Article
The evolving threat environment and the ongoing digitization of our society make Identity and Access Management (IAM) a central component of any IT security architecture. The market for IT security is an attractive multiyear secular growth theme, therefore Credit Suisse Asset Management is invested in leading companies in the field of IAM.
January 10, 2023
The first types of Identity and Access Management (IAM) were introduced in the early 1960, when Fernando Corbato, an American Computer Scientist and Professor at the Massachusetts Institute of Technology (MIT), created the use of passwords for securing computer files1.
In the last couple of decades the IAM marketspace had evolved and witnessed a significant change: Originally identity management solutions were solely built for internal use by employees. As organizations grew in size and complexity, an increasing number of people and devices were assigned across networks to authenticate and verify their identities and access privileges. In addition, due to the COVID-19 pandemic remote working accelerated this trend. This only increases the need of the right tools to ensure that the right people have the right access to the right systems at the right time. Nowadays identity security has become the digital front door to the IT networks, spanning across users, devices, applications and infrastructure.
In this Thematic Insight we elaborate about Identity and Access Management, its market potential, a cost analysis cloud versus on-prem and we finalize with a conclusion.
Identity and Access Management is the framework of business processes, policies and technologies that makes it possible for the right entities (such as people or things, e.g. servers) to use the right resources (applications or data) when they need to, without interference, using the devices they want to use. IAM systems can be deployed on premises, or be provided by a 3rd party vendor using a cloud based subscription (SaaS) or be deployed in a hybrid mode.
Identity is the number one attack vector for cyber criminals, according to a couple of statistics:
Cyber threats are evolving at a rapid rate, becoming faster and more complex. According to CrowdStrike, a US IT security company, criminal breakout time, which is the time it takes for cyber criminals to break into a network and access data, shortened from 9h 42min in 2018 to 1h 38min in 2022, a fivefold reduction in time to access critical assets and infrastructure5.
Historically, enterprises used a so-called “castle and moat approach”. It assumes that all security threats come from outside an organization and “traditional” firewalls are enough to secure the IT infrastructure of a company or a government entity. In today‘s digital world this approach is no longer effective in a location-agnostic world. Nowadays IT infrastructures extend far beyond the walls of buildings across applications, data centers, users and devices. The COVID-19 pandemic has only accelerated this trend, working from home is a reality. As a result, the digital ecosystems became more complex, the number of digital identities is growing exponentially. Each external connection to an IT network needs a digital identity, whether it is an application, a server, a user or a device. Unfortunately, this widens the potential attack vector for cyber criminals as there are more entry points to the network, which is presenting an ongoing challenge for IT Security.
Most common cyber attacks are happening in form of phishing, malware, credential stuffing or privilege abuse6. As a counter measure, enterprises are adopting a zero trust network framework, which assumes that nobody, not even an internal user, can be trusted and each user must be authenticated, authorized and continuously assessed before gaining access to data or application. As a result, IAM acts as the core entry point to the network, verifying and providing access to users, devices and applications. To this end, IAM solutions aid in the authentication, authorization, administration, analysis, and audit.
According to Jefferies, an investment bank, the market for Identity and Access Management, which consists of five segments Access Management / Single Sign-on (SSO), Advanced Authentication, Privilege Access Management (PAM), Identity Governance and Administration (IGA) and Customer Identity and Access Management (CIAM), is projected to grow from USD 20.1bn in 2021 to USD 37.4bn in 2025 at a compound annual growth rate (CAGR) of 15.7%. CIAM is poised to see the strongest acceleration of growth with a CAGR of 26.5%, PAM, Advanced Authentication, IGA and Access Management / SSO have an expected CAGR of 16.0%, 15.3%, 9.9% and 5.2% respectively7.
Exhibit 1: The Market for Identity and Access Management (in billion USD)
To the extent that these materials contain statements about the future, such statements are forward looking and are subject to a number of risks and uncertainties and are not a guarantee of future results/performance.
Source: Jefferies (2022): Okta, initiation report, equity research, Sept. 15th 2022, p. 13.
The market for IAM represents around 10% of the total spending for IT security8. Its strong growth is driven by the ongoing digitization of our society and the transition to the cloud. We think the IAM market is forecasted to outperform the overall market for IT security in the next couple of years, mainly driven by the rising number of users, applications and devices attempting to access the network. In addition, the shift to Zero Trust also continues to be a growth driver for IAM. In addition, we think there might be three possible restraints on growth:
The IAM market is largely driven by the growth of cloud adoption, at cost of the legacy on-premise vendors which in our view are at risk of losing market share. The main reason for this market share shift are the following:
Exhibit 2 shows an example of a Total Cost of Ownership comparison (TCO) of traditional IAM on-premise software solution versus an IAM cloud delivered software solution for a mid-sized company (5’000 users). This includes the technology portion (at a similar cost level, whether it is delivered in a cloud or on-premise module). However, adding implementation experts, service & maintenance, software updates and provisioning could inflate the costs over five years9.
Exhibit 2: Total Cost of Ownership comparison of traditional IAM on-premise approach versus IAM cloud approach (in USD)
Source: Identropy (2013): IDaaS for Dummies, 2013, John Wiley & Sons, Hoboken, NJ, p. 30. Despite the fact that this TCO calculation example was published several years ago, newer publications are showing similar cost benefits. To interested readers we are recommending as examples the TCO analysis mentioned in the footnote10.
Exhibit 2 shows that an IAM cloud approach is in terms of total cost of ownership more attractive than a traditional on-premise approach. Main reasons are that cloud solutions neither require the purchase of specialized hardware nor dedicated implementation and operations teams as they are managed by the IAM provider. In addition, cloud solutions leverage the shared hardware and operations staff from the cloud model to pass along cost savings from economies of scale to the customer. Furthermore, because cloud delivered IAM solutions are software-based, there is no need for the enterprise to undertake hardware refreshes every 4-5 years and payments are done on a pay-per-use model, which makes scaling up or down much easier.
The transition from on-premise to cloud-based IAM solutions has been significant over the last few years, driven by scalability, flexibility, efficiency and cost savings. In general we believe this trend is only going to accelerate, reaching roughly 65% penetration by 2025 according to IDC forecasts, while for on-premise deployments we think they might decelerate11.
Ever since humans started communicating, there has been a need for protecting and controlling access to information. The essential components of that control were much the same as they are today: Establishing who you are when you try to access systems, applications and information and determining whether you can access a specific resource or take a particular action once you are authenticated.
Nowadays, securing workforce identity has become a priority for organizations as the global workforce moves to work from anywhere and as the transition to the cloud blurs traditional perimeter lines. Identity and Access Management is a central component of any IT security architecture, driven by the evolving threat environment and by the ongoing digitization of our society. This makes the market for IT security an attractive multi-year secular growth theme, therefore we are invested in leading companies in the field of IAM.
Find investment products that suit your personal needs. Choose from our extensive range of investment solutions across all major asset classes, and access all product-related information.
You can also follow a fund and receive the monthly factsheet quickly and easily.
To the extent that these materials contain statements about the future, such statements are forward looking and are subject to a number of risks and uncertainties and are not a guarantee of future results/performance.
The individuals mentioned above only conduct regulated activities in the jurisdiction(s) where they are properly licensed, where relevant.
1 Source: The Wall Street Journal (2014): Despite Data Thefts, the Password Endures, in: The Wall Street Journal, May 21st 2014.
2 Source: VansonBourne/HYPR (2022): The State of Authentication in the Finance Industry, survey, p. 5, URL: https://get.hypr.com/hubfs/DL%20Assets/State-of-Authentication-in-Finance-Industry-2022.pdf, 25.9.2022.
3 Source: Egress (2021): Insider Breach Data Survey, p. 5, URL: https://www.egress.com/media/4kqhlafh/egress-insider-data-breach-survey-2021.pdf, 25.9.2022.
4 Source: The Identity Defined Security Alliance (IDSA) (2020): Identity Security: A Work in Progress, media release, URL: https://www.idsalliance.org/press-release/79-of-organizations-have-experienced-an-identity-related-security-breach-in-the-last-two-years-according-to-new-identity-defined-security-alliance-study/, 25.9.2022.
5 Source: CrowdStrike (2022): The CrowdStrike 2022 Global Threat Report, p. 8, URL: https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2022GTR.pdf, 25.9.2022.
6 Source: Source: VansonBourne/HYPR (2022): The State of Authentication in the Finance Industry, survey, p. 7, URL: https://get.hypr.com/hubfs/DL%20Assets/State-of-Authentication-in-Finance-Industry-2022.pdf, 25.9.2022.
7 Source: Jefferies (2022): Okta, initiation report, equity research, Sept. 15th 2022, p. 13.
8 Source: Oppenheimer (2022): Cybersecurity Primer 1.0, industry report, April 18th 2022, p. 15.
9 Source: Identropy (2013): IDaaS for Dummies, 2013, John Wiley & Sons, Hoboken, NJ, p. 30.
10 Below two recommended studies for further readings:
11 Source: IDC (2021): IDC forecasts worldwide "Whole Cloud" spending to reach USD 1.3 trillion by 2025, URL: https://www.idc.com/getdoc.jsp?containerId=prUS48208321, 28.9.2022.
This material constitutes marketing material of Credit Suisse Group AG and/or its affiliates (hereafter "CS"). This material does not constitute or form part of an offer or invitation to issue or sell, or of a solicitation of an offer to subscribe or buy, any securities or other financial instruments, or enter into any other financial transaction, nor does it constitute an inducement or incitement to participate in any product, offering or investment. This marketing material is not a contractually binding document or an information document required by any legislative provision. Nothing in this material constitutes investment research or investment advice and may not be relied upon. It is not tailored to your individual circumstances, or otherwise constitutes a personal recommendation, and is not sufficient to take an investment decision. The information and views expressed herein are those of CS at the time of writing and are subject to change at any time without notice. They are derived from sources believed to be reliable. CS provides no guarantee with regard to the content and completeness of the information and where legally possible does not accept any liability for losses that might arise from making use of the information. If nothing is indicated to the contrary, all figures are unaudited. The information provided herein is for the exclusive use of the recipient. The information provided in this material may change after the date of this material without notice and CS has no obligation to update the information. This material may contain information that is licensed and/or protected under intellectual property rights of the licensors and property right holders. Nothing in this material shall be construed to impose any liability on the licensors or property right holders. Unauthorised copying of the information of the licensors or property right holders is strictly prohibited. This material may not be forwarded or distributed to any other person and may not be reproduced. Any forwarding, distribution or reproduction is unauthorized and may result in a violation of the U.S. Securities Act of 1933, as amended (the “Securities Act”). In addition, there may be conflicts of interest with regard to the investment. In connection with the provision of services, Credit Suisse AG and/or its affiliates may pay third parties or receive from third parties, as part of their fee or otherwise, a one-time or recurring fee (e.g., issuing commissions, placement commissions or trailer fees). Prospective investors should independently and carefully assess (with their tax, legal and financial advisers) the specific risks described in available materials, and applicable legal, regulatory, credit, tax and accounting consequences prior to making any investment decision.
Distributor: Credit Suisse Asset Management Limited, One Cabot Square, London E14 4QJ, United Kingdom I Supervisor (Entity of Registration): Financial Conduct Authority (FCA), 12 Endeavour Square, London E20 1JN, United Kingdom, Tel.: +44 207 066 1000, Website: https://www.fca.org.uk/
