Doug Merritt, the CEO of Splunk, addressed a group of Silicon Valley entrepreneurs late last year and proclaimed that "security perimeters are completely destroyed and they're not coming back." That was not a call to arms to start dismantling years of investment in firewall, IDS/IDP, CASB, DLP, SIEM/SOAR, and EDR/XDR technologies but, rather, a sobering recognition that people are now the security perimeter of every modern enterprise. Today, the security of commercial firms rests squarely on the management of end-user credentials and end-user behaviors.
Authentication and authorization procedures are the principal defenses in a guerilla cyberwar in which every end user is a potential path of compromise. Unfortunately, vendors offering solutions in this space frequently employ language that can be confusing and misleading. They fail to discriminate between access permissions, action privileges, and entity entitlements. For example, an HR business partner may have access to a Workday compensation module; she may be able to modify salary tables (an action privilege); but she may not be able to view or modify executive compensation records (an entity entitlement).
The terms permission, privilege, and entitlement are used interchangeably by many vendors. Some compound the confusion by introducing terminology about "coarse-grained" and "fine-grained" permissions in ways that cast a favorable light on the capabilities of their products.
Most of the authentication and authorization tools currently on the market are not one-size-fits-all solutions. The nuances involved in managing the credentials and behaviors of individuals performing work in application, data, and infrastructure environments are quite different. To date, there is no comprehensive platform that provides adequate coverage of all of these environments with the sophistication required to manage permissions, privileges, and entitlements in detail.
The good news is that some vendors are working on that problem. The authentication and authorization market has conventionally been divided into three complementary domains: identity and access management (IAM), identity governance and administration (IGA), and privileged access management (PAM). The leaders in each of these domains are encroaching into adjacent spaces based partly on current customer needs and partly due to the obvious opportunity for revenue expansion.
For example, Okta — a leader in IAM — announced plans to offer IGA and PAM capabilities in the spring of 2022 at its 2021 user conference. ForgeRock — another popular IAM solution — introduced IGA capabilities in 2019. And finally, CyberArk —the perennial leader in PAM — acquired Idaptiv in 2020 with the intention of adding IAM, single sign-on, and multifactor authentication capabilities to its platform.
While the leaders in authentication and authorization are broadening the capabilities of their platforms in an attempt to offer more compelling solutions, the VC community has been pouring money into a variety of startups that offer much more granular identity-based security (IBS) services.
Over $1 billion of early stage/Series A/Series B venture funding was invested in IBS firms from 2018 to 2020. IBS firms have also ridden the wave of heightened security investment throughout the pandemic. An additional $2 billion has been distributed to IBS start-ups over all investment stages during the first half of 2021, according to Crunchbase.
Where is this money going? It's being used by firms like Saviynt and Britive to extend conventional IGA and PAM capabilities into multicloud environments. XIX, Validsoft, and Imprivata are developing new biometric factor authentication services. Trulioo, Jumio, and Socure offer consumer-friendly identity verification capabilities. Beyond Identity and Axiad can be employed for passwordless authentication. Infinicloud and Wootcloud offer device identity capabilities. PlainID and Styra function as standalone policy engines that can be accessed by a variety of authentication and authorization services. Aserto, Authzed, and Oso are developer tool kits that can be used to construct application-specific authentication and authorization workflows.
We could go on, but you get the idea. The functionality of all-in-one platforms is being deconstructed into a smorgasbord of services that can be used to develop bespoke end-user security procedures for specific work groups, lines of businesses, or customer communities.
So, who wins in the future? Will the consolidated platforms capture the majority of the IBS market or will do-it-yourself solutions proliferate due the unique requirements of specific work groups or the desire to provide unique experiences to paying customers?
Perhaps the answer is both. Generic security solutions provided by the consolidated platforms will likely be sufficient to satisfy the internal and customer-facing requirements of many companies. On the other hand, many software engineering, pharmacology research, and supply chain modeling teams would undoubtedly welcome customized DIY solutions that were tailored to their resource needs and work practices.
The $3 billion VC investment in IBS startups cited above must be predicated on some pretty big projections of the total available market for disaggregated authentication and authorization services. VCs may be betting that these services may initially augment and ultimately replace platform architectures as corporations refresh their IBS systems in the coming years. We'll all learn whether there's a market for customized IBS solutions very, very soon.