Preview: Part 2 – Okta Deep Dive Refresh
Okta and Saviynt are destined to dominate IGA, a market becoming increasingly integral for hybrid and distributed enterprises.
In Part 1 of the Okta Deep Refresh, we revisited the broad tailwinds supporting the long-term Okta bull case. We also discussed the recent share price performance, the current valuation, and speculated on the near-term investor considerations. Additionally, we examined the 4Q23 results and guidance and then reassessed Okta’s competitive positioning in its core market of IAM.
This is a 1400-word preview of Part 2 for our Substack subs. In Part 2 we evaluate Okta’s prospects in IGA, a new and adjacent market to its core IAM.
For the full Part 2 and Part 1 reports, click the link to visit our website. Institutional investors interested in a chat about Okta should feel free to book a 30-minute call with us to discuss. Alternatively, send an email to jordan@m.convequity.com to share your research/information requirements. The preview is below.
Investor Note
For public investors contemplating exposure to the IGA market, Okta is the best and really the only option. Following Okta's recent rally from November lows, we wouldn't say the stock is cheap right now. The rally galvanised by the company's 5% layoffs is probably overdone, as in comparison to other software restructures, the changes are pretty tame. In our opinion, it is trading at the lower end of the fair value range, and given its long-term prospects, buying dips is probably the ideal way to manage a long-term investment in Okta.
For private investors, whether VCs, PEs, or investors interested in secondaries, Saviynt is the best choice. It is a less hyped name but is one of the two best choices for IGA, a market becoming increasingly important for hybrid and distributed enterprises.
Okta’s advantages in its core IAM market will serve it well in its new venture into IGA. Its platform-agnostic and cloud-native approach, rich integration ecosystem, and BoB user experience are going to be key attributes and make it the ideal IGA choice for enterprises executing a cloud-first and/or multicloud strategy.
Saviynt has deep expertise in IGA and has leading capabilities in machine and workload identities, which is a nascent but extremely innovative and high-growth area of IGA. With this in mind, we expect Saviynt to experience a longer tail of high growth over the coming years.
IGA
Building a good IGA solution is very challenging because of the intricacies involved. It must serve enterprises that have thousands of user identities with a mix of employees constantly joining, leaving, or changing roles, and also manage the identities of contractors and partners. Additionally, IGA vendors must enable IT admins with granular access control, whether it be RBAC, ABAC, PBAC, or a hybrid of all three, in order to deliver the least-privilege access model, which is key for an effective overall Zero Trust Architecture implementation.
In terms of market share, IGA is still dominated by legacy solutions. This is because they have historically been such sticky on-prem deployments. They need to integrate with Active Directory, IAM & PAM systems, HR systems, applications, and the cloud. The breadth and depth of IGA, along with the on-prem stickiness, is why a newer cloud-native vendor has not yet taken the market leadership away from SailPoint, the pervasively incumbent legacy vendor. Enterprises know they need to migrate to a cloud-native IGA but they often procrastinate because the pain of doing so is too great. However, this is destined to happen, because SailPoint has not fully adapted to the new hybrid environment, making its solution even harder to implement, more challenging to customise, and further deteriorating the user experience for IT admins.
Okta and Saviynt are the two cloud-native vendors equipped to grab the market leadership away from SailPoint and capitalise on the $10bn+ TAM opportunity. Hybrid environments with multicloud operations are better suited to have an ecosystem-agnostic IGA, which gives them a big advantage over Microsoft also. Okta’s IGA lacks maturity, but promises to extend Okta’s DNA of super easy deployment and great user experience. Saviynt offers an extremely broad and mature IGA platform, able to serve every enterprise use case imaginable, but is behind Okta in the ease of deployment and ease of use aspects.
Without doubt, Saviynt is Okta’s most direct, like-for-like competitor, having great capabilities in IGA. However, given that Saviynt’s revenue is only at the $150m to $250m level (our estimate) even though it has been operating since 2010, it clearly isn’t great at S&M. Therefore, we think Okta has the upper hand. Okta has c. 17k customers, c. 4k of which are enterprises spending over $100k in ARR, to leverage and gain a firm foothold in this market. Okta also has the consolidation advantage, being able to provide both IAM and IGA and generate more customer value via those synergies. The recent merging of IAM and IGA in Gartner’s Magic Quadrant for Access Management is another GTM advantage for Okta over Saviynt (as the latter does not feature). With this in mind, we surmise that Okta’s GTM advantages and its edge in ease of deployment and ease of use will help it outperform Saviynt.
That being said, Saviynt still has a very bright future and will continue gaining market share away from SailPoint. It is very possible that Okta and Saviynt become equal IGA leaders over the next several years.
One big caveat, however, is the emergence of machine identities within the IGA realm - these are device and workload identities. Saviynt has deep expertise in this space and a notable advantage over Okta. At present, using IGA for machine identities is still nascent but will surely gain more adoption over time. Typically, orgs do not centrally manage workload identities. Usually, a developer will create a workload identity as and when needed. Subsequently, however, these identities often get forgotten about and left in the system even when they’ve been discontinued, leaving opportunities for attackers to exploit (many recent high-profile breaches were assisted by unmanaged workload identities). Hence, applying IGA and its capabilities, such as lifecycle management, to workload identities promises to deliver significant DevOps efficiencies while strengthening security. Moreover, IGA solutions can potentially serve as the single source of truth for all machine identities, which tools like microsegmentation can use to become more effective.
When we consider the present problems of workload identities, and how their volume will increase multifold in the future, it is clear that capabilities like those Saviynt possesses are soon going to be in high demand.
Given that applying IGA to workload identities is still nascent, Okta has the overall advantage over Saviynt. However, Okta needs to move fast and acquire these capabilities, or else it could find itself behind the innovation curve.
Okta's IGA Growth Prospects
Probably the biggest factor of confidence in the IGA aspect of Okta’s long-term investment thesis is that Okta’s own customers have long been asking the vendor to develop an IGA solution. This is despite many IGA solutions being available in the market. This is a leading indicator that Okta’s focus on simplicity and greater user experience is ready to take advantage of the IGA market. Okta has recently made OIG, the name of its IGA offering, generally available. Our calculations are as follows:
According to McKinnon’s estimates, a $100k IAM customer may spend another $30k-$50k on IGA. Based on this, we'll speculate that OIG will increase total spend by large enterprises by 40%.
Okta's 4Q23 revenue was $510m and 97% is subscription based. Therefore, as management doesn't disclose ARR, we estimate that current ARR is about $2bn ($510m * 4 = $2bn).
Okta has c. 4k enterprise customers spending over $100k in ARR. There is substantial estimation error in this estimate, but we're going to speculate that the average ARR of these 4k customers is $250k. This estimate means these customers generate $1bn, or half, of Okta's ARR (4,000 * $250k = $1bn).
Now we're going to use the 40% anticipated increase in spend for IGA and multiply it against $1bn. This equates to $400m incremental ARR that Okta will generate from its OIG over the next few years.
If Okta can convert 1/4 of its enterprise customers to IGA in the first 12 months, then this equates to $100m in the first year of launching OIG. The remaining 3/4 may be converted over the course of the next 3-4 years.
Including the customers below the $100k ARR threshold would increase this estimate, as would including new logos. However, the caveat is that the OIG predecessor, Okta’s Lifecycle Management solution, is a narrower solution that already includes an unknown amount of this incremental TAM. Nonetheless, the base case is that OIG promises to provide a significant uplift in revenue for Okta over the next few years. If OIG were a startup, it would presumably grab heaps of attention. The bull case would be that Okta executes excellently and grabs c. 5%-7% of the $10bn market over the next 5 years.
Here is an assessment of the IGA competitor landscape and under what environmental circumstances each vendor is most appealing to customers. We discuss this in greater depth in the full Part 2 report.