Listen to Identropy's Jim McDonald and Jeff Steadman on their podcast at "Identity at the Center".

Both Jeff and Jim have over a decade of experience in the Identity & Access Management space and guide companies on their IAM Program journey through Identropy's Advisory Services arm.

On this episode Jim and Jeff talk about some of the biggest challenges organizations (and vendors) face when implementing a Consumer/Customer Identity & Access Management (CIAM) program and technology.


We hope you enjoy this episode and please subscribe to our podcast for updates on new episodes!

Listen to the episode, or read the full transcript below.

 *Disclaimer from Identropy: These transcripts are produced using automated tools, so they may not be an exact word-for-word transcription (i.e., if you read something that sounds wrong, it's the tool's fault!). As always, for a better experience, please listen to the actual podcast.

 Podcast #30 Full Transcript:

Identity At The Center #30 - Biggest Challenges of CIAM

Jeff: Welcome to the Identity at the Center podcast. This is episode #30. This is the premier podcast that talks about identity and access management. Premier in my own mind, at least. I'm here with Jim. How are you doing, Jim?

Jim: Good. I thought you were talking about Adobe Premiere, and then I was going to agree. But yeah, I think we've cornered the market on identity-at-the-center podcasts. Would you say?

Jeff: At least from what I know. I don't know how many podcasts are out there that are specifically focused on IAM; I'm sure there are some. But until I hear differently, I'm just going to call us the premier!

Jim: There you go.

Jeff: Ignorance is bliss.

Jim: Too much ignorance here, though.

Jeff: Well, we'll let people decide that on their own. So I have to address the elephant in the room, which is that KC's Chiefs beat my Niners. I know we're recording about a week late, so we're kind of a week behind the times. But it was disappointing to watch the Niners lose, especially considering what I thought was very bad play calling in the fourth quarter. But I guess if I'm gonna lose, I don't necessarily mind losing to Mahomes and Reid. What did you think of the game?

Jim: I thought it was a drinking game. I thought the halftime show was phenomenal. And I feel that I really need to finish up on the back publicly for chronic calling. Dave Mahomes. Comeback in the Engineer comeback. Yeah. I think that the play calling on the same side certainly helped matters. But I mean, you've gotta give it to Mahomes and Reid, I guess, to an extent.

But like that guy is just a magician.

If you're gonna lose to somebody, at least it's not like losing to Tom Brady, because you've seen his show so many times, where in the last two minutes of the game, if you give him the ball, you almost expect to lose.

Jeff: And I don't think Mahomes is as polarizing as Brady, though. So I don't know. I think he's a more likable character across the NFL, versus, if you're in Boston, then you love Brady; if you're not in Boston, then it's 50/50 whether you love or hate him. So I think Mahomes is kind of the face of the league now, but he didn't have a particularly great game. I don't think he deserved the MVP. I think it should've gone to the running back. But whatever. That's the past.

Jim: That's just the past, Jeff? Actually, the current Super Bowl champion is the Chiefs, and the runner-up is the Niners.

Jeff: Yeah, but it's over. Season's over. Who knows? People could be listening to this five years from now: what the heck are you talking about here? Right, exactly. So what do you want to talk about today?

Jim: I would like to talk about the biggest challenges in customer IAM or CIAM.

Jeff: So we can call it CIM too, is that right?

Jeff: IAM, CIM, SIM, kind of like security that's mattering, but I've heard CIAM and I've heard CIM. I don't know, I'm fine with either one. I think it's just customer or consumer IAM.

Jim: I think the people who are in the know like to confuse the people who are not in the know by coming up with fancy things to call things. And, I mean, basically what we're talking about here is IAM with a focus on external user populations. That can be customers. They could be partners. They could be the public, students, things like that. Any kind of population which is external falls under the CIAM or CIM space. And what I want to talk about in terms of the biggest challenges is: I think when we talk about CIAM, the mind goes to authentication, where I think a lot of the solutions that say, yes, we help address this space, are focused on just the AM part of IAM, access management.

But, you know, it's identity and access management, or identity management and access management. I've been saying those my whole career because I've really been focused on external IAM or CIAM. And so when we talk about the identity part, that's the tricky stuff. That's the part that is hard to find solutions for. So if you were thinking, OK, well, what do you mean, what is the identity management part of CIAM? It's things like registration, ID administration, and delegated administration.

So delegated administration is very common in B2B use cases a lot of the time. So if I set up a shop and I was doing paper processing, I may have a customer like Bank of America, and folks from Bank of America who are using my paper processing services. I may set up one or two people as the administrators, and the rest of the folks who work there, who would go to my website or websites, would have their accounts managed by those couple of administrators at Bank of America, rather than me essentially managing IDs, setting up new IDs when they get new employees, things like that.

I'd rather Bank of America do it themselves. And when you get into some of those scenarios, they can get very complex, in terms of, one company that my paper processing company works with might have a very different way that they want to do it than another organization wants to handle a very similar type of use case.

Jeff: Yeah, like the operational side. I don't know if organizations are necessarily set up to be in a position where they can set something up as a delegate, at least not for all applications. I think, like, Active Directory, by default, if you want to make someone an AD account, you typically have to have some sort of administrative rights within your domain, and you wouldn't necessarily give that directly to a customer or a partner to create their own accounts. And I'm just using that as an example because I can think of other applications where you may not want to give up those rights. And then how would you support something like that? You could maybe use something like an IAM tool to provide those granular permissions, to be able to only operate on accounts that are associated with your work, and things like that. I think that speaks to the challenge that customer or consumer IAM brings: it can be a many-to-one or a one-to-many relationship that is challenging to try and put into software sometimes.

Jim: Right. Well, think about a very large organization, a large global organization where you've got hundreds of thousands of employees, maybe some kind of retail operation or food service that's not franchised. Now, you might want to delegate the administration to the stores. Or even if you're talking about a large global corporation where you have IT staffs or departments that want to manage their own AD accounts, you can't very well just say, all right, you need to use Active Directory Users and Computers and figure out how to do it. There you have to make it some kind of web-based application. Now, I think on the internal side, you could say, what are the solutions out there? We're going to fit into whatever is available that solves our use case. When you're talking about your customers, you have to have something that is user-friendly and matches how you want to conduct business. And so that's where I think the challenge becomes even greater on the external side: you really can't just homogenize things and dump it out there on the Internet.

So, you know, I wanted to give a couple of examples of some of the things I've run into where it's like, why is this so different from place to place? It really comes down to, why aren't there products that can solve this, or why can't I just go out there and grab a product that does delegated administration, or all of that? Well, I mean, let me put it this way. A lot of the clients that we work with on these problems will say, here are all my use cases. And we end up with, there's not a product that I'm aware of that does all these things right. So you're going to have to add some level of custom development.

One of the examples was an organization that did something they called authorization codes. So they did testing for students, who could sign up for these tests and take the test for free if they had a code.

And so they didn't even know who the students were yet. Right. These are people who had not signed up for the tests or anything like that. But through their university, they would get their codes. So this organization would create a batch of, say, 50 codes. They would be provided to a professor or somebody, some administrator at the university. And that person would dish out the codes to people who were supposed to get them. Now, those students would then go on to this organization's website. If they already had a profile, they would log in and provide this authorization code. If they did not have a login, they would have to register and then provide the authorization code. And actually, the authorization code, I think, was a token within a URL. So basically, if they clicked that link, it would bring them to a web page. It would identify that they had an authorization code, which would be buried within the URL, and then they would log in or go through a registration.

But that was very specific to that use case scenario. And to me it was like, that's a genius way to go ahead and solve that. But I don't think it scores high for the larger population of CIM customers. I also worked for an organization that had a large dealer network, and they had a hierarchy structure within their dealer network. You could have a very large dealership, say, on the West Coast; they had a parent organization, and then they had regional organizations, and they had local stores, and they had to be able to set up administration at any of those levels. In other parts of the country, they might just have a single store or a group of three or four stores with one parent organization.

And that's like, OK, well, that's great that you guys do the administration like that. But is that the way most companies do it?

The answer is no. And so that's where it becomes challenging, and you need to have a development framework to be able to work within. Then, for some of it, there are some solutions out there that can be built around. So I've worked with ForgeRock's OpenIDM. At one point it did have some workflow capabilities and some ability to model that type of solution, but it wasn't without its costs. There was a lot of customization that needed to be done in order to get that type of scenario to work. And so I think a lot of our clients are hoping that they can just go out and get a cloud-based solution, model their use cases in that cloud-based solution, and it's just going to work. And, compared to something like human resources or some kind of internal accounting or CRM, where they're willing to adapt their business processes to what's available, identity management, customer identity management, isn't really as far along. OK, so those were some examples of what makes it difficult. Anything that you can think of?

Jeff: Not offhand, at least. I mean, I think you covered everything that I can think of. I'll just add, I can think of the enrollment and registration part; that's typically the area where most customers drop out if you make it too hard to use the product or service that you're trying to get people into. So anything that's done to increase that, or make that easier, I should say, is typically a big benefit to the organization. I think that's why you see a lot of organizations using things like social logins.

Right. LinkedIn, Google, Facebook; even, you know, Apple's got their own version of it now. It makes it easy for the individual to register, and takes away some of that burden as well from an account management standpoint, even some of the security, if you look at it from the perspective of how Google manages their own customers' credentials, and allows that trust to exist.

Jim: Right. Right. Yeah. Registration as a use case is usually a little bit less complex. Some organizations have some checkpoints along the way that make it a little more complex, a little more custom. But registration is something you usually can leverage out of the package that you're selecting. And if you need to integrate it with more complex workflows, that can be done through APIs.

But a lot of times what organizations end up doing is, you know, keeping their home-grown or home-built identity management solution if they have one, because there's no product that can easily replace what they've already built over the course of many years in terms of those custom workflows.

Jeff: Do you think there's a specific area of access management technologies in the CIM space that they don't do well? I can think of something like delegated administration not being handled really well in technologies today without some degree of customization. Do you agree with that, or do you think there's something else that products like Okta, Ping, and Microsoft's COVA sense, right, all these other kinds of CIM technologies don't do well at?

Jim: You mean from an access management side that they don't do well, or...

Jeff: Yeah, I think that. Or from the authentication or registration side, or even just administration of accounts from a central or a delegated perspective.

Jim: Yeah. I mean, I think you hit it right on the money, that delegated administration is probably the hardest thing to solve, and it's the thing that the fewest of those vendors you mentioned do well, and there are other vendors as well. I mean, SAP Gigya was a very popular solution for CIAM, and I think, you know, it doesn't do a very good job when it comes to delegated administration. But in terms of CIAM, it's often called either customer or consumer IAM.

And consumer implies more of a focus on a retail environment, where there's a smaller set of identity management workflows: registration, some kind of basic profile management, things like that.

But the bulk of the use cases are around authentication. That's the bulk of the complexity. And I think if you're in that space and you don't have a lot of complexity, it's not as difficult to fit into a product and live inside its framework. It's when you get into seriously complex, especially B2B-type customer use cases, that it can get really harried and really custom.

The AM side, you know, access management, and so authentication and authorization, that's a space that's evolving very rapidly.

The integration landscape, I think, in the past decade has really changed a lot. So, like I said, this has been my area of focus since I got into IAM 15, 16 years ago. And at the time we had a lot of legacy web applications that were custom built, and we were looking for a way to integrate them into an access management solution. And the primary ways that was being done was either through a web server filter, so you'd install some software on your web server, or you'd set up a reverse proxy. And both of those systems mimic the way a login screen would operate within your environment, and would use host headers within the application. So essentially it would authenticate a person, give them a cookie, and redirect them back to the application that they were trying to get to.

And within that redirect, it would create a host header for the application, just like their existing login screen would do. So you'd have very minimal re-engineering of the application. Now, the third integration opportunity was to use the API of the access management system, but that's only if you're either starting a new application or you're willing to re-engineer. Nowadays, almost all of the access management tools are strongly encouraging people to use open standards like SAML, OpenID Connect, and OAuth 2. And there still is some legacy support out there, because I think one of the things is that fear of trying to replace, like, an old CA SiteMinder environment: you would have hundreds of applications that are integrated using SiteMinder agents. And so it's a tough sell to go into an environment and say, we want you to rip out your old SiteMinder product, and you're going to have to re-engineer 10 or 50 applications to do that; you'd have to SAML-enable all those applications. That's a lot of work. And some organizations are making that move because they realize that they need to; depending on a proprietary agent is going to continue to hamstring them. But the other option is that they would then have to re-engineer those applications. Again, that's a lot of work. So some products are basically having backward support, having filters and having reverse proxies. But obviously, that's for that legacy use case.

Jeff: Draw a line in the sand there, right? OK, going forward, we're going to use this, and we'll continue to support maybe the older stuff and let things die naturally. That might be an easier change to take. I've seen that as well.

Jim: I think, as a practitioner, as a program manager, that's the way to do it. I think from the product side, if they can sell their product, they're going to encourage best practices, but they're not going to demand that the customer comply with that, obviously. Right.

They have the capability to support backwards; they're not going to force the customer down that track.

But the longer that they continue to depend on proprietary agents and things like that, it's just continuing that problem.

Jeff: Yeah. I just like to see organizations, again, having that split. OK, well, we know we have SiteMinder, using your example, and we're gonna have to keep that for another five years because it doesn't make sense to rewrite an application that might be converting to another platform anyway. So just let those apps die on the vine. And then at some point, OK, we're done with the old way, and any new apps that have come up during those five years of transition have been pushed to the new method anyway. So they kind of grow out of it, so to speak.

Jim: Right. Right. I think that's exactly why people looking at a portfolio of, say, 250 applications that are running on proprietary agents are thinking, okay, I might be willing to rewrite or re-engineer a few of them, but I don't see replacing them.

Let's just say they were written on Lotus Domino, and they're sitting around and they are just barely continuing to exist.

But we don't want to rewrite them, because we got a quote, and to rewrite 100 of them was going to be 3 million bucks. We'd rather just run them until we don't need them anymore.

Jeff: Right.

Jim: So, a couple of things.

One is, I talked about this shift toward open standards, and I mentioned OpenID Connect and OAuth, and I also mentioned SAML. So what I'm seeing more and more is that SAML is being relegated more to the internal side. So if you're connecting to SaaS applications and that is the methodology they support, sure, SAML's a good choice. But if you have more control, if you have a choice between SAML or OpenID Connect, you should choose OpenID Connect, just because the more modern standard was designed to fill in some of the gaps that SAML left around. And so we're seeing a shift there.

Also, I think we've talked about this a few times on the podcast, which is that the new paradigm is MFA everywhere. Everything should have MFA, especially if you're an externally facing application relying on password only.

This is tough for some user populations where you don't have the level of engagement, or, I guess, level of engagement is probably the right term, to push somebody down the path of using MFA. I personally, every time I'm given an option to use MFA, I take it, almost all inclusively, because I just feel like I don't want to rely on passwords, but I guess most people probably look at it as more of a hassle than a benefit.

So you're seeing that that shift is taking place, but you're also seeing that, in certain parts of this sector, the MFA capabilities are becoming much stronger, at least as an option. So there are vendors who specialize in MFA, especially around using biometrics, using MFA for mobile applications.

You've been seeing a lot of these demonstrations too, Jeff. So what are some of the MFA options you've seen lately that you think are worth talking about?

Jeff: Well, I think it'll be a while before things change over. I think people are pretty ingrained with SMS, even though it's not the best way. It's still better than nothing. Then there's push notification, and the apps that are out there; I'm looking at my phone and I have four different push notification apps for different services that I use MFA on. And there are some that can consolidate some of those things. So you've got apps which can support multiple services. LastPass has their own take on it. I think Google's supports multiple services as well. So I think it sometimes is a little bit of a messy place, but in my mind it's the easiest for my use case: I want to log into something, and I'm on my iOS and macOS devices, I can get the prompt and easily approve it from my Apple Watch and move forward from there. There are also other ones that take a bunch of things like typing cadence. I'm thinking of a company called TypingDNA, I think is one, where the way you type is your biometric signature, which I think is very interesting. Now you have to develop that signature, and, you know, I think it still needs some tuning to make sure that it meets the needs.

But it could be another way to approach it. Then you've got the obvious ones like fingerprint and voice and retina or facial recognition, those sorts of things. So I think it's interesting how MFA is going to continue to evolve. I think people have kind of settled on that your phone is your second thing, and you need to authenticate to that phone to do something. We'll see how that works in the future. I mean, you also get physical devices, smart cards and YubiKeys and, you know, different types of USB-type security keys, which I think are great, and they're definitely secure. But boy, are they a pain to manage logistically. If you're an organization, you still have nightmares about distributing RSA keys back in the day to the organization, and then they get lost, the dog ate it, I ran over it, I mean, all of those things can happen, and then trying to work through that. So I'm not necessarily as much of a fan of physical keys unless there is a way to distribute the logistics part of it.

And I actually just read the other day that I think YubiKey now has a service that organizations can take advantage of, where they will handle the logistics and fulfillment of keys, which might be interesting. I don't know what the costs are or if it makes sense for organizations, but it certainly solves some of the pain around an operations team having to manage boxes full of RSA keys, for example, and putting them on the server and all the junk that goes with it.

Jim: Yes, it'd be cool if a company like that could partner up with Microsoft and/or Google. That seems like it would be just a matter of, hey, we're using this major identity provider, they provide that as a service, let's include that, at least for privileged accounts.

Jeff: Yeah, I think YubiKey has done a pretty good job of pushing the security key forward.

I kind of saw that. I have one, and I don't use it as much because I have my phone and everything's kind of shifted to that. So for me that's more convenient.

But they certainly have opened up their services quite a bit. And I think Google partners with them on their Google Authenticator, but don't quote me on that.

Jim: Right. So the last thing I want to mention on the AM side is, you know, I think that at least the clients we're working with want to start by looking at cloud-based solutions. What that means, we've debated over and over, but in the AM space it's much more of a multi-tenant approach than what you see in, say, IGA. I think most AM solutions are multi-tenant, and I think where that space is really going is around higher availability, a higher leverage of AI and machine learning to detect compromised or fraudulent types of transactions, so compromised accounts, or potentially an account that is acting out of the norm, where maybe it should be required to do a step-up challenge, or potentially just be disabled and have somebody from the company go back in there and re-enable that account.

And that, I think, is pretty much game-changing. And I think if you were to implement some kind of on-premise AM solution at this point, what you are potentially giving up is the ability to have those cloud-scale AI solutions a year or two down the road. I think they're starting to surface at some level. But the scenario that I think most of the vendors are looking at is, this is how we can potentially differentiate at a security level.

Jeff: Yes, I definitely agree. Unless you're going to establish your own AI and machine learning processes in house.

Jim: Exactly. Exactly. Some things that are on the horizon, and then we want to wrap up here. But I think organizations are shifting to the cloud and leveraging cloud infrastructure, like AWS or Microsoft Azure. Many organizations are using DevOps tools for automation, and I think a lot of IAM practitioners are being left behind because, from an infrastructure standpoint, we're seeing a much higher utilization of Docker and deployment of containers rather than traditional servers. They're using robots to deploy software, and there are identities in all these tools that are being used to authenticate as they go through the process. How are those identities being managed? It's a new frontier for a lot of practitioners; first of all, you just have to know how these tools operate. And as I've been a big advocate of in the past, get on YouTube, understand how Docker works, understand how Chef and Puppet work, especially if those are the tools that are used in your organization. Or not: look for the specific tools that your organization is working with, but understand the DevOps space.

And then I think the other thing, and this is something I harp on a lot, is that if you're looking at CIAM solutions today, I think what you need to do is think in terms of selecting a platform, and we want to have a platform that we can grow into. So maybe our first phase is going to be to replace the legacy SSO system and really start looking at some MFA, policy management, password management.

Have the basic blocking-and-tackling stuff. But what I would strongly encourage is to think beyond the next year or two and start thinking about where you want to be and what you want to enable. When you're looking at different platforms, which are the ones where you say, these guys are ahead of the curve, these are the ones that are going to push me into bigger and better opportunities? And so I really think that when you're looking at platforms, or when you're looking at solutions, think about it as a platform that you can grow into.

Jeff: Yeah, and sometimes you need to have conversations with the business to know where the organization is going so you can plan for that as well.

So it behooves you to make friends on the business side so that you can plan accordingly. At the same time, on the business side, make sure that you're working with your IAM folks to keep them updated on where things are going strategically so that they can be ready for you.

Jim: Right. I think it's also a challenge you should put to the vendor: where are you guys, this company, going?

How much are you investing in your R&D? What's the next wave of technology that's going to be available? I'm not just looking for what your roadmap is for the next six to twelve months, but philosophically, where are you taking the company? And I think being able to evaluate those responses is going to be a big part.

Also, reading analyst papers and understanding where the analysts see these various vendors in terms of how much they are investing in their platforms.

Jeff: Yes, I definitely agree with that. Anything else that you want to talk about from the CIAM or CIM space?

Jim: That was a mouthful. So I think we've had a pretty good one, and I think, even as you were talking, I was thinking we should break a few of these topics off and make them standalone podcasts at some point. What you talked about with YubiKey, and also thinking about the FIDO Alliance, there are just maybe some opportunities to bring in some folks from outside who can talk about things they're working on, projects they're working on to solve some of these topics.

Jeff: Yeah, I agree. That's the wonderful world of IAM, right? There's always something that we could talk about. And things change; just because it's the way it is today, right, 2020, 2021 might be a totally different story. So it's the gift that keeps on giving.

Jim: Yeah, just one thought. Anyone listening to this podcast and still listening: if you've got some ideas on topics you'd like to hear us talk about, or guests we should try to get, contact us; there's some kind of widget there where you can leave us feedback.

Jeff: There's also the email address, which is . That's another avenue, too. But yeah, there's definitely a variety of ways you can get a hold of us and give us your feedback. So I think that's a good spot to leave it. I want to thank everyone for listening, and we'll talk to you on the next one.

Jim McDonald & Jeff Steadman

Jim McDonald is a professional with over 15 years of experience leading teams through business-critical technology initiatives: a technical strategist, leader and champion of change, with a history of crossing organizational boundaries, cultivating strategic alliances and building consensus and alignment among diverse constituents to leverage IT as a strategic asset and deliver solutions that rejuvenate and advance global businesses' financial performance. Also as part of our advisory practice, and with over fifteen years in the identity and access management space behind him, Jeff Steadman helps develop realistic IAM strategies and provides vendor-agnostic recommendations to move the needle on IAM maturity for organizations large and small.