Not only do disparate systems create an un-unified, inaccurate view of customers, they make risk assessments more difficult, increasing the likelihood of regulatory non-compliance. Additionally, the vast majority of these systems cannot secure ‘things’ nor their data — opening the door for breaches and hacks. Traditional Identity and Access Management Grounded in customer use cases, it is only within the past five years that the six global trends solidified. Within that time, most organizations have made large investments in traditional, employee-centered identity and access management (IAM) systems. As such, to address the new trends as they’ve appeared, many organizations have tried modifying their IAM systems. However, traditional IAM systems are built to support employee identities; they are not built to secure millions and billions of ‘customers’ and ‘things’ — nor the data they amass. Attempting to adapt existing IAM systems that do not have the flexibility, extensibility or scalability required is a common pitfall of organizations… – ComputerWeekly Traditional IAM uses static rules to make decisions. It was not designed to address the six global trends, such as to easily provide omnichannel experiences, secure ‘things’ and their data, create personalized experiences based on consumer context, enable users to control privacy, consent, and erasure over their data, or support regulations such as GDPR, Open Banking, and PSD2. As such, they are implemented as a single, allencompassing identity and access management solution across an organization for all use cases — employees, customers, devices, and ‘things’. Supporting the Six Trends’ Customer Use Cases In terms of the customer use cases defined by the six trends, the most advanced digital identity platforms must enable organizations to: »» Personalize customer experiences, build relationships and deliver omnichannel experiences »» Secure and connect billions of customer and IoT identities and data »» Authenticate and authorize billions of logins and transactions daily »» Facilitate security, analytics, privacy, and control »» Support and adhere to regulations (GDPR, HIPAA, Open Banking, PSD2) »» Integrate with other systems, such as marketing automation systems »» Easily scale to meet demands and requirements »» Identify and protect against fraudulent or malicious activities With their all-encompassing, purpose-built capabilities, digital identity management platforms serve as the backbone of the secure, seamless, personalized, and privacy-minded digital ecosystem that customers demand. Rather than sewing multiple systems together and modifying traditional IAM to address the six global trends and prepare for the future, organizations must deploy an all-encompassing and purpose-built digital identity management solution. The Way Forward: Digital Identity Platforms for Customer Identity and Access Management Unlike traditional IAM, and even traditional customer identity and access management (CIAM) systems, which are built only for specific use cases, digital identity management platforms are designed to secure and manage identities and data of every kind (employees, customers, devices, and ‘things’). https://www.computerweekly.com/news/450429018/Consumer-identity-management-will-benefit-business Copyright © 2018 ForgeRock, All Rights Reserved. 3 Seven Basic Components for Customer Identity and Access Management Behind the scenes, digital identity management platforms are now the enablers of both business and everyday life. Yet, platforms vary in their components and capabilities. The following are the seven basic components of digital identity management platforms needed to begin to address the six global trends. To help evaluate providers for each component, RFP questions are also provided. For ForgeRock answers to the questions, stay tuned for the Comparing Digital Identity Providers for Customer Identity and Access Management Workbook. RFP questions by the healthcare, automotive and new mobility, retail, telecommunications, and financial services industries will be available in separate workbooks. Basic Component Description Federated SSO Based on trusted relationships between organizations, federated single sign-on (SSO) gives users secure access to those organizations’ web properties and applications using a single account, hence single sign-on. Federated SSO uses open standards such as OAuth, WS-Federation, WS-Trust, OpenID Connect and SAML to pass authentication tokens between the organizations’ identity providers. Social Registration and Authentication As a form of single sign-on (SSO), social registration and authentication allows users to register and authenticate quickly and easily using their existing information from a social networking service, such as Google or Facebook. Multi-Factor Authentication Multi-factor authentication (MFA) is a method of validating a users identity through multiple authentication mechanisms. Authentication mechanisms include something the user knows, something the user has, and something the user is. For example, access is only granted after a user enters their password (what the user knows) and a numeric code sent by text to their phone (something the user has). Authorization As part of access control within a digital identity solution, authorization is the function of determining if a user has permission to access a specified resource(s), such as a website(s), record(s), document(s), and so on. Self-Service ‘Self-service’ refers to allowing users to manage their accounts on their own rather than relying on an organization’s support staff. Examples of self-service include managing login preferences, password management, updating contact information, requesting support, and so on. Self-service not only reduces support costs, it also improves user experience and customer engagement. Copyright © 2018 ForgeRock, All Rights Reserved. Questions for Digital Identity and CIAM Providers Does the provider offer federated single sign-on based on open standards such as OAuth, WS-Federation, WS-Trust, OIDC and SAML? Does the provider offer social registration and authentication? Which social networking services are included in their offering? Does the provider offer multi-factor authentication? What authentication mechanisms do they offer? What types of authorization methods and access controls are offered by the provider? Does the provider offer self-service? What self-service capabilities does the provider support? 4