Security Experts:

CIAM Startup Strivacity Raises $9.3 Million in Series A Funding

Herndon, VA-based start-up Strivacity has raised $9.3 million in a Series A funding round from TenEleven Ventures and Toba Capital. The money will be used for further developing its product and expanding its market reach.

The company offers a cloud based customer identity and access management (CIAM) solution. CIAM puts the consumer into IAM. While standard Identity and Access Management faces inward to provide identity and access to a company workforce, the technology is not a good fit for outside consumers wishing to register and use an account with a company.

Strivacity LogoThere are several reasons for this. The first is the user experience (UX). A company's workforce is a captive audience that has no option but to accept the access controls that are imposed upon them. For this reason alone, UX inevitably takes a back seat to security. This approach does not easily translate to the consumers of an online business, who have a choice between suppliers.

The second is simply scale. An online business may have a few thousand employees but several million consumer customers. It is difficult to scale up a standard business IAM to the necessary numbers for consumer access. 

A third is the driver behind the requirement. While IAM is largely a security and IT process, connecting the right workers to the right resources at and for the right time, CIAM is really about allowing company resources (predominantly 'Marketing') to access consumer data in accordance with compliance requirements.

For these reasons, while IAM may be bought in, CIAM is often developed in-house – by engineers who understand their business, but may not understand the psychology of their consumers. If the UX is poor, the company will have fewer customers and less profits than it may deserve. On top of this, the engineers who developed the CIAM (which at its simplest is an online user registration and data collection form feeding a hashed database) must then integrate the database with other databases within the company for its other business purposes.

This is the problem that Strivacity seeks to solve. “Business shouldn’t be forced to choose between providing a great customer journey and keeping data secure,” said Keith Graham, CEO of Strivacity. “Customers have more choices today than ever before, and they expect the brands they interact with to provide great service and safeguard their personal information. Strivacity adds secure CIAM capabilities to your online properties fast so you can grow your revenue, stay compliant with fast-changing privacy regulations and personalize your service thanks to the insights you’ll get into how customers interact with you.”

Data collected at user registration is sent to the cloud. Each customer has its own isolated area in the Strivacity Fusion cloud service. "It's a bit like having your own private cloud to hold your data – we call it 'isolation by design'," Graham told SecurityWeek. One obvious reason for this is to retain strict privacy of customer data – but it also minimizes the blast radius should any customer be breached (attackers cannot pivot from one customer to another).

The data stored by Strivacity is always encrypted while at rest. It can be temporarily decrypted by the customer for processing on demand. The encryption key is generated by Strivacity and stored on AWS.

There are additional advantages to the Strivacity process that help customers ensure data protection compliance. Consumer consent management is one of these. "We are not a consent management platform," said Graham, "but we do provide a comprehensive consent management capability," including the storage of consent receipts. These consents can be granular, so the consumer could consent to local analytics, but decline the data being sold on.

A second could be a simplified approach to ensuring the 'right to be forgotten'; that is the right for consumers to demand that any personal information is deleted. Strivacity seeks to provide the single source of truth where PII is stored only within the Strivacity cloud. The customers still own the data and can process it (or download it) at will. But consider a data analytics requirement from the marketing department. The PII can be analyzed, but only the results need to be stored on premise. The PII remains within the Strivacity source of truth. Since there is only one source of the PII, individual records can be easily discovered and deleted to satisfy RTBF.

“We believe that brands shouldn’t be forced to choose between providing a great customer journey and keeping their data secure. And they also shouldn’t have to hire an army of developers or consultants to get the outcome they want,” writes Graham in an accompanying blog.

Strivacity was founded in June 2019 by Keith Graham (CEO) and Stephen Cox (CTO).

Related: The Great Analyst Debate Over Consumer IAM

Related: Akamai Acquires Identity Management Firm Janrain

Related: How Security can Drive Business Competitiveness

view counter
Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.