CIAM at Scale: 3 Architectural Principles That Prevent Failure
by Marc de Haas on Feb 10, 2026 4:38:17 PM
When customer identity works well, nobody notices. Logins succeed, sessions stay active, consent is respected, and traffic spikes pass without incident. That invisibility is not accidental. It is the result of deliberate architectural choices made long before customers ever click "log in".
Customer identity and access management sits at an uncomfortable intersection. It touches revenue, customer experience, privacy, and security, yet it is often treated as plumbing or delegated to a black box provider.
But CIAM is not a UX feature. And it’s not just a tooling choice.
It’s a platform decision.
So What Does “Good CIAM” Actually Look Like?
When authentication simply works, it is not luck. It is design. Organisations that scale successfully tend to follow the same three principles.
1. Treat Identity as Core Infrastructure
Strong CIAM starts with ownership. Identity is treated as a shared platform capability, not a feature embedded differently in every product or channel.
This means:
- Centralised authentication and authorisation
- A single source of truth for customer identity and consent
- A unified API layer to validate tokens and enforce policy consistently
Owning the identity layer creates clear boundaries. Application teams do not need to reimplement security logic. Architects gain visibility and control. Over time, this reduces duplication, risk, and decision fatigue across the organisation.
For architects, this is about clean contracts and discoverability. For data leaders, it is about governance without constant intervention.
2. Design for Peaks, Not Averages
Login traffic is never linear. A promo drops, an email campaign goes out, or a mobile app update rolls out, and suddenly your authentication workload multiplies. Systems that are built for average load fall apart in these moments.

Modern CIAM platforms are designed on elastic infrastructure with autoscaling and multi-regional deployment. They absorb spikes without manual tuning or emergency fixes.
The operational payoff is significant:
- No firefighting during launches
- No emergency throttling or feature rollbacks
- Predictable performance even under stress
Designing for peaks is not about overengineering. It is about removing a known failure mode before it shows up in production.
3. Invisible Security Builds Real Trust
The best security systems disappear into the background. Customers do not see token validation, rate limiting, identity federation, or threat detection. They see fast logins and consistent access.
Behind the scenes, modern CIAM combines:
- Continuous token validation
- Threat intelligence and request filtering
- Managed secrets and policy enforcement
Why Change What Already Works?
Many companies still rely on legacy authentication providers or systems that no longer scale with their digital growth. Common problems include rising costs, limited flexibility, and slow adaptability when new channels or integrations are needed.
At this point, identity is no longer neutral infrastructure. It becomes a growth blocker, affecting product velocity and operational stability. Modernising CIAM is rarely about chasing innovation, but about removing friction from the rest of the stack.
The Rituals Example: Big Change, Zero Disruptions
Rituals Cosmetics faced a forced decision. Their existing identity provider was becoming more expensive every year and was heading toward shutdown. Scalability limits were already visible, and staying put was not an option.
Together with Crystalloids, Rituals migrated over 30 million customer identities to Google Identity Platform, building a secure, multi-regional CIAM foundation fully integrated with their broader Google Cloud environment.
The scope was significant. Webshop, mobile app, in store systems, and supporting services were all affected. Yet from a customer perspective, nothing changed. Logins continued as usual.
Behind the scenes, the impact was measurable:
- API response times dropped from seconds to under 200 milliseconds
- Every request and ID token is now validated through Apigee
- Cloud Armor provides additional protection against external threats
- Operational costs were reduced by removing the legacy provider
- Full control over identity strategy was restored
Most importantly, a critical dependency was removed without destabilising the system. What appears as business as usual is the result of a deliberate architectural overhaul underneath.
When Identity Stops Being a Risk
When identity is stable and invisible, product teams move faster, architects avoid rework, and data leaders spend less time managing risk reactively.
With Google technology at the core and Crystalloids guiding the implementation, organisations can modernise authentication without disrupting what already works. That is the real power of business as usual.



