Full Report - OKTA - Defining An Industry (1/3)
At a modest valuation, there is huge room for OKTA to continue to grow as the sector-defining vendor.
This is the edited version originally from the discussion within Convequity on 30th Jun 2021.
Sources of Alpha: Complexity of the Business
Expected Price Appreciation: 110% from $220 within 3 years
A brief review of the mega trends propelling Identity Management to growing importance within the cybersecurity industry.
OKTA’s CEO & Founder, Todd McKinnon, has a grandiose and differentiated vision for the role of identity and aims for OKTA to define the industry’s standards.
A technical dive into the progression of identity and how it works.
An assessment of OKTA’s dominance in its core IAM market and likely success entering into neighbouring IGA and PAM markets.
We expect high growth, improving profitability, and gradual multiple contraction to generate market-beating investor returns over a long horizon.
Year founded: 2009
Headquarters: San Francisco
IPO date: 7th April 2017
Overall market: Identity Management. Size estimated to be around $80bn. At a high-level the market is divided in Workforce Identity ($50bn) and Customer Identity ($30bn). Identity is rapidly growing in importance within the cybersecurity industry.
Sub-Markets: Okta’s (OKTA) core market is in Workforce Identity. They rose to success in delivering Identity & Access Management (IAM), a market worth an estimated $35bn. OKTA has recently announced they’ll be entering into neighbouring workforce identity markets with full suites within the next few quarters – Identity Governance & Administration (IGA) and Privileged Access Management (PAM), estimated to be worth c. $8bn and $7bn, respectively. They’ve also recently made a strong move into Customer Identity (CIAM) by acquiring a market leader.
Competitors: The main private IAM rivals are OneLogin and ForgeRock. The main public IAM rivals are Microsoft and Ping Identity. The main IGA rival is SailPoint (public). The main PAM rival is CyberArk (public).
M&A: In March 2021, OKTA bought market-leading CIAM provider Auth0 for $6.5bn, all paid for in stock.
Market cap, Share Price, & P/S: $37.3bn, $245/share, 42x.
Valuation: Our Enterprise DCF valuation has produced an intrinsic value of $469/share. We think a 2-to-3-year timeframe for this is achievable. For more detail, please see the Valuation section.
In recent years, OKTA has emerged as the leader in IAM. They came to market with a divergent cloud-centric approach that offered enterprises an easier, more streamlined, more secure, and more cost-effective solution than the legacy on-prem IAM systems managed by Oracle and IBM. Being the first to fully leverage the cloud to deliver better IAM has given them first-mover advantages that are hard for rivals to overcome. And by building their entire software stack on open standards such as SAML, OAuth, and OpenID Connect, whereas competitors are primarily focused on proprietary source code or are entangled with legacy formats, OKTA has a tremendous sustainable advantage in terms of integration and extensibility. Integration means that connecting their software with others is easier, and extensibility means that their software is designed to accommodate continual change. Therefore, we view OKTA as nimbly adapting to the dynamic world of cybersecurity, and the probability that OKTA will ever become a legacy software player is extremely low.
OKTA has grown to be known as the outright leader in IAM and now they are planning ventures into neighbouring markets – IGA, PAM, and CIAM. The WFH conditions have expedited the importance of IGA and PAM; however, just like IAM back in the early 2010s, they are dominated by legacy players – SailPoint (NYSE:SAIL) and CyberArk (NASDAQ:CYBR), respectively. We expect OKTA’s cloud-first and divergent approach to IGA and PAM will outcompete these two legacy providers, which have been far too slow in adapting to the cloud.
CIAM is a complete greenfield market opportunity. The main competition is that of enterprises’ own IT pride and the determination to build something in-house. Auth0 is a software platform that empowers developers to build their own apps and systems in a much easier fashion, with the management of customer identity at its core. Customer identity has been thrust into the spotlight recently, as social distancing has caused consumers to demand better experiences online to compensate. Responding to this, organizations are looking for ways to enhance user experiences whilst delivering the highest levels of security and remaining compliant. Customer identity and access management, or CIAM, is designed to achieve this by bridging security and seamless user experience – and Auth0 are simply the best at doing this. And Auth0’s and OKTA’s software approaches, Go-to-Market (GTM) strategies, and complementary skill sets will make the deal a huge success, in our opinion.
Intro to Identity
Identity management is all about making access to apps/websites/systems easier for the user and more difficult for bad actors. It’s also about unburdening IT admins of voluminous, repetitive tasks so they can refocus on higher-value-adding activities for their organizations.
As COVID-19 triggered the WFH trend, identity has taken on a new level of importance. It has been emphasized that the best way to protect a corporation’s customers, employees, and data amid distributed business environments is to protect user identities and make sure people are only accessing the data that they are entitled to. Identity has become integral to various cybersecurity trends and is critical in seamlessly bridging security and user experience.
There are various mega trends that are thrusting the role of identity into the spotlight, today and into the future. These will be strong tailwinds for broad-scale consolidator identity providers, like OKTA, as well as for emerging BoB niche players.
Without the emergence of cloud computing, identity management would have remained a niche area of cybersecurity. It is only because of cloud computing that organizations can scale their apps and websites to billions of users dispersed around the globe. However, the shift to cloud computing and the explosion of SaaS and internal apps has led to widespread improper access levels – basically, too many people were given too many privileges to too many things. This was an easier topic to address in narrower computing environments. Technologies like Cloud Access Security Brokers (CASB) and zero trust are solutions to these problems; however, they need to work in conjunction with identity providers to deliver effective security. So, as we are still relatively early on in the cloud transformation journey, expect demand for identity management solutions to grow in lockstep with cloud adoption – well, in fact, at a faster rate in order for security to catch up.
When the world suddenly switched to remote work, companies made a beeline for VPN solutions. They served a purpose as a quick fix, but they contain inherent security weaknesses and degrade the user experience. They are commonly the weakest link that leads to data breaches.
VPNs tunnel remote employees’ connection into the private corporate network - this poses a couple of problems.
1) They give access to the entire corporate network, meaning if a cybercriminal hacked the connection, they would gain access to traverse the whole network and snoop around for valuable data.
2) If the remote employee wants to connect to SaaS apps, then connecting to the corporate network before being backhauled to the public cloud adds latency and degrades user experience.
Zero trust, which is predicated on identity, resolves these problems by only giving employees access to the apps they want to use, not the entire corporate network. Secondly, zero trust provides direct-to-cloud connectivity to SaaS apps, thereby improving latency and user experience.
Many security and productivity issues during the depths of the pandemic were a result of VPN solutions and our research suggests only a small proportion have decided to alleviate the issues with a zero trust architecture.
The core principle of zero trust is to approach each and every counterparty to a connection as untrustworthy until identities (users, apps, machines, etc.) have been authenticated. Therefore, it’s clear to see why zero trust is dependent on identity management. Expect BoB identity names to prosper in the next few years.
OKTA is an ideal stock for exposure to the zero trust trend. Most identity providers interoperate with zero trust providers, but OKTA has its own embedded solution, which gives it a material advantage. It’s noteworthy that many zero-trust providers also build their software with OKTA as the top integration priority. So, OKTA is grabbing the zero-trust market from many angles.
Catalyzed by regulations such as GDPR, HIPAA, PCI, and CCPA, data privacy is a topic of increasing importance and complexity that organizations need to continually keep on top of. Again, user identity is the key piece of information that ties all the requirements together in order to be compliant. Identity providers are in an advantageous position to not only efficiently comply themselves, but also to assist customers and partners remain compliant.
Since the pandemic there has been renewed focus on improving the online customer experience (CX) or user experience (commonly referred to as UX to encompass employees as well). This has been brought to the fore to compensate for the limited in-person service interactions customers/users can have during social distancing.
Identity management is pivotal for companies to deliver streamlined and secure experiences to customers/users – it is the bridge between experience and security. Also, various lines of business will begin using data managed by identity providers to enhance experiences and generate greater revenue. OKTA’s acquisition of Auth0 is a crucial strategic move to capitalize on these trends. The complexity of omnichannel communications is compelling companies to create unique customer engagement systems which require customized identity solutions – a perfect backdrop for OKTA and Auth0.
Biden’s Executive Order for Cybersecurity
In May-21, President Biden released an executive order pushing federal agencies to strengthen their security posture with various technologies including zero trust architectures and Multifactor Authentication (MFA). OKTA currently has FedRAMP Moderate Authorization and has High Authorization on the near-term roadmap. Therefore, this is a long tail of incremental growth for OKTA and other BoB identity providers.
Following the SolarWinds attack, unveiled in Dec-20, there is a long-tail of incremental growth for the cybersecurity industry. The attack emphasized the systemic issues embedded in many organizations’ security posture, and will not be resolved simply by purchasing more defenses or changing vendors. Consultations, assessments, and responses have been underway but the process will be drawn out as the security revamps require organization-wide reviews. Therefore, expect broad enterprise demand tailwinds as we move into the second half of 2021 and beyond.
Continuous Adaptive Risk & Trust Assessment, aka CARTA, is an emerging framework for corporations to balance security and user experience. Binary decisions related to black and white lists (websites, signatures, etc.) and denying or allowing access are suboptimal in the new dispersed digital world. CARTA pertains to real-time monitoring of threats and applying various contextual data (user, device, browser, location, time, etc.) to continually assess risk levels for every connection and event and permit access accordingly. For example, if there is unusual user behaviour (a different time of access) but everything else looks like baseline behaviour, then the CARTA system may allow instantaneous limited access to protect the data whilst maintaining a satisfactory user experience, and then reinstate full privileges once the user has completed MFA.
Identity and zero trust are at the heart of CARTA. As the industry evolves companies will expand their identity and zero trust solutions into comprehensive CARTA frameworks. By default, OKTA will benefit from the growing recognition of CARTA, however, we see that they could go a step further by padding out their technology into a fully-fledged CARTA platform to further differentiate themselves within the cybersecurity industry.
OKTA’s CEO & Founder, Todd McKinnon, has a vision that eclipses those of the leaders of all other identity players we’ve reviewed. His vision is to cement OKTA as the primary cloud of computing and define the identity standard. Identity has long been a peripheral aspect of security; however, the shifting landscape, expedited by COVID-19, is changing that perception.
We agree with McKinnon that identity is on the path to being the nucleus of security operations that also provides the bridge for seamless user experiences. With this in mind, having identity as the primary cloud that seamlessly connects across a distributed and multi-cloud environment is very believable. In essence, identity management will become the centre of computer networks and enable all business functions to be more productive.
McKinnon has also discussed how he intends OKTA to be the most connected and easiest-to-work-with company around. In effect, he aims for OKTA to be at the heart of digital operations but at the same time be invisible. No other identity CEOs are describing their vision like this.
Identity & Access: A Brief History
In the early days of the Internet, identity use cases pertained to one-dimensional authentication only. Users inputted their username and password into an online form, the server would check for a match in the database, and grant or deny access accordingly. This flow applied to consumers accessing online accounts and employees accessing internal company systems/applications alike. And the only protocols necessary for such rudimentary authentication were HTTP and ethernet.
In the 2000s, however, use cases became increasingly complex. In 2002, the Security Assertion Markup Language, or SAML, was introduced to enable a Single Sign-On (SSO) framework to authenticate the identity of employees accessing multiple internal company systems. Then, in 2007, the advent of the iPhone caused developers to rethink authentication for various reasons, including the fact that cookies didn’t work as well on mobile devices as they did in the desktop browser. Around the same time, socially-oriented online companies made the first attempts at gaining user permission, or authorization, so they could leverage their users’ contact lists from elsewhere.
Yelp were one of the first companies to leverage the pre-existing contact lists of their new users, but did it in a really bad way. Yelp asked their users for permission to use their Hotmail/Yahoo/Gmail email address and password so they could access the users’ contact lists. They would literally log in to user email accounts to collect contacts, on the promise that they would not store the credentials afterwards.
Figure 1 - The First Attempts at Authorization
Clearly, from many angles, this is not a secure way to access users’ contacts stored with 3rd parties. OAuth was an open protocol introduced in 2006 designed to add security to this authorization process. Instead of Yelp going to Google and logging into Gmail accounts, it entailed:
Yelp redirecting the user to Google servers (with a callback attached).
Then, Google confirming the user agrees to sharing their contacts with Yelp.
Upon user permission, Google sends the user back to Yelp (using the callback) with an access token.
Then, Yelp connects to the Google servers showing the access token.
Google verifies the access token.
And upon verification, Google sends Yelp the user’s contact list.
This is a much more secure way to share contact lists because Yelp (or any other socially-oriented vendor) is never given the email account password.
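The six-step exchange above, modelled end to end as an added example (this is illustrative code, not Yelp’s, Google’s or OKTA’s). Yelp is the OAuth client, Google plays both the authorization server and the contacts API, and everything runs in one process with constructed hostnames, a constructed client registration and a constructed contact list. Two details go slightly beyond the text: the callback URL is checked against a pre-registered value so a token is only ever sent back to Yelp’s own callback, and a random `state` value ties the callback to the session that started it; both are assumptions about good practice rather than part of the page’s description.

```python
"""Minimal in-process model of the OAuth-style contact-sharing flow.
Added example: names, URLs, client registration and contacts are constructed."""
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

CONTACTS_SCOPE = "contacts.read"


class GoogleAuthServer:
    """Authorization server plus the contacts resource (the 'Google side')."""

    def __init__(self):
        # Assumption: Yelp pre-registered its client_id and its exact callback URL.
        self.registered_clients = {"yelp-client-id": "https://yelp.example/callback"}
        self.tokens = {}  # sha256(token) -> (user, scope, expiry); raw tokens are not stored
        # Constructed sample data served by the contacts API.
        self.contacts = {"alice@gmail.example": ["bob@example.org", "carol@example.org"]}

    def authorize(self, request_url, user, user_consents):
        """Steps 1-3: receive the redirect, confirm consent, send the user back."""
        q = {k: v[0] for k, v in parse_qs(urlparse(request_url).query).items()}
        callback = self.registered_clients.get(q.get("client_id"))
        # Only send tokens to the callback registered for this client,
        # never to an arbitrary URL supplied in the request.
        if callback is None or q.get("redirect_uri") != callback:
            raise ValueError("unknown client or unregistered callback")
        if not user_consents:
            return callback + "?" + urlencode({"error": "access_denied", "state": q["state"]})
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.tokens[digest] = (user, q["scope"], time.time() + 600)  # short-lived token
        return callback + "?" + urlencode({"access_token": token, "state": q["state"]})

    def get_contacts(self, access_token):
        """Steps 4-6: verify the presented token, then release the contacts."""
        entry = self.tokens.get(hashlib.sha256(access_token.encode()).hexdigest())
        if entry is None:
            raise PermissionError("invalid token")
        user, scope, expiry = entry
        if time.time() > expiry or scope != CONTACTS_SCOPE:
            raise PermissionError("token expired or wrong scope")
        return list(self.contacts[user])


class YelpClient:
    """The OAuth client; it never sees the user's Gmail password."""

    def __init__(self):
        self.client_id = "yelp-client-id"
        self.callback = "https://yelp.example/callback"
        self.pending_state = None

    def start(self):
        """Step 1: redirect the user to Google with our callback attached."""
        self.pending_state = secrets.token_urlsafe(16)  # ties the callback to this session
        params = {"client_id": self.client_id, "redirect_uri": self.callback,
                  "scope": CONTACTS_SCOPE, "state": self.pending_state}
        return "https://accounts.google.example/o/oauth2/auth?" + urlencode(params)

    def finish(self, callback_url):
        """Step 3 (client side): read the token from the callback, checking it is ours."""
        q = {k: v[0] for k, v in parse_qs(urlparse(callback_url).query).items()}
        if q.get("state") != self.pending_state:
            raise ValueError("state mismatch: callback did not come from our redirect")
        if "access_token" not in q:
            raise PermissionError(q.get("error", "no token issued"))
        return q["access_token"]


def import_contacts(user="alice@gmail.example", consents=True):
    """Run the whole exchange and return the contacts Yelp obtained."""
    google, yelp = GoogleAuthServer(), YelpClient()
    redirect = yelp.start()                                # Yelp -> user -> Google
    callback = google.authorize(redirect, user, consents)  # Google -> user -> Yelp
    token = yelp.finish(callback)                          # Yelp extracts the token
    return google.get_contacts(token)                      # Yelp presents the token


def denied_flow_is_rejected():
    """Failure mode: the user declines consent, so no token is ever issued."""
    try:
        import_contacts(consents=False)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print(import_contacts())
```

Note that the resource server keys its token table by a hash of the token and checks scope and expiry before releasing anything, so a leaked copy of the table alone does not yield usable credentials and a contacts token cannot be reused for another purpose.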
You may notice how the concept of SAML (corporate network SSO) and the OAuth protocol (gaining authorization across the web) provided a springboard to how SaaS-based SSO is conducted today. There have been some problems en route to modern SSO, however. SAML has always been a tricky protocol for developers to work with and isn’t ideal for the internet. And OAuth became a victim of its own success, because subsequently it was widely used for other use cases that it wasn’t designed for. Eventually, OAuth was applied to authentication as much as it was to authorization. But as OAuth isn’t able to collect identity data, related to user and device, to complete authentication, there were a few years whereby developers came up with complex, ad hoc workarounds.
In 2014, OpenID Connect was another open protocol introduced to resolve the headaches involving 3rd-party authentication. In essence, it is a protocol layered on top of OAuth that only adds c. 10% extra code for the developer, but provides a standardized way of letting users securely access their account with a different account’s login credentials.
And it is the combination of SAML, OAuth and OpenID Connect that enables the likes of OKTA to provide enterprises and consumers with SSO technologies, and in effect created both the IAM and CIAM markets.
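What OpenID Connect layers on top of OAuth is the ID token: a signed JSON Web Token carrying identity claims that the relying party can verify, which is exactly the identity data plain OAuth lacks. The following added example (not code from the page or from any vendor it discusses) mints an ID token for a hypothetical identity provider and validates it on the relying-party side, checking the signature, issuer, audience, expiry and nonce. For self-containment it signs with HS256 and a constructed shared secret; production providers publish asymmetric keys (RS256 and similar) so that the client can verify without being able to forge.

```python
"""Mint and validate an OpenID Connect ID token (compact JWT, HS256).
Added example; the issuer, client id and secret are constructed for illustration."""
import base64
import hashlib
import hmac
import json
import time

ISSUER = "https://idp.example"      # assumed identity provider
CLIENT_ID = "yelp-client-id"        # assumed relying party (the 'aud' claim)
SECRET = b"constructed-demo-secret"  # stand-in for a real signing key


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input: str) -> bytes:
    return hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()


def mint_id_token(subject, nonce, now=None, ttl=300):
    """Identity-provider side: issue a token binding a user to this client and nonce."""
    now = int(time.time() if now is None else now)
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "sub": subject, "aud": CLIENT_ID,
              "iat": now, "exp": now + ttl, "nonce": nonce}
    compact = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(claims)
    return signing_input + "." + _b64url(_sign(signing_input))


def validate_id_token(token, expected_nonce, now=None):
    """Relying-party side: return the authenticated subject or raise ValueError."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":  # pin the algorithm; never accept 'none'
        raise ValueError("unexpected alg")
    if not hmac.compare_digest(_sign(f"{h}.{p}"), _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != CLIENT_ID:
        raise ValueError("token issued for another client")
    if now >= claims.get("exp", 0):
        raise ValueError("expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    return claims["sub"]


def validation_error(token, expected_nonce, now=None):
    """Helper for tests and logging: the rejection reason, or None if the token is valid."""
    try:
        validate_id_token(token, expected_nonce, now)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    tok = mint_id_token("alice", nonce="n1")
    print(validate_id_token(tok, expected_nonce="n1"))  # prints: alice
```

The nonce is generated by the client when it starts the login and sent along with the authorization request; checking that it comes back inside the signed token is what stops a captured ID token from being replayed into a different session.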
The following diagram attempts to summarize the aforementioned. Apologies for the font size; if you want a closer look, I’ll send you an email. Ask me at email@example.com.
Figure 2 – Evolution of Use Cases for Authentication & Authorization
An SSO provider gives users a single interface to log in once and access all their applications. They utilize SAML and OpenID Connect to authenticate the user for each app they’re accessing, and they utilize OAuth to make sure the user is properly authorized and can only work with data that has been scoped out to them. SSO technology greatly enhances the productivity of both IT admins and the general workforce. It liberates IT admins from repetitive low-value tasks such as password resets so they can deliver more value to their employers, and by removing multiple logins each day, employees become more engaged and productive.
SSO technology streamlines access to apps but doesn’t address the threat of passwords being compromised. Notwithstanding strong password principles, hackers are employing increasingly sophisticated twists on brute force attacks, phishing, malware keyloggers, and offline cracking to get the passwords. Multifactor Authentication (MFA) is a layer of security to thwart the bad actors’ attempts at finding the passwords. MFA requires the user to verify another identity factor such as inputting an OTP code sent to their mobile device, answering a secret question, or using biometric information (fingerprint, facial recognition).
SSO and MFA form the core of the IAM industry, as together they facilitate speedy access, appropriate authorization, and high levels of security.
Home-Grown IAM Solutions?
Given the complexity behind IAM, it is very difficult for businesses to develop home-grown solutions. Not only does it require ample resources to launch an IAM system, but keeping things up to date with regard to password hashing standards and regulations for storing users’ information (GDPR, CCPA, HIPAA etc.) is extremely time-consuming. Furthermore, adding to the troubles of IT departments attempting to build something in-house is the substantial fuzziness of the OAuth spec and the abundance of overly complicated jargon and contradictory advice online. It’s hard to imagine any organization producing a higher ROI by operating a home-grown IAM system compared to using a specialist provider like OKTA.
This complexity is a very strong tailwind for the future growth of the IAM industry. The sudden shift to highly dispersed work environments has forced organizations to adopt IAM frameworks, however, they simply don’t have the in-house resources and expertise to run it themselves.