Yunxiu Capital Enterprise Service Group March 2021

[Introduction] As cloud adoption, ecosystem collaboration, multi-cloud and similar scenarios emerge in business, identity and access control that used to treat the firewall as the boundary faces new challenges. Connecting cloud and on-premises identity systems, bringing internal staff and external partners under unified control of accounts and permissions, breaking down the data islands of multiple business applications, building a comprehensive picture of identity, and providing users with smoother and more accurate service have become the new security requirements of the cloud-native era.

◼ Changes in the overall IT environment have created demand for unified identity management based on cloud-native security

Fundamental change in IT architecture: with the popularity of mobile Internet and IoT devices, a large number of devices have expanded the identity and trust boundaries of enterprises. The traditional separation of internal and external networks and on-premises IAM solutions cannot meet current needs.

Enterprise database migration from IDC to cloud: with the wave of cloud computing, more and more enterprises choose to move their whole site or 50% of their business to the cloud, which changes the environment that has to be protected.

Development of enterprise SaaS services: the growth of enterprise SaaS services such as enterprise web disk and Tongs means that more and more enterprise workflows, data flows and identities sit outside the enterprise instead of being fixed in the original isolated environment. The authentication credentials of a large number of SaaS services cannot be managed uniformly and effectively.

Preparation for further improvement of cloud conditions: multi-application and hybrid cloud environments bring a heavy management burden to enterprises. Enterprise IT administrators need to maintain each employee's account information in different systems, audit logs, and manage authorization. When employees use internal AD domain accounts to access external systems, or external systems need to log in to the internal AD domain through VPN, employees need to maintain complex account and password systems.

◼ The global identity security market will exceed billions of dollars, and the data security field urgently needs technological breakthroughs to usher in rapid growth

Investment in cloud infrastructure drives growth of the cloud security market: according to the latest report from Million Insights, the global cloud security market is expected to maintain a CAGR of 14.6% from 2020 to 2027 and to reach US $20.9 billion in 2027. Global security spending in the identity and access management market is increasing year by year. According to Gartner, global spending on identity and access management security was $8.82 billion, $9.77 billion and $10.58 billion in 2017-2019, respectively.

The international community and identity security: in 2016, the FIDO (Fast IDentity Online) Alliance published its second-generation authentication specification, marking a new standard in the field of online identity authentication. China has made it clear in the Cyber Security Law that the country implements the strategy of online trusted identity and supports the research and development of secure and convenient electronic identity authentication technology. In 2019, the EU amended its General Data Protection Regulation (GDPR) to increase fines for organisations that fail to keep personal data secure. In 2020, California, the world’s fifth-largest economy, enacted the Consumer Privacy Act (CCPA).

◼ Enterprises need new identity management technologies to achieve comprehensive identity management through identification, access control, and tracking of people, terminals, and systems

Identity and Access Management (IAM): IAM is an enterprise's internal solution for managing identities and permissions. The core idea is to break down information islands and connect various applications, taking people’s digital identities (such as accounts) as the starting point. It manages Account, Authentication, Authorization, and Audit for users’ access to different types of application systems.

Identity as a Service (IDaaS): IDaaS is a dedicated service for identity management. As cloud-based IAM, it is able to manage both SaaS applications and internal applications. Compared with traditional IAM, IDaaS matters for the following reasons:

1) Stronger adaptability: in terms of deployment mode, traditional IAM only supports private deployment, while IDaaS supports hybrid cloud deployment; in terms of tenant mode, traditional IAM only supports single-tenant mode, while IDaaS adds multi-tenant mode on top of it.

2) Stronger performance: it can process larger and more complex data;

3) Stronger security: it can protect enterprises and their users from the risk of data leakage.

Core elements of choosing an IDaaS solution: an IDaaS solution is a centralized mechanism for customers to access all important business. Enterprises need to choose this product carefully, as any downtime or outage will result in significant business interruption for the organization. Core IDaaS products are judged on:

1) Sufficient security: Security is at the heart of all factors and has the highest priority.

2) Good “out of the box” capability: IDaaS solutions should be flexible and forward-looking enough to apply to any type of IT infrastructure, and need to provide a good development/integration model for easy integration with arbitrary applications and other solutions.

3) Support integration with existing user directory stores: whether deployed in-house or in the cloud, the evaluated solution needs to support employee systems of record, such as human resources systems or Active Directory, with the goal of minimal disruption. This ensures rapid deployment of the solution and a short time to value.

4) Provide SSO experience and management capabilities for critical user access: the evaluated solution should provide flexible support for a wide range of SSO technologies, such as Security Assertion Markup Language (SAML), OpenID Connect, Active Directory Federation Services (ADFS), and others. This will ensure integration with various enterprise applications.

5) Support for intelligent security authentication strategies: the evaluated solution should provide intelligent authentication that adapts to the risk profile and suits various applications, so that suspicious access can be detected in different situations. The solution should support a variety of authentication factors, including software and hardware tokens and terminal certificates, and should be ready to support new factors such as biometrics.

6) Provide automated user behavior tracking and auditing: another important factor to consider is whether IDaaS can implement a comprehensive behavior audit that tracks every login and access by users. For enterprise managers, auditing is always the last barrier of security: if access cannot be audited, there is no real security.

7) Provide a unified and centralized experience: A unified and centralized experience is very important for end users and IT administrators. A unified and easy-to-use portal greatly improves the user experience. For administrators, a centralized identity management platform can save a lot of time and increase efficiency exponentially.

8) Usage cost: IDaaS solutions need to be reasonably priced through a flexible and simple licensing model.

◼ Comparison of major IDaaS service providers in China

IDaaS players fall into two main groups: established enterprises with a cloud computing background, and start-ups specializing in cloud security services. The established cloud computing enterprises focus their IDaaS offerings mainly on identity authentication. Their competitive advantages are stronger resource support, richer operational experience and higher visibility. Specialized IDaaS vendors are mainly start-ups, which cover the whole scenario and process from cloud identity authentication to management. Their competitive advantages are the flexibility, independence and scalability of the platform.

◼ Foreign benchmarking company: Okta, global leader in online identity and access management

Founded in 2019, Okta is a US identity management service provider for multi-cloud deployment and the SaaS era. Through mergers and acquisitions, Okta quickly acquired core technologies and talent, gradually expanded its business from the initial single sign-on (SSO) to the whole field of IAM, and now serves the full scenario and life cycle of B2E, B2C and B2B.

Okta's clients are mainly large and medium-sized enterprises, and it charges mainly by subscription. Okta has gained a large number of customers and penetrated several vertical industries, focusing on paying global medium to large customers, including Adobe, Colorx, MGM Resorts, American Express, Magellan Health, etc. At present, its penetration rate among global Fortune 2000 customers exceeds 20%. The company charges subscribers by number of products and number of end users, and 85% of its revenue comes from its home market. In Q2 FY2021, the company achieved revenue of $200 million, up 43% year over year, with 8,950 customers. The company now has a market capitalisation of nearly $30bn, and its share price has risen nearly nine-fold since listing.

◼ To sum up, we offer the following views on the status quo and development prospects of the IDaaS industry in China:

The Chinese market is still far behind the overseas market in terms of cloud computing development stage and cloud-native technology. There are two main reasons:

1) China’s private cloud market is more advanced than its public cloud market, and has greater demand for privately deployed security mechanisms such as security resource pools. China’s cloud computing development started from virtualization and moved from private cloud to public sector cloud. Generally, commercial private cloud systems are closed and lack application interfaces for on-demand network traffic control. Therefore, the security mechanism for such private clouds is based on locally deployed security resource pools.

2) In terms of technology application, China is still at an early stage with emerging cloud security technology. On the one hand, the domestic market is small due to the lack of heavyweight enterprise SaaS; on the other hand, compared with private clouds and industry clouds, there are still fewer public clouds in China, so cloud-native identity authentication and management has not received much attention.

Small and medium-sized enterprises (SMEs) will provide a large business opportunity for IDaaS. From the demand side, the need for cloud-native identity management technology is more urgent for SMEs. The target customers of the IDaaS products of foreign vendors with a cloud computing background are mainly large and medium-sized enterprises. However, the business of large domestic enterprise customers ("big B") is still mainly based on private cloud deployment. The transformation of their deployment mode is expected to take a long time, and the urgency of implementing cloud-native security is low. In this context, traditional IAM products have more advantages. SMEs, on the other hand, have greater potential demand for IDaaS because their business is moving to the cloud. From the supply side, their start-up background makes it easier for young IDaaS providers to seize the market of small and medium-sized customers. Established vendors have stronger resource integration ability and higher visibility, and can add an IDaaS branch to their existing product lines, which makes it easier for them to quickly win existing large enterprise customers in the IDaaS field. However, IDaaS start-ups have the unique advantages of a light model and strong innovation ability, which lets them take the initiative in a rapidly changing underlying technology environment, and a young team can adapt quickly to technological trends.

Product experience and cost of use are the main considerations for SMEs. At the product level, ensuring a good user experience is key. Service providers need to consider product performance, ease of use and service capability from the customer's perspective. Product design should follow the principle of Occam’s Razor. Authentication must be easy for users to perform and easy for IT departments to deploy. Therefore, IDaaS vendors should focus on the core needs of customers and retain only the necessary key functions to enhance the usability of their products. The service model should be consultative, serving customers throughout the whole process of preparation, design, implementation and application. As for pricing, a flexible charging model is more applicable in China. SMEs are sensitive to cost, and copying the subscription fees that are mainstream abroad may weaken customers’ willingness to pay, making it harder to acquire customers and reducing customer stickiness. Domestic vendors can charge customers flexibly according to the number of calls.

The cloud security market is growing rapidly with the rapid development of the cloud computing market and the wide application of cloud-native technology. At present, cloud security spending is still a small proportion of cloud computing spending, about 1% in 2020, and in the long run the proportion will rise to about 5%. By 2023, the global market size will exceed 10 billion dollars. In addition, domestic demand for cloud security is strong and the application of emerging cloud security technology is steadily catching up, so rapid development can be expected. The epidemic continues to drive enterprise demand for cloud identity management services. For foreign enterprises and domestic IDaaS start-ups, unicorns in the industry are expected to show prominent growth in the medium and long term, driven by rising customer demand, higher revenue per user and the profit improvement brought by economies of scale.
