Identity and access management: guardians of the digital front door
The evolving threat environment and the digitization of our society make IAM a central component of any IT security architecture. The market for IT security is an attractive multiyear secular growth theme.
The first forms of identity and access management (IAM) appeared in the early 1960s, when Fernando Corbato, an American computer scientist and professor at the Massachusetts Institute of Technology (MIT), introduced the use of passwords for securing computer files.1
Over the last couple of decades, the IAM market has evolved and changed significantly. Originally, identity management solutions were built solely for internal use by employees. As organizations grew in size and complexity, an increasing number of people and devices across networks had to authenticate and have their identities and access privileges verified. The shift to remote working during the COVID-19 pandemic accelerated this trend. This only increases the need for the right tools to ensure that the right people have the right access to the right systems at the right time. Today, identity security has become the digital front door to IT networks, spanning users, devices, applications, and infrastructure.
What is IAM?
Identity and access management is the framework of business processes, policies, and technologies that makes it possible for the right entities (such as people or things, e.g. servers) to use the right resources (applications or data) when they need to, without interference, using the devices they want to use. IAM systems can be deployed on premises or be provided by a third-party vendor using a cloud-based subscription (SaaS) or be deployed in a hybrid mode.
Identity is the number one attack vector for cyber criminals, as several statistics indicate:
- 80% of data breaches in the financial industry leverage compromised credentials to gain access to digital assets.2
- Over 94% of all organizations have experienced a breach that stems from poor identity security.3
- 79% of organizations experienced an identity-related security breach in the last two years.4
Cyber threats are evolving at a rapid rate, becoming faster and more complex. According to CrowdStrike, a US IT security company, criminal breakout time, which is the time it takes for cyber criminals to break into a network and access data, shortened from 9 h 42 min in 2018 to 1 h 38 min in 2022, a fivefold reduction in time to access critical assets and infrastructure.5
Historically, enterprises used a so-called "castle and moat approach". It assumes that all security threats come from outside an organization and that "traditional" firewalls are enough to secure the IT infrastructure of a company or a government entity. In today's digital, location-agnostic world this approach is no longer effective. IT infrastructures now extend far beyond the walls of buildings, across applications, data centers, users, and devices. The COVID-19 pandemic has only accelerated this trend, and working from home is a reality. As a result, digital ecosystems have become more complex and the number of digital identities is growing exponentially. Each external connection to an IT network needs a digital identity, whether it is an application, a server, a user, or a device. Unfortunately, this widens the potential attack surface for cyber criminals, as there are more entry points to the network, which presents an ongoing challenge for IT security.
The most common cyber attacks take the form of phishing, malware, credential stuffing, or privilege abuse.6 As a countermeasure, enterprises are adopting a zero-trust network framework, which assumes that nobody, not even an internal user, can be trusted and that each user must be authenticated, authorized, and continuously assessed before gaining access to data or applications. As a result, IAM acts as the core entry point to the network, verifying and providing access to users, devices, and applications. To this end, IAM solutions aid in authentication, authorization, administration, analysis, and audit.
The market for IAM
According to Jefferies, an investment bank, the market for identity and access management consists of five segments: Access Management / Single Sign-on (SSO), Advanced Authentication, Privilege Access Management (PAM), Identity Governance and Administration (IGA), and Customer Identity and Access Management (CIAM). It is projected to grow from USD 20.1 billion in 2021 to USD 37.4 billion in 2025 at a compound annual growth rate (CAGR) of 15.7%. CIAM is poised to see the strongest acceleration of growth with a CAGR of 26.5%; PAM, Advanced Authentication, IGA, and Access Management / SSO have an expected CAGR of 16.0%, 15.3%, 9.9% and 5.2% respectively.7
Figure 1: The market for IAM (in billion USD)
The market for IAM represents around 10% of the total spending for IT security.8 Its strong growth is driven by the ongoing digitization of our society and the transition to the cloud. We expect the IAM market to outperform the overall market for IT security in the next couple of years, mainly driven by the rising number of users, applications and devices attempting to access the network. The shift to Zero Trust also continues to be a growth driver for IAM. However, we think there might be three possible restraints on growth:
- As the economy slows, enterprises might scale back their IT security budget.
- Chief Information Security Officers (CISOs) might not treat IAM solutions as a top priority, which could limit the forecast growth rates.
- And finally, commoditization is accelerating in authentication, which could pressure pricing.
The IAM market is largely driven by the growth of cloud adoption, at the cost of the legacy on-premise vendors, which in our view are at risk of losing market share. The main reasons for this market share shift are the following:
- Modern cloud-based solutions centralize and automate IAM by applying uniform policies across the entire digital ecosystems, rather than having IT teams manually provision each new connection to the network.
- IAM solutions are able to automatically on-board and off-board users.
- Through automation they also provide cost savings and efficiencies to IT teams.
Figure 2 shows an example of a total cost of ownership comparison (TCO) of traditional IAM on-premise software solution versus an IAM cloud delivered software solution for a mid-sized company (5,000 users). This includes the technology portion (at a similar cost level, whether it is delivered in a cloud or on-premise module). However, adding implementation experts, service and maintenance, software updates and provisioning could inflate the costs over five years.9
Figure 2: Total cost of ownership comparison of traditional IAM on-premise approach versus IAM cloud approach (in USD)
Cost of | Year 1 | Year 2 | Year 3 | Year 4 | Year 5 | Total |
---|---|---|---|---|---|---|
Software | 300,000 | - | - | - | - | 300,000 |
Hardware | 50,000 | - | - | - | - | 50,000 |
Maintenance | - | 60,000 | 60,000 | 60,000 | 60,000 | 240,000 |
Implementation | 1,000,000 | - | - | - | - | 1,000,000 |
Staff | 125,000 | 125,000 | 125,000 | 125,000 | 125,000 | 625,000 |
Upgrade | - | - | - | - | 750,000 | 750,000 |
Total: |  |  |  |  |  | 2,965,000 |

Cost of | Year 1 | Year 2 | Year 3 | Year 4 | Year 5 | Total |
---|---|---|---|---|---|---|
Set up | 20,000 | - | - | - | - | 20,000 |
Subscription | 60,000 | 60,000 | 60,000 | 60,000 | 60,000 | 300,000 |
Total: |  |  |  |  |  | 320,000 |
Figure 2 shows that an IAM cloud approach is more attractive than a traditional on-premise approach in terms of total cost of ownership. The main reasons are that cloud solutions require neither the purchase of specialized hardware nor dedicated implementation and operations teams, as they are managed by the IAM provider. In addition, cloud solutions leverage the shared hardware and operations staff of the cloud model to pass along cost savings from economies of scale to the customer. Furthermore, because cloud-delivered IAM solutions are software-based, there is no need for the enterprise to undertake hardware refreshes every 4 to 5 years, and payments follow a pay-per-use model, which makes scaling up or down much easier.
The transition from on-premise to cloud-based IAM solutions has been significant over the last few years, driven by scalability, flexibility, efficiency, and cost savings. In general, we believe this trend is only going to accelerate, reaching roughly 65% penetration by 2025 according to IDC forecasts, while on-premise deployments might decelerate in our view.11
IAM – a central component of IT architecture
Ever since humans started communicating, there has been a need for protecting and controlling access to information. The essential components of that control were much the same as they are today: establishing who you are when you try to access systems, applications, and information and determining whether you can access a specific resource or take a particular action once you are authenticated.
Nowadays, securing workforce identity has become a priority for organizations as the global workforce moves to work from anywhere and as the transition to the cloud blurs traditional perimeter lines. Identity and access management is a central component of any IT security architecture, driven by the evolving threat environment and by the ongoing digitization of our society. This makes the market for IT security an attractive multi-year secular growth theme, which is why we are invested in leading companies in the field of IAM.
About the author
Dr. Patrick Kolb
Senior portfolio manager, Thematic Equities
Patrick Kolb (PhD), Managing Director, has been a Senior Portfolio Manager for the Security Equity strategy since 2007. In 2005, he joined Credit Suisse Asset Management, now part of UBS Group, where he initially focused on the industrials and technology sectors. Patrick graduated from the University of Zurich with a major in Finance and then worked as a research assistant at the Institute of Banking and Finance at the University of Zurich before earning his PhD in Financial Economics.