Enterprise identity management has been primarily focused on serving the correct access to employees and contractors.
But as the industry has been perfecting how to serve employees, consumer identity has presented itself as a growth opportunity for businesses and identity professionals alike.
Unfortunately, the industry has tried to apply employee-centric techniques for consumer and citizen identity scenarios.
In this talk Ian highlights the difference between employee- and customer-centric identity, proposes techniques that identity professionals need to employ to delight customers, and promises not to kill off any standards or industries.
Ian Glazer, Senior Director for Identity, Salesforce
48. Identity World View
Identity is at the core of every interaction
[Diagram: a login form (User Name, Password, Login) at the center, surrounded by Connected Customers, Connected Employees, Connected Partners and Connected Products]
49. Business World View
Customer is at the core of every interaction
[Diagram: same layout as slide 48, with Delighted Customers in place of Connected Customers]
52. Cross-Channel
[Diagram: the same login form, with "Don't have an account?" and "Forgot your password?" links, shown across the Mobile, Web and API channels]
61. IAM Techniques
Employee-Centric IAM
• Traditional
• Organization is owner & authority
• Lots of User Provisioning
• Web Access Management plus some federation
Customer-Centric IAM
• Modern
• Individual is owner; no single authority
• Profile Management
• Federation and social sign-on
63-64. Employee-Centric Technologies vs. Customer-Centric Technologies
(slide 63 shows only the employee-centric column; slide 64 fills in the customer-centric one)
System of Record
  Employee-centric: HR system(s)
  Customer-centric: Internal: CRM and LOB databases; External: social providers, banks, universities, governments, etc.
Attribute Management and Propagation
  Employee-centric: User provisioning; directory synchronization; pushing attributes
  Customer-centric: Profile management; lookup at time of use and JIT; pulling attributes
Islands of Identity
  Employee-centric: Most legacy systems; reducing to Active Directory
  Customer-centric: Legacy systems, but federation-ready apps increasing
Single Sign-On
  Employee-centric: Proprietary WAM for legacy; federation for newer apps & SaaS
  Customer-centric: Standards-based federation; some proprietary social providers
Mobile Device Management
  Employee-centric: Common
  Customer-centric: Uncommon, if not forbidden
Consent
  Employee-centric: Implied in the employer/employee relationship
  Customer-centric: Must be gathered and adhered to consistently
76. HR used to provide the privacy coverage identity needed
Internal-facing identity systems are rarely subject to a Privacy Impact Assessment
Customer identity requires:
• Data retention and protection
• Persistence of, and respect for, privacy preferences
• Attribute release consent management
Previously ignored privacy challenges
82. Federation
Federation
• Security Token Services
  • SAML
  • OAuth 2.0
  • OpenID Connect
  • Proprietary
Social Provider Connectivity
• OpenID Connect unlocks many doors
  • But there's plenty of proprietary too
Protocol Brokering
• Broker social login to content portals and other 3rd party properties
• Ability to add and protect attributes passed to other platforms
• Ability to pass entitlements
83. User Profile Management
Registration Services
• Automated – via a social provider or directory service
• Manual – Self-service sign-up
• Consistent branding control throughout
Profile Management
• Self-service control over:
  • Social providers that can be used
  • Apps that can access data
  • Attributes that can be used
  • Marketing preferences
Profile Enhancement
• Manual – Mechanisms to ask the user for a little more data
• Automated – Data verification and record enhancement
84. Assurance and Proofing
Techniques to raise identity assurance
Identity Assurance
• 2nd Factors:
  • Can work but user experience suffers
  • Adaptive access control must play a role here
  • Ideally this is recognition's territory
Identity Proofing
• Plugins for different proofing providers
  • Often based on geography
• Two modes:
  • Asynchronous for offline proofing
  • Synchronous for user quizzes
  • But mind the user experience
• Integration with internal proofing sources
85. IAM-like components
Not core traditional IAM services
Shared Signals
• Service providers have to be better neighbors
• Follow the Finance model of FS-ISAC
Account Take-Over Response
• Teams to help people get their accounts back
• Part of expected customer service
Consent Management
• Attribute release consent from the social provider isn't sufficient
• Service Provider should provide a generic consent management layer
86. Non-IAM Components
Peer services
Integration
• Meaningful integration designed to create a 360° view of the customer
  • Sales
  • Service
  • Marketing
  • eCommerce
  • Content Management
Analytics
• Conversion rates
• Segmentation
• Usage via Channel
• Behavior analysis to fuel marketing, service, sales, and recognition
Information Protection
• Encryption and Tokenization
• "Who accessed what data, and what were the values at that time?"
  • Think DAM for customer data
94. IAM Techniques (closing recap of slide 61)
When it comes to identity services for customers, consumers, and citizens, our industry doesn't have the same maturity. There is a great deal of innovation in this area to be sure. In pursuit of external identity this industry has created notions of user-centric identity and personal data stores – all great achievements. But there is not a lot in the way of common patterns or practices. To serve our citizens and our customers we need to deliver the right experience to the right person at the right time and in the right place.
And we have to serve an entirely new set of stakeholders within the business. We have to deliver an experience to a connected fridge or an iBeacon as well as an app.
And we have to do so on behalf of sales, marketing, or alumni affairs.
In the absence of best practices, as an industry, we have defaulted to using what we know works for employees on our customers. “Please continue to hold…” And this is a little sad, but not surprising.
External identity management, customer identity management, consumer identity management – call it what you will. It is a growth opportunity for the business as well as identity professionals. It is an opportunity to deliver services to our citizens like we have never done before. It is an opportunity to delight the most important thing that every organization in every industry has – its customers. And it is an opportunity we cannot, must not squander.
External identity is IAM’s killer app. After years of search we have found it! External identity is the “email” of IAM. It transforms us identity professionals into business enablers and that is tremendously exciting.
However, IAM isn't the star of the external identity show. Much in the same way that TCP/IP isn't the star of the Web, IAM isn't the star of this new opportunity. IAM can help support it but IAM isn't the entire solution.
Every part of the business gets an accurate current picture of the customer
Baby-steps towards recognition
The first one to form a relationship will win
If you don’t, your competitor will
From an identity professional’s view of the world, identity is the center of every interaction. But from the business’ point of view the customer is the center of every interaction. In order to serve that customer best we need a complete picture of them. This picture needs to be cross-channel, cross-business function, and cross-organization.
We might be tempted to think of cross-channel as web, mobile, and API, but it is more than that. In a non-IT-centric setting, cross-channel includes things such as brick and mortar sales and points of presence, social listening, and call centers.
In order to fully address the business, each business function must be able to share a complete picture of the customer. This means that sales, service, product, marketing, everyone has to be on the same page as to who is the customer and how do we delight them.
And we need to share that picture across multiple organizations. Our partners extend our brand and extend our services. Sharing, with the customer's permission, the picture of the customer across organizational boundaries improves service. Consider when a service professional comes to your house to repair your hot water heater. They already know what model heater you have. They are up to date on how to repair it. They also know the service history of the unit. This can only happen when the water heater's manufacturer and the service company work in concert to delight the customer.
Consistent view across multiple touch points
Consistent experience across multiple parts of the organization
Salesforce as system of record for “customer”
Reduced identity integration
There is a wide spectrum of approaches to identity management. On one end of the spectrum you have employee-centric identity. It is traditional. The enterprise owns the identities in this world and furthermore the enterprise is authoritative for those identities. There's a lot of user provisioning as well as web access management, with an increasing amount of federation. At the other end of the spectrum is customer identity. It requires a modern approach to identity management. In this setting, the individual owns their identity and there is no singular authority for that identity. We observe profile management instead of user provisioning. There is a lot of federation and social sign-on as well.
Put simply, the techniques and tricks we have used to serve our employees are not the same ones that are needed for customer identity.
Looking a bit deeper at enterprise-centric identity we see that the system of record is HR. Often this really means multiple HR systems of record but you get the idea. In terms of attribute management and propagation, user provisioning and directory synchronization of various forms is employed. We tend to find islands of identity in our legacy systems but we are getting down to one large identity continent – AD. In terms of SSO, often proprietary WAM-based approaches are used with an increasing amount of federation thrown in, especially for access to modern apps and SaaS. Mobile device management is common and consent is inherently implied in the relationship between employer and employee.
Customer-centric identity is different. We find that the systems of record are CRM and major line-of-business databases. And those are just the internal systems of record. There are also the external systems of record that include social providers, banks, universities, governments and the like. Attribute propagation is handled by user profile management and lookup at the time of use. We still see islands of identity, especially in legacy applications, but thankfully fewer as apps are built federation-ready. In terms of SSO, we see identity standards-based federation with a bit of proprietary protocol from the social providers. Mobile device management is uncommon if not forbidden. And lastly, consent must be gathered from the user and adhered to consistently.
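The consent-gated, time-of-use attribute lookup described in the slide 64 table and in slides 83 and 85 (profile management, consent management, and the "who accessed what, and what were the values" audit question from slide 86), as an added example that is not code from the talk or from Salesforce. It assumes two constructed systems of record (an internal CRM and an external social provider), an append-only in-memory consent store, and a hypothetical relying party called partner-portal; every record, name and timestamp is made up for the example.

```python
"""Consent-gated, just-in-time attribute release (added example).

Assumptions (hypothetical, for illustration only): two constructed systems of
record, an append-only in-memory consent store, and relying parties identified
by a plain string such as "partner-portal".
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, FrozenSet, Iterable, List, Optional

# Constructed systems of record: an internal CRM and an external social
# provider each hold a slice of the same subject's attributes. Nothing is
# synchronized into a directory; attributes are pulled at time of use.
SYSTEMS_OF_RECORD: Dict[str, Dict[str, Dict[str, str]]] = {
    "crm": {
        "sub-123": {"email": "ana@example.com", "tier": "gold", "phone": "+1-555-0100"},
    },
    "social:example-idp": {
        "sub-123": {"display_name": "Ana", "picture": "https://img.example/ana.png"},
    },
}
# Internal sources are consulted first, so they win on a conflicting attribute.
SOURCE_PRIORITY = ("crm", "social:example-idp")


def ts(day: int) -> datetime:
    """Constructed clock for the example: day N of January 2024, UTC."""
    return datetime(2024, 1, day, tzinfo=timezone.utc)


@dataclass
class ConsentGrant:
    subject: str
    relying_party: str
    attributes: FrozenSet[str]   # attributes the subject agreed to release
    marketing: bool              # marketing preference captured at the same time
    granted_at: datetime
    revoked_at: Optional[datetime] = None

    def active_at(self, when: datetime) -> bool:
        return self.granted_at <= when and (self.revoked_at is None or when < self.revoked_at)


class ConsentStore:
    """Append-only history of consent decisions. Revocation closes a grant
    rather than deleting it, so "what was allowed on day X" stays answerable."""

    def __init__(self) -> None:
        self._grants: List[ConsentGrant] = []

    def grant(self, subject: str, rp: str, attributes: Iterable[str],
              marketing: bool, when: datetime) -> ConsentGrant:
        g = ConsentGrant(subject, rp, frozenset(attributes), marketing, when)
        self._grants.append(g)
        return g

    def revoke(self, subject: str, rp: str, when: datetime) -> None:
        for g in self._grants:
            if g.subject == subject and g.relying_party == rp and g.revoked_at is None:
                g.revoked_at = when

    def _active(self, subject: str, rp: str, when: datetime) -> List[ConsentGrant]:
        return [g for g in self._grants
                if g.subject == subject and g.relying_party == rp and g.active_at(when)]

    def allowed_attributes(self, subject: str, rp: str, when: datetime) -> FrozenSet[str]:
        return frozenset().union(*(g.attributes for g in self._active(subject, rp, when)))

    def marketing_allowed(self, subject: str, rp: str, when: datetime) -> bool:
        active = self._active(subject, rp, when)
        return bool(active) and active[-1].marketing   # most recent decision wins


class ConsentRequired(Exception):
    """Raised instead of silently dropping attributes: the caller must go back
    to the user for consent (slide 83's "ask the user for a little more data")."""

    def __init__(self, missing: List[str]) -> None:
        super().__init__("consent required for: " + ", ".join(missing))
        self.missing = missing


def lookup_profile(subject: str) -> Dict[str, str]:
    """JIT lookup: pull the subject's attributes from every system of record."""
    profile: Dict[str, str] = {}
    for source in SOURCE_PRIORITY:
        for attr, value in SYSTEMS_OF_RECORD.get(source, {}).get(subject, {}).items():
            profile.setdefault(attr, value)
    return profile


AUDIT_LOG: List[dict] = []   # who accessed what data, and what were the values at that time


def release(store: ConsentStore, subject: str, rp: str,
            requested: Iterable[str], when: datetime) -> Dict[str, str]:
    """Return only attributes the subject has consented to release to this
    relying party at this time, and log exactly what went out."""
    requested = list(requested)
    allowed = store.allowed_attributes(subject, rp, when)
    missing = sorted(set(requested) - allowed)
    if missing:
        raise ConsentRequired(missing)
    profile = lookup_profile(subject)
    released = {a: profile[a] for a in requested if a in profile}
    AUDIT_LOG.append({"when": when.isoformat(), "subject": subject,
                      "relying_party": rp, "released": dict(released)})
    return released


if __name__ == "__main__":
    store = ConsentStore()
    store.grant("sub-123", "partner-portal", {"email", "display_name"}, False, ts(1))
    print(release(store, "sub-123", "partner-portal", ["email", "display_name"], ts(2)))
    try:
        release(store, "sub-123", "partner-portal", ["email", "phone"], ts(2))
    except ConsentRequired as err:
        print("blocked:", err)
    store.revoke("sub-123", "partner-portal", ts(5))
    print("active on day 3:", store.allowed_attributes("sub-123", "partner-portal", ts(3)))
    print("active on day 6:", store.allowed_attributes("sub-123", "partner-portal", ts(6)))
```

Two design choices carry the point of the slides: the consent store is append-only and revocation only closes a grant, so a later audit can still answer what the relying party was allowed to see on a given day; and a request for an unconsented attribute fails loudly rather than returning a quietly trimmed profile, which is what forces the "ask the user for a little more" step instead of letting an integration drift past what was agreed.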
But it isn't just the difference in technology and approaches that makes customer identity different from employee identity. We see different lifecycles as well. Join, Move, Leave has served employee-centric identity well, but in customer identity we observe different lifecycles: transaction value progression and access path progression.
As the relationship grows more valuable the need for stronger identity grows. To be clear a valuable relationship isn’t necessarily one in which money is changing hands. My relationship to my local government is extremely valuable. My relationship to my university is extremely valuable. What we tend to find is that people move from being an anonymous user on a web site or app to a pseudonymous user, relying on social providers as a way to log in. Eventually the organization turns those pseudonymous users into ones that have been proofed and vetted. Mapping this to JML is hard. We observe that the anonymous stage maps well to the Join event. The transformation to pseudonymous maps to the Move (change) lifecycle event, and so too with the transformation from pseudonymous to proofed.
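The transaction value progression just described, read together with the assurance techniques on slide 84 (second factors, adaptive access control, synchronous and asynchronous proofing), as an added example that is not the speaker's code. It assumes a hypothetical ladder of assurance levels (anonymous, pseudonymous, authenticated with a second factor, proofed), a constructed table of which level each action needs, and one adaptive rule that makes a risky session present a second factor for anything beyond anonymous browsing; the actions, signals and subject are made up for the example.

```python
"""Assurance ladder for the anonymous -> pseudonymous -> proofed progression
(added example; levels, actions and risk signals are hypothetical)."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, Optional


class Assurance(IntEnum):
    ANONYMOUS = 0       # no account, or not signed in
    PSEUDONYMOUS = 1    # social / federated login, attributes unverified
    AUTHENTICATED = 2   # pseudonymous plus a second factor on this session
    PROOFED = 3         # identity vetted by a proofing provider, strongly authenticated


# What the subject must do to climb from each level to the next.
NEXT_STEP: Dict[Assurance, str] = {
    Assurance.ANONYMOUS: "social_login",
    Assurance.PSEUDONYMOUS: "second_factor",
    Assurance.AUTHENTICATED: "identity_proofing",   # may complete asynchronously
}

# Constructed table: the level each action needs. Higher-value interactions
# need stronger identity; browsing needs none.
REQUIRED: Dict[str, Assurance] = {
    "browse_catalog": Assurance.ANONYMOUS,
    "save_wishlist": Assurance.PSEUDONYMOUS,
    "change_shipping_address": Assurance.AUTHENTICATED,
    "apply_for_credit": Assurance.PROOFED,
}


@dataclass
class Account:
    subject: str
    proofed: bool = False        # set when a proofing result (sync or async) comes back


@dataclass
class Session:
    account: Optional[Account] = None
    social_login: bool = False
    second_factor: bool = False
    new_device: bool = False     # adaptive signals from the current session
    country_mismatch: bool = False

    def level(self) -> Assurance:
        """Effective assurance is the weakest link: a proofed account reached
        through a bare social login is treated as pseudonymous."""
        if self.account is None or not self.social_login:
            return Assurance.ANONYMOUS
        if not self.second_factor:
            return Assurance.PSEUDONYMOUS
        if not self.account.proofed:
            return Assurance.AUTHENTICATED
        return Assurance.PROOFED

    def risky(self) -> bool:
        return self.new_device or self.country_mismatch


@dataclass(frozen=True)
class Decision:
    allowed: bool
    current: Assurance
    required: Assurance
    next_step: Optional[str]     # None when allowed


def decide(session: Session, action: str) -> Decision:
    """Allow the action, or say which single step the user should take next.
    Risk signals never demand proofing on their own: proofing answers "who is
    this person", while a risky session is an authentication question, so the
    adaptive bump only raises a pseudonymous-level action to AUTHENTICATED."""
    required = REQUIRED[action]
    if session.risky() and Assurance.PSEUDONYMOUS <= required < Assurance.AUTHENTICATED:
        required = Assurance.AUTHENTICATED
    current = session.level()
    if current >= required:
        return Decision(True, current, required, None)
    return Decision(False, current, required, NEXT_STEP[current])


def complete_proofing(account: Account, passed: bool) -> Account:
    """Callback for a proofing provider's result (slide 84's asynchronous mode)."""
    account.proofed = passed
    return account


if __name__ == "__main__":
    ana = Account("sub-123")
    s = Session(account=ana, social_login=True)
    print(decide(s, "save_wishlist"))
    s.new_device = True
    print(decide(s, "save_wishlist"))      # same action, risky session: step up
    s.second_factor = True
    print(decide(s, "apply_for_credit"))   # needs proofing
    complete_proofing(ana, True)
    print(decide(s, "apply_for_credit"))
```

The decision object returns the single next rung rather than a flat deny, which is the user-experience point slide 84 makes: the site asks a pseudonymous user for a second factor, not for a proofing quiz, and only asks for proofing once the relationship has reached an action that needs it. Proofing results arrive through complete_proofing so a provider that answers offline can lift the account later without the session logic changing.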
We also recognize that the same person will access enterprise services across multiple channels, from the web, to apps, to connected devices, and even directly via APIs. It used to be that people "Joined" an organization via a web site, but increasingly that "Join" event happens with an app. A person working with connected devices or "Things" or even APIs maps well to the "Move" event.
Although we can map from these two progressions to Join, Move, Leave, the map is poor and incomplete. Neither progression has a step that maps to “Leave.”
No “Leave”? Do relationships ever really end? My relationship with my university begins as a prospect, turns into a student, but it certainly doesn’t end when I graduate. I posit that in most cases external identity relationships are never completely severed, they just change. And this means that external identity brings with it a set of previously ignored privacy requirements. For employee-centric identity, HR used to provide the privacy coverage identity teams needed. Rarely was an internal-facing identity system subject to the Privacy Impact Assessment. But that won’t work in an external identity scenario. Customer identity requires data retention and protection policies and services. It requires persistent and respected privacy preferences. It requires attribute consent management. These are not things employee identity has commonly dealt with.
There are more stakeholders. Consequently, there are more requirements. There are more opportunities. From a component perspective, customer identity requires more than traditional enterprise identity. To be sure, there are some familiar components: federation, profile management, and assurance and proofing. There are some IAM-ish components as well: shared signals, consent management, and account take-over response. And then there are some non-IAM components: integration into business automation systems, analytics, and information protection.
The technology needed is different.
Instead of user provisioning and WAM, external identity requires social sign-on and profile management. Furthermore external identity requires more than just IAM technologies, but also things such as integration into marketing and sales automation systems, as well as complete information protection services
The lifecycles are different.
Where Join, Move, Leave served us well for employee-centric identity management, those lifecycle events don't work for external identity. External identity presents the relationship value and access channel progressions. Furthermore, the relationships we form with our customers do not end. There is no Leave.
The privacy expectations are different.
The fact that there is no “Leave” means that, as a service provider, be it public or private sector, we have different privacy and information protection duties. There is no HR in the realm of external identity; it thus falls to identity teams and their peers to address privacy requirements.
The goals are different.
Whereas with enterprise identity management we sought to deliver the right access to the right people at the right time in the right place, external identity management requires the delivery of the right experience to the right person at the right time in the right place.
Lastly, the opportunity is greater.
For the business, regardless of its mission, the opportunity is to deliver services more easily, more cost effectively, and at a higher quality using external identity. Selfishly, as an identity professional, our opportunity is that external identity transforms identity management, our profession, into a business enabler instead of its traditional role as a cost center.
This is the time to act. It is time to expand our notion of identity and the tools needed to deliver.
Stop treating your customers like employees. Start delighting them.
“Your time is important to me. Continue to enjoy the conference and thanks for your attention.”