Knowing Your Customer
Telepocalypse has a post on customer relationship management:
The four key axes are as follows:
1. How do we locate this customer? You dont know someone unless you can ask for data that uniquely differentiates them from everyone else. This includes the obvious things like account numbers and login user names. It also includes those profile fields that you use to search for individual customers: name, address, social security number, etc.
2. How do we authenticate this customer? You dont know them if someone else can act as an impostor.
3. What are they authorized to do? You dont know someone unless you place appropriate bounds on their capabilities. (Is it safe to give someone a pair of scissors? Only if you know they arent a young child or a psychopath.) You cant protect your customers privacy either unless you constrain what other customers can see and do.
4. How else do we know this customer? Your customer may subscribe to multiple products that you offer. You dont know your customer until you get a complete picture of their portfolio of relationships with you.
None of these activities is trivial. Coordination of the policies on data collection procedures and storage formats is a lot of effort. Federated authentication is not easy to retro-fit into an operating company; too many legacy IT systems and incompatible security profiles. Getting the permission of customers to do things is a pain. Accurately matching multiple customer records is really hard.