Stop Treating Your Customers Like Your Employees

Ian GlazerSenior Director, Identityiglazer@salesforce.com@iglazer

“Please continue to hold. Your call is very important to us and it

will be answered in the order it was received.”

Work?

Home?

“Your usage of this service constitutes

consent to our Terms of Service.

If you have any questions please

consult our Acceptable Use Policy.”

Work?

Home?

Disappointing,but not surprising

A Little History

Identity forEmployees

Many years of common practices

and patterns

Right Access

Right Access Right People

Right Access Right People Right Place

Right Access Right People Right Place Right Time

Identity forCustomers

Great Innovation

Lacking Common Practices &

Patterns

Right Experience

XP

Right PeopleRight Experience

XP

Right People Right PlaceRight Experience

XP

Right TimeRight People Right PlaceRight Experience

XP

Deliver theright experience

New Stakeholders

SalesMarketing

Alumni AffairsCommunity Dev.

But withoutcommon practices

and patterns…

“Please continue to hold…”

Disappointing,but not surprising

The Opportunity Before Us

External IdentityCustomer IdentityConsumer Identity

Growth opportunity for the

business

Growth opportunity for

identity professionals

The opportunity to delight

Complete Picture for a Richer Relationship

Complete Picture for a Richer Relationship

DelightedCustomers

Customer Identityis

IAM’s “Killer App”

You can’t get to the boardroom by

selling user provisioning

Customer Identityis our chance to

bebusiness enablers

We are not here

What iscustomer identity

management?

Identity World View Identity is at the core of every interaction

ConnectedCustomers

ConnectedEmployees

ConnectedPartners

ConnectedProducts

Business World View Customer is at the core of every interaction

DelightedCustomers

ConnectedEmployees

ConnectedPartners

ConnectedProducts

Customer identity makes

interactions possible

X-ChannelX-Business Function

X-Organization

Cross-Channel

YOURCONTENTHERE

Justchangethebackgroundlayer(right-click>arrange)

Don’t have an account?

Forgot your password?

Mobile Web API

Cross-Channel

Brick & MortarSales

SocialListening

CallCenter

Cross Business Function

DelightedCustomers

Sales Service

MarketingProduct

Cross Organization

X-ChannelX-Business Function

X-Organization

How is customer identity

different from employee identity?

DifferentEnds of the Spectrum

IAMTechniques

IAMTechniques

Employee-CentricIAM• Traditional• Organizationisowner&authority

• LotsofUserProvisioning

• WebAccessManagementplussomefederation

IAMTechniques

Employee-CentricIAM• Traditional• Organizationisowner&authority

• LotsofUserProvisioning

• WebAccessManagementplussomefederation

Customer-CentricIAM• Modern• Individualisowner;nosingleauthority

• ProfileManagement

• Federationandsocialsign-on

Employee-Centric Technologies Customer-centric

SystemofRecord

AttributeManagementandPropagation

IslandsofIdentity

SingleSign-On

MobileDeviceManagement

Consent

Employee-Centric Technologies Customer-centric

HR(s) SystemofRecord

UserProvisioningDirectorySynchronizationPushingAttributes

AttributeManagementandPropagation

MostlegacysystemsReducingtoActiveDirectory IslandsofIdentity

ProprietaryWAMforlegacyFederationfornewerapps&SaaS SingleSign-On

CommonMobileDeviceManagement

Impliedinemployer/employeerelationship Consent

Employee-Centric Technologies Customer-centric

HR(s) SystemofRecordInternal:CRMandLOBdatabasesExternal:SocialProviders,Banks,Universities,Governments,etc

UserProvisioningDirectorySynchronizationPushingAttributes

AttributeManagementandpropagation

ProfileManagementLookupattimeofuseandJITPullingattributes

MostlegacysystemsReducingtoActiveDirectory IslandsofIdentity Legacysystemsbutfederation-

readyappsincreasing

ProprietaryWAMforlegacyFederationfornewerapps&SaaS SingleSign-On Standards-basedfederation

Someproprietarysocialproviders

CommonMobileDeviceManagement

Uncommon,ifnotforbidden

Impliedinemployer/employeerelationship Consent Mustbegatheredandadheredto

consistently

Different Lifecycles

Join Move Leave

Traditional IAM Lifecycle

Relationship Value Progression

Anonymous

Pseudonymous

Known

HigherValueLowerValue

Anonymous

Join

Pseudonymous

Move

Known

Move

Access Path Progression

Web

Mobile

Thing

Developer

Web

Join

Mobile

Join/Move

Thing

Move

Developer

Move

Join.Move.Leave?

Long Relationships=

Privacy Implications

HR used to provide the privacy coverage Identity need

Internal-facing identity system are rarely subject to Privacy Impact Assessment

Customer identity requires:

• Data retention and protection

• Persistence and respect of privacy preferences

• Attribute release consent management

Previously ignored privacy challenges

Different TechiquesDifferent Lifecycles

Customer identityis larger than

employee identity

Customer Identity Components

IAMComponents

Customer Identity Components

Federation

UserProfileMgt

Assurance Proofing

Customer Identity Components

IAMComponents

IAM-likeComponents

Non-IAMComponents

Broker social login to content portals and other 3rd party properties

Ability add and protect attributes passed to other platforms

Ability to pass entitlements

OpenID Connect unlocks many doors

• But there’s plenty of proprietary too

Security Token Services

• SAML

• OAuth 2.0

• OpenID Connect

• Proprietary

Federation Social Provider Connectivity Protocol Brokering

Federation

• Automated – via a social provider or directory service

• Manual – Self-service sign-up

• Consistent branding control throughout

Self-service control over:

• Social providers can be used

• Apps can access data

• Attributes can be used

• Marketing preferences

• Manual - Mechanisms to ask the user for a little more data

• Automated – data verification and record enhancement

Registration Services Profile Management Profile Enhancement

User Profile Management

Techniques to raise identity assurance

2nd Factors:• Can work but user experience suffers

• Adaptive access control must play a roll here

• Ideally this is recognition’s territory

Plugins for different proofing providers• Often based on geography

Two modes:• Asynchronous for offline proofing

• Synchronous for user quizzes• But mind the user experience

Integration with internal proofing sources

Assurance and Proofing

Identity Assurance Identity Proofing

Service providers have to be better neighbors

Follow Finance model of FS-ISAC

Teams to help people get their accounts back

Part of expected customer service

Attribute release consent from the social provider isn’t sufficient

Service Provider should provide generic consent management layer

Shared Signals Account Take-Over Response Consent Management

IAM-like components Not core traditional IAM services

Meaningful integration designed to create 360° view of the customer

• Sales

• Service

• Marketing

• eCommerce

• Content Management

Conversion rates

Segmentation

Usage via Channel

Behavior analysis to fuel marketing, service, sales, and recognition

Encryption and Tokenization

“Who access what data and what were the values at that time?”

• Think DAM for customer data

Integration Analytics Information Protection

Non-IAM Components Peer services

More than justIAM components

How iscustomer identity

different from enterprise identity?

Technologies needed are

different

Customer Identity Components

IAMComponents

IAM-likeComponents

Non-IAMComponents

Lifecyclesare different

Anonymous

Pseudonymous

Known

Web

Mobile

Thing

Developer

Join Move/Change Leave

Techniquesare different

IAMTechniques

Employee-CentricIAM• Traditional• Organizationisowner&authority

• LotsofUserProvisioning

• WebAccessManagementplussomefederation

Customer-CentricIAM• Modern• Individualisowner;nosingleauthority

• ProfileManagement

• Federationandsocialsign-on

Privacy expectations are

different

Goalsare different

Right Access Right People Right Place Right Time

Employee-centric IAM Goals

Right Experience Right People Right Place Right Time

XPCustomer-centric IAM Goals

Stakeholdersare different

We are not here

SalesMarketing

Alumni AffairsCommunity Dev.

The opportunities are greater

The opportunity to delight

Stop usingEmployee-Centric

IAM for your customers

Stop treating your customers like

employees

Start delighting them

“Your time is important to me. Continue to enjoy the conference & thanks for your

attention.”

Thank you