5 things all CIAM vendors should be doing to protect customer data November 9, 2016 by Mayur Upadhyaya How many times have you received a password reminder with your actual password and not a reset link? That means the brand is storing the password in plain text, and this still happens and with some pretty high-profile brands. The protection of personally identifiable information (PII) should be top of mind for all businesses. Are creative or digital agencies storing data safely (encrypted at rest) and sending it to their clients securely (encrypted in transit), or is the client services manager emailing the brand manager a CSV of PIIs each Friday? Are those free gig tickets worth the risk of being pwned? As more information goes online, the threat of disastrous breaches increases, which is why security is more important than ever. Brands and companies are increasingly outsourcing the risk to customer identity and access management (CIAM) vendors to maintain customer data. So far this year, there have been over 500 data breaches, exposing more than 12 million identity records, according to the Identity Theft Resource Center. Coupled with the recent Yahoo! Breach that exposed 500 million records, having a CIAM solution is increasingly becoming table stakes. As companies collect data, they take on the responsibility to keep that information safe. The security of customer identities also directly impacts margins and brand equity. IBM’s recent data breach survey showed that the cost of a breach has grown 2.5% annually, and in real terms could reduce Verizon’s valuation of Yahoo! by $200 million. As a custodian of customer data, it is mission-critical that CIAM vendors focus their energies on security and privacy rather than be distracted by trivial non-vital functionality such as gamification (which can be delivered by a niche vendor). How can businesses tell if their CIAM vendor is enterprise level and a serious contender for outsourcing their risk? Check that they offer these five things. 1. Layered security It’s important that your CIAM solution uses appropriate administrative, physical and technical safeguards to help protect the security, confidentiality and integrity of customer data. If your solution gives access to data at all levels, the risk of a breach or mistake happening is greater. Find a solution that provides security at the systems and applications layers. Some CIAM solutions partner with the industry cloud providers, such as Amazon Web Services (AWS), which provides its own security for its infrastructure and data centres. Take the time to learn about a platform’s partners and how they store data. It will ultimately affect your customers. 2. Restricting and monitoring access Make sure you know who will have access to your customers’ data. Does the vendor restrict access on their end? Some providers refer to this as scoped access, a way to help ensure that only the minimum level of data is available to each individual and provides built-in, customisable field-level scoped access capability for websites, mobile apps, tools and integrations. Internal governance is critical – make sure you have the ability to restrict access for who can access the data. Your CIAM solution should allow for restrictions and monitoring ability to ensure that only those who absolutely need access from your company can view and manage customer data. The more people who have access, the greater the possibility for unintentional data leaks. 3. Certification practices and compliance What security certifications and compliances does your vendor have and are they are working to obtain more? While security is important to all, certain industries require that CIAM solutions comply with industry standards. Finance, pharmaceutical and government companies have to especially make sure they are following and meeting all requirements – ensure your CIAM provider is. 4. Availability It’s difficult to predict when and where events that require disaster recovery and data backup will occur, so it’s necessary to always be prepared. If you have data stored in only one location and that place experiences a disaster, you lose everything. Make sure your CIAM provider has data backed up to servers in a separate data centre than the one where your customer production data is hosted, to reduce the risk of loss. To provide extra security, you can have backup storage solutions as a company to make sure you reduce that risk as well. 5. Third-party testing After making sure your CIAM provider has these in place, find out if they conduct third-party testing. Performance monitoring to proactively detect and remediate brute force and denial-of-service attacks is important. Vulnerability scans, penetration testing and intrusion detection of CIAM platforms can also prevent disastrous breaches. Don’t get swayed by the shiny suites – no number of baubles, widgets or ‘extra’ features could ever make up for a breach of millions of customer profiles. CIAM is risk mitigation – everything else is secondary. Learn more about how Janrain works to protect customer data, or contact us with any further questions about our trusted CIAM solution. ‘ This article was originally posted on Information Age.