Hello everyone. Good morning. Good afternoon. I'm John Tolbert, Director of Cybersecurity Research here at KuppingerCole, and today I want to talk about the results from a recent leadership compass I did on CIAM. So welcome. So a little bit of logistics info first. Everyone's muted centrally, so there's no need to mute or unmute yourself. We're going to do a couple of polls right before I start the results section, and then we'll look at the results after that. You can submit questions in the CVent control panel at any time, and I'll take those at the end.
And lastly, this is being recorded, so the slides and the recording should be available in a few days. So I'm going to start off by talking about, you know, do an overview. What are the challenges in CIAM? What are some of the trends that we see, the new features that were visible this time around in the research? Then I'll talk about our leadership compass methodology and the process, and then show some results and do the poll question results and Q&A. So first up, what do we say the C in CIAM stands for?
Well, I've often said consumer, but you know, a lot of people now call it customer IAM, and then there's also citizen IAM, and you can see there are lots of different use cases, and they're somewhat different between how you interpret the C in CIAM.
You know, retail, banking, e-commerce, media, other kinds of, you know, purely consumer-facing businesses, it would be considered consumer IAM, but we've seen a big rise in the number of use cases and adoption of CIAM for B2B IAM or B2B CIAM use cases, and that would involve, you know, cases where you've got members of a supply chain, maybe you're doing logistics, and it's a little bit different in terms of what the use cases and features are that you need to be able to satisfy those.
And then on the citizen side, you know, even at the local and state level, not just federal level, government agencies need to be able to offer identity management solutions so that citizens can log in and pay taxes or, you know, request licenses of different kinds, so CIAM is pretty much all-encompassing these days. So, what are the goals when an organization sets out to get a CIAM? Maybe you're replacing something that you've already got.
Maybe you're using a workforce or an enterprise identity management system, and you've got customer information in it, or you've tried to extend it and use it for consumer-facing applications, and maybe that's not working so well for you. Maybe you need to offer self-registration, because it's difficult to create accounts for hundreds and hundreds or thousands of consumers or customers. You probably need to be able to host their consumer or customer profile, including different kinds of data types beyond what might be available in, like, traditional LDAP directories.
Ultimately, I mean, it's a lot of work. Ultimately, I mean, especially on the consumer side, you want to convert those unknown users to known customers. Increasingly, we see more privacy regulations around the world, so you need to be able to collect consent to comply with different regulations. You probably want to collect data, you know, for better marketing analytics, targeted marketing with an ultimate goal of increasing your revenue if you're a for-profit company.
Regardless of what the end users are, you probably want to offer better or stronger authentication that's actually easier to use, provides, you know, better security, and have good account recovery mechanisms in cases of fraud. And lastly, you know, another feature might be better identity analytics for security.
So, these are just some of the different goals that we're aware of that organizations who are searching for CIAM are looking for. So, maybe you do have a CIAM or an IAM solution that you've repurposed for consumer, customer, or citizen use cases. What are some of the obstacles that we're encountering? We often hear that it's been difficult to deploy, you know, early gen CIAM was likely, you know, on-premises based. A lot of organizations want to move to the cloud for more flexibility, better scalability, lots of different reasons.
Some of the older generation CIAM solutions, you know, were kind of monolithic. They did not have good API exposure, so it could be difficult to connect them to other parts of your IT or security infrastructure. Connecting to legacy or line-of-business applications, that was also quite difficult in days gone by.
Nowadays, the CIAM solutions that are out there often have pre-built connectors that make it easy to connect to a wide range of different kinds of applications, SaaS applications, as well as on-prem applications. Identity and marketing analytics were tied to the CIAM. It was hard to get it out.
Again, that API exposure can be very helpful. And, you know, the early gen CIAM solutions kind of operated as a silo, not necessarily connected to enterprise, workforce IAM, or even other parts of your IT infrastructure. I mentioned scalability already. Many of them really only offered password-based authentication, which I think we all know is unfortunate because it's insecure and not exactly user-friendly, especially when you forget your password.
Again, with the multiple privacy regulations around the world, and, you know, they're not all the same, so being able to comply with them can be difficult. It has to be constructed within that application. And then lastly here, licensing or subscription costs.
If you're running an on-prem solution, maybe you're in retail and you have, you know, maybe a couple of high traffic events a year, and you have to build up enough scale to deal with those high traffic events, that can be rather costly compared to, you know, using a cloud-based solution where you pay for as much as you need and you can scale for those peak events. I mentioned fraud. Cybercrime obviously has been on the rise. We talk about two major types of fraud that we see that CIAM systems can help you deal with. The first is account takeover fraud, exactly what it sounds like.
You see several different methods that are used, you know, breached passwords that are found on the dark web, credential stuffing attacks, you know, where they will find breached passwords and hope that users have reused them. And then finally, the users have reused those passwords at other sites, so they blast those out with bots to lots of other sites to see if they can get in. Brute force password attacks, they still happen all the time. And account takeover, why would they do it?
Well, they're trying to get something to transfer value out of that account. And it's not just a bank account or a credit card account, it's anything of value, whether it be, you know, loyalty programs, frequent flyer miles, anything that can be converted into money more or less as a target. On the other side, we see AO fraud, which stands for account opening fraud. This is where, you know, they'll take PII from individuals that they might get from school, work, or medical records.
And they can use this for major financial crimes, you know, like taking out a mortgage or a line of credit or, you know, creating mule accounts to move money from crypto into the real world. The two main mitigations we mention here are MFA or RBA, multi-factor authentication, risk-based authentication to help prevent ATO fraud. And then on account opening fraud prevention, identity proofing is really, really helpful. So what's new? What's new in CIAM?
The need for identity verification has, you know, greatly expanded from, you know, just doing anti-money laundering and know-your-customer initiatives for financial organizations. You know, many other industries now see a need for at least some level of increased identity assurance at registration time, and sometimes periodically beyond that. I mentioned fraud.
You know, it's getting worse. Fraudsters are highly innovative. And for CIAM, organizations need to be able to, if it doesn't have some built-in fraud prevention capabilities, and a few of these vendors do that we'll mention here in a few minutes, then having integrations with what we call fraud reduction intelligence platforms is very important. Privacy regulatory compliance. There are more laws in different places. They're not all exactly the same. Being able to have a CIAM solution that you can tailor to help you with compliance in different jurisdictions is very, very helpful.
Passwordless authentication. Obviously, we want to move away from passwords because of all the reasons that we know. Passwordless is becoming more of a trend, and the varieties and support for that are increasing in CIAM solutions, fortunately. Integration, interoperability, or driving an API-first approach. This used to be, you know, highly innovative. Only a few CIAM vendors did it, but now we find that this trend has really caught on, and we're seeing, you know, more and more vendors support this. IoT device identities and consumer account linking.
I mean, I think we all have devices of one kind or another that, you know, have their own device identity, and we want to be able to manage that in conjunction with our online identities. So, having the ability to do that in a user-friendly way is a great feature. And I mentioned the B2B and B2B-C kinds of use cases. I'll go into that in a bit more detail in a minute. Some of the integrations that we see that CIAM solution providers are doing these days are to customer data platforms. Just a quick overview on what a CDP is.
They integrate data from not only your CIAM system, but your customer relationship management software, maybe email, social media to give a, you know, a real unified view of a customer. They can resolve identities. Maybe there's incomplete identity information amongst all those different sources. You can use this as a way to pull it all together. Then you can segment that data by demographics or preferences or behaviors, again, for marketing purposes. Do personalization recommendations. Integrate with CPM, consent and privacy management solutions, which is on the next slide.
And then facilitate what they call multi-channel customer activations, you know, how to get customers to engage with a brand via web, mobile, IoT, even social media ad platforms. Consent and privacy management, these are, you know, third party, outside of the CIAM solution. These can be really useful for, you know, big companies or organizations that work across a variety of different, you know, regions around the world. They are subject to multiple privacy regulations. You're collecting data from a lot of different sources.
They can do things like provide you with templates for privacy policies and terms of service, data subject access request portals, which are necessary for EU GDPR compliance, preference management. They can also help you do PII inventories and map data flows and, of course, manage cookies, and then help with audits. And these are things that we see CIAM solutions are starting to provide not only APIs, but, you know, some packaged connectors for some of the leading third party consent and privacy management solutions. Then we have chatbot and payment service integrations.
You know, with the rise of AI and the popularity of AI and especially LLM solutions, many companies want some chatbot-like features directly in the CIAM, maybe to help with access requests or things like that. One of the goals there is to lower support costs. This can be a way of doing it. Some of the vendors that we surveyed offer some connections to AI-powered chatbot services today. And I predict that there's going to be more and more integrations across all the vendors in the space for AI chatbots.
Same with payment services, you know, retail, e-commerce site operators are going to want CIAM to be able to easily link to payment service providers. A few of the CIAM solutions that we looked at in this report offer this.
You know, there are a variety of different payment service providers that are out there. A few of them have integrations with some of the leading ones today. And we think this will only expand in the future. B2B CIAM or maybe B2B IAM, depending on how you want to look at it.
Again, these use cases are growing in importance and adoption around the world. The key features that we see for supporting this are things like identity proofing. And this goes a little bit above and beyond what we see for, let's say, consumer-based remote onboarding apps, where you take a selfie and, you know, match it with an authoritative document. This also needs things like integrations with HR systems so that you can do background checks or sanction screening or politically exposed person screening.
I've been advocating for compromised credential checks in CIAM solutions for quite a long time. Now we see this is actually becoming even more important for B2B CIAM scenarios, because you don't want to let a compromised credential in, you know, from somewhere down in the supply chain.
And again, you know, for this section, let's think about, you know, a complex supply chain scenario where you've got, let's say, a primary contractor and maybe, you know, tens or hundreds of other companies that make up your supply chain. And then expanding out from that, you've got, you know, other members of the supply chain that work with those hundreds of companies that, you know, are your direct customer as the prime. You need to be able to offer communications channels that you can tailor for a specific organization.
Maybe you only want to talk to two or three companies that are in your supply chain. You need to be able to easily tailor that for your audience and maybe even drill down on the specific attributes there. You probably need to be able to offer specific terms of service for every application that you open up to the supply chain, or maybe, again, specific members of the supply chain, not just on a per application basis.
And given that complexity, it would be very, very difficult to manage all the thousands or tens of thousands of users in the extended supply chain without something like a hierarchical delegated administration model. You know, if you've got, say, a hundred members of your direct supply chain out there, it would most likely be easier and better for security if you could delegate administration to responsible individuals in each of those member companies or member organizations.
Let them decide who should get access because they are in a better position to be able to say not only who should get access, but are they still there? You can get rid of, you know, deprovisioned accounts that are no longer needed. Then there's the notion of time limited accounts. This would be, you know, maybe you want to create an account for a day, a week, or a month, but it should go away after a specific time period.
Self-service portals, you know, specifically for doing access requests, even this is something that, you know, would be greatly simplified by having a self-service portal to handle access requests or resets or things like that. You would need a centralized administrative console for, you know, the prime customer, the prime member of the supply chain, as well as self-service portals for all the other members. You likely need to provide granular authentication policies. Maybe you have different policies for different types of organizations in your supply chain.
And then you'll most certainly want to be able to have per-entity reports. So to see, you know, where your risks are, who in the supply chain, you know, is doing a better job at security posture management. So there are lots of very distinct features around B2B CIAM that are definitely different than what we see in just, you know, traditional consumer IAM or even workforce IAM. A few trends to talk about, you know, there's lots of MFA options out there. We've been talking about this for many years. Unfortunately, you know, statistics show that passwords are still very widely used.
This is not good for security. It's not good for ease of use.
You know, a lot of these CIAM solutions out there offer, you know, FIDO, FIDO2 passkeys, WebAuthn, and these are things that, you know, organizations should really be taking advantage of. We do see increased offering and use of those remote onboarding apps I mentioned earlier for, you know, not only the B2B CIAM use cases, but also for just consumer use cases. There's not as much acceptance of decentralized identity outside of just a few regions.
But, you know, IoT device identity, I said that's growing. We expect that to continue to grow. And really, you know, customer organizations are not fully exploiting all the good capabilities that we see in CIAM solutions today. And that's not good for their consumers, but it's also not good for them because they're missing out on revenue and customers.
So, let's stop and take a couple of poll questions and see what you think about this so far. So, our first question is, which of the following are the main motivations that your organization has for either implementing CIAM in the first place or doing an upgrade? And we've kind of talked about all of these, but I'm really curious, what is it from the audience perspective that's most important?
So, we've got A, improving the customer/consumer experience, B, improving security, C, enhancing your marketing, doing that targeted marketing, personalization, recommendations, or D, just increasing revenue. So, we'll give you a minute to do that, and then I'll launch into the next one. The second one, so what's the biggest obstacle? Let's say you know that you need a new CIAM solution, but you know you can't for whatever reason. Is it lack of budget? Can't get business and IT to agree on the goals?
Do you have a lot of legacy applications that you'd need to connect to CIAM, but you're afraid that that would be difficult or even impossible? Have you experienced difficulty in trying to scale your existing CIAM solution and might be a little hesitant to look at another? Or do you feel like there's not enough customizability or not enough API integration?
Okay, we'll come back to the results of that in just a few minutes. So, like I said, we did a leadership compass on the topic recently, so let's talk about the process. Our process is we try to find all the vendors that are in a given space like CIAM, get briefings, talk to their customers, look at demos, and then of course we ask many, many, many detailed technical questions. We get that information back, we analyze it, we write the draft, we rate the companies, show the different dot positions.
We send that out for fact check in case anything's changed since the time we talked to the company and the fact check goes out, and once we agree on all the changes, we publish it. We have nine standard categories that we rate against in every leadership compass. The first category is security. This is about internal product security, not about how much security does this bring to the customer, but is it well designed? Does it require MFA for admins? Does it have attribute-based access controls built into the solution itself?
Functionality, does it have all the features that we think it should have? Deployment, can it be deployed on prem if somebody wants to? Is it SaaS only? Is it hybrid?
I mean, if it is SaaS, how many regions does the SaaS provider support? And then really, how easy is it to deploy? Interoperability, this is where standards are important. For something like CIAM, does it support SAML, OIDC, OAuth? Can you get logs out via syslog? Things like that.
Usability, this is not just about what it is like for the consumer or the customer, but also what's the admin experience like? Is it easy to use? Is it an intuitive interface? Does the interface need to be redesigned? That sort of thing. Then we also look at innovation. Is it leading edge or kind of playing catch-up in the market?
Market, how many customers are using it? How many identities? Are they targeting specific industries? Are they only active in North America or Europe? To be a real market leader, you should be global or at least encompass several continents.
Ecosystem, this is about sales and support and third-party support, and how active are they globally? And then lastly, financial strength. We look at companies anywhere from startups to late-stage startups, privately owned, public companies. This is trying to get an indication of their overall financial health.
So, after the rating, we then come up with four categories of leadership. There's product, which is the product functionality, security, interoperability, deployment, usability; market leadership, which is, again, looking at numbers of customers, financial strength, ecosystem; innovation, how leading edge is it? And then those all roll up into overall leadership.
So, let's take a look at some of the results. Here are the vendors that participated this time. This field continues to grow.
This is, I believe, the largest number of vendors that we've had in this report over the last eight years or so of doing it. It's very interesting that it seems that in between every iteration of the report, we find new companies that are getting into this business.
So, I think that's a really good indicator that CIAM is still growing as a field. So, we'll give you a look at the overall leaders in CIAM. You can see overall leaders are primarily your large IAM stack vendors, identity-as-a-service vendors, as well as some pretty well established CIAM specialists.
And again, the overall leadership view here is an amalgamation of product, market, and innovation. In addition to charts like that, you'll find spider charts, which rank each vendor on up to eight different categories. Here you can see onboarding, identity assurance, authentication, administration, consent management, IoT device management, identity analytics, and marketing integration are the categories that I called out here.
So, first question was, what are the main motivations? And pretty overwhelmingly there, almost 50%. It's about improving the customer/consumer experience, followed second by improving security. That's excellent. That's kind of what we would expect. Thank you for taking that. The next one here is, what's your biggest obstacle in deploying or upgrading CIAM?
Wow, that's very interesting. 70% say it's not having alignment on goals. I would have thought budget would have been there.
Well, yes, thanks for doing that. So, let's take a look and see if we have any questions. Questions. There have been some mergers in the field. How has this affected the market?
You know, that is very interesting. Thinking back to the slide there, yes, Ping and ForgeRock, SecureAuth and Cloudentity, and Thales and OneWelcome have all merged in the last couple of years.
And, you know, that really, I think, demonstrates the competitive nature of this market. There are, as I said, always new entrants coming into it. And I think these companies are getting together. They're probably, in some cases, buying features from those that they are merging with, or they may be trying to expand their customer base. The market is still highly competitive. And I don't think that there's been any decrease in innovation because of that. Let's see.
The next question is, given the shift to cloud, do you still include on-prem products in your report? Yes, we do.
You know, and I try to call that out, be explicit about exactly what's supported and where, in addition to, you know, talking about whether or not it's a single cloud vendor or maybe multi-cloud, because multi-cloud is kind of an important approach that we see. But yes, there are some organizations that still, for either, you know, what they perceive as security reasons or regulatory reasons, want to still deploy on-premises. And there are solutions that are listed in the report that do have on-premise options.
So yeah, I would encourage you to check that out. You can see the link to the reports themselves, including some of the older versions or some of the other fields that we've talked about here, like customer data platforms and fraud reduction intel platforms. Definitely encourage you to check those out. So I don't see any other questions in the queue right now, but I would like to thank everyone for attending today. And as always, feel free to reach out to me if you have any questions.
Thank you, and have a good rest of your day.