Okta Files to Go Public

Yesterday, Okta filed its S-1 with the SEC, officially marking its intent to go public. This planned IPO had been rumored in early 2016, but less than optimal capital market conditions in 2016 likely contributed to the delay. The S-1 followed last week’s news that Okta acquired Stormpath, an identity API provider based in Silicon Valley, for an undisclosed amount.

The filing is not surprising but opens a window into the financial dynamics of the identity-as-a-service (IDaaS) market. After reviewing the S-1, three main themes stand out for me:

  1. IDaaS demand is very strong. Okta’s fiscal year ends on January 31, so full-year figures are not yet available for the period ending January 31, 2017. But comparing Okta’s revenue numbers for its 2015 fiscal year with its 2016 fiscal year shows an impressive 100% year-on-year growth. A big boost in service revenue also suggests that Okta is being deployed in larger, more complex environments that require more customization and services. Over the past 18 months, Forrester has had a steadily increasing number of IDaaS-related inquiries from enterprise clients looking to deliver identity and access management (IAM) capabilities to their employees via a SaaS subscription model. Okta’s revenue growth aligns with the strong growth in demand we see from our clients.
Read more

Ping Identity Acquires UnboundID

Yesterday, Ping Identity announced it has acquired Austin, Texas-based UnboundID. Although the financial terms were not disclosed, Forrester estimates the purchase price in the $50M-$75M range, based on typical M&A SaaS revenue multiples of 6X to 8X and Forrester’s estimation of UnboundID’s annual revenue.

This acquisition is not particularly surprising, as UnboundID and Ping have had a healthy reseller relationship since April 2015, so the purchase merely consummates the existing relationship. It also demonstrates how reselling relationships can help software vendors validate how they complement each other and set the stage for a complete acquisition.

For me, there are three key takeaways from the Ping Identity/UnboundID merger:

1. Customer identity and access management (CIAM) demand is strong and growing. UnboundID’s focus on customer IAM complements Ping’s existing strengths in enterprise IAM and provides further evidence of the strong demand from today’s digital businesses to build compelling, identity-centric digital customer experiences. Forrester has seen a steady increase in the number of CIAM-related inquiries from enterprise clients looking to provide a holistic, omnichannel customer experience that doesn’t compromise on security or privacy. The Ping/UnboundID combination is now positioned to meet that growing demand.

Read more

Reflections on my First Year as an IAM Analyst

At the RSA Conference two weeks ago, a common question from both clients and former colleagues -- “So, what’s it like being an analyst?” -- led me to write this blog post.

In the interest of full disclosure, there were no massive epiphanies during my first year, but the transition from being on the vendor side for 15+ years to an analyst provided some perspectives, listed here in no specific order:

· The security industry is massive. Some former colleagues who learned of my new role often joked, “So you’ve gone to the dark side.” The irony is that analysts are actually removed from the penumbra of the four to six competitors that you obsess about when you work for a vendor. Once removed from this tunnel vision, you become more aware of the diversity of the infosecurity ecosystem. As an example, the number of exhibiting vendors at the RSA Conference is up 45% since 2014, to over 550 vendors. This reflects the ongoing vitality and demand for cybersecurity but also presents challenges to today’s security and risk professionals who have to evaluate an increasingly large and dynamic vendor landscape.

Read more

Daily Fantasy Sports Sites’ Emerging Identity Management & Verification Challenges

Recent business and sports headlines in the US have been dominated by state and federal government efforts to assess whether daily fantasy sports (DFS) sites, such as FanDuel and DraftKings, should be treated and regulated like gambling. The New York State Attorney General recently issued cease-and-desist letters against DraftKings and FanDuel to stop accepting bets in the state, stating that DFS operations are illegal gambling.

Last week, Massachusetts Attorney General Maura Healey announced a plan to allow DFS providers to operate in Massachusetts under certain provisions, such as:

· Prohibiting anyone under 21 from participating in DFS.

· Prohibiting professional athletes and other employees of pro teams from participating in DFS.

· Prohibiting employees of DFS providers from participating in games.

· Requiring DFS providers to identify “highly experienced” players on all contest platforms and offer “beginner” games that would be off limits to the more experienced players.

These provisions present a range of identity management and identity verification challenges and questions, such as:

· How will sites verify the ages of online participants?

· How will systems detect DFS employees?

Read more

Two-Factor Authentication (2FA) Companies Continue to be Attractive Acquisition Targets

Last week, Courion announced its acquisition of Nova Scotia-based SecureReset, which, through its QuickFactor product, provides mobile-based two-factor authentication (2FA). This is the fourth acquisition of a 2FA startup by an enterprise software vendor in 2015:

· Twilio acquired Authy, February 2015 (purchase price N/A).

· Salesforce acquired Toopher, April 2015 (purchase price N/A).

· Micro Focus acquired Authasas, July 2015 (purchase price N/A).

· Courion acquired SecureReset, November 2015 (purchase price N/A).

These acquisitions reflect ongoing enterprise demand for 2FA solutions as an alternative to passwords. By now, the problems with passwords are well-known: They are easy for hackers to steal in bulk, and ongoing advances in computing processing power have eroded password security.

Since a password-free world is still somewhere off in the future, two-factor authentication provides a compelling password alternative that can help mitigate security risks. The evolution toward software-based 2FA form factors running on smartphones instead of dedicated single-purpose hardware tokens has eased deployment and training costs; it has also enabled large-scale consumer deployments of two-factor authentication as a password replacement alternative. These 2015 acquisitions demonstrate the continued interest in two-factor authentication.

Read more

Are Passwords Dead? Take the Forrester Password Usage & Trends Survey!

To paraphrase the great humorist Mark Twain, rumors of the death of passwords have been greatly exaggerated. While people lament the challenges and problems posed by passwords, they remain a core authentication and security technology.

My colleague Andras Cser and I have been fielding so many client inquiries around passwords that we are undertaking a quantitative, anonymous survey of end user organizations to gauge their current password policies and usage. This online survey asks about your organization’s current password policies and challenges as well as the future role of passwords in your organization. We are also using the survey to gain perspectives on the future of passwords and how other technologies might replace passwords completely.

The survey is completely confidential, but participants who provide contact details will receive a complimentary copy of the report when it’s published later this year.

You can access the survey here:

http://forr.com/PWTrends2015

We look forward to your responses!

What A Teenaged Driver Can Teach You About Access Governance

Most parents cheerfully mark the key milestones in their child’s path to adulthood: first step, first word, first school, first sleepover, first broken bone, and so on. But for many parents, no milestone causes as much anxiety as “first-time driver,” which is bestowed on all USA-based teenagers upon their 16th birthday.

While surviving the experience of having our child become a driver may seem far removed from the world of access governance and entitlement certification, I found some parallels between managing a teenaged driver and managing the access rights and IT privileges of the end users in your organization. You can read more about it in my latest report, “Wake-Up Call: Poorly Managed Access Rights Are A Breach Waiting To Happen,” but here is a quick preview.

A common problem facing parents of teenaged drivers and IT organizations is that they have properly authorized users but often lack visibility into actual usage of those access rights. In the case of the teenaged drivers, parents often seek data around vehicle usage (Where did it go? At what time and at what speed?). For IT security professionals, organizations can no longer rely purely on static lists of authorized users and their access rights. So, just the way parents can impose mileage restrictions (reading the odometer to limit the distance a car can go in a given night) or fuel restrictions, an IT security team can supplement access governance processes with additional usage data such as:

1. Has the employee accessed the application/system during the last certification period?

2. How often did the employee use the given entitlement?

Read more

Ice Dams And Identities: Remove Dams Before They Remove You

This winter in Boston has been a record breaker. Bostonians are tired of the weather, while non-Bostonians are tired of hearing Bostonians complain about the weather. However, this never-ending winter provides a useful analogy for assessing your organization’s identity and access management (IAM) processes.

My analogy is based on two words that strike fear into many Boston-area homeowners: ice dams. Ice dams are ice structures that form on roofs, following heavy snowfall, that can cause leaks.[1]

Ice dams often dissipate naturally, but record snowfalls and persistent cold temps have exacerbated ice dams this winter.

Just as ice dams can cause leaks, “identity dams” can cause data leaks and other internal problems. Identity dams may result from reorganizations or may just be existing business processes, but they should be removed.

The challenge is overcoming complacency. Just as many homeowners hope ice dams will dissipate naturally, organizations delude themselves with “This is how we’ve always done it,” and conclude that therefore removing identity dams is not necessary. For complacent organizations, the worst case is having users become accustomed to complicated manual processes for requesting access to new applications, waiting weeks to get access to new applications, and having multiple passwords.

Organizations and homeowners should follow these three steps to minimize the potential damage caused by ice dams and identity dams:

Read more