Doug Merritt, CEO of Splunk, spoke to a group of Silicon Valley entrepreneurs late last year and proclaimed that “the security perimeters are completely destroyed and they are not coming back.” It was not a call to arms to start dismantling years of investment in firewall, IDS/IDP, CASB, DLP, SIEM/SOAR and EDR/XDR technologies, but rather a realization that people are now the security perimeter of every modern business. The security of commercial enterprises today relies entirely on the management of end-user credentials and behaviors.
Authentication and authorization procedures are the primary defenses in a guerrilla cyber war in which every end user is a potential avenue of compromise. Unfortunately, vendors offering solutions in this space frequently use language that can be confusing and misleading. They fail to distinguish between access permissions, action privileges, and entity rights. For example, an HR business partner may have access to a Workday compensation package (an access permission); she may be able to modify the salary tables (an action privilege); but she may not be able to view or edit executive compensation records (an entity right).
The terms authorization, privilege, and right are used interchangeably by many providers. Some compound the confusion by introducing terms such as “coarse-grained” and “fine-grained” authorization to cast a favorable light on the capabilities of their products.
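The HR business partner scenario above can be written as three separate checks evaluated in order. This is an added illustration, not code from any vendor named in this article; the user, application, role and attribute names are hypothetical.

```python
from dataclasses import dataclass, field

@dataclass
class Request:
    user: str
    app: str                 # application being reached, e.g. the compensation package
    action: str              # operation attempted inside that application
    attrs: dict = field(default_factory=dict)  # attributes of the specific record

# Constructed sample policy (hypothetical names) for the HR business partner.
ROLES = {"dana": "hr_partner"}
POLICY = {
    "hr_partner": {
        # Tier 1, access permission: which applications the role may reach at all.
        "apps": {"workday-compensation"},
        # Tier 2, action privilege: which operations the role may perform there.
        "actions": {("workday-compensation", "view"), ("workday-compensation", "edit")},
        # Tier 3, entity right: which records those operations may touch.
        # Allow-list, so a record with a missing or unknown band is denied.
        "entity_rules": [lambda a: a.get("band") in {"staff", "manager"}],
    }
}

def authorize(req):
    """Return (allowed, tier); tier names the check that produced the decision."""
    role = POLICY.get(ROLES.get(req.user))
    if role is None or req.app not in role["apps"]:
        return False, "access_permission"
    if (req.app, req.action) not in role["actions"]:
        return False, "action_privilege"
    if not all(rule(req.attrs) for rule in role["entity_rules"]):
        return False, "entity_right"
    return True, "allowed"

if __name__ == "__main__":
    samples = [
        Request("dana", "workday-compensation", "edit", {"band": "staff"}),
        Request("dana", "workday-compensation", "edit", {"band": "executive"}),
        Request("dana", "workday-compensation", "delete", {"band": "staff"}),
        Request("dana", "payroll-admin", "view", {"band": "staff"}),
    ]
    for r in samples:
        print(r.app, r.action, r.attrs, "->", authorize(r))
```

Returning the deciding tier with each decision lets an audit log show whether a denial came from application access, the action, or the specific record, which is the distinction the interchangeable vendor vocabulary hides.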
Most authentication and authorization tools on the market today are not universal solutions. The nuances involved in managing the credentials and behaviors of individuals performing work in application, data, and infrastructure environments are very different. To date, there is no comprehensive platform that provides adequate coverage of all of these environments with the sophistication required to manage permissions, privileges, and rights in detail.
The good news is that some vendors are working on this issue. The authentication and authorization market is conventionally divided into three complementary areas: Identity and Access Management (IAM), Identity Governance and Administration (IGA) and Privileged Access Management (PAM). Leaders in each of these areas are encroaching on adjacent spaces partly based on current customer needs and partly because of the obvious opportunity for revenue expansion.
For example, Okta, a leader in IAM, announced at its 2021 user conference its intention to offer IGA and PAM capabilities in spring 2022. ForgeRock – another popular IAM solution – introduced IGA capabilities in 2019. And finally, CyberArk – the perennial leader in PAM – acquired Idaptive in 2020 with the intention of adding IAM, single sign-on and multi-factor authentication capabilities to its platform.
As authentication and authorization leaders expand the capabilities of their platforms in an attempt to deliver more compelling solutions, the VC community has invested money in a variety of startups that offer much more granular identity-based security (IBS) services.
Over $1 billion in start-up / Series A / Series B venture capital funds were invested in IBS companies from 2018 to 2020. IBS companies have also been riding the wave of increased investment in security throughout the pandemic. According to Crunchbase, an additional $2 billion was distributed to IBS startups at all stages of investment during the first half of 2021.
Where is this money going? It is used by companies like Saviynt and Britive to extend conventional IGA and PAM capabilities in multi-cloud environments. XIX, Validsoft and Imprivata are developing new biometric factor authentication services. Trulioo, Jumio and Socure offer user-friendly identity verification features. Beyond Identity and Axiad can be used for passwordless authentication. Infinicloud and Wootcloud offer device identification capabilities. PlainID and Styra function as stand-alone policy engines accessible by various authentication and authorization services. Aserto, Authzed, and Oso are development toolkits that can be used to create application-specific authentication and authorization workflows.
We could go on, but you get the idea. The functionality of all-in-one platforms is being deconstructed into an assortment of services that can be used to develop custom end-user security procedures for specific workgroups, industries or customer communities.
So who will win in the future? Will consolidated platforms capture the majority of the IBS market or will do-it-yourself solutions proliferate due to the unique requirements of specific workgroups or the desire to deliver unique experiences to paying customers?
Maybe the answer is both. The generic security solutions provided by the consolidated platforms will likely be sufficient to meet the internal and customer requirements of many businesses. On the flip side, many software engineering, pharmacology research, and supply chain modeling teams would no doubt welcome custom DIY solutions to suit their resource needs and work practices.
The $3 billion venture capital investment in IBS startups cited above must be based on fairly large projections of the total available market for disaggregated authentication and authorization services. Perhaps venture capitalists are betting that these services could initially augment and eventually replace platform architectures as companies update their IBS systems in the years to come. We will all know if there is a market for custom IBS solutions very, very soon.