Customers increasingly use digital channels to interact with organizations. But these interactions raise new security concerns that must be addressed by IAM solutions, says David Gormley of CA Technologies.
The first challenge is the age-old question of security versus customer convenience. No organization wants to make it more difficult for customers to interact with them in the electronic channels.
But there is also a challenge to get new customer facing applications and services to market quickly with consistent, says Gormley, a director at CA Technologies.
"When we say this space is taking off, what it means to a lot of IT departments is that the business has demands for a much higher volume of applications," Gormley says. "There's a real challenge there to try to set up a coordinated or standardized system so that they can focus on the business aspects of the applications and then just latch on the appropriate security when necessary."
In an interview about using IAM to improve customer engagement, Gormley discusses:
Gormley is a CISSP with over 20 years of experience in the technology industry. He is currently a Director in the security business unit at CA Technologies. As a consultant at A.T. Kearney he worked on technology solutions and partnerships with Fortune 500 clients. Prior to that David worked at Forrester Research evaluating technology environments and consulting with partners on the adoption of emerging technologies. David has a BS in business and an MBA with a concentration in information technology.
Identity Related Security
TOM FIELD: Could you tell us about yourself and your role at CA Technologies?
DAVID GORMLEY: I've been in the technology space for about 20 years, [and have] worked as a consultant, an analyst, and at both hardware and software vendors. I'm currently a director in the security group at CA, where we provide solutions on identity, access and API management. In that role, I get to talk to a range of customers, prospects and analysts, as well as other vendors, about identity-related security. It's a pretty hot topic right now. Recently we've been seeing a lot more interest in customer-facing identity and access management use cases.
Market Conditions
FIELD: What market conditions are driving organizations to use IAM to improve customer engagement across multiple channels?
GORMLEY: There is a whole set of market conditions or trends that are playing into this. At the high level, it's really a simple reaction to the increased quantity and type of digital interactions that companies are having with their customers. One example I like to use is banks. In the past, 90 percent of their interaction was with customers who walked into the bank. Online banking has really taken off. The majority of interactions are online, and then mobile applications have been introduced and are quickly rising up with regard to the volume of activities that banking customers do on their mobile apps. It's just changed, the amount that companies interact with their customers digitally, and the variety of applications, whether they be web-based or mobile, that they provide has really expanded. That's what has driven the larger trend.
There are a couple of business- and security-specific trends that have played into this, and one is just how quickly customers have embraced new forms of digital interaction. I see market surveys all the time in different industries about how many people are doing self-service activities and different things online. [They aren't] calling the company directly or using older more traditional interaction formats. That is the business perspective; customers want more of this digital interaction, and also these interactions, when done digitally, are a lower cost model. It's a win-win for the business and their customers.
From a security perspective, the big push is for IAM. We've all heard about the recent Target breach, but there have been over 400 or 500 million passwords that have been stolen just in the last year or two. There is definitely a heightened awareness from the company perspective as well as from individual users about identity theft and breaches.
Facing Challenges
FIELD: What are some of the unique challenges that organizations face when they go down this path?
GORMLEY: One of the biggest might be balance. When we talk about companies leveraging IAM to improve customer engagement and provide security, it's those two and they at times are in conflict. Especially in the past, if you wanted to apply additional security, typically it meant inconveniencing your customers by making them sign in multiple times or do additional steps, etc. The biggest over-arching challenge is finding that balance between user convenience and security. When we talk about customer-facing applications, especially in a competitive environment where you could be winning and losing customers based on how innovative your services are, there's a lot of pressure from the business side to make things seamless. At the same time, the business knows the risks to their brand and even their revenue if there is a breach. Obviously, the security side of the house knows all of the different threats that are out there. There is a need when you're doing more of these remote digital interactions with your customers, and it starts to include more sensitive information or transactions that you need to provide security as well. That is the real challenge, finding that balance. One other one that we hear a lot about is companies struggling to keep up with the volume and velocity going on here. When we say that this space is taking off, what it means to a lot of IT departments is that the business has demands for a much higher volume of applications, whether they're web-apps, portals or native mobile apps. There are a lot more requests and it's difficult for them to provide the security, or it is definitely difficult if they are doing it on a one-off basis in each application. There is a real challenge there to try and set up a coordinated or standardized system so that they can easily focus on the business aspects of the application and just latch on the appropriate security when necessary.
CA Customers
FIELD: How do you find that some of CA Technologies' customers are tackling these very specific challenges we talked about?
GORMLEY: Well a lot of it has to do with where they are starting from. We work with a lot of large organizations, and they may already have a strong identity and access management system in place for employees, but they may be just creating a new customer portal or adding a lot of functionality to what they are going to provide their customers online. When that's the case, sometimes they look at this and say, "Do we want all of the identities in one directory, both employees and customers, or do we want to keep them separate?" One of the other options is: Where do we want to provide this functionality from?
The traditional IAM for employees was done on-premise for the most part. Now, CA and other companies offer cloud-based identity and access management services. Sometimes when you're looking at the scale of customers, you may only have 10,000 employees, but you may have 500,000 or a million customers whose identities you would want to track. When you start thinking about scale, sometimes there are advantages to doing that in a cloud-based system. It really varies on where people are starting from. If it is a smaller company, or somebody who doesn't have an established suite of IAM products, they may start with some things like authentication or single sign-on. This is even before [one becomes a] customer, when [they're] just a prospect and you want to make it as easy as possible to register or give you information about themselves. You may want to allow social sign-on to get that relationship started. As they become a customer, it would be logical to get your different modes of authentication and single sign-on in place to make that a secure and a convenient experience for your customers.
Bringing in Solutions
FIELD: What are some of the solutions CA Technologies brings into bear for its customers?
GORMLEY: We look at this across a variety of different use-cases. At the front end of the spectrum, it's almost more of a marketing activity, but you are looking to bring in identity information. We see a bunch of companies on who have made efforts to improve their presence on LinkedIn, Facebook or Twitter. They may have hundreds of thousands or millions of friends, but they don't have access to those identities for marketing campaigns or to convert them into customers. Social sign-on is a way to do that, and that's at the front end of the funnel.
We had an automotive company that we did some strategy discussions with which has applied a variety of different pieces of the solution, and they started at that front end because they were trying to get more people into the funnel. But as they developed a relationship with them, they put in place different forms of authentication. They put in place single sign-on, not only across a whole set of applications that they provided, but also linked out to insurance companies, movie companies that included their cars, review sites, etc. They moved from single sign-on [with] their applications to federating out to partner domains. For the customer, the experience was seamless.
When they started to look at mobile applications to allow customers to sign up for services, the way they built those was through API based web services. That is another area that, when you start to create these applications, API web service is the main way [to do that]. In that situation, you need good security and management there. We are dealing with people trying to tackle several of those issues at once, and with some who start with one piece and then grow it from there.
Business Benefits
FIELD: What are some tangible business benefits that organizations are seeing from deploying your solutions?
GORMLEY: Customer engagement is one of them. [For instance], the example I gave with the car company. The experience they had in the past was putting up this big registration form which took 10 minutes to fill out. When you've got a prospect who is just interested in seeing the latest video of the car or a new model, they really didn't [sign up]. They weren't getting good adoption. They were getting a lot of people going through the sign-up process, and what it left them with was friends, but not a way to contact them. [What helps is] a quicker registration or higher pull-through rate, which includes identity information. Then, they can market to them.
When I was talking about single sign-on across applications, companies measure how many people go to the partner sites. They say, "We're providing you this car, but if you want related insurance or add-on products," and they've got links there to partners. It's pretty easy for them to track how many people are going through and what business is being conducted through those partner relationships. If you have single sign-on, it's a much smoother experience. They are documenting improved adoption rate on the partner activities, and all that feeds back to revenue.
[The car company] saw a high success rate if they had more test drives, and so they had local marketing companies doing events. They made it seamless for customers based on their geographic area to sign up for things. They got a higher level of test drives, which correlated into a higher level of vehicle sales. It depends on the industry you're in, but on the financial services side, we've seen higher adoption of new services that banks make you make it simple for [the customer]. It is an over-arching rule that simplicity wins.
FIELD: Where do you see organizations might find some of those early quick wins?
GORMLEY: We do a lot of work with large companies. When we do an audit or an assessment of what they're doing, many times in a rush to get things online, companies don't even realize how many websites and portals have been set up online that customers, prospects and partners use. During the last 10 years, where everyone wanted to put things online and customers were engaging that way, there were a lot of side projects and silos out there. One of the quick wins is to do an assessment of that and get your authentication, your single sign-on or web access management space cleaned up. When any of these people were creating a portal or site, they didn't envision the deeper digital customer relationships that have developed now, where customers want or need to cross from application to application. When you go back and look at the customer experience, it's uncomfortable for them to go from one to the other if it's not set up so that there is coordinated authentication and single sign-on.
There are statistics on people moving to different vendors based on how convenient the online experience is, especially with the younger generation. The consumerization of IT, people want and know what a good interface is, and what a convenient experience is, and they expect that from their vendors. A good place to start would be at the front end with authentication, single sign-on. There are ways to do authentication that won't be a hassle to users; risk-based authentication checks factors in the background. You don't ask the customer to take additional steps. That would be a great place to start to improve the customer experience, as well as providing better security for the organization.