Sort of by accident I learned just now that there is a whole fairly new emerging industry category called CIAM (Customer Identity and Access Management). This CIAM industry category is populated by a bunch of companies, all of which are only a few years old, and many of which are growing fast. It turns out that CIAM is “a thing”. There are industry analysts and writers who apparently make a living writing about and analyzing the players in the world of CIAM. It turns out that lots of enterprises and corporations are willing to pay lots of money for CIAM services. In this blog article I will name some of these CIAM companies and I will poke fun at how one of the companies markets itself.
Players in the world of CIAM include companies called ForgeRock, Okta, and Ping Identity. I clicked around a bit to see what ForgeRock says about itself on its web site. It is a company with offices in ten cities. It has some 700 employees and says it has some 1300 enterprise customers. Okay folks, are you ready for a long string of sound bites? Are you ready for a dozen content-free mission statements? Here are some direct quotations from the front page of this company’s web site:
Customer Identity and Access Management. One Platform For All Identities. AI-driven identity for the modern enterprise. Help people do their work with fast, easy and safe access to the apps and services they need from anywhere. ForgeRock helps you simply and safely access the connected world. Our enterprise-grade platform makes it easy to manage, secure and govern all identities at Internet scale, powered by advanced cloud architecture and artificial intelligence. We provide personalized journeys and broad authentication options, so you can better engage customers and empower employees without compromising on security and privacy. We geek out on digital identity. Our passionate and forward-thinking team of experts includes pioneers in open-standards identity, and we’re 100% focused on customer outcomes.
Wow. You can’t make this stuff up. Well, actually, you can. You could put this stuff onto refrigerator magnets and rearrange it into new sentences and it would work just as well. Here I just made up two new ones at random.
Our AI-driven platform provides personalized authentication options with fast, easy and safe access to customer outcomes. Our passionate team of pioneers helps people to manage, secure and govern access to apps and services without compromising security and privacy.
The “platforms” provided by this company, all of which I assume are “in the cloud”, are described in two-word phrases such as “Autonomous Identity”, “Identity Cloud”, “Identity Management”, “Access Management”, “Identity Governance”, “Identity Gateway”, “Directory Services”, “Intelligent Access”, and “Privacy & Consent”. The “solutions” provided by the company, all of which I also assume are “in the cloud”, are said to be “Customer Identity”, “Employee Identity & Access”, “Internet of Things (IoT)”, and “Industry Solutions”. Clicking around on the company’s web site, I see photos of medical people in scrubs and a success story (I guess) about how ForgeRock provides (I guess) access control to all of the doors of a hospital complex, and probably logins on all of the computers, and probably selective access to all of the databases in the hospital’s computer systems, and maybe they provide a top-to-bottom equivalent of Docusign to keep track of employees and patients signing and consenting to all sorts of documents and agreements. I’d guess that part of what ForgeRock provides is a promise that everything about it is HIPAA compliant.
Here is an actual sentence from a news article about ForgeRock.
“I think one of the more interesting products that ForgeRock offers is ForgeRock Trees, which is a no-code/low-code orchestration tool for building complex authentication and authorization journeys for customers, which is particularly helpful in the CIAM market,” Kelly added.
I defy any reader to figure out what any part of this sentence means, let alone what, if anything, the entire sentence means. As best I can tell, the sentence is a value subtractor for humankind, consuming toner or electrons or photons and communicating less than nothing. What is an “orchestration tool”? What is a “complex authentication and authorization journey”? I suppose that you could point to just about anything and you could say that it is “particularly helpful in the CIAM market”, given that CIAM sort of means anything and everything. I guess you could point to just about anything and say that it is “a more interesting product” that a company offers, especially if many of the other products that a company offers are not very interesting. As a parting shot I will invite anyone who can help me here to let me know what it means to say that something is “no-code/low-code”. I am going to take a stab at it and I am going to guess that what this sort of means is “the way you do it is by clicking around on a web page rather than by the pesky business of having to write computer code”. I guess “orchestration tool” probably means something like “a thing that helps you get something done that you are trying to do”. I guess “journey” probably means something like “a thing that you are trying to do that takes a while to do”. So I suppose this particular word salad probably works out to mean something like:
ForgeRock Trees lets you construct a customer user interface for an authentication and authorization process, and you don’t have to write any computer software, you just do it by clicking around on a web page.
Returning to CIAM generally. Just imagine how attractive and seductive something like this CIAM stuff might be for management of some large and sprawling company or enterprise. The idea that you can outsource your ID badges, you can outsource the turnstiles for building entry, you can outsource onboarding of new employees, keeping track of who can log in to which computer systems and who can gain access to which files and databases. In a work-from-home environment, the outsourced services presumably can keep track of VPN access on employee computers to the office servers, and keep track of the company VOIP phone on the employee’s desk at home. If the employee has a company-provided mobile phone with a VOIP connection to the office, or with company email or company messaging on it, this is automatically tracked and authenticated. You get to outsource the control of which cars can get into the parking garage based on the tag in the car’s windshield. At a moment’s notice I imagine you can call up a list of the employee agreements that a particular employee has or has not signed. At a moment’s notice, I imagine you can call up a list of the databases that a particular employee has accessed recently or a list of the files that the employee has downloaded recently. I imagine you can get a log of events of interest such as building entry or exit, car entering or exiting the parking garage, computer being logged in and logged out, or email messages having been read. When an employee is going to get fired, I would guess that it only takes one click of a mouse and the now-former employee instantly loses building access and email access and every other kind of access, and logs are captured of all historical events in the system relating to the now-former employee.
And all of this is conveniently outsourced. No pesky having to figure out how to do any of this yourself.
I cannot shake from my mind a recollection of the 1995 movie The Net, starring Sandra Bullock (Wikipedia article) in which a nationwide security system called Gatekeeper goes out of control. The character played by Bullock, who is the only person who might be able to set things right, learns that all records of her life have been deleted, she has been checked out of her hotel room, her car is no longer at the airport parking lot, and her credit cards are invalid. Her home is now empty and is listed for sale. Fortunately the movie is fiction, and in the movie, the good guys win and the out-of-control system is shut down.
One hopes the potential customer of a CIAM service provider would give at least a little thought to a few things. I wonder how absolutely certain you could be that the CIAM service provider has completely protected against every possible attack against their systems by a would-be intruder? I wonder how absolutely certain you could be that no single rogue employee of the CIAM service provider could carry out some unauthorized action regarding the various things mentioned above? I wonder how absolutely certain you could be that everything in the CIAM’s cloud-based system is backed up so very well that in the event of some failure (a building burning down? an earthquake somewhere?), it could all be replicated and restored to service promptly? I wonder how absolutely certain you could be that the CIAM service provider really is maintaining the event logs that they say they are maintaining, so that at a later time you could reconstruct some events that turn out to have been important to know about? Where is the cloud located? In country A? Country B? Suppose a government agency in country B approaches the CIAM service provider, requesting or demanding information or access to information or events relating to a particular customer of the CIAM service provider. Will the CIAM service provider promise to disclose to the customer that the request or demand was received? Will the CIAM service provider promise to protect the customer against such government intrusion? Will the answer be different depending on whether or not the customer is located in country B?
Suppose you are a customer of a company or enterprise that uses one of these CIAM service providers. For example suppose you are a patient in a hospital that uses one of these service providers to control essentially every internal and external function of the hospital. Would you even have any way to know that the hospital has outsourced all of these functions in this way? Maybe there would not even be a way to know this.