Welcome to our webinar. Today we're gonna talk about c Im and the tie-in with our new tool, KC Open Select. I'm John Talbert, director of Cybersecurity Research here at Coopering and Cole. And welcome. So some logistics info. Everyone's muted centrally, there's no need to mute or unmute yourself. We're gonna do a couple of polls, a little pass midway through on this and hope everyone will participate. I'll take questions. There's a questions blank in the C event control panel. Feel free to enter those and I'll talk to those at the end. And then the recording and slides you see here today will be available in a few days.
So first up I'll give an overview of c i m, including some of the trends and what we've seen in our LA latest research. We'll look at the evaluation criteria used for doing leadership compasses and now open select as well. And we'll talk about the methodology, the categories that we rate, and then give you a preview of what open select looks like. So first up, what does the C and c Im stand for? We often hear it called customer. Im sometimes we call it consumer iam. Really, it's, it's all all of those plus citizen. So on the consumer side, we see use cases, you know, as you might expect around online banking, retail, e-commerce, media, subscription accounts, things like that. But we also see, you know, business to business customer kinds of relationships for, you know, different members of a supply chain logistics. So businesses are using c a m quite extensively these days too. But then there's also governments interacting with citizens using c I M solutions, you know, maybe to register and pay their taxes online or to apply for, or renew different kinds of licenses online. So all these different kinds of use cases fit into the broad spectrum of consumer, customer, citizen, c i m.
So when organizations are looking for c I M solutions, they have a number of different reasons. They might be, you know, trying to find something. Maybe they wanna replace an existing c i M solution that, you know, isn't really doing everything that they needed to do. They need to be able to offer new and different forms of self-registration for, let's say, consumers to, to register. They need to be able to host the consumer profiles or customer profiles, you know, which can need to contain more kinds of information than you might commonly be able to put into a regular IAM LDAP kind of database. Ultimately, the goals usually are to convert unknown users to known users and, and be able to collect consent for regulatory compliance. We'll talk more about regulatory compliance, especially privacy regulations, but you know, there have been more privacy regulations enacted in various places around the world, and it can make it difficult to, for an organization that operates in multiple jurisdictions to comply with those. But fortunately, a lot of c i m solutions have those kinds of options built into 'em today.
So, you know, in order to turn an unknown user into a known user, that means collecting information about them with consent, of course, where applicable. But, you know, organizations wouldn't do this to be able to get marketing analytics and tie it into their marketing automation systems. Ultimately in, in the cases of consumer facing organizations or B2B relationships to increase revenue on the security side, many organizations find they need to offer better and stronger authentication for a variety of different reasons, different security risks. We need better account recovery mechanisms. Often that's, that's a motivation because if you're just doing passwords and password resets, that can be n not only expensive in terms of organizational costs, but if a user can't recover their account because it's infrequently used, then it's potentially a lost business. So account recovery is very key for most organizations that are looking for c I m.
And then closely related to that identity analytics for the purposes of security, again, kind of making sure it's the right user. So when we talk to organizations that have implemented or looking to implement or up update their cm, some of the things that we hear about are, are, are the problems that they have encountered? And those are things like not enough a p i exposure. Most organizations want to integrate their c i m with a, a variety of other systems, maybe their workforce IM or line of business applications. And, you know, earlier generation products did not make that as easy as they do today. Most are, you know, much better at allowing customers to either have prebuilt connectors or, or really good a p i connectivity such that they can make those connections themselves.
Historically there was, you know, lack of support for legacy applications. Identity and marketing analytics were built into the CM system. Most organizations today wanna be able to get that information out of it to prevent c i m from becoming a silo. Early gen products were typically, you know, on-premises hosted, which, you know, can be more difficult to scale because you've gotta buy hardware, you've gotta have people to run it. So, you know, cloud-based solutions have really taken off over the last five or 10 years, and we see, you know, a lot of preference for cloud delivered c i m solutions to address the scalability problems.
A few other things that early Gen CM solutions did not do as well at, and that was, you know, offering stronger kinds of authentication. It was mostly just password, you know, insufficient consent collection, consent notice, difficult for users to be able to manage their consents, you know, revoke them. But, you know, since G P R and other subsequent regulations have come along, most of the C I M vendors have built this kind of functionality and to make it easier for organizations to do that, and it makes it e easier for them than to comply with those different kinds of regulations. There's also been a bit of innovation in licensing subscription cost models with more C I M vendors moving to, you know, pretty straightforward monthly active user kind of cost structure.
As you know, there has been an awful lot of cyber crime and a lot of fraud. It has been increasing, unfortunately, a lot of innovation in cyber crime, which is sad to say, but the two major kinds of fraud that we see, consumer and customer facing sites dealing with our A T O or account takeover fraud and AO or account opening fraud, a t o, you know, just what it sounds like having your account taken over. The methods used can be things like, you know, breached passwords, looking at password dumps on the dark web credential, stuffing attacks, bot perpetrated, just brute force password guessing still works in, in some cases. Unfortunately, these are used for, you know, draining victims accounts of money or, or any other value that that may be stored there. On the account opening side, it's often the used to create mule accounts or, you know, accounts where e even, you know, larger amounts of money can be moved, opening up lines of credit, for example.
And the hackers do this by getting p i i about a victim, you know, maybe from school work and health records and, and then building an account that looks like a real person and then using it to apply for, you know, a a line of credit. For example, the major mitigations here for account takeover, multifactor authentication, risk-based authentication greatly help reduce the incidents of account takeover fraud, especially in conjunction with fraud reduction intelligence platforms. And on the AO or account opening side, some of the best mitigations around identity proofing increase, increasing the identity assurance level so that the right person really makes the account and the the others are denied.
So some of the new things we've seen in the last couple of years as, as you might expect, you know, digital transformation was really driven hard during the pandemic. You know, all businesses, even the ones that didn't have strong online components, had to have them in order to, to stay in business and compete. As I mentioned, fraud is just skyrocketing. Every, every consumer facing site has to have some sort of fraud prevention technology these days. There's a need for identity proofing, again, as as fraud reduction method. We see some C I M solutions that are offering this directly and many are now offering a p i connectors to third party identity proofing services, the privacy regulation compliance, more laws, more complexity. Businesses and organizations need the help of c i M solution providers in being able to meet those regulatory requirements. There are now passwordless authentication options that make it a lot easier for consumers to log in much, you know, less painful and also increase usability and security. There's a need for integrating and interoperating using those APIs. So standards based APIs, you know, rest web hooks, GraphQL, we see more in different kinds of functions that are exposed through APIs for integration with, you know, different kinds of on-premises or cloud-based applications.
Iot, device identity, many manufacturers and and stores will want to be able to allow their consumers to control or associate their purchase devices with a known and trusted digital identity. So iot device identity management is a, a very important consideration in c i M today. And then lastly here, you know, B2B is increasing. B2B customer relationships are, are in most cases very well handled by c IM solutions that are out there today. And in fact, vendors report that B2B and B2 B2C kinds of use cases are, are driving some of the most growth in uptake in C I M.
So we did a, a round of research on CM and what we found where, you know, a number of different improvements with the evaluation criteria that I used to rate them are onboarding. And by onboarding I mean how easy is it for a consumer or customer to get into a, you know, a deploying organization's systems to register? Can you do customization of the workflows? Is there identity proofing that can be built into that? You know, we've seen an increase in the use of like remote mobile document verification app apps that are, you know, facilitating easier onboarding and, and bringing additional identity assurance, identity assurance itself, you know, increasing the identity assurance level to what customers feel is appropriate for their particular business cases, a t o protection. Again, I think this is so key, it it deserve to be called out as a, a special line item in the report.
What facilities does a C I M solution have within it to be able to help protect the accounts of their customers authentication? This is a measure of, you know, what kinds of authentication methods are possible within the solution? Does it offer passwordless risk-based and is it easy for the customer or deploying organization to configure consent management? This measures, you know, does it do everything you would expect it to do for like G D P R consent collection? Including, you know, presenting a user with a screen to review and revoke consent if they, if they no longer choose to do business or share information with an organization. Some often will put in data subject access request facilities within the consent management platform in the C I M system, IOT device management, what what is possible for IOT device management in the solution that we're looking at? And we'll show you some examples in a minute.
Identity analytics, you know, again, this can be very, very helpful for security. And then lastly, marketing integration. You know, earlier Gen CM solutions tried to present a lot of the marketing information directly within the C I M solution, but most customers want to, you know, be able to get that information out and into other data analytics platforms that they use today. So marketing integration covers not only a p i connectivity, but you know, how many pre-built connectors are there that make it easy for a deploying organization to connect their c i m to whatever data analytics, marketing automation kind of tool that they've got.
So let's look at our processes and how we go about doing our research. First of all, we will identify all the vendors in the field, get briefings, demonstrations. We send out, you know, massive technical questionnaires and, and get them to answer questions. We get all this information back, we analyze it, we rate them, we write about them, then we send that out for fact check, get updates if needed. And then once, once it's all clear, then we publish on conet cole.com and, and now we will also be doing this in open select, which we'll see in just a moment.
In addition to those special categories for C I M I just talked about, we also look at nine standard categories, security. This is about how secure is the product itself, functionality, does the product do everything that we expect it to do? Does it have all the right features? Deployment, you know, is this only for the cloud? Can it be run on prem? Is it you know, fully managed SaaS? And then how easy is it to deploy and what level of effort is needed to maintain it? Interoperability, this is really where standards are key. There are many different identity standards for, you know, how accounts are stored, how they communicate, how you authenticate, how you can be authorized and support for standards is very important for interoperability.
And then usability. You know, how easy is it not only for the end user or the consumer or customer or citizen, but what's it like for the admin, the deploying organization? Is it easy and intuitive for them to manage? Then we also look at innovation. You know, does the product deliver what we expect it to? Is it leading edge or a little bit behind market? You know, how many customers, how geographically distributed are they? What's their, what regions of the world are they operating in? Ecosystem is really about how does a customer organization find support? Do they have, you know, resellers or system integrators and, and how well distributed around the world are they? And then lastly, we will look at, you know, any relevant company from startup to, you know, massive public company. And we tried to explain what their overall financial strength is in the financial strength rating.
So let's do a couple of quick poll questions here. Which of the following, if you're looking for c I m, has been a main motivation for you and your organization? Is it improving the customer or consumer experience? Improving security, enhancing your marketing opportunities or increasing revenue? Great, we see the results here in real time. Excellent. So more than half say improving the customer experience. That's great. That is an important consideration. Okay, let's move to poll number two. What's the biggest obstacle your organization faces in deploying or upgrading C I n? Would you say it's budget business versus IT alignment on goals integrating with the apps that you've got or scalability or difficulty in managing C IM and lack of or lack of customizability in a p I and integration this time we see budget versus, or business versus IT alignment on goals as the the top concern.
Okay, so now let's look at how what KC opens select is like and you can use this new tool to view the results of the leadership compass and subsequent research. So a quick word about KC Open Select, like I said, it's our new tool, it's free for everyone to use. The motivation behind it is to be able to help organizations come in, sort of look at their own use cases, the things that the they think are most important. And sort of customize the rating and help you make, you know, better decisions on where you might, what products you might wanna look at when you're doing an R F P. It certainly can't give you full guidance on selecting a product, but it's a great starting point for doing that. So in this leadership compass for C I M, I won't read off all these vendors, but there's probably a lot of names you recognize and maybe some that you don't. Each time we run the report, you know, every year, year and a half or so, we find that not only are, you know the overall numbers of customers that these organizations have increasing, but there are more companies that are getting into CM because it is, you know, a really rapidly growing field.
So when you first get into Open Select and you drill into cm, you'll find, you know, an overview a little bit like maybe what we've discussed today. And from here, you know, you can navigate to, you know, finding out more about how it works. You can get into and see the different vendors that I mentioned and here, you know, as an example, you can see how they're rated across those standard categories like deployment functionality as well as each individual vendor's spider graph that shows the specific categories that I mentioned earlier about, you know, the for for C I M, you know, the Identity assurance, A T O protection, marketing integration, iot device management. So you can see how they rate. Then you can also drill down into more details on each vendor and you can build your own comparison table to look at which vendors you know, you think might be most applicable.
You can also sort by use cases we've listed, you know, a number of different use cases that we find are important to different organizations that these vendors support. You can read about those. Then you can also down select and rate or see what the ratings are for each company By that in another comparison table, you can get information about what you should be thinking about when you're going out to do an R F P for C I M, what are the internal considerations, you know, beyond technical and as well as getting, you know, the good list of technical questions too.
And here are some questions that you might want to ask as you start a acquisition process for a C I M solution. And then you can also read the full documents and related documents on our website under KuppingerCole dot com slash research. So let's see, do we have any questions? Okay, first question. Is there a real adoption of on Passwordless in CM space? There are lots of opportunities in terms of, you know, products that support different passwordless authentication mechanisms. I think, you know, as we can see in our day-to-day experience, there are not nearly as many deploying organizations that are taking advantage of the passwordless authentications capabilities that are there. But yeah, I would say, you know, take a look at Open Select or read the Leadership Compass. You can see exactly which vendors support Passwordless authentication Plus we did a Passwordless Authentication Leadership Compass back, I think it published in January. And that's also available in case the open select. So you can see which vendors support that today, self-service account and profile management in the evaluation criteria that is in the evaluation criteria. I mean, I just did not roll it up to, you know, one of the, the major, you know, eight, eight categories this time. But there is text in the document that that describes what the self-service account management is like so that it's, you can have an idea by reading through either the report or checking it out online on KC Open Select.
So I don't see any further questions at the moment. So thanks everyone for attending. And yeah, please feel free to check out KC Open Select for not only what you see here on C I M, but our other topics and we will be bringing additional topics to KC opens select in the weeks ahead. So encourage you to do that and if you have any questions, other questions, feel free to reach out. Thank you.
