White Paper: Internal vs. External Identity Access Management
INTERNAL VS. EXTERNAL IAM:
Strategies to Develop an End-to-End
Customer Data Management
GIGYA.COM | 2
Long ago, companies recognized the importance of effectively managing employee identities, data and
permissions to help streamline company processes and protect valuable business assets.
Over the past 5-10 years, the rise of ecommerce, social networks, mobile and connected devices has
created the need for businesses to develop an external identity access management (IAM) strategy to
keep up with the flood of identity data being created as consumers connect across channels.
54 percent of companies have difficulty managing and integrating data from today’s
many varied sources, while 50 percent are concerned about consistent data quality.
The Rise of External IAM
IAM vs CIAM
Unprepared for and unfamiliar with the challenges of external identity management, many businesses
have attempted to scale internal IAM solutions for external identity management purposes.
But successfully capturing, protecting and leveraging customer identity data requires a whole new set
of tools and technologies built for the customer identity access management (CIAM) era.
We’ve broken down the key differences between traditional IAM and CIAM, and the steps you can take
to optimize your external strategy, into 3 buckets:
Scalability & Security
Data Collection & Aggregation
Privacy & Compliance
100 x 100,000
External IAM software must be highly scalable with the ability to effectively store
and manage millions of consumer identities at once.
The #1 reason why businesses attempting to leverage internal IAM solutions for external purposes fail is
simple: sheer scale. While companies typically manage tens, hundreds, or at most thousands of employee
identities, the number of customer identities can range well into the billions.
When it comes to employee identity and data created within internal applications, ownership indisputably
belongs to the business. However, customer identities created across sites and applications ultimately
belong to consumers.
But while brands must gain permission to capture and collect consumer identity data, once a customer is
on a business’ property and her information is stored in its database, that business is responsible for
protecting her. This gives way to a whole other management issue: security.
11% of US adults admit to having abandoned an online purchase
because the site asked for too much information (Forrester).
Protecting identity from an internal standpoint is somewhat straightforward, as your business has the power to
enforce certain protocols to help safeguard business and employee information. But customers are consistently
creating new identities and reusing usernames and passwords across millions of unknown properties.
While requiring users to fill in CAPTCHA, select 3 security questions and verify the last 4 digits of their social
security numbers is one way to help guarantee security on your site, it’s certainly not the most practical.
Usability vs. Security
Businesses must put the proper framework in place to provide customers with a positive, seamless user
experience, while still maintaining security standards from both a data collection and storage perspective.
On average, Gigya Social Login clients increase registration
conversion rates by 32.3%, with clients like Forbes gaining
as much as a 90% increase.
Implementing social login across your web properties is one strategy for
bridging the gap between usability and security. Social login gives
consumers the ability to verify their identities with the click of a button using
their existing social media accounts, increasing registration conversion rates
by as much as 90%.
Social Login as a Solution
Social login also shifts the burden of identity protection, data security and sign-in support
to major networks like Facebook and Google. These social identity providers boast state-of-the-art
security systems with features like multi-factor authentication, remote logout and unauthorized
activity detection.
To improve company security and employee convenience, many
businesses leverage single sign-on (SSO), which allows
employees to move seamlessly across internal applications by
tying all activity to a single, known username and password. As
web-based services and applications multiply, SSO is gaining
momentum across customer-facing properties as well.
Internal federation is typically delivered as an on-premise solution
for internal enterprise applications using the SAML standard. In
contrast, external IAM solutions must bundle together internal and
external applications and properties, which often requires a
variety of SSO standards including OAuth, OpenID and SAML.
When it comes to CIAM, it’s important to adopt software that gives
you the flexibility to choose the SSO standard that meets your
business’ user experience and security needs.
As a general rule, company
and employee data is treated
as a liability, with internal IAM
solutions primarily seeking to
secure this information. While
external identity must also be
protected, consumer data has
quickly become every
business’ biggest asset - and
there is a LOT of it.
Over 2.5 exabytes of data are
created every single day
(HBR), and more than 90% of
this “big data” is unstructured
Identity Data = Pure Gold
TODAY’S DATA GOLDMINE
Internal data is traditionally structured and
controlled, with your business defining the
necessary fixed fields and models. But with
such a huge volume of data and number of
sources, capturing and storing external,
unstructured data in an accurate and
organized manner can be a nightmare.
What happens when a new social network
arrives on the scene? Or customers begin
sharing new types of content? Unstructured
data sources and points like these require
major database updates that cost your
business serious development time and
Big Data, Bigger Challenge
WHERE DOES BIG DATA COME FROM?
Businesses cite the inability to automate
structured and unstructured data quickly
and effectively among their biggest
challenges, with 60% noting that big data
projects typically take at least 18 months to
complete (Kapow Software).
CIAM calls for a dynamic database with the
ability to effectively normalize data from
disparate sources in real-time. This database
must have the power to reconcile both
structured and unstructured data without the
need to preconfigure database fields.
With data pouring in across digital, mobile and social channels, it can often get caught in disparate silos
across the organization. This, of course, results in a completely disjointed and disorganized view of your
customer base and individual consumer identities.
A recent Aberdeen study found that 4 in 10 companies say that data remains “siloed” and inaccessible for
analysis. Ultimately, less than ¼ of the information that companies control is even available for extracting
Data Here, There, and Everywhere
While capturing customer identity via solutions like social
login is the first step to unifying individual customer actions
and behaviors across channels, this data is virtually
useless if it is not aggregated into a single repository of
Ensure that your master database has the ability to directly
integrate and bidirectionally sync with existing business
systems and third-party marketing platforms.
This means selecting a solution equipped to handle and
automatically index any type of data thrown your way,
including social, transactional, behavioral, and much more.
Break Down Data Silos
Establishing a “single repository of truth” is the foundation of an effective CIAM strategy. Of equal importance
is ensuring that this repository is structured in a way that empowers business leaders across the organization
to take action on the goldmine of data housed inside.
Data In, Data Out
93% of executives believe their organization is losing an average of 14% of annual
revenue without the ability to act on the customer data they collect (Oracle).
Improve business agility with a database that seamlessly connects to a corresponding web-based dashboard,
and gives business leaders an actionable view of end-user data based on roles and permissions.
This allows non-technical decision makers to run complex queries based on any number of indexed attributes,
build custom audience segments with no code required, and save and export key reports.
By providing those on the frontlines of your business with the ability to extract and harness the economic value
of customer identity, you save valuable IT time and resources while improving the timeliness and efficacy of
Turning Data into Action
While internal data privacy is managed centrally and based primarily on policies put into place by the
business itself, external data privacy is much messier.
When it comes to managing customer identities and data, your business must adhere to the privacy
policies created by countless lawmakers and third-party identity providers. This list of regulations is
extensive and constantly evolving, with current policies including:
Electronic Communications Policy Act
European Union Directive
Fair Credit Reporting Act
Federal Trade Commission Act
Payment Card Industry Data Security Standard
Keeping Up with Compliance
Gartner predicts that by the end of 2015, 50% of new
retail customer identities will be based on consumers’
social network profiles, compared to just 5% in 2013.
Social login is quickly becoming the preferred method of authentication for customers, which means
a big challenge for IT execs trying to keep up with ever-changing social network data privacy policies.
As you begin to incorporate registration systems and social login across your external-facing sites
and apps, make sure that you choose a provider that can take on the burden of managing these privacy
updates. Look for solutions that provide automatic, real-time API updates to reflect policy and
account changes, such as auto-deletion of non-basic account information when application
permissions are revoked.
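The auto-deletion behaviour described above, sketched as an added example (not Gigya's code or API): each stored attribute records the provider it came from, so a revocation event removes only that provider's non-basic attributes and leaves first-party data intact. The field names, the BASIC_FIELDS set and the record layout are assumptions for illustration.

```python
"""Added example: purge provider-sourced profile data when app permissions are revoked."""
from datetime import datetime, timezone

# Assumption: which attributes count as "basic" is defined by each identity
# provider's policy; this set is a placeholder for illustration.
BASIC_FIELDS = {"uid", "name", "email"}


def sample_profile():
    """Constructed sample record: every attribute is tagged with its source."""
    return {
        "uid":      {"value": "u-1001", "source": "site"},
        "name":     {"value": "Pat Example", "source": "facebook"},
        "email":    {"value": "pat@example.com", "source": "facebook"},
        "likes":    {"value": ["cycling", "jazz"], "source": "facebook"},
        "birthday": {"value": "1990-01-01", "source": "facebook"},
        "orders":   {"value": 3, "source": "site"},
    }


def handle_revocation(profile, provider, now=None):
    """Delete non-basic attributes sourced from `provider`.

    Returns an audit entry listing what was removed, so the deletion can be
    evidenced later. Calling it twice is safe: the second call removes nothing.
    """
    now = now or datetime.now(timezone.utc)
    removed = sorted(
        key for key, attr in profile.items()
        if attr["source"] == provider and key not in BASIC_FIELDS
    )
    for key in removed:
        del profile[key]
    return {"provider": provider, "removed": removed, "at": now.isoformat()}


if __name__ == "__main__":
    profile = sample_profile()
    print(handle_revocation(profile, "facebook"))
    print(sorted(profile))
```

Tagging each attribute with its source at collection time is what makes the purge scoped and auditable; without that provenance, a revocation forces a choice between deleting too much and deleting too little.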
As we mentioned earlier, CIAM also raises the issue of data ownership. Internal identities are created by the
business, and when an employee creates data during work hours, on a business-owned device or within a
company application, this data belongs to that business.
However, as a customer moves across the Internet on an owned device leveraging services and applications
for personal use, this data belongs to her, and any business looking to access said data should do so in a
transparent and permission-based manner.
DID YOU KNOW?
71% of consumers state that they are very concerned about online companies
selling or sharing information about them without their permission (Consumer
Be sure that your business’ data collection process is completely transparent. No matter the method you
choose, let customers know upfront that you are looking to access their identities and specific data points.
The Power of Permission
Provide your customers the option to
authorize or opt-out of these requests,
and give them the power to view and
update privacy settings at any time via
straightforward user management
Building your CIAM process on
transparent data collection practices
ensures that your business is upholding
the highest standards of data governance
and leveraging only the highest quality