From theCUBE Studios in Palo Alto and Boston, bringing you data-driven insights from theCUBE and ETR. This is Breaking Analysis with Dave Vellante. Chief Information Security Officers cite trust as the number one value attribute they can deliver to their organizations. And when it comes to security, identity is the new attack surface. As such, identity and access management continue to be the top priority among technology decision-makers. It also happens to be one of the most challenging and complicated areas of the cybersecurity landscape. Okta, a leader in the identity space, has announced its intent to converge privileged access and identity governance in an effort to simplify the landscape and reimagine identity. Our research shows that interest in this type of consolidation is very high, but organizations believe technical debt, compatibility issues, expense, and a lack of talent are barriers to reaching cyber nirvana with their evolving zero trust networks. Hello and welcome to this week's Wikibon Cube Insights powered by ETR. In this Breaking Analysis, we'll explore the complex and evolving world of identity access and privileged account management with an assessment of Okta's market expansion aspirations and fresh data from ETR and input from my colleague, Eric Bradley. Let's start by exploring identity and why it's fundamental to digital transformations. Look, the pandemic accelerated digital, and digital raises the stakes in cybersecurity. We've covered this extensively, but today we're going to drill into identity, which is one of the hardest nuts to crack in security. If hackers can steal someone's identity, they can penetrate networks. If that someone has privileged access to databases, financial information, HR systems, transaction systems, the backup corpus, well, you get the point. There are many bespoke tools to support a comprehensive identity access management and privileged access system.
Single sign-on, identity aggregation, deduplication of identities, identity creation, the governance of those identities, group management. Many of these tools are open source. So you have lots of vendors, lots of different systems and often many dashboards. Practitioners tell us that it's the paper cuts that kill them: patches that aren't applied, open ports, orphan profiles that aren't disabled. They'd love to have a single dashboard, but it's often not practical for large organizations because of the bespoke nature of the tooling and the skills required to manage them. Now, adding to this complexity, many organizations have different identity systems for privileged accounts, the general employee population, and customer identity. For example, around 50% of ETR respondents in a recent survey used different systems for workforce identity and consumer identity. Now, this is often done because the consumer identity is a totally different journey. The consumer is out in the wild and takes an unknown non-linear path and then enters the known space inside a brand's domain. The employee identity journey is known throughout. You go from onboarding to increasing responsibilities and more access to off-boarding. Privileged access may even have different attributes, usually like no email and/or no shared credentials. And we haven't even touched on the other identity consumers in the ecosystem like selling partners, suppliers, machines, et cetera. Like I said, it's complicated. And meeting the needs of auditors is stressful and expensive for CISOs. Open chest wounds such as sloppy histories of privileged access approvals, obvious role conflicts, missing data, inconsistent application of policy, and the list goes on. The expense of securing digital operations goes well beyond the software and hardware acquisition costs. So there's a real need and often desire to converge these systems, but technical debt makes it difficult.
Companies have spent a lot of time, effort and money on their identity systems and they can't just rip and replace. So they often build by integrating piece parts or they add on to their quasi-integrated monolithic systems. And then there's the whole zero trust concept. It means a lot of different things to a lot of different people, but folks are asking, if I have zero trust, does it eliminate the need for identity? And what does that mean for my architecture going forward? So let's take a snapshot of some of the key players in identity and PAM, privileged access management. This is an XY graph that we always like to show. It shows the net score or spending velocity, spending momentum on the vertical axis and market share or presence in the ETR dataset on the horizontal axis. It's not like revenue market share. It's just, it's mention market share if you will. So it's really presence in the dataset. Now note the chart insert, the table which shows the actual data for net score and shared N, which informs the position of the dot. The red dotted line there, it indicates an elevated level. Anything over 40%, that mark we consider the strongest spending velocity. Now within this subset of vendors that we've chosen, where we've tried to identify some, most of them are pure plays in this identity space, you can see there are six above that 40% mark including Zscaler, which tops the charts, and Okta, which has been at or near the top for several quarters. There's an argument by the way to be made that Okta and Zscaler are on a collision course as Okta expands its TAM, but let's just park that thought for a moment. You can see Microsoft with a highly elevated spending score and a massive presence on the horizontal axis, CyberArk and SailPoint, which Okta is now aiming to disrupt, and Auth0, which Okta officially acquired in May of this year, more on that later. Now below that 40% mark you can see Cisco, which has largely acquired companies in order to build its security portfolio.
For example, Duo, which focuses on access and multi-factor authentication. Now word of caution, Cisco and Microsoft in particular are overstated because this includes their entire portfolio of security products, whereas the others are more closely aligned as pure plays in identity and privileged access. ThycoticCentrify is pretty close to that 40% mark and came about as a result of the two companies merging in April of this year. More evidence of consolidation in this space. BeyondTrust is close to the red line as well, which is really interesting because this is a company whose roots go back to the VAX/VMS days, which many of you don't even know what a VAX/VMS is, in the mid 1980s. It was the minicomputer standard and the company has evolved to provide more modern PAM solutions. Ping Identity is also notable in that it essentially had emerged after the dot-com bust in the early 2000s as an identity solution provider for single sign-on (SSO) and multi-factor authentication (MFA) solutions. It IPOed in the second half of 2019 just prior to the pandemic. It's got a $2 billion market cap, down from its highs of around $3 billion earlier this year and last summer. And like many of the remote work stocks, they bounced around as the reopening trade and lofty valuations have weighed on many of these names including Okta and SailPoint. Although CyberArk actually acted well after its August 12th earnings call as its revenue growth about double year on year. So hot space, and the big theme this year is around Okta's acquisition of Auth0 and its announcement at Oktane 2021 where it entered the PAM market and announced its thrust to converge its platform around PAM and identity governance and administration. Now I spoke earlier this week with Diya Jolly, who's the Chief Product Officer at Okta, and I'll share some of her thoughts later in this segment. But first let's look at some of the ETR data from a recent drill down study that our friends over there conducted.
This data is from a drill down that was conducted early this summer asking organizations how important it is to have a single dashboard for access management, identity governance and privileged access. This goes directly to Okta's strategy that it announced this year at its Oktane user conference. Basically 80% of the respondents want this. So this is no surprise. Now let's stay on this theme of convergence. ETR asked security pros if they thought convergence between access management and identity governance would occur within the next three years. And as you can see, 89% believe this is going to happen. They either strongly agree or somewhat agree. I mean it's almost as though the CISOs are willing this to occur. And this seemingly bodes well for Okta, which in April announced its intent to converge PAM and IGA. Okta's Diya Jolly stressed to me that this move was in response to customer demand. And this chart confirms that. But there's a deeper analysis worth exploring. Traditional tools of identity, single sign-on (SSO) and multi-factor authentication (MFA), they're being commoditized. And the most obvious example of this is OAuth or open authorization. Log in with Twitter, Google, LinkedIn, Amazon, Facebook. Now Okta currently has around a $35 billion market cap as of today, off from its highs which were well over 40 billion earlier this year. Okta's previously stated total addressable market was around 55 billion. So CEO Todd McKinnon had to initiate a TAM expansion play, which is the job of any CEO, right? Now this move does that. It increases the company's TAM by probably around $20 to $30 billion in our view. Moreover, the number one criticism of Okta is "your price is too high." That's a good problem to have, I say. Regardless, Okta has to think about adding more value to its customers and prospects. This move both expands its TAM and supports its longer term vision to enable a secure, user controlled, ubiquitous digital identity.
Supporting federated users and data within a centralized system. Now the other thing Jolly stressed to me is that Okta is heavily focused on the user experience, making it simple and consumer grade easy. At Oktane21, she gave a keynote laying out the company's vision. It was a compelling presentation designed to show how complex the problem is and how Okta plans to simplify the experience for end users, service providers, brands and the overall technical community across the ecosystem. But look, there are a lot of challenges the company faces to pull this off. So let's dig into that a little bit. Zero trust has been the buzzword and it's a direction the industry is moving towards, although there are skeptics. Zero trust today is aspirational. It essentially says you don't trust any user or device and the system can ensure the right people or machines have the proper level of access to the resources they need all the time with a fantastic user experience. So you can see why I called this nirvana earlier. In previous Breaking Analysis segments we've laid out a map for protecting your digital identity, your passwords, your crypto wallets, how to create air gaps. It's a bloody mess. So ETR asked security pros if they thought a hybrid of access management and zero trust network could replace their PAM systems, because if you can achieve zero trust in a world with no shared credentials and real time access, a direction which Diya Jolly clearly told me Okta is headed, then in theory you can eliminate the need for privileged access management. Another way of looking at this is you do for every user what you do for PAM users and that's how you achieve zero trust. But you can see from this picture that there's more uncertainty here with nearly 50% of the sample not in agreement that this is achievable.
Practitioners in Eric Bradley's round tables tell us that you'll still need the PAM system to do things like session auditing and credential checking checkouts and other things, but much of the PAM functionality could be handled by this zero trust environment, we believe. ETR then asked the security pros how difficult it would be to replace their PAM systems and this is where it gets interesting. You can see by this picture the enthusiasm wanes quite a bit when the practitioners have to think about the challenges associated with replacing privileged access management systems with a new hybrid. Only 20% of the respondents see this as something that is easy to do, likely because they are smaller and don't have a ton of technical debt. So the question then, the obvious question, is why? What are the difficulties and challenges of replacing these systems? Here's a diagram that shows the blockers. 53% say gaps in capabilities, 26% say there's no clear ROI, i.e., too expensive, and 11% interestingly said they want to stay with best of breed solutions, presumably handling much of the integration of the bespoke capabilities on their own. Now speaking with our Eric Bradley, he shared that there's concern about rip and replace and the ability to justify that internally. There's also a significant buildup in technical debt as we talked about earlier. One CISO on an Eric Bradley ETR Insights panel explained that the big challenge Okta will face here is the inertia of entrenched systems from the likes of SailPoint, Thycotic and others. Specifically these companies have more mature stacks and have built in connectors to legacy systems over many years, and processes are wired to these systems and would be very difficult to change, with skill sets aligned as well. One practitioner told us that he went with SailPoint almost exclusively because of their ability to interface with SAP. Further he said that he believed Okta would be great at connecting to other cloud API-enabled systems.
There's a large market of legacy systems for which Okta would have to build custom integrations and that would be expensive and require a lot of engineering. Another practitioner said, "We're not implementing Okta but we strongly considered it." The reason they didn't go with Okta was the company had a lot of on-prem legacy apps and so they went with Microsoft Identity Manager, but that didn't meet the grade because the user experience was subpar. So they're still searching for a solution that can be good at both cloud and on-prem. Now a third CISO said, quote, "I've spent a lot of money writing custom connectors to SailPoint," and he stressed a lot of money. He said that several times. "So who is going to write those custom connectors for me? Will Okta do it for free? I just don't see that happening," end quote. Further this individual said, quote, "It's just not going to be an easy switch, and to be clear SailPoint is not our PAM solution. That's why we're looking at CyberArk," unquote. So the complexity and fragmentation continues. And personally I see this as a positive trend for Okta if it can converge these capabilities. Now I pressed Okta's Diya Jolly on these challenges and the difficulties of replacing the more mature stacks of the competitors. She fully admitted this was a real issue, but her answer was that Okta is betting on the future of microservices and cloud disruption. Her premise is that Okta's platform is better suited for this new application environment and they're essentially betting on organizations modernizing their application portfolios, and Okta believes that it will be ultimately a tailwind for the company. Now let's look at the age old question of best of breed versus incumbent slash integrated suite. ETR in its drill down study asked customers, when thinking about identity and access management solutions, do you prefer best of breed, an incumbent that you're already using, or the most cost efficient solution?
The respondents were asked to force rank one, two and three. And you can see incumbent just edged out best in breed with a 2.2 score versus a 2.1, with the most cost effective choice at 1.7. Now overall I would say this is good news for Okta. Yes, they faced the issues that we brought up earlier, but as digital transformations lead to modernizing much of the application portfolio with containers and microservices, Okta will be in a position, assuming it continues to innovate, to pick up much of this business. And to the point earlier where the CISO told us they're going to use both SailPoint and CyberArk, when ETR asked practitioners which vendors are in the best position to benefit from zero trust, the zero trust trend, the answers were not surprisingly all over the place. Lots of Okta came up, Zscaler came up a lot too, there's that collision course, but plenty of SailPoint, Palo Alto, Microsoft, Netskope, Thycotic, Centrify, Cisco, all over the map. So now let's look specifically at how practitioners are thinking about Okta's latest announcements. This chart shows the results of the question, are you planning to evaluate Okta's recently announced identity governance and PAM offerings? 45 to nearly 50% of the respondents either were already using or planned to evaluate, with just around 40% saying they had no plans to evaluate. So again, this is positive news for Okta in our view. A huge portion of the market is going to take a look at what Okta's doing. Combined with the underlying trends that we shared earlier related to the need for convergence, this is goodness for the company. Now, even if the blockers are too severe to overcome, Okta will be on the radar and is on the radar as you can see from this data. And as with the Microsoft MIM example, the company will be seen as increasingly strategic, Okta that is, and could get another bite at the apple. Moreover, Okta's acquisition of Auth0 is strategically important.
One of the other things Jolly told me is they see initiatives starting both from devs and then handed over to IT to implement, and then the reverse, where IT may be the starting point and then go to devs to productize the effort. The Auth0 acquisition gives Okta plays in both games because, as we've reported earlier, Okta wasn't strong with the devs. Auth0, that was their wheelhouse. Now Okta has both. Now on the one hand when you talk to practitioners they're excited about the joint capabilities and the gaps that Auth0 fills. On the other hand it takes out one of Okta's main competitors, and customers like competition. So I guess I look at it this way. Many enterprises will spend more money to save time and that's where Okta has traditionally been strong. Premium pricing, but there's clear value in that it's easier. Less resources required, skill sets are scarce, so boom, good fit. Other enterprises look at the price tag of an Okta and they actually have internal development capability, so they prefer to spend engineering time to save money. That's where Auth0 has seen its momentum. Now Todd McKinnon and company, they can have it both ways because of that acquisition. If the price of Okta classic is too high, here's a lower cost solution with Auth0 that can save you money if you have the developer talent and the time. It's a compelling advantage that's unique. Okay, let's wrap. The road to zero trust networks is long and arduous. The goal is to understand, support and enable access for different roles safely and securely across an ecosystem of consumers, employees, partners, suppliers, all the consumers of your and touch points to your security system. You've got to simplify the user experience. Today's collage of password, password management, security exposures, just not going to cut it in the digital future. Supporting users in a decentralized no-moat world, the queen has left her castle as I often say, is compulsory, but you must have federated governance.
There's always going to be room for specialists in the space, especially for industry specific solutions, for instance within healthcare, education, government, et cetera. Hybrids are the reality for companies that have any on-prem legacy apps. Now, Okta has put itself in a leadership position but it's not alone. Complexity and fragmentation will likely remain. This is a highly competitive market with lots of barriers to entry, which is both good and bad for Okta. On the one hand unseating incumbents will not be easy. On the other hand, Okta is both scaling and growing rapidly. Revenues are growing almost 50% per annum and with its convergence agenda and Auth0, it can build a nice moat to its business and keep others out. Okay, that's it for now. Remember these episodes are all available as podcasts wherever you listen, just search Breaking Analysis podcast and please subscribe. Thanks to my colleague Eric Bradley and our friends over at ETR. Check out ETR's website at ETR.plus for all the data and all the survey action. We also publish a full report every week on wikibon.com and siliconangle.com, so make sure you check that out and browse the Breaking Analysis collection. There are nearly a hundred of these episodes on a variety of topics, all available free of charge. Get in touch with me. You can email me david.vellante@siliconangle.com or @dvellante on Twitter, or comment on our LinkedIn post. This is Dave Vellante for theCUBE Insights, powered by ETR. Have a great week everybody. Stay safe, be well and we'll see you next time.