This point of view article was originally published on Express Computer, authored by Biju Mathews, Vice President – Industry Solutions Group, Mphasis. Express Computer is one of India’s most respected IT media brands, covering enterprise technology in all its flavours, including processors, storage, networking, wireless, business applications, cloud computing, analytics, green initiatives and anything that can help companies make the most of their ICT investments.
At the heart of a good IAM program resides the elixir of any digital transformation objective—seamless customer experience. Identity and access management (IAM) is not just a function of enterprise security, but also a strategic business initiative that impacts customer experience, revenues and costs. It is the discipline of managing access to enterprise resources, with risk as one of its primary focus areas.
User demand is evolving IAM from a compliance-based program into an effective business-enabling program. It enables new services to be made available on digital channels, with services such as biometric identity proofing. It has metamorphosed from a mere employee-related program to scale the entire technology landscape, across customers, partners, partner services, devices and the Internet of Things.
A robust identity management program should address security concerns and enable digital transformation. It must ensure customers have seamless experiences while interacting with an enterprise’s digital assets, provide security infrastructure that allows API-based partner service integration, address security and privacy requirements with customer experience at its center, and remain developer-friendly. It should include -
Implementation plan with customer outcomes
First and foremost, implementation plans should not just be IAM product centric; it should consider customer outcomes. Such a plan, with no correlation to the impact on the customer journey, needs to be seriously reconsidered. A case in point—see below a high-level plan that is IAM product centric, without any mention of customer outcomes.
1. Access management—Q1 plan: Install SSO & MFA solution
2. Q2 plan: Extend solution to App1
3. Q3 plan: Extend solution to App2
In such cases, I would recommend creating a service blueprint, which gives a view of customer interaction, with digital and physical assets and underlying processes.
Security that enables API monetization
Let us consider a scenario where an e-commerce website requires a user to place orders on an app, and mandates that the users track order deliveries on a separate app provided by a logistics provider. This is not at all end-user friendly..
If an enterprise is a logistics API provider in the financial services space, it needs to have a reliable IAM solution. This means that this provider will need to trust the API consumer to which the user has got authenticated.
In this scenario, the logistics API provider will use the user identity provided by the consumer. Hence, having an identity ecosystem built as a relying party to a third-party identity provider, and having the option of being an identity provider to a third party, is critical.
Staying on the topic of APIs, access control of service-to-service is an area that needs attention. Initially, there could be very few services, but it will increase with time. Therefore, it is important to have a comprehensive strategy to manage access control between services.
OAuth2 and OpenID Connect (OIDC) keeps the services/application solutions secure with seamless customer experience.
Effective consent and subject right request management
Consent management and subject right request (SRR) can be complicated topics.
When it comes to consent from an end-user experience perspective, it shouldn’t be about displaying long, verbose legalities provided by lawyers, which the user has to accept or deny, or worse, just accept (without questions asked). Consent management could be turned around as a mechanism to increase customer loyalty, by educating customers about consent. Enterprises can take the next step by creating a rewarding opportunity for ‘consenting’ users through redeemable loyalty points. Syncing a customer 360 solution with a consent management system on time will be of great value—for security and personalization.
Concerning SRR, designing a system that can accept requests from multiple channels without disenfranchising any segment of users, ensuring requests are acknowledged and providing visibility of fulfillment, will go a long way in building customer trust in a brand.
Flexible customer authentication and authorization service
Applications, such as smart TVs and kiosks in stores and airports, that run on internet-connected devices are becoming rampant. These devices struggle to handle complex user inputs such as credentials, and many don’t even run browsers. Having an identity management program to address such uses cases should be factored in. OAuth2.0 device flow tries to address this need. Passwords (as much as we hate them) will continue for some time until WebAuthn becomes mainstream. Having an authentication service that supports multi-factor authentication (MFA) and graceful degradation, and recovery to address customer situations such as losing smartphones, should be considered.
Having a fine-grained authorization solution externalized from the application code to gain customer consent, and logging of access to sensitive data will be imperative to meet privacy requirements set out by GDPR, CCPA, and the likes.
A great IAM solution that is not developer-friendly could be detrimental to an enterprise’s transformation speed. Having authentication, access management and identity management as a service, with SDKs and reference implementation for developers will be vital to driving developer productivity. However, if each application project discovers and works towards plugging into these services independently, it will be harmful to digital transformation speed.
Over time, the customer identity management landscape in any organization could have organically grown with various departments holding ownership of different segments within the entire IAM journey. Acknowledging this framework and reevaluating internal ownerships is important, given the objective of seamless customer experience. In many circumstances, teams across product, security, and digital marketing tend to use different outcomes and metrics. Arriving at a common set of outcomes and metrics through collaboration ensures that IAM programs accelerate towards security and privacy objectives, keeping the core digital transformation objective in mind—seamless customer experience.