The Rise of User-Centric IAM: Merging Workforce & Customer Identity Management

In the fall of 2020, I created the ‘Identity Value Chain’, the result of a self-imposed effort to change the way the market saw Identity Security. Identity has always been seen as a cost center – a necessary expense required to protect the business’s assets from a breach. I, however, saw and continue to see it differently. While the former remains true, Identity also serves as a core capstone requirement capable of driving the success and differentiation of a business in its market segment.

The Identity Value Chain created that connection. After a few years of sharing, feedback, and reflection, the value chain now looks like this:

Profits are the goal of any successful business –

And profits are maximized by better Customer Relationship Management (CRM) –

Customer Relationship relies on optimized, thorough Service Delivery and Operations Anywhere –

Service Delivery and Operations Anywhere has been modernized by Digital Transformation (DT) –

And Digital Transformation is enabled by a framework of Zero Trust (ZT) –

Zero Trust is secured by the Rule of Least Privilege (RoLP) –

Which is enforced by Role- & Attribute-Based Entitlement Policy (RBAC/ABAC) workflow and SoD risk definition –

All of this, of course, is defined, managed, and governed by Identity & Access Governance.

This value chain clearly defines the connection of identity security to one’s core business. And doing it right matters:

  • Adopting best practices.

  • Achieving executive buy-in.

  • Enabling and including the entire enterprise.

  • Sharing the responsibility and load of governance with them.

Many things make your business unique and valuable. The complexity of your identity program is not and should not be one.

Make sense, right? Easy enough.

But there has always been one problem I could not quite sort out. For years it served as a stick in my craw.

Identity Governance has always focused on managing the enterprise. But doesn’t Customer Relationship imply better service delivery to the consumer?

“The business is also a consumer,” you say. Ok. Fair. Why, then, do we segment and distinguish between them?

I believe the rules and methods we live by are arbitrary. “Nothing needs to be this way.” Most things are the way they are simply because we made them up that way: the result of an effort to create a sound output based on the inputs we had available to us at the time.

With that in mind, the value chain does not discern between B2C and B2B services. Services are, well, just services. Are they not the same thing? If so, the distinctions we make between them are pointless.

Within enterprise identity, we segment our user populations in many ways. Take, for example, user types: Human, Non-human, Employees, Contractors, Partners, Vendors, Students, Alumni, Service Accounts, Application accounts, Privileged Accounts, Bots & Robotic processes, Machine identities, and Certificates. You get the point.

But with all these distinctions and buckets, why is consumer explicitly excluded? Are they not just consuming services provided by the business like all the rest? I assert the answer is yes.

Let me provide two scenarios:

1. Let’s suppose I work for AWS as a Product Manager, Marketing Executive, or Partner Support Manager – up to you.

As an entrepreneurial-spirited type, I may have a side business. I may run my own website, a site I host on the AWS platform, using technology learned by reading books purchased on Amazon.com and delivered by Amazon Prime. Books read late into the night, ingesting caffeine through fair trade ‘Madagascar-grown’ coffee beans I bought at my local Whole Foods.

2. Or let’s suppose I work for CVS – Finance Manager, HR VP, IT helpdesk Admin; you decide. My health insurance provider is Aetna, an owned and operated entity of CVS. My doctor’s visits occur outside of the CVS ecosystem (soon they won’t), but the prescriptions originating from those visits are ordered, filled, and picked up via my local CVS Pharmacy. Often during these visits, I’ll pick up some toothpaste, deodorant, and other sundry items from the local CVS brick-and-mortar store as I walk to the front to pay for my prescriptions. Sometimes, I’ll make it through the line with just these items. In most cases, however, my sweet tooth and lack of self-control will result in a bag of Sour Patch Kids or Milk Duds entering my basket as well. If they are 3 for 3 dollars? Well, it’ll be 3. I believe this is called ‘the upsell.’

The point I am making here is that in all of these cases I am simply consuming services provided by an institution or enterprise. Consumer Services. Enterprise Services. As Security professionals, does the categorization of each truly matter regarding how we provide, control, and secure them? Does categorization matter regarding user experience, service delivery, and user value? I contend the answer is no.

Higher Education can serve as an example of what this looks like. There is no vertical with a more blurred line between the enterprise and the consumer than Higher Education. Any associate of a university may wear one or more hats: a student, a parent of a student, an alumnus, an employee, a Professor or Professor’s Assistant, a researcher, an emeritus faculty member, a football or academic camp attendee, a conference attendee, a user of the library facilities or local recreational gym facilities, or simply a campus neighbor or concerned citizen who wants to be notified in case of a campus emergency. The distinctions are many and seemingly arbitrary in categorization or breadth. In the Higher Education use case, all users are managed by a single identity management repository. The hat or hats one may wear (personas, as we call them) are many.

Personas are the multi-personality disorder of the identity world. The possible combinations of personas in the Higher Ed use case number in the billions. And one’s chosen hat to wear at any given time is fluid. I contend that in terms of Identity and service consumption, none of this should matter. At any given time, a user is simply interacting with the university in one way or another; they are merely consuming services provided by the university.
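As an added illustration (not code from this post or any product it mentions), here is how a single identity repository with fluid personas could be authorized using the RBAC/ABAC grants and an SoD risk rule the value chain refers to. The repository, the persona names, the actions and the grade-editing rule are all constructed for the example.

```python
"""One identity record per person, many personas, one policy decision."""
from dataclasses import dataclass, field


@dataclass
class Identity:
    uid: str
    personas: set = field(default_factory=set)       # coarse hats, e.g. {"student", "employee"}
    attributes: dict = field(default_factory=dict)   # ABAC inputs, e.g. {"dept": "registrar"}


# Constructed single repository: one record regardless of how many hats a person wears.
REPOSITORY = {
    "u1001": Identity("u1001", {"student"}, {"program": "CS"}),
    "u1002": Identity("u1002", {"student", "employee"}, {"dept": "registrar"}),
    "u1003": Identity("u1003", {"alumni", "neighbor"}, {}),
}

# Role-based grants (RBAC): which persona may request which action.
PERSONA_GRANTS = {
    "student": {"view_own_grades", "register_course"},
    "employee": {"view_staff_directory"},
    "registrar_staff": {"edit_grades"},
    "alumni": {"view_alumni_news"},
    "neighbor": {"receive_emergency_alert"},
}


def effective_personas(identity):
    """Derive finer personas from attributes (ABAC) on top of the declared hats."""
    personas = set(identity.personas)
    if "employee" in personas and identity.attributes.get("dept") == "registrar":
        personas.add("registrar_staff")
    return personas


def sod_violation(identity, action, target_uid):
    """SoD risk: a person who is also a student must never edit their own grades."""
    personas = effective_personas(identity)
    return action == "edit_grades" and "student" in personas and target_uid == identity.uid


def authorize(uid, action, target_uid=None):
    """Least-privilege decision: deny unless some persona grants the action and no SoD rule trips."""
    identity = REPOSITORY.get(uid)
    if identity is None:
        return "deny: unknown identity"
    allowed = set().union(*(PERSONA_GRANTS.get(p, set()) for p in effective_personas(identity)))
    if action not in allowed:
        return "deny: no persona grants %s" % action
    if sod_violation(identity, action, target_uid):
        return "deny: separation-of-duties violation"
    return "allow"
```

The same record serves the student persona and the registrar persona; the policy, not a second account, decides which hat applies to a given request.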

Now, undoubtedly, scale matters. Managing millions or billions of consumers differs from managing a student and alumni population of a few hundred thousand or less. And that is why this separation occurred in the first place. At the time, it made sense. These were the days of moat-based segmentation. Enterprise users were behind the firewall. Consumers were outside of it. Applications had user populations that were binarily on the inside or the outside.

But not anymore.

The enterprise’s need to support Operations Anywhere undoubtedly accelerated due to the Covid-19 pandemic. (Many called it ‘work from home.’) Employers were caught off guard by a decade of change required in days or weeks to keep the operation afloat – a pandemic-based shift in how we all needed to work. But the point of Operations Anywhere is a much more extensive discussion. Resources needed for the supply chain of businesses, including human resources (Employees, Consultants, Partners, and Vendors), are now dispersed globally, allowing economic and security-based metrics to drive decision-making instead of technological ones. Thus, like the Great Wall of China, the firewall has been relegated to an interesting relic of the past – a technology of former great importance, still valid, but no longer fit for purpose.

This shift has now placed us in a world in which the enterprise user and the consumer interact with a business in essentially the same way, distributed, external to the network, on devices of any type, our own or someone else's, unknown and assumed to be dangerous.

The Zero Trust security model directly addresses this through in-session inspection and layered, dynamic gatekeeping and decision-making. And its application handles both the consumer and the enterprise user use cases.

So why doesn’t Identity? Why, when one asks about an identity product, do they inquire, ‘Is this enterprise identity or consumer identity?’ They shouldn’t! Occam’s Razor states that the simplest solution is typically the correct one. So let’s apply this to Identity. What, exactly, are we? Are consumers and enterprise users truly separate user populations requiring different user names, credentials, and records? Or are we all consumers of enterprise services, regardless of the target audience, persona, or function? The answer is the latter.

Architectural changes will be required in how we manage these populations: scale, performance, security, etc. We must also readdress how our applications interact with our users and the personas with which they engage us. But most importantly, we must open our minds to creative approaches that we can now apply to a central repository of identity data, spanning the full breadth of corporate interaction – from the consumer to the internal enterprise.

This convergence is the new frontier of Identity and the new problem that needs to be addressed and solved. If my Identity value chain is to be believed, this convergence and blurring of the lines of enterprise and consumer service consumption will serve as the catalyst driving identity security-related changes core to how businesses succeed in the future.
