Secure network for CC processing
- Secure cardholder data
- Access control measures
Despite advances in the state of global compliance, hackers continue to pose a great threat. With no slowdown in sight, the effectiveness of the PCI security policy and PCI DSS continues to be the most important topic. PCI DSS self-assessment is a stated need for businesses. The purview of information possessed by business houses across consumer-facing businesses has reached a new benchmark with GDPR: failure to comply will result in fines up to 4% of annual global revenue or Euro 20 million, whichever is greater. In addition to establishing swift checks, any rival poaching data to create ‘data passports’ that let consumers collect personal data from multiple sources needs to be checked and deleted. That is the strategic side of it; at the technological level, it needs a clear look at processes, regulations and possible technical solutions. Although the cost of PCI DSS compliance is considered huge, implementation of the correct processes can make PCI DSS compliance reasonable even for small businesses.
Read more by downloading E-book | Expanding the purview of Consumer-facing Identity and Access Management
Regulatory Environment around CIAM Solutions
Many regulations are in place that require organizations to harness IAM technology; violations of regulatory compliance often result in harsh penalization. Regulatory requirements specific to e-commerce do not just discourage the practice of selling data. Going forward, most online practices and e-commerce regulations from 2018 onwards need to be forward-looking. Some of the most important ones, with their corresponding solutions, are listed below for your ready reference:
| Regulation | Industries | Requirements | IAM Solutions |
|---|---|---|---|
| Payment Card Industry Data Security Standard (PCI DSS) | All industries that process payment card transactions | Focus – E-Commerce Security. The PCI Security Standards Council offers robust and comprehensive standards and supporting materials to enhance payment card data security, including a secure network, secure cardholder data, and proper access control measures | Access Management – Centralized authentication that ensures a single ID for each user; Password Management. Identity Management – Provisioning and role policies to set access control |
| Sarbanes–Oxley Act of 2002 (SOX) | Finance, Banking, Insurance | Focus – Internal controls on financial reporting. Section 302: Companies must safeguard their data responsibly to ensure that financial reports are not based upon faulty, tampered or highly inaccurate data. Section 404: Safeguards listed in Section 302 are verifiable by independent auditors | Access Management – Centralized authentication, Single Sign-On (SSO). Identity Management – Role-based policies for account provisioning, de-provisioning and approval process. Privileged Identity/Access Management (PAM/PIM) – Enforce tighter security rules and role-based policies for privileged accounts. IAM Auditing – Capture all user actions and system responses |
| Gramm-Leach-Bliley Act (GLB) | All financial institutions | Focus – Information Security. The Gramm-Leach-Bliley Financial Modernization Act, enacted in 1999, mandates all financial institutions to safeguard customer data from internal and external threats. Key requirements are to protect and maintain confidential information of customers and to protect against any threats to customer information | Privileged Identity/Access Management (PAM/PIM) – Enforce tighter security rules and role-based policies for privileged accounts |
| Health Insurance Portability and Accountability Act (HIPAA) | Healthcare, Life Sciences | Focus – User Access Rights. HIPAA ensures national standards to protect the privacy of personal health information and federal privacy protections for individually identifiable health information, makes it easier for people to keep health insurance, and protects the confidentiality and security of healthcare information | Access Management – Federation, Mobile Solutions, SSO, Password Self Service. Identity Management – Role-based policies for account provisioning and de-provisioning |
| Family Educational Rights and Privacy Act of 1974 (FERPA) | Education | Focus – Access Rights. FERPA is a federal law that governs access to educational records maintained by educational institutions and ensures students’ rights to privacy; it applies to all elementary, secondary, and postsecondary institutions receiving federal funds | Access Management – Identities for teachers, students, parents and other communities to securely log in and maintain education records; federated access for intercampus domains |
| North American Electric Reliability Corporation (NERC) | Energy/Utility sector | Focus – Access Governance. NERC mandates the core technical requirements for cyber security as outlined in NERC CIP Standards 002-009. It requires accountability through authentication, access control, delegation, separation of duties, and continuous monitoring and reporting of electronic access to critical infrastructure | Access Management – Centralized authentication, Single Sign-On (SSO). Identity Management – Role-based policies for account provisioning and de-provisioning. Privileged Identity/Access Management (PAM/PIM) – Enforce tighter security rules and role-based policies for privileged accounts. IAM Auditing – Capture all user actions and system responses |
| General Data Protection Regulation (GDPR) | All industries that procure consumer / customer data | Focus – Data Security. GDPR standardizes the processing and movement of EU citizens’ personal data | Consumer/Customer IAM capability; Access Controls; Audits |