Consumer identity management - 10 key areas

The explosion of mobile, social, cloud and big data is challenging all of us to come up with new customer-facing solutions.

We are seeing a revolution in the way organisations are planning to use identity and access management (IAM) technologies. IAM has been described as a business enabler, although until recently it has been largely used for enterprise systems access control, automated provisioning, and audit and compliance. In 2014, however, the explosion of mobile, social, cloud and big data is challenging all of us to come up with new customer-facing solutions.

I am going to share some findings that are a result of working with customers and technology partners over the last three years. I think of it as a parallel discipline to enterprise IAM, using many of the same technologies, for a different purpose: to engage, nurture and serve customers with the view to building business. The following 10 points are key areas of difference that we must consider.

1. Scale and scalability

Enterprise IAM systems are designed to register, authenticate and control systems access for employees. In large organisations this is counted in the tens of thousands in Australia and New Zealand, and up to the low hundreds of thousands globally. One of our vendor partners has a global customer with 700 million registered consumers. Google and Facebook have both already gone over the one-billion-user mark.

2. Directory services

Directories employed by enterprise identity systems have a rigid data structure and capture and store information about individuals, such as name, location and email address. They don’t need to store information such as product or privacy preferences, or all of the myriad items of information that may be useful to know about consumers. From an architecture standpoint, best practice is very clearly to establish a purpose-built repository that is optimised around consumer data, for at the heart of consumer identity management there is a lot of data. Some say it’s big data, CRM, MDM and identity management combined.

3. Identity aggregation

Many organisations already have a large volume of information about their customers that is related to different business contexts and stored in different databases and applications or with third-party affiliates. Very few of them, however, can link all that information back to produce a profile that can be used to inform interactions with uniquely identified individuals. The ability to locate, aggregate and make this information available in real time is a key function of a consumer identity system. Correlation and aggregation of identity-related data is the best approach, which needs to be a new functional block within the overall IAM architecture.

4. Earned identity support

A fundamental characteristic of enterprise IAM systems is the concept of captive identity. That is, identities are captive and subject to governed registration processes. The organisation doesn’t need to offer choices because it needs to manage the actions of its employees, and run a tight security ship.

Consumers are a different matter. Identities are earned, not captive. Consumers expect to register for services in ways they are familiar and comfortable with. They are reluctant to share information with an organisation unless an environment of trust is established and there’s something in it for them - the so-called ‘give to get’ scenario. If they don’t like the rules, they can always vote with their feet. The notion of earned identity is central to consumer identity management, which has great impact on the user experience and user interface design.

5. Performance and latency

The scale of consumer identity systems is not only a storage issue. They also need to exchange information with connected services - either online or via mobile and other devices - with minimal delays or latency. Site visitors and mobile apps need to be authenticated quickly, and preferences instantly retrieved, to inform interactions and give consumers an experience that will make them want to come back for more. Scaling these capabilities to millions of users with very low latency requires consideration at the architecture and technology level. Best practice is to isolate components from the enterprise security infrastructure to achieve performance, and not to impede the performance of the core security function.

6. Mobile access

Enterprise IAM systems are being extended to support mobile platforms for the purposes of mobile workforce enablement, BYOD, SaaS, online banking and so on, and there are some great solutions around for that. Consumer identity systems need to support whatever platforms and apps consumers wish to engage with from the get-go. These would typically be websites, web services, affiliate services, and mobiles and tablets running iOS or Android. We’re now even moving into an era when wearable devices must be easy to connect to whatever access and federation technologies the organisation uses for consumer identity. It won’t be long until 10,000 steps a day could earn you a discount from your health fund, for example.

Business and marketing are coming up with hundreds of use cases for mobile and the Internet of Things. The scale of consumer identity systems is not just about the number of people registered and the volume of information, which must be instantly accessed, it is also about the frequency of interactions. If consumers are running apps on their devices that are all set up to interact with your organisation, it could add up to multiple interactions per consumer per second across the entire user base. This is another architecture consideration where the functionality needs to be connected, yet isolated from the core security infrastructure.

7. Permission, preferences and privacy

The three Ps - permission, preferences and privacy - are functional requirements of a consumer identity management system based on earned identity. They allow consumers to be dealt with on their own terms, honouring their wishes and keeping their data secure. Consumers are invited to control what information they share, what it is used for and who it is shared with. This is very different to a captive identity system where access privileges are granted to users by the organisation.

8. User self-service

Consumer identity systems need decentralised management capabilities like user self-service to handle the numbers of users and volumes of information involved and to put consumers and citizens in control, and at ease. Consumer identity self-service allows people to manage their privacy and preferences. Enterprise IAM systems, on the other hand, are designed around captive identities and can be centrally controlled. While enterprise identity systems support elements of self-service, their primary objectives are improving workplace efficiency, security and compliance. As a result, they are unlikely to be sufficiently flexible and granular to meet consumers’ or citizens’ expectations.

9. Registration and authentication

The first task of any consumer identity solution is to register and authenticate users as easily and conveniently as possible. It needs to be able to support social sign-on, leveraging identities that consumers have built up with services like Facebook, Google, LinkedIn and myGov. Consumer identity systems need to support standards like OpenID and OAuth to facilitate social sign-on.

Importantly, they also need to build on any previous interactions and transactions the organisation has had with the consumer or citizen. People do not appreciate having to re-register for services. Ideally, a consumer identity system should be able to consolidate any existing identity systems or transaction artefacts an organisation has and provide a unified experience, something that security-centric enterprise IAM systems were never designed to do.

Central to this is support for step-up authentication so that the user can easily register and gain access to low-level resources, for example, and only be prompted for higher-level credentials when they need to access private information or higher value transactions.

10. Consumer engagement

And last but certainly not least, consumer identity systems must support continual extensions and improvements. To compete in the digital world, organisations must continue to engage with consumers at an identity level. A consumer identity system supports give-to-get offers based on changing conditions like location or an account balance trigger, for example. In this case, a changing identity attribute could initiate a context-aware business offer, enabled by attribute-based access control. There are literally unlimited applications to this use case. Continued, relevant customer engagement is the key to winning, which is why consumer identity data is being described as the new gold.

Ultimately, only organisations with deep, granular and continuously evolving consumer identity capabilities will be able to compete and win in the digital economy. Having advanced enterprise IAM in place is a distinct advantage. The key is to understand the difference in purpose between consumer and enterprise, and make your design decisions with those different use cases in mind.

Image credit: ©Pavel Losevsky/Dollar Photo Club