Dr. Patrick Kolb
Senior portfolio manager, Thematic Equities

The first forms of identity and access management (IAM) were introduced in the early 1960s, when Fernando Corbato, an American computer scientist and professor at the Massachusetts Institute of Technology (MIT), introduced the use of passwords for securing computer files.1

In the last couple of decades the IAM market has evolved and changed significantly. Originally, identity management solutions were built solely for internal use by employees. As organizations grew in size and complexity, an increasing number of people and devices across networks had to be authenticated and have their identities and access privileges verified. In addition, remote working during the COVID-19 pandemic accelerated this trend. This only increases the need for the right tools to ensure that the right people have the right access to the right systems at the right time. Nowadays identity security has become the digital front door to IT networks, spanning users, devices, applications, and infrastructure.

What is IAM?

Identity and access management is the framework of business processes, policies, and technologies that makes it possible for the right entities (such as people or things, e.g. servers) to use the right resources (applications or data) when they need to, without interference, using the devices they want to use. IAM systems can be deployed on premises or be provided by a third-party vendor using a cloud-based subscription (SaaS) or be deployed in a hybrid mode.

Identity is the number one attack vector for cyber criminals, according to a couple of statistics:

  • 80% of data breaches in the financial industry leverage compromised credentials to gain access to digital assets.2
  • Over 94% of all organizations have experienced a breach that stems from poor identity security.3
  • 79% of organizations experienced an identity-related security breach in the last two years.4

Cyber threats are evolving at a rapid rate, becoming faster and more complex. According to CrowdStrike, a US IT security company, criminal breakout time, which is the time it takes for cyber criminals to break into a network and access data, shortened from 9 h 42 min in 2018 to 1 h 38 min in 2022, a fivefold reduction in time to access critical assets and infrastructure.5

Historically, enterprises used a so-called “castle and moat approach”. It assumes that all security threats come from outside an organization and that “traditional” firewalls are enough to secure the IT infrastructure of a company or a government entity. In today's digital, location-agnostic world this approach is no longer effective. Nowadays, IT infrastructures extend far beyond the walls of buildings across applications, data centers, users, and devices. The COVID-19 pandemic has only accelerated this trend, and working from home is a reality. As a result, digital ecosystems have become more complex and the number of digital identities is growing exponentially. Each external connection to an IT network needs a digital identity, whether it is an application, a server, a user, or a device. Unfortunately, this widens the potential attack surface for cyber criminals, as there are more entry points to the network, which presents an ongoing challenge for IT security.

The most common cyber attacks take the form of phishing, malware, credential stuffing, or privilege abuse.6 As a countermeasure, enterprises are adopting a zero-trust network framework, which assumes that nobody, not even an internal user, can be trusted and that each user must be authenticated, authorized, and continuously assessed before gaining access to data or applications. As a result, IAM acts as the core entry point to the network, verifying and providing access to users, devices, and applications. To this end, IAM solutions aid in authentication, authorization, administration, analysis, and audit.

The market for IAM

According to Jefferies, an investment bank, the market for identity and access management consists of five segments: Access Management / Single Sign-on (SSO), Advanced Authentication, Privileged Access Management (PAM), Identity Governance and Administration (IGA), and Customer Identity and Access Management (CIAM). It is projected to grow from USD 20.1 billion in 2021 to USD 37.4 billion in 2025, a compound annual growth rate (CAGR) of 15.7%. CIAM is poised to see the strongest acceleration of growth with a CAGR of 26.5%; PAM, Advanced Authentication, IGA, and Access Management / SSO have expected CAGRs of 16.0%, 15.3%, 9.9% and 5.2% respectively.7

Figure 1: The market for IAM (in billion USD)

Bar graph: The market for Identity and Access Management will grow from USD 20 bn in 2021 to around USD 27 bn in 2025E
Source: Jefferies (2022): Okta, initiation report, equity research, 15.09.2022, p. 13.

The market for IAM represents around 10% of the total spending for IT security.8 Its strong growth is driven by the ongoing digitization of our society and the transition to the cloud. We think the IAM market will outperform the overall market for IT security in the next couple of years, mainly driven by the rising number of users, applications and devices attempting to access the network. The shift to Zero Trust also continues to be a growth driver for IAM. At the same time, we think there might be three possible restraints on growth:

  • As the economy slows, enterprises might scale back their IT security budget.
  • Chief Information Security Officers (CISOs) might not treat IAM solutions as a top priority, which could limit the forecast growth rates.
  • And finally, commoditization is accelerating among authentication, which could pressure pricing.

The IAM market is largely driven by the growth of cloud adoption, at the cost of the legacy on-premise vendors, which in our view are at risk of losing market share. The main reasons for this market share shift are the following:

  • Modern cloud-based solutions centralize and automate IAM by applying uniform policies across the entire digital ecosystems, rather than having IT teams manually provision each new connection to the network.
  • IAM solutions are able to automatically on-board and off-board users.
  • Through automation they also provide cost savings and efficiencies to IT teams.

Figure 2 shows an example of a total cost of ownership (TCO) comparison of a traditional IAM on-premise software solution versus an IAM cloud-delivered software solution for a mid-sized company (5,000 users). This includes the technology portion (at a similar cost level, whether it is delivered in a cloud or on-premise module). However, adding implementation experts, service and maintenance, software updates and provisioning could inflate the costs over five years.9

Figure 2: Total cost of ownership comparison of traditional IAM on-premise approach versus IAM cloud approach (in USD)

Traditional IAM on-premise approach

| Cost of        | Year 1    | Year 2  | Year 3  | Year 4  | Year 5  | Total     |
|----------------|-----------|---------|---------|---------|---------|-----------|
| Software       | 300,000   | -       | -       | -       | -       | 300,000   |
| Hardware       | 50,000    | -       | -       | -       | -       | 50,000    |
| Maintenance    | -         | 60,000  | 60,000  | 60,000  | 60,000  | 240,000   |
| Implementation | 1,000,000 | -       | -       | -       | -       | 1,000,000 |
| Staff          | 125,000   | 125,000 | 125,000 | 125,000 | 125,000 | 625,000   |
| Upgrade        | -         | -       | -       | -       | 750,000 | 750,000   |
| Total:         |           |         |         |         |         | 2,965,000 |

IAM cloud approach

| Cost of        | Year 1    | Year 2  | Year 3  | Year 4  | Year 5  | Total     |
|----------------|-----------|---------|---------|---------|---------|-----------|
| Set up         | 20,000    | -       | -       | -       | -       | 20,000    |
| Subscription   | 60,000    | 60,000  | 60,000  | 60,000  | 60,000  | 300,000   |
| Total:         |           |         |         |         |         | 320,000   |

Source: Identropy (2013): IDaaS for Dummies, 2013, John Wiley & Sons, Hoboken, NJ, p. 30. Although this TCO calculation example was published several years ago, newer publications show similar cost benefits. Interested readers can find examples in the TCO analyses mentioned in the footnote.¹⁰

Comparison of total cost of traditional IAM on-premise approach (USD 2,965,000) versus IAM cloud approach (USD 320,000)

Figure 2 shows that an IAM cloud approach is more attractive than a traditional on-premise approach in terms of total cost of ownership. The main reasons are that cloud solutions require neither the purchase of specialized hardware nor dedicated implementation and operations teams, as they are managed by the IAM provider. In addition, cloud solutions leverage the shared hardware and operations staff of the cloud model to pass along cost savings from economies of scale to the customer. Furthermore, because cloud-delivered IAM solutions are software-based, there is no need for the enterprise to undertake hardware refreshes every 4 to 5 years, and payments follow a pay-per-use model, which makes scaling up or down much easier.

The transition from on-premise to cloud-based IAM solutions has been significant over the last few years, driven by scalability, flexibility, efficiency, and cost savings. In general, we believe this trend is only going to accelerate, reaching roughly 65% penetration by 2025 according to IDC forecasts, while on-premise deployments might decelerate in our view.11

IAM – a central component of IT architecture

Ever since humans started communicating, there has been a need for protecting and controlling access to information. The essential components of that control were much the same as they are today: establishing who you are when you try to access systems, applications, and information and determining whether you can access a specific resource or take a particular action once you are authenticated.

Nowadays, securing workforce identity has become a priority for organizations as the global workforce moves to work from anywhere and as the transition to the cloud blurs traditional perimeter lines. Identity and access management is a central component of any IT security architecture, driven by the evolving threat environment and by the ongoing digitization of our society. This makes the market for IT security an attractive multi-year secular growth theme, and we are therefore invested in leading companies in the field of IAM.

About the author
  • Dr. Patrick Kolb

    Senior portfolio manager, Thematic Equities

    Patrick Kolb (PhD), Managing Director, has been a Senior Portfolio Manager for the Security Equity strategy since 2007. In 2005, he joined Credit Suisse Asset Management, now part of UBS Group, where he initially focused on the industrials and technology sectors. Patrick graduated from the University of Zurich with a major in Finance and then worked as a research assistant at the Institute of Banking and Finance at the University of Zurich before earning his PhD in Financial Economics.
