Access controls continue to play a key role in many companies' cloud security strategies. As a result, the identity and access management market is poised to grow significantly over the next few years.
In general, cloud-based functionality moves costs from a Capex to an Opex model, while offering greater agility and faster time-to-value. The cloud identity and access management (IAM) market is estimated to be about $600 million, and projected to grow to $1 billion in 2017, said Gregg Kreizman, research VP at analyst firm Gartner. Much of that revenue will be divided between newer players, such as Okta, OneLogin, Ping Identity and Centrify, and more established companies, such as IBM, SailPoint and Salesforce.
One driver for the cloud IAM market, beyond the simple lure of cloud, is that some organizations have trouble finding the necessary skills to support on-premises IAM products, Kreizman said.
"The cloud market really got started with small- and medium-sized businesses with challenges delivering access to needed resources for their workforce using on-premises IAM," he said.
But now, cloud identity and access management tools are finding their way into larger companies, as well.
"Initially, we typically got inquiries about cloud IAM from companies with 300-600 users, but now it is often inquiries about 2,500 seats and even 10,000 seats or more," Kreizman added.
Merritt Maximsenior analyst at Forrester Research
Growth in the cloud IAM market will likely continue over the next few years, especially since the market has sort of "congealed around the two vendor types," said Merritt Maxim, senior analyst at Forrester Research. Like Kreizman, he sees two camps of cloud IAM vendors: the "born in the cloud," software as a service (SaaS) players, such as OneLogin and Centrify, and incumbent companies, like IBM, CA, Oracle or Microsoft.
The latter group is established companies that have also launched their own SaaS offerings, usually based on their on-premises IAM products.
"There is a healthy ecosystem now with a variety of architectures," Maxim said.
So, which vendors lead the cloud IAM market? It's not clear, according to Maxim. "Our surveys show that the market penetration of IAM is still fairly low -- between 40% and 50% -- so there is still a lot of whitespace out there for growth," he said
Single sign-on a big driver of cloud IAM market
Across the board, the killer user case for cloud IAM is still single sign-on -- the most in-demand model for user login. With single sign-on, a user can log in, typically through a portal, and from there access all the cloud apps she needs, such as Salesforce or Office 365.
"That is not so much a security play as a convenience play," Maxim said. "There is a security benefit, but that may not be how it comes in to the organization," he said.
In many cases, the cloud IAM market closely parallels the on-premises market of 15 years ago. Then, the driver for IAM was also single sign-on. Once organizations got that capability, they started looking into deeper features for ID management, account provisioning and verifying who has access to what.
A similar trend is playing out now in the SaaS world; users are first focused on single sign-on, with more user management and ID management features added over time. The main difference is the delivery model.
"From the end-user perspective, it all looks similar," Maxim said. "The end users might not even know if an application is on-premises or in the cloud, but they want single sign-on convenience."
Data security in the cloud
How much do you know about protecting enterprise data in the cloud? Take this quiz and find out.
Mobility, shadow IT create new cloud IAM challenges
However, single sign-on now presents more of a challenge than it did in the past, noted Garrett Bekker, senior analyst, information security at 451 Research. While IAM has evolved from an on-premises application to a cloud-based service, the world has changed, and users increasingly access corporate resources from mobile devices – many of which come from the BYOD trend.
"With mobile use cases, the idea of a corporate perimeter and inside versus outside are gone; your main control is now authentication and access controls to verify that the user is the user they claim to be," he said.
That problem is spawning a related category of offerings, according to Bekker -- namely, cloud application control or cloud access security brokers (CASBs). "Those approaches also address the shadow IT problem and can help you determine if employees or others are using unsanctioned SaaS applications that have not been vetted for security risks," said Bekker. Offerings with this kind of capability can "say 'yes' to single sign-on and 'yes' to accessing Salesforce, but 'no' with regard to certain pages that might have sensitive data," he explained.
"The starting point for the CASB [tools] is that you can't secure what you don’t know about," Bekker said. "Discovering what your employees are using is a starting point."
How to build an identity-based cloud security strategy
Avoid these seven common cloud security risks
CASB market grows amid acquisitions, investments