Cloud computing has resulted in an explosion in the number of applications an average employee uses on a daily basis. And for convenience, the same login credentials are often used across a suite of applications. This presents an attractive ROI for bad actors looking for opportunities to penetrate an org's systems and gain access to valuable data. If they can acquire somebody's user credentials, then it opens the door to many applications, and from there they have a vantage point to traverse across an org's systems.
Stealing credentials is also a great alternative attack strategy because the bad actor can avoid trying to pass high-quality security defenses, such as firewalls and IDS (Intrusion Detection System), and move around IT systems like a legitimate user.
The attractive ROI of stealing credentials, and the increasing dispersion of workforces and IT environments, has brought more security solutions focused on user and machine identity to the fore. If environments have become highly distributive and dynamic, then centralized and static security defenses are no longer viable. Instead, orgs need a bigger emphasis on validating the user/machine identity as they attempt to connect with resources. If orgs get good at doing this, then the fluid nature of modern orgs can still be secured.
Apart from the effectiveness in thwarting hacker attempts to gain valuable access, focusing on identity also bridges security and productivity. Requiring users to login every time slows down productivity. More sophisticated software that adds context to user credentials (device status, location, time, previous activity, etc.) can therefore safely grant a level of access while avoiding the degradation of user experience and org productivity via multiple logins.
The enterprise identity market can be divided into IAM (Identity & Access Management), PAM (Privilege Access Management), IGA (Identity Governance & Administration), and CIAM (Customer Identity & Access Management).
IAM is about granting users varying levels of access to applications in a secure and productive way, utilizing SSO (Single Sign-On) technology. PAM is concerned with managing privileged employees (IT admins, financial officers, HR personnel, etc.) and their access to critical systems. IGA entails the management of application/system access and authorization of employees throughout their tenure at an org. And CIAM is the newest market that enables orgs to provide secure and seamless authentication and authorization experiences to their customers (B2B and B2C). The concept of building security around user/machine identities has also spawned innovation in closely adjacent areas, such as ZTA (Zero Trust Access), CIEM (Cloud Infrastructure Entitlement Management), and microsegmentation.
We view Okta (OKTA) as the most attractive long-term investment in this landscape. They are a cloud-native vendor that has taken full advantage of the cloud to deliver frictionless org onboarding, and secure and seamless user experiences with their flagship IAM product. More recently, they've ventured into PAM and IGA to take on legacy incumbents with cloud-native alternatives, which we think will prove to be superior and be reflected in market share gains over time. And they have also made bold moves into CIAM to help orgs' developers incorporate slick authentication/authorization functionality into their apps - something that is very challenging even for the most adept developers.
We also believe that better identity governance is one of the major use cases for blockchain technologies. Using blockchains to verify identity and provide access to ID documentation has the potential to transform industries such as travel, real estate, healthcare, government services, and anything involving financial services. It is a huge innovation space that will unlock huge global economic value.
On the whole, identity-based solutions offer tremendous value in regards to security, productivity, and governance. Though, there is a long journey ahead before this area reaches its potential.
For institutional investors (public and private), on request, we can do tailored research for your requirements. For all types of investors, here are individual reports you can purchase related to identity-related security:
For institutional inquiries, or to pay for individual (a' la carte) reports, please click Subscribe for more information. From there you can also sign up as Premium subscriber if you wish to.
Okta: Defining an Industry (June 2021) - $50
Some Thoughts on Blockchain (April 2022) - $50
Major Tech Trends (July 2022) - $50
Tailored research requests - price negotiable