Protecting Customer Identity and Access Management (CIAM) services against online threats should be top of mind for CISOs, IT administrators and business line managers. However, doing so is messy, not only because your applications are likely to be exposed to large-scale internet attacks, but also because of the ins and outs of managing customers’ identities. Consumers are a varied group and automatically distinguishing between a confused user and an advanced attacker is not straightforward. Securing your customers’ identities is made more difficult by the industry-wide failure to protect data. The prevalence of breached passwords and the availability of automated attack tools makes the humble password a protective measure from the past. We’re also in a time of transition where traditional enterprises are starting to look more like a set of consumer-facing applications, which means enterprises don’t have the luxury of ignoring CIAM’s security problems.