
21 questions to ask your CIAM vendor

Choosing a Customer Identity and Access Management (CIAM) system is not something you do on an impulse. CIAM is a crosscutting component in your application architecture: every customer-facing application depends on it, and a weakness in it is a weakness in all of them. Over the years, CIAM has grown in importance and moved from being a technological component to an enabler and driver of business strategy. All the more reason to choose your CIAM vendor wisely. To make sure you make the right choice, use the following questions to find out which CIAM vendor best meets your specific requirements.

Do I have to make a choice between security and customer experience?

A good security posture is important, but if you are dealing with consumers, your applications also need to be as user-friendly as possible. You should not have to trade customer experience for security, or the other way round. Can your vendor offer both at the same time? In other words, can your vendor hide the complexity of their security solution from the end user, so that the strong controls run in the background and only become visible when the risk justifies it?

How do you handle access to sensitive documents or large financial transactions?

Customers will sometimes log into your application just to consult information. At that moment you should ask them for the minimum of credentials. But once they want to access more sensitive information, or make a payment, your security should be capable of asking for extra credentials. Ask your prospective vendors whether they offer adaptive authentication that does not make life too difficult for your users. With adaptive authentication, the minimum required authentication method is chosen based on the circumstances of the request: when and where the user is trying to access a resource, from which device, and how that compares with their usual behaviour. Ask also whether they support step-up authentication, for instance when the payment of a larger sum of money requires extra checks. One point worth verifying in a demo: the step-up must be enforced server-side at the moment of the sensitive transaction, bound to the session and to the device the session was issued to, and it should expire after a short time, so that a single strong authentication at login cannot be reused hours later for a high-value payment.
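To make the adaptive and step-up logic described above concrete, here is a small policy engine written as an added example for this article. It is not code from any CIAM product or from this page's author. The assurance levels loosely follow the single-factor, two-factor and phishing-resistant tiers of NIST SP 800-63B; the payment thresholds, freshness windows and risk signals (unknown device, unexpected country) are assumptions chosen for illustration, and the scenario data in `sample_decisions()` is constructed, not real traffic.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import IntEnum


class Assurance(IntEnum):
    """Authentication assurance reached by a session (ordering matters)."""
    NONE = 0        # anonymous / public content
    PASSWORD = 1    # single factor
    TWO_FACTOR = 2  # password plus OTP, push or similar
    STRONG = 3      # phishing-resistant: FIDO2 key, smart card, eID


@dataclass
class Session:
    user: str
    assurance: Assurance
    achieved_at: datetime   # when the current assurance level was reached
    device_id: str          # device the session was issued to


@dataclass
class Context:
    device_id: str
    known_devices: set      # devices previously seen for this user
    country: str
    home_country: str
    now: datetime


@dataclass
class Action:
    name: str
    sensitivity: str        # "public", "personal" or "sensitive"
    amount_eur: float = 0.0


# Hypothetical thresholds: how recent the authentication must be per level.
FRESHNESS = {
    Assurance.NONE: None,
    Assurance.PASSWORD: timedelta(hours=12),
    Assurance.TWO_FACTOR: timedelta(hours=1),
    Assurance.STRONG: timedelta(minutes=5),
}


def required_assurance(action: Action, ctx: Context) -> Assurance:
    """Adaptive part: pick the minimum level for this action in this context."""
    base = {"public": Assurance.NONE, "personal": Assurance.PASSWORD}
    level = base.get(action.sensitivity, Assurance.TWO_FACTOR)
    # Step-up on transaction value (assumed thresholds).
    if action.amount_eur > 500:
        level = max(level, Assurance.TWO_FACTOR)
    if action.amount_eur > 10_000:
        level = max(level, Assurance.STRONG)
    # Risk signals raise the bar by one level, but never for public content.
    risky = ctx.device_id not in ctx.known_devices or ctx.country != ctx.home_country
    if risky and level > Assurance.NONE:
        level = Assurance(min(level + 1, Assurance.STRONG))
    return level


def decide(session: Session, action: Action, ctx: Context):
    """Return ("allow", None) or ("step_up", <level the user must reach>)."""
    need = required_assurance(action, ctx)
    if need == Assurance.NONE:
        return ("allow", None)
    # A session token replayed from another device never inherits its assurance.
    if session.device_id != ctx.device_id:
        return ("step_up", need)
    if session.assurance < need:
        return ("step_up", need)
    # Even a sufficient level goes stale: high-value actions need a recent proof.
    max_age = FRESHNESS[need]
    if max_age is not None and ctx.now - session.achieved_at > max_age:
        return ("step_up", need)
    return ("allow", None)


def sample_decisions():
    """Run the policy over constructed scenarios (sample data, not real traffic)."""
    now = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
    home = Context("dev-1", {"dev-1"}, "BE", "BE", now)
    roaming_new_device = Context("dev-9", {"dev-1"}, "US", "BE", now)
    pw_session = Session("alice", Assurance.PASSWORD, now - timedelta(minutes=10), "dev-1")
    strong_fresh = Session("alice", Assurance.STRONG, now - timedelta(minutes=2), "dev-1")
    strong_stale = Session("alice", Assurance.STRONG, now - timedelta(minutes=10), "dev-1")
    balance = Action("view_balance", "personal")
    small_pay = Action("payment", "sensitive", 200)
    big_pay = Action("payment", "sensitive", 20_000)
    faq = Action("read_faq", "public")
    return {
        "balance_home_pw": decide(pw_session, balance, home),
        "small_pay_home_pw": decide(pw_session, small_pay, home),
        "balance_roaming_pw": decide(pw_session, balance, roaming_new_device),
        "faq_roaming_pw": decide(pw_session, faq, roaming_new_device),
        "big_pay_strong_fresh": decide(strong_fresh, big_pay, home),
        "big_pay_strong_stale": decide(strong_stale, big_pay, home),
    }


if __name__ == "__main__":
    for name, outcome in sample_decisions().items():
        print(f"{name:22s} -> {outcome}")
```

The example shows the two halves that the question above asks about: `required_assurance` is the adaptive part (the bar moves with sensitivity, amount and risk signals), and `decide` is the enforcement at the transaction itself, which also rejects a session presented from a device other than the one it was issued to and forces re-authentication when the proof is older than the window for that level.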

Can you protect my applications with just one technology?

Organizations are tired of having to weave together point solutions that each solve only one challenge. This is time-consuming, and keeping all applications and their connections updated is a burden on your staff. For your CIAM, you will save time and effort if you work with a vendor whose solution is based on one technology that can protect all your applications. Does your prospective vendor offer the right level of protection for all your apps, regardless of whether they run on-premises, in the browser or on mobile?

Do you support a broad range of Identity Providers?

Demand for Single Sign-On and Federated Identity Management is rising. Consumers want to bring their own identity and expect to authenticate to applications with social, government-issued or other identities. Ask the CIAM vendors you are talking to how they support different Identity Providers and external user repositories, and which federation protocols (SAML, OpenID Connect) they speak. Do these connections come out of the box? Or do they require manual work?

Do you support European and other government-driven identities?

Governments are stepping up their efforts to provide all citizens with digital identities, for instance eID and itsme in Belgium, and eHerkenning and iDIN in the Netherlands. As more citizens are using these government-driven identities, CIAM systems need to be able to connect with each identity scheme that is used in Europe and abroad. Check with your vendor whether they connect with these Identity Providers out of the box, or whether integration requires manual work from your security staff. Will they work with all your applications? And with SSO, to increase user convenience and lower the cost of use?

Do you support passwordless authentication?

Consumers are getting tired of memorizing username/password combinations or PINs, especially for applications they do not use frequently. With the breakthrough of biometric methods such as fingerprint and facial recognition, passwordless authentication is gaining ground. Does your CIAM vendor cater to the need for ease of use and support passwordless authentication? Do they add security on top of it, such as adaptive authentication or strong authentication mechanisms? A practical check: with standards-based passwordless (FIDO2/WebAuthn), the biometric never leaves the user's device; it only unlocks a private key there, and the vendor should be able to confirm that their implementation works this way rather than sending biometric data to a server.

What extra capabilities do you offer on top of basics such as identification, authentication and authorization?

Identification, authentication and authorization are the basics of access management, and any CIAM will offer them. As you design your security strategy and your access and authentication policies, you will discover that you may also require multi-factor authentication, adaptive authentication, API security, access orchestration, federated identity management and risk-based access management. Does your vendor offer these capabilities? Even if you do not need all of them right now, you may need them later, so make sure the platform does not limit what you can do in the future.

How easy is it for administrators to set up new policies?

Productivity and efficiency are important to any organization, and a user-friendly interface will not only make your security officers productive, it will make them happy too. When comparing CIAM vendors, insist on a real-life demo of how easy it is to set up new access policies and how convenient it is to implement a customer journey. Is the interface your security officers will be using intuitive and user-friendly? Can policies be reviewed and versioned, so that you can see who changed what and roll back a mistake?

Can you deal with hybrid architectures – running partially on-premise, partially in the cloud?

Moving to the cloud is not a big-bang operation. Organizations are moving to the cloud, but at their own pace. This creates a hybrid situation, with some applications in the cloud and others still on-premises. As you move more applications to the cloud, your CIAM solution should be able to deal with such a hybrid architecture. Ask your CIAM vendor how they deal with these situations, and whether they let you make the journey to the cloud on your own terms.

Can consumers bring their own means of authentication?

Social media play a huge part in consumers' lives. In 2020, people spent on average 2 hours and 24 minutes per day on social media. Increasingly, they use their social logins to authenticate to other services and to access websites. To guarantee a good customer experience, CIAM vendors need to support this 'Bring your own authentication' (BYOAuth) requirement. Does your prospective vendor have the necessary connectivity to use Facebook, Google or LinkedIn as an Identity Provider? Ask as well how they link a social login to an existing customer account: linking should only happen on a verified e-mail claim from the provider or after the user proves control of the existing account, otherwise anyone who registers a social profile with your customer's address could take over that account.

Can you help us be GDPR-compliant?

Consumers attach a great deal of importance to protecting their privacy and remaining in control of their data. A CIAM system needs to record and track user data in line with GDPR, and offer end users a way to give or revoke their consent for sharing personal data with each application. Depending on the industry you work in, you may also want to ask your CIAM vendor about technical support for anti-money laundering (AML) and Know Your Customer (KYC) processes.

Can I customize your solution?

As the saying goes, one size fits all usually means one size fits none. Your organization is unique, and this should be reflected in the setup of your CIAM system. You will want to customize the system to fit your specific needs. While all CIAM systems allow some customization, it is always best to check how labor-intensive those customizations are, and whether they survive product upgrades. Much depends on an intuitive and user-friendly interface.

Can you offer an end-to-end solution?

Gone are the days when an IT department bought pieces of the puzzle and fitted them together itself. Enterprises are reducing the number of vendors they partner with and opt to work with a smaller number of strategic partners that can act as a one-stop shop for a specific area. In CIAM too, you should not purchase point solutions that require many person-days to integrate. So ask your potential vendors how broad their offering is and whether their components come well integrated.

Do you support Open Banking?

If you are working in the financial services industry, you will know that Open Banking has a huge impact on the way you work with third parties, including your competitors. The EU's PSD2 directive requires banks to give licensed third-party providers access to customer account data and payment initiation, with the customer's explicit consent. Together with the digital innovations that financial services are implementing, this increases the demand for security, especially API security and strong customer authentication. Does your CIAM vendor understand the specific requirements of PSD2 and the local implementations of Open Banking? Do they provide you with the tools to benefit from the data opportunities that Open Banking offers?

Does your solution scale along with my business growth?

Growth is one of the imperatives of any organization: growth in revenue, growth in margin, growth in the number of users of your customer-facing applications. When choosing a CIAM vendor, make sure they can support you in the future. Check with your CIAM vendors how scalable their solution is. Can it support millions of authentications a day, and peak loads such as a product launch or a campaign? Can their CIAM system start small and grow with the business? Is their pricing structure aligned with that growth? These are key questions to ask.

Does your CIAM help me bring applications to the market faster?

The rat race is on! You win in your market with the quality of your services and solutions, but also by being first to market with innovations. As all your customer-facing applications require access management, your CIAM system should not be a bottleneck. Check with your vendor how easy it is to add new applications to the CIAM core. Does the solution come with industry templates? Are new policies easy to set up? Is the user interface easy to use?

How easy do you make it to build a digital ecosystem?

Banking, insurance, travel, HR services... In many markets, the leaders are building ecosystems of services, adding third-party solutions to their portfolio to become a one-stop shop for their customers. By developing ecosystems, they offer greater convenience to users. Do you intend to build digital ecosystems? Then check with your CIAM vendor how easy it is to add new third-party services safely. API security will play a key role here, so check what your CIAM vendor offers when it comes to securing APIs: token issuance and validation, scopes that limit what each partner may call, and revocation when a partner relationship ends.

Can you still help me as my digital transformation progresses?

Although every organization is undergoing a digital transformation, every industry and every individual company is at a different stage in that transformation, and every stage requires a different take on CIAM. If you are making services available online and on mobile, your CIAM needs will be different from when you are building digital ecosystems or exploring new business models on top of those ecosystems. Therefore, it is important to know whether your CIAM vendor can support you throughout your ascent on the digital maturity ladder.

Do customers play a role in building your roadmap?

Through working with CIAM, you may come up with innovative ideas or functionalities that are specific to your organization. While you can develop these yourself, it may be a better idea to ask your vendor to include them in the product itself, so that they are maintained and security-tested as part of each release. So check with your CIAM vendor how open they are to user feedback and suggestions, and how you can influence their roadmap.

Can you help me with the implementation, and with aftercare?

Security in general, and CIAM in particular, are evolving fast. New technologies, new applications and new identity providers make solutions more complex to implement. Even if you have dedicated staff, are you sure they should be implementing CIAM on their own? Or do you need help from your vendor, or from a specialized partner that is closely aligned with your CIAM vendor? Ask your potential vendors whether they can assist with implementation, and whether they have professional services and a managed service offering to support you throughout the entire lifecycle of your CIAM implementation, including patching and incident response.

Will your current customers testify on how you work with them?

Before you engage with any vendor, you will want to know what other customers say about them. If those customers are happy with the solution and services of their CIAM vendor, chances are that you will be successful with that vendor too. Check the site of your candidate CIAM vendors for reference stories, and for the willingness of their customers to speak publicly about their work with that vendor. Are these customers open to a reference call?

Do you want to discuss these questions further? Or would you like to know our answers to these questions? Contact us and we will explore these questions and answers together.