Interview: Jason Keenaghan On Protecting Consumer Privacy With Better Customer Identity And Access Management

Customer Identity and Access Management solutions (CIAM) are designed to help organizations securely manage their external customer identities and provide secure, seamless access to online services. These solutions are quickly surpassing internally developed customer identity processes, with Gartner predicting that 72% of organizations in 2023 will roll out a CIAM solution, compared with 40% in 2020. 

“If you look at the pandemic, and the impact that has had, it drove a lot of businesses across many different industries to double down and start focusing on their digital interactions, with their customers, with their business partners, and with their employees as well,” explains Jason Keenaghan, Director of Product Management for IAM at Thales.

Thales is a market leader in the identity and access management space, known for their SafeNet Trusted Access enterprise authentication solutions. Last year, Thales acquired OneWelcome, a leading European CIAM solution, which is now offered as the Thales OneWelcome Identity Platform.

Three years on from the pandemic, organizations are now putting more strategic focus on customer identity, standardizing processes, consolidating tools, and moving away from bespoke solutions created in house, to dedicated third-party solutions, Keenaghan explains. 

“One example is a large telecom and media [organization] I was talking to yesterday. They were saying that up until now, they were focusing on their internal IAM. So, focusing on things like Zero Trust, identity governance, privileged access management, and multi-factor authentication.”

“And now that they’ve solved all of that, they’re realizing that identities for external users have gone unprotected. This company has three different business units, and they now want to unify those experiences and bring them closer together. They need to put customer IAM in place to help them do that.”

Customer Identity Challenges – Regulatory And Security

There are two major challenges facing organizations when it comes to securing their customer’s identities: privacy regulations and security risks.

In the last five-to-ten years, there has been a major legislative push for consumer privacy regulations globally – GDPR in Europe, LGPD in Brazil, and a range of state-enforced privacy regulations in the US, such as California’s Consumer Privacy Act (CCPA). All of these regulations have differences, making it a challenge for organizations to ensure they are compliant with all of the different legal requirements they may be subject to. 

Not only do organizations need to know the differences between privacy regulations, they need to be able to demonstrate that customers have consented to the data being collected about them and be able to prove they are using the collected data for the purposes that customers have consented to, Keenaghan explains. 

On the security side, there continues to be growth in cyber-attacks and identity theft, Keenaghan says. “Organizations are really custodians for their customer data and information. They are focused on security for their own purposes – they don’t want to get breached. But ultimately, you want to build trust for your customers as well. You have to make sure you’re putting the right tools in place to help protect them, not just yourself as a business.”

That means looking at every step of the customer journey, he explains, from the initial onboarding to every day active use of your digital services. Only then can you be sure that you’re establishing the right amount of trust to authenticate a user.

“This requires many different types of tools coming together. It’s not only the Customer Identity And Access Management solution, but integrating that with identity verification, risk-based authentication, [and] identity proofing, so that you’re building a cohesive solution that adds security, but doesn’t add friction into that process,” Keenaghan says.

The Three Fundamentals Of CIAM 

One of the key differences between securing employee access to internal systems and securing customer access is that customer identities are “much more dynamic,” Keenaghan explains. On the workforce side, decisions are made by IT teams, who can manage and control the entire authentication process. While there are challenges and changes over time, the fundamental business requirements for employee access don’t change.

“When you get into the customer IAM side, you’re now talking about how your business makes money. Decisions aren’t coming from IT; they’re coming from your line of business. So, you need a platform that is more flexible [and] more dynamic to be able to support those changing [business] decisions.” To that end, Thales has identified three key attributes that are fundamental for a successful CIAM strategy: orchestration, authorization, and sovereignty. 

The first pillar, orchestration, is fundamental because, ultimately, the goal of a CIAM solution is to automatically manage the flow of user interaction with your digital services, Keenaghan explains. This includes how they create accounts, log-in, authenticate, and access different features or functions available. The way this flow works is integral to the user experience of your service, and, ultimately, the success of your business service. 

“You want to eliminate churn on your customers. You don’t want drop offs. You want to ensure you are removing as much friction as possible.” This may require a lot of testing and fine-tuning to the orchestration process, particularly where different technologies have different users, or if you’re delivering a more personalized authentication process. This also needs to be done in a straight-forward, low-cost way, without the need for complex coding by development teams as this is much more expensive and takes far longer. 

The second key pillar is the authorization process itself. This includes both the initial authentication when logging in – proving the user is who they claim to be – and then authorizing which services users are able to access when they are signed in. “Once the person is signed in and they’re interacting, now you need to understand, what services they are paying for, what is the context, what are the risks involved?” Keenaghan explains. The best CIAM solutions will ask these questions and make these authorization decisions dynamically, in-real time. 

The third and final pillar, sovereignty, goes back to the different data privacy regulations that organizations are subject to. CIAM solutions must ensure that data collection processes are fully compliant with different legislation, whether it be at a local, regional, or multi-national level.

This includes legislation around data residency, making sure that data doesn’t leave national borders if that is legally mandated. Sovereignty is also important for the individual, Keenaghan explains; organizations must be able to manage consent over the use of their data and update their preferences over time. “The CIAM tool has to be able to provide and address these three areas: orchestration, authorization and sovereignty,” Keenaghan summarizes.

Toward Combined Customer And Workforce Identity Management

As adoption of customer identity and access management solutions continues to rise, Keenaghan predicts there’s likely to be a unification of workforce and consumer identity management practices.

“The world of workforce and consumer IAM are going to start to merge over time. Today, they’re managed differently…but, ultimately, the whole lifecycle of managing workforce identities for employees is going to start to look more like how we manage customer identities.” 

“We’ve already seen a lot of the consumer world making its way into business already. The experiences that we expect as employees has now changed based on how we interact in our social lives. We want those same types of experiences. We’re starting to see that now with how organizations interact with business partners.” 

“In the past, they used to onboard them to their Microsoft AD environment just as they would employees. But now, they want to be able to keep them separate and want to be able to onboard users and business partners in a digital fashion that is starting to look a lot more like how they deal with customers.  We’re seeing gig workers, temporary employees or seasonal workers get treated a little bit more like customers in how those identities get managed.” 

“As we start to adopt self-sovereign identity, or decentralized identity solutions (where users are more in control of their data and their information) we’ll bring that into the workforce. So, I see these worlds of workforce and consumer IAM really starting to come together and really starting to merge.”  

Learn more about the Thales OneWelcome Cloud Identity Platform.