Welcome to the KuppingerCole Analyst Chat. I'm your host. My name is Matthias Reinwarth. I'm an analyst and advisor with KuppingerCole Analysts. My guest today is Marina Iantorno. She is a Research Analyst with KuppingerCole Analysts. Hi Marina, good to have you.
Hi, Matthias. Nice to be here. It's been a while.
Yeah, it's been a while, but it's not a full year, but we are actually trying to continue a conversation that we did almost a year ago where we talked about the developments of the markets around identity and access management, then running up to EIC 2023. And there you had a great presentation about what's happening on the market and in the markets that are related to identity and access management. And guess what, we are doing the same for EIC 2024 today. So we are looking at the recent developments regarding market developments, market growth, new topics, new four letter acronyms, and how they are developing in the market. So great to have you and let's jump right in. So when you look, as a research analyst that you are, at the broader market of identity and access management, what happened in the meantime and what are the trends that you are currently seeing?
Well, the identity access management is experiencing a rise, but it is not just now. It is something that it's been happening for a while. We talked about this last year, as you mentioned earlier. And something that is a good indicator for that is the compound annual growth rate. This metric is an accurate way to actually determine what is happening in different segments in a certain period of time. We can describe it as a kind of mean or average, let's say, of the growth or, well, tendencies or a slowdown in the market. And what we can see in the different segments within identity access management is that the compound annual growth rate is actually going on the rise in many of the markets. For example, now in identity threat detection and response, for instance, that this is a pretty new market, we see that the compound annual growth rate exceeds 20 % yearly in the period between 2022 and 2026. And we can see the same, for example, in access management. This is a good indicator saying that this market is presenting a rise. Now, the main point is that organizations and investing companies, they check on what is happening with those rates to actually make investments, break into the market, expand it. And many businesses, what they are doing is improving their security posture. There are many threats nowadays. And of course, with the rise of AI and all the sophistication and complexity of the cyber threats, it is important to escalate the use of identity access management and as well as cybersecurity, I would say.
Absolutely. And it's one thing to have the figures to see the growth. The other thing is that is where you as an analyst come in is actually interpreting that. But where does this growth come from? What are the trends behind that? And maybe... you've mentioned access management solutions are on the rise. You are working from home. I am sitting in my home studio. So we are obviously really demonstrating a trend and it's 100 % of us, you and me. So remote work is the new normality for these days. Is this something that is reflected in access management as well? So this work from anywhere trend?
Totally, because as you said, there are people who are working 100 % remote, even from different countries. And this is showing a trend in terms of companies wanting to secure their assets, secure their access, and giving the access to the proper people. Now, this robust growth that we see, actually indicates that the companies are investing in scalable solutions because what is happening is, as you said, people are working from everywhere and even from different regions. So for example, let's say that your company is based in the U.S. and maybe you have employees who are working in Europe or in the U.K. or in Latin America. And in that sense, it is important to actually maintain strict security controls. Now, the trend is going towards different techniques, let's say we can say, for example, a multifactor authentication, passwordless, single sign on. And well, of course, adapting the policies, not to what is happening now, especially if we talk about the use of AI, what is the data that can be shared and with whom. This is what is driving the growth in this market.
Right. And you've mentioned that also in your introduction, when you said which markets you are covering right now, I had an episode of this podcast just last week or a few weeks ago, I think it was last week with our colleague, Mike Neuenschwander, and he introduced me to yet another four letter acronym. It's ITDR, identity threat... and you know the acronym much better than I do. So detection and response, of course it is. So this is a new market, but it's really not. It's a new combination of technologies that are combined to each other to also reflect the trend that you just mentioned. People are working from anywhere and this increases the attack surface. So dealing with this in this work from anywhere scenario demands for a new product market and a new set of technologies. Can you discuss, when you look at the market figures, the increased importance of ITDR solutions in this cybersecurity market? Because it goes beyond IAM.
Yes, of course. As you mentioned, this is a new segment or we can call it a new segment because it's directing the efforts to identify very fast, detect and respond in a fast way. So then there are no alterations or minimum alterations in terms of operations, for example, or minimal impact. Now, the thing is ITDR solutions are now, let's say in the mode, everyone is talking about this because the market is actually starting as such. The techniques or the, well, the technologies were actually already in use, but now this is becoming a market itself. And what we can see is that the compound annual of growth rate is almost 30 %. We see it's like 28.6 which shows that there is a constant rise coming here with this market. Now, why this is important and why this is becoming a market or a segment? And this is because in the digital environment that we have today with people working from everywhere, with companies switching from... let's say, on-site to online and even with digital, for example, retail opportunities or in the financial sector or in multiple industries, we can see that identity-related breaches are very common because the only thing that you need to be a target is being online. And ITDR offers a proactive perspective on this. And it is not just about detecting the threats, as the name is actually indicating, but it is also including new techniques or new technologies, like for example, advanced analytics. The importance of the data is actually something that we have to consider. I dare to say that eventually the synthetic data will overshadow the real data that we have because it will be very risky to use the original data, for example, in open sources like in Python. And if you want to use new technologies, you need to actually use machine learning, deep learning, artificial intelligence, and all these technologies could actually help to identify anomalies and potential threats. 
And usually what is happening with the ITDR solutions is that companies can detect the threats before they cause any harm in the organizations. And this is why ITDR is gaining importance in the market. Now, these trends that we can see here shows that there is a growing recognition from organizations to actually dedicate efforts to the threat detection, to respond to the threats, and to focus on identities that are fundamental to a whole cybersecurity strategy. Because as we said, there are many things going on, and it is important to protect the digital assets of the company.
Right, and you've mentioned many of these modern and up-to-date state-of-the-art technologies. You've mentioned machine learning. You've mentioned preparing for all these new kinds of threats. On the other hand, it's 2024, and I thought this might be something that we can skip for this year, but we cannot. We need to talk about email. We need to talk about email security. And we, of course, are talking about phishing, about ransomware, about attacks via email, because this technology, email, everything that's below there is implicitly insecure. So that needs to be work done. So critical concern for business in email security. Is this still a growing market because of phishing, ransomware, and all of us regularly falling victims to these attacks that come in?
Well, there are many things going on in this sense. As you said, ransomware and phishing were the nightmare of many organizations in the last years. We presented with Christopher in the last cyberevolution event a survey that we conducted and we compared what was happening within the threats and what were the attacks that were threatening them the most to organizations and ransomware was like at the very top. But now there are many cybersecurity awareness training, people in different levels in the organization are actually learning on how to be preventive, let's say. But still, email security is a market that has certain, let's say, importance in this sense, especially because... we need to understand that even though this is a mature market, still emails are a good target for attackers. And there is a steady growth that we can see. For example, the compound annual of growth rate of this market is 14.2 %, which is actually pretty good considering that this market is in the mature level. Now, the attacks that you mentioned, the ransomware and phishing, often compromise the emails. And the problem here is if there is a breach, not only the companies that are actually failing to comply with GDPR regulations or well, other data protection regulations, but also it could mean a reputational damage. We know already several organizations who face this kind of problems and it was very hard for them to actually recover after that. So email security is actually very important to defend the organizations from the sophisticated email attacks. And by doing so, by actually responding and filtering and doing like a threat intelligence, let's say, companies can actually prevent. What is happening now with the use of AI, for example, is that there is a valid identification on the emails that are coming from dangerous addresses. And we can even see in the open source emails, for example, Gmail.
You can see in a spam some emails that are coming from addresses that are targeting people to actually attack the user. So imagine what is happening in organizations. So having a proper email security solution could be saving, let's say, the reputation and a lot of loss for organizations. So I believe that this market is still relevant and it will keep growing. There is a steady growth here that we can see.
Absolutely. I understand that growth and I understand the risks that go with that. But nevertheless, I want to turn away from this dark side of IT to move over back to the shiny bright side of what IAM can provide. So when it comes to this growth across the IAM sector, and again, we are moving towards EIC 2024, quick hint, June 4th to June 7th in Berlin, what are the key strategies that businesses are adopting to ensure that they remain ahead of the curve when it comes to IAM, so to be faster than the competition, but also to leverage more interesting, more creative, more emerging technologies earlier than others.
Well, it is important to understand that organizations are not focusing only on one solution. Businesses are taking multifaceted approach, let's say. And organizations are investing in scalable solutions. So they try to offer a comprehensive coverage across different identity types, including consumers, employees, machines. And this is why decentralized identity and CIAM gain importance in the market. So there is a clear push towards integrating advanced technologies like artificial intelligence, as we mentioned before, to predict and prevent breaches. And the companies are focusing on creating a better experience as well for the users. So then it is something easy for the users and it doesn't compromise the security, which is actually the main point in maintaining the productivity and the user satisfaction.
Right. And you've mentioned that already before, these are also markets that are not really clearly delineated. So there are overlaps, there are technologies that are in use and who can describe this much better than we can, as KuppingerCole with the Identity Fabric, combining all these concepts into one overall overlapping picture. So how do you see these markets, for example, ITDR for more on the cybersecurity side of things for protecting identities and their access and consumer identity on the other hand, traditional IGA and access management on the real time access provisioning side of things. How do these things influence each other? And do you see that also reflected in the figures already?
Yes. Well, if we see, for example, ITDR that is growing, the integration is driving a more holistic or a more comprehensive approach to the security. So then it encouraged the convergence between access management, CIAM and other solutions that will contribute to the threat detection. So the market data that we see, it's reflecting this trend. So it's reflecting that there is a growth here and it indicates that each segment is actually growing on its own. But there is an overlap in the solutions required by the organizations. Now, the companies are not looking only at ITDR in isolation, because as I said before, they are doing a multiple approach. So then they are embedding these capabilities into their identity access management solutions with the idea of an integrated security platform that covers all the aspects of identity protection.
Right, when it comes to the drivers behind that, to make sure that we understand why people are doing this. And this is the question, I'm an advisor, I talk to end user companies, large ones, medium sized ones. Usually the question is, why should I do that? Why should I do IAM? Why I should be better there? And the most common answer is, because I have to, because I have to be compliant, I need to follow this next big regulation, be it DORA in financial industries, be it NIS2 for many, many others that could not consider themselves to be critical before or critical infrastructure, but they are now under that umbrella. So many are doing that for regulatory compliance purposes. How much does that really influence these figures? Or are people also thinking about business enablement, new technologies being better, faster in providing the right solutions. Is it really just compliance? Is it just the law? Is it just because they have to?
Well, it is appropriate to say they have to or they must. Regulatory compliance now, it's part of the digital environment. We like it or not, it is there. And the idea is that there should be some limitations and some rights to protect the users and organizations' data. So governments are implementing stricter data protection regulations in the world, actually. Europe started with the GDPR, but then we have this CCPA, for example, in California, and there are other regulations as well around the world. Now, this is actually pushing the market towards more advanced solutions. And the idea would be to have solutions that are capable of providing detail access log, robust access control, comprehensive audit trails. Compliance is not just about legality. As you said, okay, they have to. But it is also something important for the customer trust because organizations or customers that actually see that companies have certain certification or they comply with the regulations would actually trust better in these vendors. And there are several certifications nowadays that can prove that organizations are complying with the regulations. And I believe that this is, let's say, a stamp of quality as well.
Exactly. I did a presentation on Zero Trust and the impact of strong, reliable identities on the availability and the quality of Zero Trust earlier this year in Vienna. And the question then was raised, are we doing all this IAM stuff for Zero Trust? So it was just the other way around. So I said, no, it's also really beneficial. Everything that you do for Zero Trust in terms of identity and access management, making that stronger, increasing the trust in authentication and authorization, that also helps you in being compliant to the regulations. So that was the other way around. And I think that that's the bigger story, the better story to tell. Everything that you do for your compliance will also help you in, as you said, demonstrating strong cybersecurity, demonstrating compliance, demonstrating adherence to privacy regulations and protecting customer data, for example. So this is all part of a bigger picture that needs to be understood. It's not only regulation, but they are a good driver when it comes to vendors selling products.
Absolutely. It's a kind of retrofitting, you know, if you think about that, as you mentioned. So it is good for your organization, it is good for the customer, and you also are complying with the regulations of the country or the regions where you are operating. So in the end, it is necessary.
Right. And I think when we did this last year, I asked the same question that I will ask right now for the final questions. Having a research analyst, understanding the figures, looking at the markers, doing predictions in that podcast episode. Of course, I need to ask you for your big crystal ball to look into it and to say what will happen in these segments that we just talked about, or maybe some that we did not talk about in the next five years, beyond the current forecast period. Do you dare?
Well, it is very challenging to predict the future, as you say. It's like looking at the crystal ball. But what we see is that these segments suggest that there will be an increasing emphasis on identity-centric security in the coming years. Now, we might see a further version, for example, of artificial intelligence and machine learning with access management and with ITDR. And AI is still growing. So now we are in the very beginning of this journey. And the idea would be to integrate artificial intelligence technologies to the existing technologies, and then we can predict the threats more accurately. I believe that this is what will happen. And the rise of quantum computing cloud also would introduce both new risks and solutions. So the constant rule here is that as long as cybersecurity threats evolve, so then the solutions will always evolve. And because there should be new solutions or new technologies that fight against these new threats.
Exactly. And if I think of what I will be doing at EIC, I will be doing a moderation for a whole day on decentralized identity and the standardization efforts that are going on in there. We will do a two hours introductory workshop on, guess what, decentralized identity. So this is a topic on the rise. It is not yet well reflected within the figure. So it's an emerging market, but I expect that to be a really, really big market and maybe it shows up in the figures next year. When we look at the topics at EIC, Marina, you will be there, I will be there. What are topics that are you looking forward to? Are these the ones that you just mentioned? So ITDR, CIAM, or what else are you looking at when we meet in Berlin in June?
Yes, well, these topics for sure will be there, but also I will be moderating a track that is upgrade reality. And this upgrade reality will focus mostly on artificial intelligence and the impact of artificial intelligence in all these technologies and in different sectors. So I'm super looking forward to it. And I really hope we can meet some of our audience there.
Absolutely. Looking really forward to that. So we will cover everything from boring email security to really shiny AI decentralized identity. So the full scope of topics will be there at EIC. We'll have lots of experts. It will be the biggest EIC ever, of course. So I'm really looking forward to seeing you there. I'm really looking forward to the audience maybe being there. If you see us there, if you can catch us there and you've been watching this episode, reach out to Marina or to me just to make sure that you can raise your questions, but you don't have to wait for Berlin. You can leave your questions, your comments everywhere you are listening to that podcast. Otherwise, just reach out to us by mail or via social media. We are at LinkedIn and almost everywhere anyway. So Marina...
We are reachable.
- we are reachable and you can communicate with us. You don't have to send mails. And if you send mails, we of course will check them for security and we will not click on phishing links. But reach out to us. We are happy to answer your question and get in touch and really looking forward to socializing just with the people at EIC and with our audience if you are there. Thanks Marina for being my guest today. We will do that in one year, I think again. But in the meantime, let's start with doing EIC and doing cyberevolution later that year. And yeah, thank you for being my guest today, Marina.
Thank you, Matthias. It was my pleasure. Have a great day.
Thank you very much. Bye bye.