The Journey to CIAM Maturity: Envisioning the Future of Customer Identity

Understanding what lies in the future of customer identity is one of the biggest challenges we’re figuring out at Okta—and it’s one that defines a lot of the work we’re doing. Now, as we come to the final stage of the journey to CIAM maturity, it only makes sense to think about what’s next for customer identity and access management (CIAM).

The final stage of the CIAM maturity curve is what we aspire to for ourselves and our customers as we look toward future trends in the short and long term. We call this last stage “Continuous,” not only because authentication should be occurring dynamically throughout every session, but because the entire field is always evolving.

For market leaders, customer identity means more than just making sure customers can log in seamlessly—a continuous, forward-looking CIAM solution should encompass all aspects of the customer experience across every device and every activity. That’s the difference between CIAM that only concentrates on getting users through the gate, and one that assesses identity, context, and risk on an ongoing basis.

Continuous CIAM your customers don’t notice

Part of what makes customer identity a continuous concept is continuous authentication, which I’ve written about before. With continuous authentication, you can leverage standards such as WebAuthn to passively review the identity, context, and security posture of individuals and devices logged into your systems. In my previous post, I pointed to Slack as a well-known instance of an app that you log into once, and then it maintains your session almost indefinitely by regularly referencing corporate data and tools.

I want Continuous CIAM to take this even further. Beyond simply eliminating user friction and ensuring the right people have access to the right resources, organizations in the final stage of the maturity curve should be able to determine when and to whom customer data is exposed, based on the individual’s needs and request, context, and consent. In other words, the future of customer identity will surpass the definition of user access as we understand it today, facilitating seamless, continuous authentication and authorization at the data access layer while protecting privacy.

Such measures are already possible to a certain extent. Organizations with sophisticated CIAM solutions can set internal and third-party risk signals for categories such as network, location, device, and even type of transaction to calculate session risk scores on a regular basis or when triggered by specific events. This allows customers to only authenticate when appropriate, while also enabling organizations to enhance and automate security and identity orchestration workflows.

A solution spanning all parties and channels

A robust, intelligent customer identity solution must streamline and secure access to a company’s customer-facing resources—but none of our systems are independent anymore. Most modern organizations operate within vast networks of suppliers, partners, and vendors, and serve customers across multiple platforms and channels. And these all have to fit under the same umbrella, respecting and upholding the same considerations.

From the customer portal and the help desk, to the chatbot and secure payment tool, customers may encounter several different functions that fit together to form a single brand experience—and that complicates CIAM. At the end of the day, an omni-channel customer experience is only as secure as its weakest link.

That’s why continuous CIAM isn’t just about constantly authenticating users, it’s also about providing customer identity solutions that work across numerous channels to align with leading identity and security protocols, and store authentication data within a single solution. This is where a security information and event management (SIEM) platform can help by enabling organizations to aggregate and log this information from all third party tools.

Customer identity that can take on the world

Being continuous also means being up-to-date with all privacy and security regulations that affect users, and designing compliance directly into every system which touches the customer’s identity. This is a challenge for organizations that have built their own CIAM from the ground-up as it requires every architect, developer, and administrator to understand how to design, build, and maintain systems that are compliant with every customers’ geography. Developers have enough to worry about; they can’t be expected to become experts in global privacy policies and any regional nuances. 

The continuous CIAM of the near future is therefore going to not only understand the location context of each user, but the regulatory requirements of that location to intelligently determine the levels and types of data access that should be allowed. Ideally, this system allows you to integrate with best-in-class protocols and systems faster and easier while creating a genuinely evergreen solution.

An identity provider like Okta sets you on the path to continuous CIAM by building compliance into products and solutions—whether it’s government regulations like the CCPA and GDPR, industry safeguards like HIPAA, or financial guidelines like FAPI and SCA transaction signing. Robust controls such as risk-based authentication add another layer of assurance around who can access specific data.

So there you have it—Stage 4 of the CIAM maturity model might be focused on tomorrow, but organizations that are on top of their game can get started on this journey today. To find out more about all the stages of the CIAM maturity curve, and how you can efficiently and proactively evolve your approach, I encourage you to check out our full eBook, From Zero to Hero: The Path to CIAM Maturity.