The first types of Identity and Access Management (IAM) were introduced in the early 1960, when Fernando Corbato, an American Computer Scientist and Professor at the Massachusetts Institute of Technology (MIT), created the use of passwords for securing computer files1.
In the last couple of decades the IAM marketspace had evolved and witnessed a significant change: Originally identity management solutions were solely built for internal use by employees. As organizations grew in size and complexity, an increasing number of people and devices were assigned across networks to authenticate and verify their identities and access privileges. In addition, due to the COVID-19 pandemic remote working accelerated this trend. This only increases the need of the right tools to ensure that the right people have the right access to the right systems at the right time. Nowadays identity security has become the digital front door to the IT networks, spanning across users, devices, applications and infrastructure.
In this Thematic Insight we elaborate about Identity and Access Management, its market potential, a cost analysis cloud versus on-prem and we finalize with a conclusion.
What is Identity and Access Management (IAM)?
Identity and Access Management is the framework of business processes, policies and technologies that makes it possible for the right entities (such as people or things, e.g. servers) to use the right resources (applications or data) when they need to, without interference, using the devices they want to use. IAM systems can be deployed on premises, or be provided by a 3rd party vendor using a cloud based subscription (SaaS) or be deployed in a hybrid mode.
Identity is the number one attack vector for cyber criminals, according to a couple of statistics:
- 80% of data breaches in the financial industry leverage compromised credentials to gain access to digital assets2.
- Over 94% of all organizations have experienced a breach that stems from poor identity security3.
- 79% of organizations experienced an identity-related security breach in the last two years4.
Cyber threats are evolving at a rapid rate, becoming faster and more complex. According to CrowdStrike, a US IT security company, criminal breakout time, which is the time it takes for cyber criminals to break into a network and access data, shortened from 9h 42min in 2018 to 1h 38min in 2022, a fivefold reduction in time to access critical assets and infrastructure5.
Historically, enterprises used a so-called “castle and moat approach”. It assumes that all security threats come from outside an organization and “traditional” firewalls are enough to secure the IT infrastructure of a company or a government entity. In today‘s digital world this approach is no longer effective in a location-agnostic world. Nowadays IT infrastructures extend far beyond the walls of buildings across applications, data centers, users and devices. The COVID-19 pandemic has only accelerated this trend, working from home is a reality. As a result, the digital ecosystems became more complex, the number of digital identities is growing exponentially. Each external connection to an IT network needs a digital identity, whether it is an application, a server, a user or a device. Unfortunately, this widens the potential attack vector for cyber criminals as there are more entry points to the network, which is presenting an ongoing challenge for IT Security.
Most common cyber attacks are happening in form of phishing, malware, credential stuffing or privilege abuse6. As a counter measure, enterprises are adopting a zero trust network framework, which assumes that nobody, not even an internal user, can be trusted and each user must be authenticated, authorized and continuously assessed before gaining access to data or application. As a result, IAM acts as the core entry point to the network, verifying and providing access to users, devices and applications. To this end, IAM solutions aid in the authentication, authorization, administration, analysis, and audit.
The market for Identity and Access Management
According to Jefferies, an investment bank, the market for Identity and Access Management, which consists of five segments Access Management / Single Sign-on (SSO), Advanced Authentication, Privilege Access Management (PAM), Identity Governance and Administration (IGA) and Customer Identity and Access Management (CIAM), is projected to grow from USD 20.1bn in 2021 to USD 37.4bn in 2025 at a compound annual growth rate (CAGR) of 15.7%. CIAM is poised to see the strongest acceleration of growth with a CAGR of 26.5%, PAM, Advanced Authentication, IGA and Access Management / SSO have an expected CAGR of 16.0%, 15.3%, 9.9% and 5.2% respectively7.