Contact

Menu

Article

Identity and Access Management: Guardians of the digital front door

The evolving threat environment and the ongoing digitization of our society make Identity and Access Management (IAM) a central component of any IT security architecture. The market for IT security is an attractive multiyear secular growth theme, therefore Credit Suisse Asset Management is invested in leading companies in the field of IAM.

January 10, 2023

Dr. Patrick Kolb

Senior Portfolio Manager, Credit Suisse Asset Management Thematic Equities

 Identity and Access Management

The first types of Identity and Access Management (IAM) were introduced in the early 1960, when Fernando Corbato, an American Computer Scientist and Professor at the Massachusetts Institute of Technology (MIT), created the use of passwords for securing computer files1.

In the last couple of decades the IAM marketspace had evolved and witnessed a significant change: Originally identity management solutions were solely built for internal use by employees. As organizations grew in size and complexity, an increasing number of people and devices were assigned across networks to authenticate and verify their identities and access privileges. In addition, due to the COVID-19 pandemic remote working accelerated this trend. This only increases the need of the right tools to ensure that the right people have the right access to the right systems at the right time. Nowadays identity security has become the digital front door to the IT networks, spanning across users, devices, applications and infrastructure.

In this Thematic Insight we elaborate about Identity and Access Management, its market potential, a cost analysis cloud versus on-prem and we finalize with a conclusion.

What is Identity and Access Management (IAM)?

Identity and Access Management is the framework of business processes, policies and technologies that makes it possible for the right entities (such as people or things, e.g. servers) to use the right resources (applications or data) when they need to, without interference, using the devices they want to use. IAM systems can be deployed on premises, or be provided by a 3rd party vendor using a cloud based subscription (SaaS) or be deployed in a hybrid mode. 

Identity is the number one attack vector for cyber criminals, according to a couple of statistics:

  • 80% of data breaches in the financial industry leverage compromised credentials to gain access to digital assets2.
  • Over 94% of all organizations have experienced a breach that stems from poor identity security3.
  • 79% of organizations experienced an identity-related security breach in the last two years4.

Cyber threats are evolving at a rapid rate, becoming faster and more complex. According to CrowdStrike, a US IT security company, criminal breakout time, which is the time it takes for cyber criminals to break into a network and access data, shortened from 9h 42min in 2018 to 1h 38min in 2022, a fivefold reduction in time to access critical assets and infrastructure5.

Historically, enterprises used a so-called “castle and moat approach”. It assumes that all security threats come from outside an organization and “traditional” firewalls are enough to secure the IT infrastructure of a company or a government entity. In today‘s digital world this approach is no longer effective in a location-agnostic world. Nowadays IT infrastructures extend far beyond the walls of buildings across applications, data centers, users and devices. The COVID-19 pandemic has only accelerated this trend, working from home is a reality. As a result, the digital ecosystems became more complex, the number of digital identities is growing exponentially. Each external connection to an IT network needs a digital identity, whether it is an application, a server, a user or a device. Unfortunately, this widens the potential attack vector for cyber criminals as there are more entry points to the network, which is presenting an ongoing challenge for IT Security.

Most common cyber attacks are happening in form of phishing, malware, credential stuffing or privilege abuse6. As a counter measure, enterprises are adopting a zero trust network framework, which assumes that nobody, not even an internal user, can be trusted and each user must be authenticated, authorized and continuously assessed before gaining access to data or application. As a result, IAM acts as the core entry point to the network, verifying and providing access to users, devices and applications. To this end, IAM solutions aid in the authentication, authorization, administration, analysis, and audit.

The market for Identity and Access Management

According to Jefferies, an investment bank, the market for Identity and Access Management, which consists of five segments Access Management / Single Sign-on (SSO), Advanced Authentication, Privilege Access Management (PAM), Identity Governance and Administration (IGA) and Customer Identity and Access Management (CIAM), is projected to grow from USD 20.1bn in 2021 to USD 37.4bn in 2025 at a compound annual growth rate (CAGR) of 15.7%. CIAM is poised to see the strongest acceleration of growth with a CAGR of 26.5%, PAM, Advanced Authentication, IGA and Access Management / SSO have an expected CAGR of 16.0%, 15.3%, 9.9% and 5.2% respectively7.

Exhibit 1: The Market for Identity and Access Management (in billion USD)

Exhibit 1: The Market for Identity and Access Management (in billion USD)

To the extent that these materials contain statements about the future, such statements are forward looking and are subject to a number of risks and uncertainties and are not a guarantee of future results/performance.
Source: Jefferies (2022): Okta, initiation report, equity research, Sept. 15th 2022, p. 13.

The market for IAM represents around 10% of the total spending for IT security8. Its strong growth is driven by the ongoing digitization of our society and the transition to the cloud. We think the IAM market is forecasted to outperform the overall market for IT security in the next couple of years, mainly driven by the rising number of users, applications and devices attempting to access the network. In addition, the shift to Zero Trust also continues to be a growth driver for IAM. In addition, we think there might be three possible restraints on growth:

  • As the economy slows, enterprises might scale back their IT security budget.
  • There might be a limited prioritization from Chief Information Security Officers (CISOs) that IAM solutions are not a top priority, which could limit the forecasted growth rates.
  • And finally commoditization is accelerating among authentication, which could pressure pricing.

The IAM market is largely driven by the growth of cloud adoption, at cost of the legacy on-premise vendors which in our view are at risk of losing market share. The main reason for this market share shift are the following:

  • Modern cloud-based solutions centralize and automate IAM by applying uniform policies across the entire digital ecosystems, rather than having IT teams manually provision each new connection to the network.
  • IAM solutions are able to automatically on-board and off-board users.
  • Through automation they also provide cost savings and efficiencies to IT teams.

Exhibit 2 shows an example of a Total Cost of Ownership comparison (TCO) of traditional IAM on-premise software solution versus an IAM cloud delivered software solution for a mid-sized company (5’000 users). This includes the technology portion (at a similar cost level, whether it is delivered in a cloud or on-premise module). However, adding implementation experts, service & maintenance, software updates and provisioning could inflate the costs over five years9.

Exhibit 2: Total Cost of Ownership comparison of traditional IAM on-premise approach versus IAM cloud approach (in USD)

Exhibit 2: Total Cost of Ownership comparison of traditional IAM on-premise approach versus IAM cloud approach (in USD)

Source: Identropy (2013): IDaaS for Dummies, 2013, John Wiley & Sons, Hoboken, NJ, p. 30. Despite the fact that this TCO calculation example was published several years ago, newer publications are showing similar cost benefits. To interested readers we are recommending as examples the TCO analysis mentioned in the footnote10.

Exhibit 2 shows that an IAM cloud approach is in terms of total cost of ownership more attractive than a traditional on-premise approach. Main reasons are that cloud solutions neither require the purchase of specialized hardware nor dedicated implementation and operations teams as they are managed by the IAM provider. In addition, cloud solutions leverage the shared hardware and operations staff from the cloud model to pass along cost savings from economies of scale to the customer. Furthermore, because cloud delivered IAM solutions are software-based, there is no need for the enterprise to undertake hardware refreshes every 4-5 years and payments are done on a pay-per-use model, which makes scaling up or down much easier.

The transition from on-premise to cloud-based IAM solutions has been significant over the last few years, driven by scalability, flexibility, efficiency and cost savings. In general we believe this trend is only going to accelerate, reaching roughly 65% penetration by 2025 according to IDC forecasts, while for on-premise deployments we think they might decelerate11.

Se­cu­ri­ty and Safe­ty

The security space is evolving fast. Providers with an acute awareness of the international scope and technological dimensions of security today are redefining the industry and growing their market share.

Conclusion

Investment possibilities

Find investment products that suit your personal needs. Choose from our extensive range of investment solutions across all major asset classes, and access all product-related information.

You can also follow a fund and receive the monthly factsheet quickly and easily.

fundsearch-fund-updates-newsletter2.jpg

Get in touch with Asset Management

Contact us to learn about exciting investment opportunities. We are here to help you achieve your investment goals.

To the extent that these materials contain statements about the future, such statements are forward looking and are subject to a number of risks and uncertainties and are not a guarantee of future results/performance.

The individuals mentioned above only conduct regulated activities in the jurisdiction(s) where they are properly licensed, where relevant.
1 Source: The Wall Street Journal (2014): Despite Data Thefts, the Password Endures, in: The Wall Street Journal, May 21st 2014.
2 Source: VansonBourne/HYPR (2022): The State of Authentication in the Finance Industry, survey, p. 5, URL: https://get.hypr.com/hubfs/DL%20Assets/State-of-Authentication-in-Finance-Industry-2022.pdf, 25.9.2022.
3 Source: Egress (2021): Insider Breach Data Survey, p. 5, URL: https://www.egress.com/media/4kqhlafh/egress-insider-data-breach-survey-2021.pdf, 25.9.2022.
4 Source: The Identity Defined Security Alliance (IDSA) (2020): Identity Security: A Work in Progress, media release, URL: https://www.idsalliance.org/press-release/79-of-organizations-have-experienced-an-identity-related-security-breach-in-the-last-two-years-according-to-new-identity-defined-security-alliance-study/, 25.9.2022.
5 Source: CrowdStrike (2022): The CrowdStrike 2022 Global Threat Report, p. 8, URL: https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2022GTR.pdf, 25.9.2022.
6 Source: Source: VansonBourne/HYPR (2022): The State of Authentication in the Finance Industry, survey, p. 7, URL: https://get.hypr.com/hubfs/DL%20Assets/State-of-Authentication-in-Finance-Industry-2022.pdf, 25.9.2022.
7 Source: Jefferies (2022): Okta, initiation report, equity research, Sept. 15th 2022, p. 13.
8 Source: Oppenheimer (2022): Cybersecurity Primer 1.0, industry report, April 18th 2022, p. 15.
9 Source: Identropy (2013): IDaaS for Dummies, 2013, John Wiley & Sons, Hoboken, NJ, p. 30. 
10 Below two recommended studies for further readings:

11 Source: IDC (2021): IDC forecasts worldwide "Whole Cloud" spending to reach USD 1.3 trillion by 2025, URL: https://www.idc.com/getdoc.jsp?containerId=prUS48208321, 28.9.2022.

To the extent that these materials contain statements about the future, such statements are forward looking and are subject to a number of risks and uncertainties and are not a guarantee of future results/performance.

Fund Facts

Credit Suisse (Lux) Security Equity Fund
Fund domicile
Luxembourg Benchmark MSCI World ESG Leaders (NR)1
Fund management Credit Suisse Fund Management S.A. Inception date 02.05.20132
Portfolio manager Dr. Patrick Kolb Subscriptions/redemptions Daily, with cut-off at 15:00 CET
Fund currency USD Sales charge Max. 5.00%
Currency-hedged share classes EUR, CHF Single Swing Pricing (SSP)3 Yes
Share class
ISIN Effective
management
fee p.a.4

Ongoing charge Minimum investment
USD B / USD A
LU0909471251 / LU1561147585 1.60% 1.85% None
USD IB LU0971623524 0.90% 1.15% USD 500,000
USD UB / USD UA6
LU1144416432 / LU1557207195
1.00% 1.25% None
USD EB5 LU1042675485 0.90% 1.10% None
EUR A LU2042518436 1.60% 1.85% None
EUR BH / EUR AH LU0909472069 / LU1584043118 1.60% 1.93% None
EUR IBH LU1644458793 0.90% 1.23% EUR 500,000
EUR UBH6 LU1144416606 1.00% 1.33% None
EUR EBH5 LU1575200081 0.90% 1.19% None
EUR MBH5 LU1692472852 0.70% 0.99% EUR 25,000,000
CHF BH LU0909471681 1.60% 1.93% None
CHF IBH LU1457602594 0.90% 1.23% CHF 500,000
CHF UBH6 LU1144416515 1.00% 1.33% None
CHF EBH5 LU1886389292 0.90% 1.19% None

1 While this index is officially designated as the fund's benchmark, it is not applied as such during the investment process and the fund portfolio need not bear any resemblance to it. From 01.08.2019, MSCI World ESG Leaders (NR) before MSCI World (NR).
2 The fund was originally launched on 19.10.2006 as a FCP (fonds commun de placement).
3 SSP is a method used to calculate the net asset value (NAV) of a fund, which aims to protect existing investors from bearing indirect transaction costs triggered by in- and outgoing investors. The NAV is adjusted up in case of net inflows and down in case of net outflows on the respective valuation date. The adjustment in NAV might be subject to a net flow threshold. For further information, please consult the Sales Prospectus.
4 Management fee as of 30.11.2022. The fee may change at any time without prior notice to investors. For the maximum management fee, please refer to the fund’s prospectus.
5 For professional/institutional investors only. / 6 In Italy: For professional/institutional investors only.

The list of share classes is meant for illustrative purposes only. Please note that not all share classes may be available in your jurisdiction. Depending on your jurisdiction, additional share classes may also be available. Please contact your relationship manager for more information.

The Investment promoted in this marketing material concerns the acquisition of units or shares in a fund and not of any underlying assets. The underlying assets are owned by the fund only.

If the currency of a financial product and/or its costs is different from your reference currency, the return and cost may increase or decrease as a result of currency fluctuations.

The full offering documentations including complete information on risks may be obtained free of charge from Credit Suisse representative or where available via FundSearch (credit-suisse.com/fundsearch).

Fund Risks
Credit Suisse (Lux) Security Equity Fund

  • No capital protection: investors may lose part or all of their investment in this product.
  • Focus on security and safety companies can lead to significant sector/regional exposures.
  • Exposure to small and mid caps can result in higher short-term volatility and may carry liquidity risk.
  • Due to the possibility of increased exposure to the emerging markets the fund may be affected by political and economic risks in these countries.
  • Equity markets can be volatile, especially in the short term.

This material constitutes marketing material of Credit Suisse Group AG and/or its affiliates (hereafter "CS"). This marketing material is not a contractually binding document or an information document required by any legislative provision. Nothing in this material constitutes investment research or investment advice and may not be relied upon. It is not tailored to your individual circumstances, or otherwise constitutes a personal recommendation, and is not sufficient to take an investment decision. The information and views expressed herein are those of CS at the time of writing and are subject to change at any time without notice. They are derived from sources believed to be reliable. CS provides no guarantee with regard to the content and completeness of the information and where legally possible does not accept any liability for losses that might arise from making use of the information. If nothing is indicated to the contrary, all figures are unaudited. The information provided herein is for the exclusive use of the recipient. The information provided in this material may change after the date of this material without notice and CS has no obligation to update the information. This material may contain information that is licensed and/or protected under intellectual property rights of the licensors and property right holders. Nothing in this material shall be construed to impose any liability on the licensors or property right holders. Unauthorised copying of the information of the licensors or property right holders is strictly prohibited. The full offering documentation including, the prospectus or offering memorandum, the Key Investor Information Document (KIID), the Key Information Document (KID), the fund rules, as well as the annual and bi-annual reports ("Full offering documentation"), as the case may be, may be obtained free of charge in one of the languages listed below from the legal entity/entities indicated below and where available via FundSearch (credit-suisse.com/fundsearch). "Information on your local distributors, representatives, information agent, paying agent, if any, and your local contacts in respect of the investment product(s) can be found below. The only legally binding terms of any investment product described in this material, including risk considerations, objectives, charges and expenses are set forth in the prospectus, offering memorandum, subscription documents, fund contract and/or any other fund governing documents. For a full description of the features of the products mentioned in this material as well as a full description of the opportunities, risks, and costs associated with the respective products, please refer to the relevant underlying securities prospectuses, sales prospectuses, or other additional product documents, which we will be pleased to provide to you at any time upon request. The investment promoted in this marketing material concerns the acquisition of units or shares in a fund and not of any underlying assets. The underlying assets are owned by the fund only. This material may not be forwarded or distributed to any other person and may not be reproduced. Any forwarding, distribution or reproduction is unauthorized and may result in a violation of the U.S. Securities Act of 1933, as amended (the “Securities Act”). The securities referred to herein have not been, and will not be, registered under the Securities Act, or the securities laws of any states of the United States and, subject to certain exceptions, the securities may not be offered, pledged, sold or otherwise transferred within the United States or to, or for the benefit or account of, U.S. persons. In addition, there may be conflicts of interest with regard to the investment. In connection with the provision of services, Credit Suisse AG and/or its affiliates may pay third parties or receive from third parties, as part of their fee or otherwise, a one-time or recurring fee (e.g., issuing commissions, placement commissions or trailer fees). Prospective investors should independently and carefully assess (with their tax, legal and financial advisers) the specific risks described in available materials, and applicable legal, regulatory, credit, tax and accounting consequences prior to making any investment decision. The alternative investment fund manager or the (UCITS) management company, as applicable, may decide to terminate local arrangements for the marketing of the shares/units of a fund, including terminating registrations or notifications with the local supervisory authority. A summary of investor rights for investing into European Economic Area domiciled investment funds managed or sponsored by Credit Suisse Asset Management can be obtained in English via www.credit-suisse.com/am/regulatory-information, local laws relating to investor rights may apply. 

Distributor: Credit Suisse Fund Management S.A.1, 5 Rue Jean Monnet, L-2180 Luxembourg I Language versions available: German, English, and/or French I Supervisor (Entity of Registration): Commission de Surveillance du Secteur Financier (CSSF), 110 Route d’Arlon, L-1150 Luxembourg, Tel.: +352 2625 11, Fax: +352 2625 1, Website: https://www.cssf.lu/
1 Legal entity, from which the full offering documentation, the key investor information document (KIID), the fund rules, as well as the annual and bi-annual reports, if any, may be obtained free of charge.