A Forrester Consulting Thought Leadership Paper Commissioned By ForgeRock June 2014 Customer-Focused Organizations Must Take A Strategic Approach To “Identity Relationship Management”


Table Of Contents

Executive Summary

In The Age Of The Customer, Firms Are Straining Against A View Of IAM As A Tactical IT Concern

IRM Priorities Put Increasing Pressure On IAM Projects

Support Identity Relationship Management By Getting Strategic About Both Security And Enablement For Customers

Key Recommendations

Appendix A: Methodology

Appendix B: Supplemental Material

Appendix C: Endnotes

ABOUT FORRESTER CONSULTING

Forrester Consulting provides independent and objective research-based consulting to help leaders succeed in their organizations. Ranging in scope from a short strategy session to custom projects, Forrester’s Consulting services connect you directly with research analysts who apply expert insight to your specific business challenges. For more information, visit forrester.com/consulting.

© 2014, Forrester Research, Inc. All rights reserved. Unauthorized reproduction is strictly prohibited. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change. Forrester®, Technographics®, Forrester Wave, RoleView, TechRadar, and Total Economic Impact are trademarks of Forrester Research, Inc. All other trademarks are the property of their respective companies. For additional information, go to www.forrester.com. [1-N6V4CU/1-Q0DY3U]


Executive Summary

In the modern age, customers are in control of when, where, and how they consume information. In this environment, customer-focused companies strive to make their content available to an ever-growing number of connected users and devices on a much larger scale than ever before, and to gather as much data and insight from these interactions as possible. To achieve this securely, companies need identity and access management (IAM) platforms that are adaptable, scalable, responsive, and high velocity — not typical characteristics of employee-facing IAM, but all too typical of other systems of engagement. This species of solution is worthy of a unique name: identity relationship management (IRM).

In April 2014, ForgeRock commissioned Forrester Consulting to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones. Forrester tested the assertion that companies can obtain significant value by implementing IRM solutions that treat customer identities, and their identity data, as mission-critical for the top line of the business.

In conducting online surveys of 111 B2C and B2B2C executives with responsibility for IAM, Forrester found that new business and technical demands require a strategic focus for which existing IAM infrastructure may not be sufficient, and that there is a significant opportunity to utilize IRM-supportive technologies in support of customer-facing IT initiatives.

KEY FINDINGS

Forrester’s study yielded four key findings:

› The demand for external-facing IAM is widespread. Eighty-five percent of companies are planning IAM projects where customers are the users, and 81% are planning IAM projects where partners are the users. In order to adequately serve these new populations, companies need to account for the specific needs of these implementations.

› Traditional IAM architecture is not prepared for customer engagement. The scale of IAM customer identities is several orders of magnitude larger than systems solely supporting employees and partners. Customer-focused organizations seek to facilitate engagement on the customer’s terms, which also means supporting a large number of mobile devices — further increasing the scale and inherent risk of IRM deployments. This demands a much more robust system, and many IT decision-makers doubt that their current infrastructures have what it takes.

› IRM success is evaluated differently from IAM success. Traditional IAM was primarily measured on two metrics: security and budget. This has led to monolithic systems that are built with very specific functions. Organizations still care about these metrics for IRM, but we see other metrics around gathering customer intelligence and driving revenue with every customer interaction gaining in importance.

› IRM platforms must be agile, modular, coordinated, and scalable to adapt to customer needs. Our survey showed that the top strategic IAM priorities in the coming year related to unifying customer access to cloud-based services and consolidating disparate identity systems for customers. And our interviewees stressed the importance of agility in identity platforms so that they can deliver on a “digital transformation” of the business that responds to customers’ changing needs and contexts.

Customer-facing “identity relationship management” (IRM) differs from traditional IAM by unlocking business opportunities and driving top-line revenue.


In The Age Of The Customer, Firms Are Straining Against A View Of IAM As A Tactical IT Concern

In the age of the customer, the most successful enterprises are reinventing themselves to systematically understand and serve increasingly powerful and demanding customers. These customer-focused firms are taking advantage of the plethora of customer data available to them by using it to understand and customize their engagements with customers, who increasingly have control over the flow of information in front of them and may only pay attention to that which is most relevant and provides them with the most value.

Customers are embracing and leveraging digitally connected products and services to meet their needs in a variety of industries, for example: 1) frequent travelers using websites and apps from travel specialists, hotel and airline operators, and modern car services whose actions are all coordinated; 2) energy companies opening up their smart meter data to third-party app ecosystems for customers’ benefit; and 3) retailers and courier services teaming up to offer lightning-fast delivery of eCommerce purchases. Of course, technology lies behind every one of these customer touchpoints (see Figure 1).¹

Identity and access management (IAM) platforms — which control account life cycles and manage customer data and preferences at every touchpoint as well as across them — may significantly aid in this customer-focused reinvention. However, management of customer identities and access just isn’t the same as employee IAM — and many organizations are dubious that systems focusing on classic system-of-record goals, such as automating IAM for compliance, IT administration efficiency, and security give sufficient strategic opportunities to shape customer engagement. Customer-facing IAM deserves to be considered in a different light, that of “identity relationship management” (IRM), because:

› It must operate at special scale. It would be an understatement to say that evolving from managing employee and partner identities to managing customer identities requires drastically increasing the scale and complexity of the operation. Respondents reported a median of only 101 to 1,000 partner identities and 1,001 to 10,000 employee identities — but 500,001 to 5,000,000 consumer identities (see Figure 2). Customer populations such as these aren’t merely four orders of magnitude greater than employee populations; crucially, they represent an audience that is not captive to the enterprise’s internal-facing needs for security and operational efficiency and can go elsewhere to get their needs met.

FIGURE 2
The Scale Of Customer Identities Is Massive Compared To Employee And Partner Identities

Consumer: 500,001 to 5,000,000
Employee: 1,001 to 10,000
Partner: 101 to 1,000

Base: 111 B2C and B2B2C security and risk decision-makers (medians shown for each population)
Source: A commissioned study conducted by Forrester Consulting on behalf of ForgeRock, April 2014

FIGURE 1
Behind Every Customer Touchpoint There Is A Technology Story

[Figure labels. Journey: Discover, Evaluate, Buy, Use, Get support. Experience touchpoints: Phone, In person, Digital. Supporting technology stack: Systems of engagement, Middleware, Systems of record.]

Source: “Winning The Customer Experience Game,” Forrester Research, Inc., May 8, 2013


› Firms express considerable doubt about existing IAM solutions’ preparedness. Many companies are dubious that their existing IAM infrastructure is ready to support the scale, responsiveness, and business enablement that IRM requires. Our study showed that nearly half — 45% — of companies are planning to build or buy partially or completely new infrastructure for their next IRM project. Furthermore, a full 66% of respondents told us that they feel their existing IAM technology solutions are something less than “very” prepared for external deployment, with 30% saying the internal-facing solutions are “not very” or “not at all” prepared (see Figure 3). We found additional validation that firms investing in IRM are looking to new technologies when we asked about how they were budgeting for these projects. A strong majority, 88% of respondents, indicated that their budget for building out IRM projects requiring external-facing, customer and partner identity and access management, includes investment in new IAM software.

IRM Priorities Put Increasing Pressure On IAM Projects

We see a clear divide in enterprise priorities for IAM versus IRM projects. While the former is a classic IT cost center, the latter has deep connections to corporate profit centers. For firms that have both IAM and IRM projects, these strategic priorities often conflict with each other as businesses strive to increase revenue and customer engagement while also mitigating risk.

› IRM success metrics increasingly reflect business enablement needs. Our study signals a shift from a focus on internal drivers to a focus on business and revenue growth drivers. It showed that 83% of firms are asked to measure the revenue impact of their customer-facing IT projects (see Figure 4). When we asked security and risk professionals how they expect their IAM-related metrics to change in the next three years, the traditional “input metric” of simply coming in on time and within budget is expected to decline by 7 percentage points, for example, while “output metrics” that capture true business value, such as driving revenue and customer intelligence, are expected to increase in importance by 7 and 5 percentage points, respectively (see Figure 5). Fraud detection and prevention — which also translates to brand protection and driving revenue — is also expected to become a more important metric for determining success of IAM projects. Regulatory compliance, on the other hand, which is more heavily associated with employee IAM projects, is expected to decline from its current position as the second most important determinant of success to the fourth most important. Further, in indicating strategic priorities for IAM projects, respondents nominated “Driving business value and revenue by extending IAM to customers” as the top priority, right now as well as looking more than a year into the future (see Figure 6).

› IRM requires the right architecture to answer the needs of the business. To truly cater to customer needs, IRM platforms must be agile, modular, coordinated, and scalable enough to adapt to demands without requiring major overhauls. Our survey showed that the top two strategic IAM priorities in the coming year are “Using IAM to enable and unify customer access to cloud-based services” (41%) and “Consolidating disparate customer IAM systems” (39%). Interviewees stressed the importance of an agile solution that can be tailored to their customers’ changing needs. The chief architect of a media/advertising company told us, “We’re undergoing a digital transformation. I didn’t think IAM was going to be so important for this, but now I realize it’s valuable to create a targeted architecture and not have to build specialized applications each time. The users will be able to access the same platform, and their access will be controlled by authorization. It’s really an enabler in completely transforming the way we do things. People expect 24x7 access.” IRM functionality must often be developed and deployed very quickly to respond to such needs; UK respondents told us that fully 100% of their customer-facing IAM projects are completed in less than a year.

FIGURE 3
Organizations Show Uncertainty That Traditional IAM Solutions Can Support External Deployment

“Considering the IAM technology solutions you use internally now, how prepared are these solutions for use in external deployment scenarios?”

Column %:
Not at all prepared: 8%
Not very prepared: 22%
Somewhat prepared: 36%
Very prepared: 34%

Base: 111 B2C and B2B2C security and risk decision-makers
Source: A commissioned study conducted by Forrester Consulting on behalf of ForgeRock, April 2014

› Enabling customer mobility is a priority for customer-focused companies. Customers are experiencing a mobile mind shift: the expectation that they can get what they want in their immediate context and moments of need.² We already know how the mobile challenge plays out for employees; a VP of a cloud services firm told us, “About a year and a half ago, we put the entire sales team on mobile devices. They don’t even get provisioned laptops [anymore].” But supporting mobile devices on customer-facing systems contributes to the IRM challenge due to the sheer number and variety of these devices. One interviewee working in higher education told us, “Mobile is a really difficult thing to control in our environment. Thirteen thousand students probably have 15,000 different devices — probably more like 30 — 90,000 different devices. So I don’t do anything to attempt to control their mobile experience, other than making the system available to them.” Our study showed “Managing IAM for multiple types of network-connected devices owned by customers” as the third most important current priority (at 43%).

› At the same time, customer access and mobility bring heightened risk. And we’re not just talking about regulatory risk, which is the lowest bar a company can strive for; the challenge is to extend the business’ reach to all kinds of people, applications, and devices, while also being held accountable for breaches. The head of IAM for a global investment banking house stressed, “We want to go beyond compliance. This is wonderful but doesn’t really address risk. What we’re doing now is to address risk. The value-add of the technologies is not just to recertify every user in the world; we want to get to responding to the business.” While regulatory compliance is currently the second-ranked driver of IAM project metrics, it drops to the fourth-ranked driver in three years. Fraud detection, on the other hand — often motivated by customer brand protection concerns as well as hard value protection concerns — moves up the metrics scale from third to second in importance. Mobility is another risk that causes concern; 88% of US firms and 62% of UK firms consider it either “somewhat” or “very” concerning.

FIGURE 4
Firms Measure Revenue Impact Of IRM

“Have you been asked to measure the revenue impact of your customer-facing IT projects?”

Yes: 83%
No: 9%
Don’t know: 8%

Base: 111 B2C and B2B2C security and risk decision-makers
Source: A commissioned study conducted by Forrester Consulting on behalf of ForgeRock, April 2014

FIGURE 5-1
Metrics That Drive Business Are Of Increasing Importance For IAM Deployments

“How will success metrics that govern your IAM-related projects increase or decrease over the next three years?”

Three years from now versus today:
On time and on budget: -7%
Regulatory compliance: -1%
Drive customer intelligence: 5%
Drive increased revenue: 7%
Fraud detection/prevention rates: 8%

Base: 111 B2C and B2B2C security and risk decision-makers
Source: A commissioned study conducted by Forrester Consulting on behalf of ForgeRock, April 2014


FIGURE 5-2
Metrics That Drive Business Are Of Increasing Importance For IAM Deployments

“What types of success metrics govern your IAM-related projects today?”

1) On time and on budget
2) Regulatory compliance (e.g., PCI, HIPAA, EU Data Protection Directive, etc.)
3) Fraud detection/prevention rates
4) Drive increased revenue
5) Drive customer intelligence

“What types of success metrics do you anticipate will govern your IAM-related projects three years from now?”

1) On time and on budget
2) Fraud detection/prevention rates
3) Drive increased revenue
4) Regulatory compliance (e.g., PCI, HIPAA, EU Data Protection Directive, etc.)
5) Drive customer intelligence

Base: 111 B2C and B2B2C security and risk decision-makers
Source: A commissioned study conducted by Forrester Consulting on behalf of ForgeRock, April 2014

FIGURE 6
IAM Platforms Must Support A Number Of Strategic Imperatives

“Please indicate which of the following are, or will be, strategic IAM priorities for your company”

| Strategic IAM priority | Will be a priority in more than a year | Will be a priority in the next year | Is a current priority |
|---|---|---|---|
| Managing IAM for multiple types of network-connected devices owned by employees | 21% | 35% | 33% |
| Using IAM to control and enable employee access to cloud/SaaS services | 24% | 37% | 33% |
| Mitigating operational expenses and security risk by extending IAM to employees | 25% | 32% | 40% |
| Consolidating disparate employee IAM systems | 22% | 36% | 40% |
| Ensuring IAM systems scale to handle anticipated customer growth | 20% | 27% | 46% |
| Managing IAM for multiple types of network-connected devices owned by customers | 21% | 31% | 43% |
| Using IAM to enable and unify customer access to cloud-based services | 19% | 41% | 36% |
| Consolidating disparate customer IAM systems | 25% | 39% | 32% |
| Driving business value and revenue by extending IAM to customers | 28% | 21% | 48% |

Group labels shown in the figure: IRM, IAM

Base: 111 B2C and B2B2C security and risk decision-makers
Source: A commissioned study conducted by Forrester Consulting on behalf of ForgeRock, April 2014


Support Identity Relationship Management By Getting Strategic About Both Security And Enablement For Customers

We’ve seen that the common name “IAM” belies the differences between employee-facing and customer-facing identity and access management requirements. In order to adequately serve customer populations, companies need to account for the specific needs of these implementations:

› Scaling users in agile fashion, not just roles and entitlements: In employee IAM, most firms struggle to manage explosions of roles, groups, entitlements, and policies for a relatively small number of employees, while in IRM, they must meet availability and performance requirements across millions of individual users. This requires a highly dynamic system that is massively scalable and can respond quickly to various user events. The IAM lead for a global IT services firm told us, “You tend to find where you’re focusing more on authentication for external users; the effort tends to be more focused around the technology and the deployment, whereas when you start internally, there’s a lot more focus on method and process and business change, about 80% business change and 20% technical. For external-facing systems, it tends to be 80% technology and implementation and 20% process.” Put another way, the IRM requirement isn’t focused on role-based access control, app onboarding to web access management systems, or approval workflows; it’s focused on scale and a successful 360-degree view of the customer.

› Enabling users in agile fashion, not just controlling them: In employee IAM, most firms need to detect separation of duties violations for compliance reasons, while in IRM they need to respect preference settings and track actions across multiple applications, channels, and devices. The media/advertising company architect sketched what this looks like in his business: “A business customer can also wear a consumer hat. . . . The platform will know if the user is a merchant. . . . The user will be able to jump right from the ad itself, and be able to upgrade directly. It’s the cross-use of the platform with the different identities that we’re trying to implement.” We can see the rise of business interest in identity matters when we look at the responsibilities marketers take on in IAM-related projects. Using the classic “RASCI” (responsible, accountable, supportive, consulted, informed) model to partition project roles in IAM-related projects, our study found that marketers take on a “responsible” role to execute on projects successfully 29% of the time, an “accountable” role to answer to executives’ requirements 32% of the time, and a “supportive” role to assist in project completion 23% of the time.

› Responding to mobile risk in agile fashion, not just disallowing entire categories of access: Managing the risk implications of mobility to customers calls for much different tactics than those used to manage employee mobile devices and associated risk. For example, employee bring-your-own-device (BYOD) policies frequently demand that users install software that can wipe data off lost phones remotely, and disallow access by certain high-risk device platforms. When supporting customers’ need for mobility, however, these policies simply are not an option. Our interviewee representing a higher-education institution put it starkly: “I can’t take Nigeria off the network like I’d like to. I’m 100% sure I have someone doing research there; they’re all over the world, all the time.” Fraud and mobile risk management simply needs to become more nuanced and adaptive in these circumstances, as opposed to simply managing risk by restricting devices and access.


Key Recommendations

Forrester’s in-depth surveys and interviews with technology management executives yielded several important observations about consumer-oriented identity and access management:

› To become truly consumer-focused, evolve your project planning from “consumer IAM” to “IRM.” If you apply processes and technology solutions that are geared toward traditional IAM imperatives and cost-center thinking, you’re in danger of: 1) duplicating systemic biases toward employee-focused identity repositories and employee-centered compliance mandates; 2) deploying solution features that have nothing to do with consumers, such as access request approval workflows; and 3) not keeping your eye on the prize of delivering consumer relationship enhancement through every interaction with your services. Seek out solutions and processes that deliver on the success metrics for the top line of your business.

› Prepare your consumer identity platform for opportunities and challenges on the mobile channel. Mobile moments aren’t just about passively waiting for the customer to access an app; push notifications and other styles of engagement are key to the experience. This means “login sessions” no longer have the dominant role they once did in signaling and controlling a user interaction. In turn, this means you must look after the security of a whole host of interactions with your back-end systems, such as access-controlled API calls and registration of multiple devices and mobile applications linked to a single account, that weren’t on anyone’s radar even five years ago. Further, you must gracefully accept — and leverage for context-driven security policy — the variability in consumers’ mobile platform choices.

› To pair customer intelligence with security intelligence, rely on identity system agility. Business owners don’t have time to wait for changes to sclerotic IAM systems when they sniff out a new app, interaction, or personalization opportunity. And you can’t take a chance that fraudsters will find loopholes in your multichannel-enabled consumer identity system. So ensure that you are capturing interactions and data in a streamlined, coordinated fashion and delivering insights to all the teams that need them, from marketers to information security and risk pros.


Appendix A: Methodology

In this study, Forrester conducted an online survey of 111 B2C and B2B2C organizations in financial services/insurance, consumer product manufacturing, retail, electronics, healthcare, and transportation/logistics industries to evaluate their identity and access management practices. Survey participants included security and risk decision-makers with direct responsibility for IAM deployments. Forrester further conducted six qualitative interviews of respondents fitting this same profile for further insights. Respondents were offered a small incentive as a thank-you for time spent on the study. The study began in March 2014 and was completed in April 2014.

Appendix B: Supplemental Material

RELATED FORRESTER RESEARCH

“Forrester’s Customer IAM Security Maturity Model,” Forrester Research, Inc., May 22, 2014

“Assess Your Customers’ Personal Identity And Data Management Attributes,” Forrester Research, Inc., April 29, 2014

“Mobile Moments Transform Customer Experience,” Forrester Research, Inc., January 24, 2014

“IT’s Role In Winning Customer Experience,” Forrester Research, Inc., August 5, 2013

Appendix C: Endnotes

¹ It may be intuitively obvious that every customer experience is, in some way, supported by technology. Technology sits behind almost every touchpoint along each customer journey. Even word-of-mouth referrals are being replaced by digital technologies like social media. As a result of new digital experiences, technologies deep down in the stack can have a significant impact on customer experience. Technology can make a customer transaction painfully slow or remarkably fast. Source: “IT’s Role In Winning Customer Experience,” Forrester Research, Inc., August 5, 2013.

² Mobile creates an opportunity to transform your customer’s perception of your company and your brand. Success here requires taking advantage of the brief but crucial instants in which that customer needs service, information, or just about anything. We call all these opportunities “mobile moments.” Because people carry their mobile devices with them at all times, mobile moments are the frontline of customer experience. That’s why every customer experience improvement effort, starting now, must include mobile. Source: “Mobile Moments Transform Customer Experience,” Forrester Research, Inc., January 24, 2014.