The Monetization Ecosystem: CIAM vs. EMS

Customer Identity and Access Management (CIAM) and Entitlement Management Systems (EMS) are two of the most talked about technologies for giving users access to software applications. The two solutions are often confused because they seem to have the same functionality. But EMS and CIAM solve different challenges. Through the lens of monetization, we'll explore the similarities and differences between the two systems and the problems they solve. But first, let's start with a definition of each.

Customer Identity and Access Management (CIAM) is a subcategory of identity and access management (IAM). It is designed to help organizations manage user identities and provide them with a frictionless onboarding experience. CIAM includes technologies like SSO and two-factor identification, and provides both users and software providers with secure, easy access to software solutions. You know the relief that you feel when you have an easy SSO and you don’t have to remember a zillion passwords? That’s the goal of CIAM.

EMS also controls access, but as opposed to CIAM, it's built to solve the challenge of software monetization. EMS makes it easy for providers to isolate features and components of an application and grant access to individual users or user groups. EMS also grants or revokes access according to conditions like project quantity, number of users, or storage space. EMS also has a customer experience component, but its focus is on ensuring you are maximizing revenue from your software.

Access Control Helps Manage Users at Scale. But Does It Drive Monetization?

Monetization means leveraging existing products, features, and components to increase revenue with little or no additional R&D investment. Successful companies monetize by configuring packages to suit different customer types at various price points and by constantly keeping a pulse on customer willingness to pay.

The basic good, better, best pricing model is the first step in addressing customer willingness to pay. But as you grow and the elements of your plans become more complex, you want to test monetization in new ways. At that point, you need an easy way to manage many variables, including users, product types, features, and consumption.

When just starting, companies often assume they can rely on billing systems or developers to manage all types of access. As use cases become more complex, a company might even engineer a homegrown system to try to automate access control.

But granting granular access becomes even more complicated when a SaaS company experiences massive growth. Organizations need a future-proof solution to manage access and monetize their products at scale.

Let's look deeper into the differences between CIAM and EMS systems.

CIAM & EMS Provide Different Types of Customer Access Control

It can be helpful to think of SaaS applications like apartment buildings: multi-tenant units with more than one type of access control. To enter the building, each renter has a key to the front door. But a key to the building is not enough. To get into your apartment, you need a specific apartment key.

A CIAM system provides access to the SaaS environment. It's the key that gives users access to the building.

Renters need a separate key to access the apartment they are paying for, which has specific configurations: hardwood floor, stainless steel appliances, etc. The key that controls access to individually configured apartments is the entitlement. It’s configured and managed by a dedicated entitlement management system.

For a single-family home, one entry key is fine. If you turn your home into a B&B and start renting out rooms, you will need to figure out a better system. And if you're managing a 100-story skyscraper filled with residences and businesses, owners and renters, corporate offices, and shared workspaces —you need a dedicated system to control access for every use case.

Monetization includes offering different types of access to various features or components of your software. Like managing a skyscraper, you need to differentiate access with ultra-fine-grain control.

Here is where companies often get confused between the capabilities of CIAM and EMS.

CIAM systems address identity and access management (IAM) and security-oriented access management, while EMS addresses the full scope of entitlement management. They complement and interface with each other, but they are not interchangeable.

The CIAM technology was born out of a security need. It functions through internal role-based application access and request-approve-deny workflows. For example, a user sends the internal resource administrator a request to access an application. The admin approves or denies the request and, if approved, adds that user to the group that is allowed access. The user now has access to the application or feature. It’s much like giving a key to the apartment building.

Some CIAM solutions provide the simplest form of entitlement management – you could call it "access to an application for everyone listed in a predefined group". Put a user or group of users on a list, and they get access to an entire application. This list-based access is perfect for providers that want to provide secure, seamless access to software that is used similarly by all users.

A Dedicated EMS Is Built to Sustain Long-Term Monetization Strategies

The same rules of role-based application access don't apply to monetization scenarios. If you rely on creating predefined groups, you have no built-in way to control access to more exclusive features that you could otherwise monetize. It’s kind of like allowing anyone with the front door access key to access all apartments. CIAM has no intrinsic knowledge of user rights, the offerings to which it allows access, if there is a time limit on permissions, or how many units are allowed.

SaaS providers that already have an IAM system, or that are exploring access management, might fall back on managing entitlements with the limited capabilities in a CIAM system. But when their revenue exceeds $10M, their entitlement management needs often outgrow what CIAM systems can provide. At that point, revenue growth stalls, operational costs tend to increase dramatically, and customer experiences take a hit.

EMS does more than allow access. It’s the backbone of a flexible pricing infrastructure.

The entitlement itself contains information about who has access to what features, where, when, and for how long.

EMS helps manage countless variations and combinations of pricing and packaging. You can see the extent of what EMS manages in this graphic:

The entitlement management system streamlines policies concerning entitlements, licensing renewal, workflow, plus access across platforms, applications, and devices. Each authenticated user has access to a specific application configuration. The configuration is based on their entitlement which includes specifications for each user--some have upgrades and add-ons, and some don't. Some have access to different features or higher usage rates than others.

The entitlement also manages changes to user agreements over time. If a customer upgraded in order to receive access to a premium feature, the entitlement changes. Therefore, entitlements become a single source of truth for what the customer is entitled to over the entire user lifecycle. And, because an EMS is used to control & validate application use, it is also used as the installed base master, which is very useful for renewal quoting, etc.

Building the Right Infrastructure to Support Long Term Business Growth

SaaS project managers know the importance of selecting the best technology to achieve project requirements. If your goal is easy, frictionless access to the entire application, a CIAM system is the solution you’re looking for.

But if you are solving for easy, frictionless fine-grained access to a single application with a variety of pricing & packaging schemes? Then a dedicated entitlement management will provide you with the functionality, scalability and compatibility you need for long-term growth.