Partner IAM - an IAM for business partners.

What is Partner Identity and Access Management (PIAM), and How Does it Relate to B2B?

What is Partner Identity and Access Management (PIAM)?

Partner Identity and Access Management (PIAM) is a type of Identity and Access Management (IAM) that incorporates the processes and tools to onboard, grant and govern access for business partners. Business partners are external organizations that commit to collaborate with and contribute to a business. Examples of areas where organizations cooperate include promotion, distribution, supply chain, outsourcing and research & development.

Essentially, in any business-to-business (B2B) scenario, external users such as the employees of partner organizations need to get access to data and services of the organization they partner with to fulfill their business duties. PIAM focuses on managing and securing access of such third-party identities.

Why PIAM Matters for B2B

Business partnerships can take many forms, and how organizations collaborate depends on the individual businesses. Still, you can categorize the relationships into two groups:

  • Partnerships that create customer relationships (e.g., retailers).
  • Partnerships that assist with operations (e.g., vendors, suppliers).

In the first case, business partners are responsible for onboarding new customers. While Customer Identity and Access Management (CIAM) provides a secure user experience for those customers, PIAM focuses on securing the business partner access to customer data and the tools they need to sell the organization's products and services in a secure manner. CIAM systems often have some PIAM capabilities, like a customer portal, to address part of the use cases that arise from this kind of partnership.

The responsibility of PIAM is to ensure that partners can only manage customer data they are authorized to access. It also includes guaranteeing that customers have consented to partners handling their data. Failures to properly enforce access controls and collect user consent can lead to serious privacy and compliance risks.

Some business partnerships focus on optimizing operations. Partners in this category typically require access to internal systems such as supply chain systems, development environments or non-public documents. It is likely that such business partners gain access to confidential information.

Without proper access control, organizations risk security incidents such as supply chain attacks, data or compliance breaches that can threaten the future of a business. PIAM addresses those risks.

What's the Difference Between PIAM, CIAM, and IAM?

Despite some overlap, PIAM, CIAM and (workforce) IAM are distinct initiatives with different purposes. The following table lists some characteristics to highlight important differences.

| | PIAM | CIAM | IAM |
|---|---|---|---|
| Target Users | Business partners | Customers | Employees, contractors |
| User Type | Individuals or organizations | Individuals or organizations | Individuals |
| Identity Source | External / federated | Mainly internal | Internal |
| Identity Ownership | Business partner | Customer and enterprise | Enterprise |
| Lifecycle Management | Contract-driven or self-service | Self-service | HR-driven, based on employment |
| Target Access | Limited, specific (confidential) resources | Limited, public resources / public interfaces | Broad, internal resources |
| Scalability | High, needs to be able to handle many different personas | Very high, needs to be able to handle spikes and potentially millions of users | Low, fairly fixed amount of users with predictable usage patterns |
| Security Goal | Mitigate risks concerning third-party access to sensitive systems. | Secure customer data, protect access to public business resources, and prevent fraud. | Secure internal systems, and mitigate insider threats. |

Acronym

PIAM in this article refers to Partner Identity and Access Management. In another context it may stand for Physical Identity and Access Management, Public Identity and Access Management or even Privileged Identity and Access Management.

What are the Key Features of PIAM?

Partner IAM solutions should drive secure operational efficiency. They should, for example, allow partners to log in using their own identity. This approach is also known as Bring Your Own ID (BYOI or BYOID). Important features of a PIAM system are

  • Identity federation,
  • Delegated administration,
  • Audit, threat detection and compliance,
  • Adaptive access,
  • Identity lifecycle management.

Identity Federation

PIAM systems should support identity federation to integrate with the partner organization's existing identity providers (IdPs). A good PIAM system can complement the external authentication mechanism with its own requirements and add, e.g., multi-factor authentication on top of it. Besides user experience, federation also provides security and business benefits: it offloads identity management to the partner organization and thereby reduces the risk of a growing number of service desk tickets due to lost credentials.

Delegated Administration

Partners should be able to administer the access to the organization's data and systems for their employees. This means a PIAM system needs to be able to group users and to define administrators for those groups, e.g., by implementing multi-tenancy features. In addition, the PIAM system should provide a portal for partners to manage their employees and/or customers in a self-service manner.

Audit, Threat Detection and Compliance

Good PIAM systems facilitate continuous auditing and metrics to allow for threat detection and security risk mitigation. Auditing and reporting features are also important to prove compliance with regulations such as CCPA, GDPR, HIPAA, SOX or SOC 2. When entering a business partnership, regulations may not only apply to the business' own organization but also to their partners.

Adaptive Access

PIAM solutions should enforce the principle of least privilege with dynamic, fine-grained access control that adapts not only to risks in real time but also to the expiration and scope of projects or legal documents such as contracts and agreements that lay the foundation for business partnerships.

Identity Lifecycle Management

A PIAM system should enable automated workflows for onboarding new customers. This includes sending invitations and enabling self-service registration, identity verification, account activation and consent management.

Even more importantly, a PIAM solution needs to be able to automatically revoke user access when the legal foundation changes, e.g., when a user leaves a company or a business partnership ends, in order to prevent orphaned accounts. Regular or event-driven access reviews further help to avoid left-over, standing privileges.

How to Implement PIAM?

When implementing PIAM, make sure your authorization policies support various groups and personas of external users, e.g., via a tenant ID. Get the policies right before integrating with business partners. The PIAM system should allow for flexibility and enable you to add required claims such as the tenant ID to access tokens to support the implementation of the policies.

As part of the login process, consider identifying partner users before authentication. This can mean prompting users to enter their corporate email address. In this way, you can identify the business partner and route the user to their corporate identity provider (IdP). After successful authentication, the user returns to the PIAM system, which issues an access token. As part of that, the PIAM system should be able to include in the access token any data that it receives from the external IdP. This is important because in a PIAM and B2B scenario, business partners manage their own users, primarily in their own systems.
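The flow above, as an added example that is not part of this article or of the Curity Identity Server: the email domain selects the partner and its IdP before authentication, the tenant ID is added as a claim to the access token after authentication, and the authorization policy uses that claim to keep partners isolated. All partner names, domains, roles and resources are constructed.

```python
# Added example, not Curity's code: home-realm discovery by email domain, a
# tenant_id claim carried into the access token, and a tenant-scoped policy.
# All partner names, domains, roles and resources below are constructed.
from dataclasses import dataclass

# Constructed partner registry: email domain -> (tenant id, corporate IdP issuer)
PARTNERS = {
    "acme-retail.example": ("acme", "https://idp.acme-retail.example"),
    "globex-supply.example": ("globex", "https://idp.globex-supply.example"),
}
# Only these IdP-asserted roles are accepted into our token; others are dropped.
ALLOWED_IDP_ROLES = {"sales", "order-admin"}

def discover_idp(email: str):
    """Pre-authentication step: map the corporate email domain to a partner."""
    domain = email.rsplit("@", 1)[-1].lower() if "@" in email else ""
    return PARTNERS.get(domain)  # None for an unknown partner: do not guess

def issue_token(email: str, idp_issuer: str, idp_claims: dict) -> dict:
    """Build the access-token claims once the partner IdP has authenticated
    the user. The tenant comes from our registry, never from the IdP payload,
    and the IdP issuer must be the one we routed the user to."""
    partner = discover_idp(email)
    if partner is None or partner[1] != idp_issuer:
        raise PermissionError("user not routed through the expected partner IdP")
    tenant_id, _ = partner
    roles = sorted(set(idp_claims.get("roles", [])) & ALLOWED_IDP_ROLES)
    return {"sub": email, "tenant_id": tenant_id, "roles": roles}

@dataclass(frozen=True)
class Resource:
    name: str
    tenant_id: str       # the partner whose customer data this resource holds
    role_required: str

def authorize(token: dict, resource: Resource) -> bool:
    """Tenant isolation first, then a least-privilege role check."""
    if token.get("tenant_id") != resource.tenant_id:
        return False
    return resource.role_required in token.get("roles", [])
```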

PIAM requires specialized capabilities to cater for various B2B use cases. Depending on the kind of integration and partnership, you may need to separate data and behavior from various business partners. In such cases, consider the use of distinct profiles that allow for isolation with regard to data, management and behavior.

Make sure the PIAM system lets you control where data is retrieved from, where it is stored and how it is managed. You should be able to customize the user experience for both authentication and administration of users. In addition, ensure you can tailor access tokens because they are a fundamental piece of API access control. The Curity Identity Server, for example, allows for highly customizable scope and claims configuration. In addition, its extensibility enables almost endless adaptations to implement specific use cases.

PIAM is a Mature CIAM

CIAM systems offer features that are tailored to managing external users. In that sense, PIAM is like a mature CIAM for business partners, with well-developed and more complete features to govern third-party access. This article highlights the important features organizations should look out for in PIAM systems. For additional insights, check out Gartner's report on Innovation Insight for Customer and Partner Identity and Access Management.

Judith Kahrer

Product Marketing Engineer at Curity
