Remember the last time you went through a ‘forgot password’ flow on a company’s website? Or chose to ‘sign in via Google’? Or signed into your company’s CRM account ‘via SSO’? Or, as a developer, accessed the company’s database from a remote location? For each of these flows, odds are that you triggered a set of technical protocols (like OAuth2 or SAML) via software tools that allowed you to achieve your desired outcome. These tools constitute a large & fast-growing category called Identity Access Management (IAM), which sits in the broader cybersecurity landscape. As the surface area of our digital identities continues to increase at a rapid clip, these tools will play a crucial part in mitigating security risks for consumers & enterprises alike.
The seemingly commoditized use case of identity authentication-authorization has led to a large number of positive outcomes in the last few years. Whether it be the $6.5B acquisition of Auth0 by Okta, or one of the largest Series A’s in the history of SaaS by Transmit Security (raising $543M, subsequent to achieving $100M in ARR), or the number of unicorns that have emerged recently (e.g. Stytch, Beyond Identity, Teleport), the recent innovation & value creation in the IAM category is evident. Moreover, this is in the wake of sustained dominance by numerous legacy enterprises like Ping Identity, CyberArk, AWS & Microsoft, who have perfected their products over many years of operations in the space.
We are entering a new era of IAM. A few emerging trend lines that I feel excited about are as follows.
Passwordless to (finally) go mainstream: passwords are the most common form of authentication for applications. However, with the increase in the number of applications, the number of passwords has increased dramatically – according to an Okta survey, an average person maintains 80+ unique passwords! This password sprawl causes consumers to either set weak and/or similar passwords, or go through laborious password reset flows, both of which adversely impact user experience & security. Password managers & multi-factor authentication (MFA) do a suboptimal job at mitigating cyber risk. While passwordless authentication is not a novel concept, the customer journeys associated with it have largely been based on high-friction flows around magic links or SMS/email OTPs. Identity-based passwordless flows solve these challenges, and are expected to rapidly increase the adoption of passwordless as an authentication method. Perhaps the most notable tailwind here is the recent release & growing adoption of the FIDO2 protocol (particularly WebAuthn), which leverages public-key cryptography to deliver a passwordless experience. In essence, the protocol allows for authentication via biometrics (e.g. fingerprint, Face ID) on a different device (e.g. your smartphone), without the need for installing any new software or entering any passwords. We’re seeing an increasing number of applications supporting FIDO2, and startups building tooling around it too.
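The following Go program is an added example, not code from this post or from any of the companies it names; it models the challenge-response at the heart of WebAuthn using Ed25519 from Go's standard library. The private key is generated on the authenticator and never leaves it; the site (the relying party) stores only the public key, so there is no shared secret to phish, reuse or leak. The relying-party name `example.com`, the struct names and the simplified signed-data layout are assumptions for illustration (real WebAuthn signs `authenticatorData || SHA-256(clientDataJSON)`, which carries the same three ingredients: an RP ID hash, a signature counter and the server's challenge).

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Authenticator models the user's device (phone, security key, platform TPM).
// The private key never leaves it; the relying party only ever sees the public key.
type Authenticator struct {
	rpID    string
	priv    ed25519.PrivateKey
	counter uint32
}

// Credential is what the relying party stores after registration.
type Credential struct {
	RPID      string
	PublicKey ed25519.PublicKey
	Counter   uint32 // last counter seen; a non-increasing value signals a cloned authenticator
}

// Assertion is the authenticator's reply to one login challenge.
type Assertion struct {
	RPIDHash  [32]byte
	Counter   uint32
	Challenge []byte
	Signature []byte
}

// NewAuthenticator performs "registration": a fresh key pair is generated on the
// device and only the public half is handed to the relying party.
func NewAuthenticator(rpID string) (*Authenticator, Credential, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, Credential{}, err
	}
	return &Authenticator{rpID: rpID, priv: priv}, Credential{RPID: rpID, PublicKey: pub}, nil
}

// signedData is the (simplified, assumed) byte layout the authenticator signs:
// RP ID hash (binds the assertion to one site, which is what defeats phishing),
// a monotonically increasing counter, and the server's fresh challenge (anti-replay).
func signedData(rpIDHash [32]byte, counter uint32, challenge []byte) []byte {
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	buf := make([]byte, 0, 32+4+len(challenge))
	buf = append(buf, rpIDHash[:]...)
	buf = append(buf, ctr[:]...)
	return append(buf, challenge...)
}

// Assert is what happens after the user passes the local biometric / presence check.
func (a *Authenticator) Assert(challenge []byte) Assertion {
	a.counter++
	h := sha256.Sum256([]byte(a.rpID))
	return Assertion{
		RPIDHash:  h,
		Counter:   a.counter,
		Challenge: challenge,
		Signature: ed25519.Sign(a.priv, signedData(h, a.counter, challenge)),
	}
}

// NewChallenge is generated by the relying party once per login attempt.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Verify is the relying-party side: origin binding, replay, signature, then counter
// monotonicity. On success the stored counter is advanced.
func Verify(cred *Credential, expectedChallenge []byte, as Assertion) error {
	if as.RPIDHash != sha256.Sum256([]byte(cred.RPID)) {
		return errors.New("assertion was produced for a different relying party")
	}
	if !bytes.Equal(as.Challenge, expectedChallenge) {
		return errors.New("challenge mismatch: stale or replayed assertion")
	}
	if !ed25519.Verify(cred.PublicKey, signedData(as.RPIDHash, as.Counter, as.Challenge), as.Signature) {
		return errors.New("bad signature")
	}
	if as.Counter <= cred.Counter {
		return errors.New("signature counter did not increase: possible cloned authenticator")
	}
	cred.Counter = as.Counter
	return nil
}

func main() {
	auth, cred, _ := NewAuthenticator("example.com")
	ch, _ := NewChallenge()
	first := auth.Assert(ch)
	fmt.Println("first login:", Verify(&cred, ch, first))
	fmt.Println("same assertion again:", Verify(&cred, ch, first))
}
```

The three checks in `Verify` are what make the flow both phishing-resistant and passwordless: a lookalike site gets a signature bound to its own RP ID, a captured assertion fails the challenge or counter check, and at no point does a reusable secret cross the wire.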
Shift toward identity-based journeys: instead of viewing authentication-authorization as a binary, point-in-time workflow, there is a growing trend line around creating continuous & custom identity journeys. The core idea is to create an alternate risk engine that monitors a customer’s risk profile at the time of authentication & during runtime, triggering relevant workflows accordingly. For example, a login attempt from an unsecured IP address would trigger a more stringent authentication flow than a login attempt from a secure IP address. Another interesting use case is around the ‘hand-off of trust’ across devices & channels. For example, a successful authentication on an application’s website would by default authenticate a user during a call center inquiry. Continuous tracking of behavioral anomalies during runtime would also contribute to updated risk scores & trigger bespoke workflows. This identity-based journey is an operationalization of the Continuous Adaptive Risk & Trust Assessment (CARTA) framework released by Gartner in 2017, and is witnessing a demand uptick from enterprises across industries.
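An added example of the risk-engine idea, not code from this post or from any vendor it mentions: a small Go policy that scores the signals described above (source IP, device familiarity, new geography, runtime anomaly count, channel hand-off) and maps the score to allow, step-up or deny. The same `Evaluate` call serves both the login decision and later re-evaluation during the session, which is what makes the journey continuous rather than point-in-time. The trusted CIDR, the weights and the thresholds are constructed values for illustration.

```go
package main

import (
	"fmt"
	"net"
)

// Decision is the workflow the engine triggers for a given risk score.
type Decision int

const (
	Allow  Decision = iota // proceed silently
	StepUp                 // demand a stronger factor (e.g. FIDO2) before proceeding
	Deny                   // block and alert
)

func (d Decision) String() string { return [...]string{"allow", "step-up", "deny"}[d] }

// Signals is the context evaluated at login time and again whenever runtime
// monitoring reports something new. All fields are illustrative.
type Signals struct {
	IP            string
	KnownDevice   bool // device fingerprint previously bound to this identity
	NewGeo        bool // first sighting of this identity from this region
	AnomalyEvents int  // behavioral anomalies flagged during the session
	Handoff       bool // trust carried over from an already-verified channel (e.g. web session -> call center)
}

// RiskEngine holds the network ranges the organisation treats as secure.
type RiskEngine struct {
	trusted []*net.IPNet
}

func NewRiskEngine(trustedCIDRs []string) (*RiskEngine, error) {
	e := &RiskEngine{}
	for _, c := range trustedCIDRs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			return nil, err
		}
		e.trusted = append(e.trusted, n)
	}
	return e, nil
}

func (e *RiskEngine) trustedIP(ip net.IP) bool {
	for _, n := range e.trusted {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// Score sums weighted signals. Weights are assumed, not taken from any product;
// the point is that every signal moves the same number up or down.
func (e *RiskEngine) Score(s Signals) int {
	score := 0
	ip := net.ParseIP(s.IP)
	if ip == nil {
		score += 40 // unparsable source: treat as untrusted and suspicious
	} else if !e.trustedIP(ip) {
		score += 30 // unsecured network -> more stringent flow
	}
	if !s.KnownDevice {
		score += 25
	}
	if s.NewGeo {
		score += 20
	}
	score += 15 * s.AnomalyEvents // runtime anomalies keep raising the score mid-session
	if s.Handoff {
		score -= 30 // trust already established on another channel
	}
	if score < 0 {
		score = 0
	}
	return score
}

// Decide maps a score to a workflow using assumed thresholds.
func Decide(score int) Decision {
	switch {
	case score >= 70:
		return Deny
	case score >= 30:
		return StepUp
	default:
		return Allow
	}
}

// Evaluate is called at authentication time and re-run whenever Signals change.
func (e *RiskEngine) Evaluate(s Signals) (int, Decision) {
	score := e.Score(s)
	return score, Decide(score)
}

func main() {
	e, _ := NewRiskEngine([]string{"10.0.0.0/8"})
	for _, s := range []Signals{
		{IP: "10.1.2.3", KnownDevice: true},
		{IP: "203.0.113.7", KnownDevice: true},
		{IP: "203.0.113.7", KnownDevice: true, Handoff: true},
		{IP: "10.1.2.3", KnownDevice: true, AnomalyEvents: 3},
	} {
		score, d := e.Evaluate(s)
		fmt.Printf("%-14s score=%3d -> %s\n", s.IP, score, d)
	}
}
```

The fourth case in `main` is the continuous part: a session that started as a clean allow from a trusted network is re-scored after three runtime anomalies and crosses into step-up without any new login attempt.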
Rise of identity-native infrastructure access management: today’s enterprise infrastructure is highly elastic & multi-layered; a modern enterprise architecture would comprise cloud environments, on-prem servers, data centers, Kubernetes clusters, message queues, VMs, CI/CD apps, DevOps tooling & SaaS applications. Historically, access to this infrastructure relied on the notion of network perimeters (via LAN or VPC) & credentials (commonly known as ‘secrets’), which were traditionally stored in a centralized secrets management system. While we’ve moved toward a combination of VPNs & firewalls for more secure remote access, and have seen an increase in the sophistication of secrets management systems, the core proposition of credential-based access poses many security & ops challenges, the primary one being the centralization of secrets itself, which creates a highly targeted & effective vector of cyber attack. The problem gets further exacerbated as we move toward a distributed & remote workforce with a significant amount of contractual technical support, each requiring varying degrees of infrastructure access. Startups & scaled enterprises are taking this challenge head-on by shifting from a credential-based to an identity-based access management workflow wherein access is 1) granted based on identity and not on secrets (by leveraging existing IdPs like Okta); 2) ephemeral (via certificates that have a definite time-to-live); 3) strictly role based (via a predefined role-based access control policy); 4) audit friendly, allowing for greater visibility at a user level. The adoption of this architecture is nascent but fast growing.
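An added example, not code from this post or from any product it mentions, of the four properties just listed, using only Go's standard library: the identity asserted by the IdP after SSO is the sole input to issuance (no static secret is handed out), the client certificate carries a short time-to-live, the roles embedded in its subject are checked against an RBAC policy, and every decision yields an attributable audit line. The CA name, role names, host names, the policy table and the choice of the certificate's OU field as the role carrier are constructed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// CA is the access layer's certificate authority. Hosts trust this one root, so no
// long-lived per-host or per-user secret exists to be centralised and stolen.
type CA struct {
	key  *ecdsa.PrivateKey
	cert *x509.Certificate
	pool *x509.CertPool
}

func NewCA() (*CA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "access-proxy-ca"}, // assumed name
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	return &CA{key: key, cert: cert, pool: pool}, nil
}

// Identity is what the IdP asserted after SSO; it is the only input to issuance.
type Identity struct {
	User  string
	Roles []string
}

// IssueUserCert mints a client certificate bound to the identity with a short TTL.
// Roles travel in the OU field (an assumed convention for this example).
func (ca *CA) IssueUserCert(id Identity, ttl time.Duration) (*x509.Certificate, error) {
	userKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: id.User, OrganizationalUnit: id.Roles},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(ttl), // ephemeral: expires on its own, nothing to revoke or rotate
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.cert, &userKey.PublicKey, ca.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// policy is a constructed RBAC table: role -> host classes it may reach.
var policy = map[string][]string{
	"db-reader": {"db-replica"},
	"db-admin":  {"db-replica", "db-primary"},
}

// Authorize is the host-side check: chain validity at time now, then role lookup.
// It always returns an audit line naming the user so access is attributable.
func (ca *CA) Authorize(cert *x509.Certificate, host string, now time.Time) (string, error) {
	opts := x509.VerifyOptions{Roots: ca.pool, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Sprintf("DENY user=%s host=%s reason=%v", cert.Subject.CommonName, host, err), err
	}
	for _, role := range cert.Subject.OrganizationalUnit {
		for _, allowed := range policy[role] {
			if allowed == host {
				return fmt.Sprintf("ALLOW user=%s role=%s host=%s serial=%v", cert.Subject.CommonName, role, host, cert.SerialNumber), nil
			}
		}
	}
	return fmt.Sprintf("DENY user=%s host=%s reason=no-role", cert.Subject.CommonName, host),
		errors.New("no role grants access to " + host)
}

func main() {
	ca, _ := NewCA()
	cert, _ := ca.IssueUserCert(Identity{User: "alice@example.com", Roles: []string{"db-reader"}}, 10*time.Minute)
	for _, c := range []struct {
		host string
		at   time.Time
	}{
		{"db-replica", time.Now()},
		{"db-primary", time.Now()},
		{"db-replica", time.Now().Add(11 * time.Minute)},
	} {
		line, _ := ca.Authorize(cert, c.host, c.at)
		fmt.Println(line)
	}
}
```

The third call in `main` is the ephemeral property at work: eleven minutes after issuance the same certificate is rejected by chain validation alone, with no revocation list or secret rotation involved.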
The category represents many pockets of opportunity across both workforce & customer IAM, & startups are best placed to create & deliver new identity-based experiences. I’m excited to see the evolution of the landscape over the next few years!
If you’re building in the cybersecurity space from this part of the world and would like to chat, drop me a line at rohil@lsip.com.