Data breach vigilantes: CIAM and IGA for customer data protection

In today's digital battleground, it seems like a week doesn't go by without news of some kind of data breach involving identity security. It's easy to become desensitized to the constant stream of identity security compromises. Yet, beneath the surface, a silent war is waged against the very essence of our online identities. Each breach is a battle fought on the front lines of cybersecurity.

The hidden threat: Dormant accounts 

The type of data breaches that get the most public attention involve customer data. Rightfully so, as we're all too aware that we could have easily been included in the long list of victims, our personal information floating in the vast expanse of cyberspace. Nearly everyone has a slew of online accounts with a longer list of companies and organizations than we can keep track of. And that is exactly what makes these accounts so vulnerable.  

Studies indicate each of us may have as many as 100 unused online accounts, which are often out of sight and out of mind. By that estimate, there are billions of unused accounts containing sensitive information at risk of a breach, scattered across the digital landscape like dormant mines waiting to be triggered. We may overlook these forgotten remnants of our online existence, but hackers do not. 

CIAM: The guardian of customer identity 

Fortunately, many organizations with large customer bases are stepping up their defenses with customer identity and access management, or CIAM, to help fortify their customers' account security. These vigilantes of the digital realm, armed with solutions like OneLogin, stand as the first line of defense against intruders. CIAM solutions enforce stringent security measures: centrally defined and enforced password and MFA policies, detection of some risky authentication behavior patterns together with session control, and a more secure cloud directory for customer identity data that is kept separate from the company's internal customer database. A preemptive CIAM strategy might reduce the impact of an eventual breach and may also make any breach far less likely. With CIAM, companies can enforce the most cutting-edge industry tools for securing their customers' access.

CIAM builds a formidable barrier between sensitive information and attackers waiting to strike. But CIAM alone is not enough; it's merely the first line of defense in a layered approach to customer data protection.

Customer identity’s bodyguard duo: CIAM + IGA 

Most enterprises today utilize identity governance and administration (IGA) solutions, such as One Identity Manager, which empower them to proactively patrol the digital landscape and reduce their attack surface. IGA solutions provide auditable records of precisely who has access to what within their workforce. By automating processes such as provisioning and role-based access control, IGA reduces the attack surface, particularly concerning dormant accounts. 

But the primary motivator for many organizations that choose to deploy an IGA program tends to be regulatory compliance, such as SOX or HIPAA. Since these regulations do not typically apply to customer data, the benefits of IGA for customer data can be easily overlooked. But the same principle of least privilege that is desirable for a workforce user population can also be applied directly to customer data. 

In much the same way that it does for employees, IGA can reduce this potential attack surface in customer populations. In the case of unused accounts, an IGA solution can detect which accounts are inactive, then mitigate the risk of these old accounts by removing personally identifying information and other sensitive attributes from them, and eventually deleting them entirely. Because customer accounts are often self-registered and never off-boarded in a conventional manner, it may be challenging for an IGA tool on its own to respond automatically to lifecycle changes in those accounts. This is where the integration with CIAM is important. By collecting activity signals from the CIAM solution, such as login and app usage behavior, the IGA tool can detect inactive accounts and take appropriate action: remove unneeded access, strip sensitive data from the account, and even change the password and flag the account so that the outdated user must reset it if they ever begin using the account again. While actions like these wouldn't completely remove the risk from unused accounts, they can potentially reduce the impact of a future breach.

Achieving regulatory harmony and customer confidence 

Additional benefits of this CIAM + IGA strategy for governing customer data come from easing compliance with GDPR and helping satisfy your customers' "right to be forgotten" requests. The IGA solution can ordinarily be configured to notify users when their accounts have become inactive, and when they are transitioning into a slimmed-down state or being removed completely. Likewise, certification processes can be put in place to ensure that inactive or orphaned customer accounts have been correctly remediated, and an audit record of these processes can be produced. This not only gives the service provider assurance that it has reduced its potential exposure in a breach, but also provides valuable documentation to quantify the impact of any breach that might one day occur.
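The dormant-account lifecycle described in the two sections above (detect inactivity from CIAM activity signals, notify, strip sensitive attributes and revoke access, force a password reset, eventually delete, and keep an audit record for certification) can be expressed as a small policy engine. This is an added illustration, not code from the post or from One Identity Manager or OneLogin; the thresholds, attribute names and account records are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Hypothetical dormancy thresholds (assumed values, not taken from the post).
NOTIFY_AFTER = timedelta(days=180)   # tell the customer the account is inactive
SLIM_AFTER = timedelta(days=365)     # strip sensitive data, revoke access, force reset
DELETE_AFTER = timedelta(days=730)   # remove the account record entirely
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)   # fixed clock for the constructed sample

# Attributes treated as sensitive; id and state survive so the audit trail stays usable.
SENSITIVE = ("email", "phone", "postal_address", "payment_token")

def decide(acct, now):
    """Pick the lifecycle action from the last activity signal the CIAM side reported."""
    idle = now - acct["last_activity"]
    if idle >= DELETE_AFTER:
        return "delete"
    if idle >= SLIM_AFTER and acct["state"] != "slimmed":
        return "slim"
    if idle >= NOTIFY_AFTER and acct["state"] == "active":
        return "notify"
    return "none"

def remediate(accounts, now):
    """Apply the actions in place; return an audit record for later certification."""
    audit = []
    for acct in list(accounts):
        action = decide(acct, now)
        if action == "notify":
            acct["state"] = "notified"
        elif action == "slim":
            for attr in SENSITIVE:
                acct.pop(attr, None)          # drop PII but keep the skeleton record
            acct["entitlements"] = []         # least privilege: nothing left to abuse
            acct["password_reset_required"] = True
            acct["state"] = "slimmed"
        elif action == "delete":
            accounts.remove(acct)
        if action != "none":
            audit.append((acct["id"], action, now.date().isoformat()))
    return audit

def sample_accounts():
    """Constructed CIAM activity records, one per lifecycle stage."""
    def rec(i, days, state):
        return {"id": i, "last_activity": NOW - timedelta(days=days), "state": state,
                "email": f"{i}@example.invalid", "phone": "000", "entitlements": ["shop"]}
    return [rec("c1", 10, "active"), rec("c2", 200, "active"),
            rec("c3", 400, "notified"), rec("c4", 800, "slimmed")]
```

Running `remediate(sample_accounts(), NOW)` leaves the active account untouched, notifies the 200-day account, slims the 400-day account and deletes the 800-day one, returning one audit tuple per action taken.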

Employing these types of risk-reduction methods requires only unconventional thinking about the purpose of CIAM and IGA. By integrating the CIAM and IGA solutions they already have in place, companies can potentially reduce their customer database attack surface significantly and minimize the impact of an unforeseen breach.

Incorporating CIAM and IGA solutions offers a strategic approach to mitigating data breach risks and safeguarding customer information. By adopting unconventional strategies and leveraging existing technologies, companies become vigilant guardians of customer data, reducing their exposure to breaches and demonstrating their unwavering commitment to customer security. 
