Chief information security officers cite trust as the most important value attribute they can deliver to their organizations. And when it comes to security, identity is the new attack surface. As such, identity and access management continue to be the top priority among technology decision makers. It also happens to be one of the most challenging and complicated areas of the cyber security landscape. Okta, a leader in the identity space, has announced its intent to converge privilege access and identity governance in an effort to simplify the landscape and reimagine identity. Our research shows that interest in this type of consolidation is high, but organizations believe technical debt, compatibility issues, expense and lack of talent are barriers to reaching cyber nirvana with their evolving zero trust networks.
In this Breaking Analysis, we explore the complex and evolving world of identity access and privileged account management, with an assessment of Okta’s market expansion aspirations, fresh data from ETR and input from Erik Bradley.
Identity is Fundamental to Digital Transformations
The pandemic accelerated digital transformation and digital raises the stakes in cybersecurity. We’ve covered this extensively but today we’re going to drill into identity which is one of the hardest nuts to crack in security. If hackers can steal someone’s identity, they can penetrate networks. If that someone has privileged access to databases, financial information, HR systems, transaction systems, the backup corpus…well you get the point.
There are many bespoke tools to support a comprehensive identity access management and privileged access system. Single sign on, identity aggregation, deduplication of identities, identity creation, governance, group management to name several. Many of these tools are open source. So you have lots of vendors, lots of different systems and often many dashboards to scan.
Practitioners tell us that it’s the “paper cuts” that kill them. Meaning small things like patches that aren’t applied, open ports or orphaned profiles that aren’t disabled. They’d love to have a single dashboard but it’s often not practical for large organizations because of the sprawling nature of the tooling and skills to manage them.
Adding to the complexity, many organizations have different identity systems for privileged accounts, the general employee population and customer identity. For example, around 50% of ETR respondents in a recent survey use different systems for workforce identity and consumer identity.
This is often done because the consumer identity is a totally different journey – the consumer is out in the wild and takes an unknown, non-linear path…and then enters the known inside a brand’s domain. The employee identity journey is known throughout. From onboarding, to increasing responsibilities and access to off-boarding. Privilege access may have different attributes – like no email and/or no shared credentials. And we haven’t even touched on the other identity consumers in the ecosystem like selling partners, suppliers, machines, etc.
Like I said – it’s complicated. And meeting the needs of auditors is stressful and expensive for CISOs. Open chest wounds such as sloppy histories of privileged access approvals, obvious role conflicts, missing data, inconsistent application of policy and the list goes on. The expense of securing digital operations goes well beyond the software and hardware acquisition costs.
So there’s a real need and often desire to converge these systems but technical debt makes it difficult. Companies have spent a lot of time, effort and money on their identity systems and they can’t justify rip and replace. So they often build by integrating piece parts or they add on to their quasi-integrated, monolithic system.
And then there’s the zero trust concept. It means different things to different people, but folks are asking: if I have zero trust, does it eliminate the need for identity? And what does that mean for my architecture going forward?
Let’s take a snapshot of some of the key players in identity and PAM.
Below is an XY graph that shows Net Score or spending momentum on the vertical axis and Market Share or presence in the ETR data set on the horizontal axis. Note the chart insert which shows the actual data for Net Score and Shared N, which informs the position of the plot.
The red dotted line indicates an elevated level. Anything over that 40% mark we consider the strongest spending velocity. In this subset of vendors, chosen to represent identity, you can see six are above that 40% mark, including Zscaler, which tops the chart, and Okta, which has been at or near the top for several quarters. Note: There’s an argument to be made that Okta and Zscaler are on a collision course as Okta expands its TAM, but let’s just park that thought for a moment.
You see Microsoft with a highly elevated spending score AND a massive presence on the horizontal axis, CyberArk and SailPoint, which Okta is now aiming to disrupt; and Auth0, which Okta officially acquired in May of this year. More on that later.
Below that 40% mark you can see Cisco, which has largely acquired companies in order to build its security portfolio – for example Duo, which focuses on access and multi-factor authentication. Now a word of clarification: Cisco and Microsoft in particular are overstated on the horizontal axis because this includes their entire portfolio of security products, whereas the others are more closely aligned as pure plays in identity and privileged access.
ThycoticCentrify is pretty close to that 40% mark and came about as the result of the two companies merging in April of this year…more evidence of consolidation in this space. BeyondTrust is close to the red line as well, which is interesting because this is a company whose roots go back to the VAX/VMS days in the mid-1980s (Google it if you’re under 40 years old) and the company has evolved to provide more modern PAM solutions.
Ping Identity is also notable in that it emerged after the dotcom bust as an identity solution provider of SSO and MFA solutions. It IPO’d in the second half of 2019 prior to the pandemic and has a $2B market cap, down from its highs of around $3B earlier this year and last summer. Like many of the remote work stocks they’ve bounced around as the reopening trade and lofty valuations have weighed on many of these names including Okta and SailPoint. Although CyberArk acted well after its August 12 earnings call as its revenue growth about doubled year on year.
So it’s a hot space, and a big theme this year is Okta’s acquisition of Auth0 and its announcements at Oktane 2021, where it entered the PAM market and set out its thrust to converge its platform around PAM and identity governance and administration. We spoke earlier this week with Diya Jolly, the Chief Product Officer at Okta, and will share some of her thoughts later in this segment.
CISOs Desire a Single Dashboard
The data below is from a recent ETR drill down study asking organizations how important is it to have a single dashboard for access management, identity governance and privileged access. This goes directly to Okta’s strategy that it announced this year at its Oktane user conference. Basically 80% of the respondents want this. No surprise.
Complexity is a Cry for Convergence
Staying on this theme of convergence for a moment, ETR asked security pros if they thought convergence between access management and identity governance would occur within the next three years.
As you can see above, 89% believe this is going to happen – strongly agree or somewhat agree. It’s almost as though the CISOs are willing this to occur. And this seemingly bodes well for Okta, which in April announced its intent to converge PAM & IGA. Okta’s Diya Jolly stressed to us that this move was in response to customer demand and this chart confirms that. But there’s a deeper analysis worth exploring.
Commoditization of SSO & MFA Necessitates Expansion
The traditional tools of identity, single sign on (SSO) and multi-factor authentication (MFA), are being commoditized. The most obvious example is OAuth or Open Authorization – log in with Twitter, Google, LinkedIn, Amazon or Facebook. Today, Okta has around a $35B market cap, off from its highs which were well over $40B earlier this year. Okta’s stated total addressable market has been around $55B. So CEO Todd McKinnon had to initiate a TAM expansion play, which this move puts in motion. It increases the company’s TAM by $20-$30B in our view. Moreover, the top criticism of Okta is “your price is too high” – a good problem to have, we’d say.
Regardless, Okta has to think about adding more value to its customers and prospects and this move both expands its TAM and supports a longer term vision to enable a secure, user controlled, ubiquitous digital identity. Supporting federated users and data in a centralized system.
The other thing Jolly stressed to us is that Okta is heavily focused on the user experience, making it simple and consumer-grade easy. At Oktane ‘21, she gave a keynote laying out the company’s vision and it was a compelling presentation designed to show how complex the problem is and how Okta plans to simplify the experience for end users, service providers, brands and the technical community; across the entire ecosystem. Essentially a one stop shop for identity.
The Journey to Convergence is not Trivial
There are many challenges Okta faces so let’s dig into that a bit. Zero Trust has been the buzzword and it’s a direction the industry is moving towards; although there are skeptics. Zero trust is aspirational today. It essentially says you don’t trust any user or device and the system can ensure the right people or machines have the proper level of access to the resources they need, all the time…with a fantastic user experience. So you can see why we called this nirvana earlier. In previous Breaking Analysis segments we’ve laid out a map for protecting your digital identity, your passwords, crypto wallets, how to create air gaps – it’s a bloody mess.
ETR asked security pros, shown in the chart above, if they thought a hybrid of access management and zero trust network could replace their PAM system. Because if you can achieve zero trust in a world with no shared credentials and real time access – a direction which Diya Jolly clearly told us Okta is headed – then in theory you can eliminate the need for privileged access management. Another way of looking at this is you do for every user what you do for PAM. And that’s how you achieve zero trust.
But you can see from this picture that there’s more uncertainty here with nearly 50% of the sample not in agreement that this is achievable. Practitioners in Erik Bradley’s roundtables tell us that you’ll still need the PAM system to do things like session auditing and credential check outs but much of the PAM functionality could be handled by zero trust in our view.
Rip and Replace is not an Option
ETR then asked the security pros how difficult it would be to replace their PAM systems and this is where it gets interesting.
You can see by this picture above that the enthusiasm wanes quite a bit when the practitioners consider the challenges of replacing privileged access systems with a new hybrid. Only 20% of the respondents see this as something that is easy to do – likely because they are smaller and don’t have a ton of technical debt.
What are the Business and Technical Barriers to Replacing PAM Systems?
Below is a chart that shows the blockers. 53% say gaps in capabilities, 26% say there’s no clear ROI – i.e. too expensive and 11% interestingly said they want to stay with best of breed solutions, handling much of the integration of bespoke capabilities on their own presumably. Speaking with Erik Bradley, he shared that there’s concern about rip and replace and the ability to justify that internally. There’s also a significant build up in technical debt.
One CISO on an Erik Bradley ETR Insights panel explained that the big challenge Okta will face here is the inertia of entrenched systems from the likes of SailPoint, Thycotic and others. Specifically, these companies have more mature stacks and have built in connectors to legacy systems over many years. And processes are wired to these systems and will be very difficult to change.
Another practitioner told us that he went with SailPoint almost exclusively because of their ability to interface with SAP. Further he said that he believed Okta would be great at connecting to other cloud API-enabled systems but there’s a large market of legacy systems for which Okta would have to build custom integrations.
Another said, “We’re not implementing Okta but we strongly considered it.” The reason they didn’t go with Okta was that the company had a lot of on-prem legacy apps, so they went with Microsoft Identity Manager – but it didn’t meet the grade because the user experience was sub par. So they’re searching again for a solution that can be good at both cloud and on-prem.
A fourth CISO, at a large financial services company, said “I’ve spent a lot of money writing custom connectors to SailPoint. A lot of money. So who is going to write those custom connectors for me? Will Okta do it for free? I just don’t see that happening.” Further this individual said “It’s just not going to be an easy switch…and to be clear, SailPoint is not our PAM solution, that’s why we’re looking at CyberArk.” So the complexity and fragmentation continues and we actually see this as a positive trend for Okta if it can converge these capabilities.
We questioned Okta’s Diya Jolly on these challenges and the difficulties of replacing the more mature stacks of competitors. She admitted that this was a real issue but her answer was that Okta is betting on the future of microservices and cloud disruption. Her premise is that Okta’s platform is better suited for the new application environment and they are essentially betting on organizations modernizing their application portfolios. Okta believes that will ultimately be a tailwind for the company.
Best-of-Breed, Incumbent or Best Value?
Let’s now look at the age old question of best-of-breed versus incumbent/integrated suite.
ETR in its drill down study asked customers: when thinking about identity and access management solutions, do you prefer best-of-breed, an incumbent that you’re already using, or the most cost efficient solution?
The respondents were asked to force rank 1, 2, 3. And you can see above, incumbent just edged out best-of-breed with a 2.2 score versus a 2.1, with the most cost effective choice at 1.7.
Now overall we would say this is good news for Okta. Yes, they face the big migration issues we brought up earlier, but as digital transformations lead to modernizing much of the application portfolio with containers and microservices layers, Okta will be in a position to pick up much of this business – assuming it stays paranoid and continues to innovate.
And to the point earlier where the CISO told us they’re going to use both SailPoint and CyberArk…when ETR asked practitioners which vendors are in the best position to benefit from the zero trust trend…the answers were, not surprisingly, all over the place. Lots of Okta and Zscaler (there’s that collision course). But plenty of SailPoint, Palo Alto, Microsoft, Netskope, Thycotic, Cisco…all over the map.
Customers Plan to Evaluate Okta’s Converged Offerings
Let’s now look specifically at how practitioners are thinking about Okta’s latest announcements.
The chart above shows the results of the question: Are you planning to evaluate Okta’s recently announced identity governance and PAM offerings?
Forty-five to nearly 50% of the respondents either were already using or plan to evaluate Okta in this context with just around 40% saying they had no plans to evaluate. We see this data as positive for Okta because a huge portion of the market will take a look at what Okta’s doing. Combined with the underlying trends we shared earlier related to the need for convergence this is goodness for the company.
Even if the blockers are too severe to overcome in the near term, Okta is on the radar of most companies and as with the Microsoft MIM example, the company will be seen as increasingly strategic and could get another bite at the apple.
Moreover, Okta’s acquisition of Auth0 is strategically important. One of the other things Jolly told us is they see initiatives having two distinct starting points. On the one side, devs initiate and then hand to IT to implement. The reverse is also common, where IT is the starting point and then goes to devs to productize the effort. The Auth0 acquisition gives Okta plays in both games.
The effects of the Auth0 acquisition are somewhat counterpoised. On the one hand, when you talk to practitioners, they’re excited about the joint capabilities and the gaps that Auth0 fills. On the other hand, it takes out one of Okta’s main competitors. And customers like competition because it accelerates innovation and gives pricing leverage to buyers.
We look at it this way. Many enterprises will spend more money to save time and that’s where Okta has traditionally been strong. Other enterprises look at the price tag of an Okta and they have development capabilities, so they prefer to spend engineering time to save money. That’s where Auth0 has seen momentum.
Now, Todd McKinnon and company can have it both ways. If the price of Okta classic is too high, here’s a lower cost solution with Auth0 that can save you money (if you have the developer talent and they have the time). It’s a compelling advantage for Okta despite the perceived downside from less competition.
Architecting Zero Trust is a Big Effort
The road to zero trust networks is long and arduous. The goal is to understand, support and enable access for different roles safely & securely across an ecosystem of consumers, employees, partners and suppliers. You’ve got to simplify the user experience; today’s kludge of password management and security exposures just won’t cut it in a digital future.
Supporting users in a decentralized, no perimeter world is compulsory but you must have federated governance.
There will always be room for specialists in this space, especially for industry-specific solutions – e.g. within healthcare, education or government.
Hybrids are the reality for companies that have any substantive legacy apps on prem.
Okta has put itself in a leadership position but is not alone. Complexity and fragmentation will likely remain. This is a highly competitive market with lots of barriers to entry, which is both good and bad for Okta. On the one hand disrupting incumbents will not be easy. On the other hand, Okta is scaling and growing rapidly – almost 50% per annum. With its convergence agenda and Auth0 acquisition, it can build a nice moat to its business and keep others out.
The vision is pretty clear. Next up…execution.
Keep in Touch
Remember these episodes are all available as podcasts wherever you listen.
Email david.vellante@siliconangle.com | DM @dvellante on Twitter | Comment on our LinkedIn posts.
Also, check out this ETR Tutorial we created, which explains the spending methodology in more detail.
Note: ETR is a separate company from Wikibon/SiliconANGLE. If you would like to cite or republish any of the company’s data, or inquire about its services, please contact ETR at legal@etr.ai.