What Okta’s IPO means for the CIAM industry

The identity and access management (IAM) market has officially broken through with Okta’s IPO filing (and Ping’s $600 million acquisition prior to that). And while securing access to applications and devices in the enterprise has become a big-money enterprise in itself, the IAM market has barely scratched its growth potential. There is an even bigger–but no less important–need for secure access in the consumer world for customers connecting to brands via the web and smartphones today. And of course, this need will grow by leaps and bounds with the addition of the 30+ billion Internet of Things (IoT) devices that are expected to be in the marketplace by 2020.

This grand opportunity is, of course, not lost on IAM vendors, many of which have already been working to blur the line between consumer and employee identities. And the move has some merit. As organizations draw their employees–and to a certain extent business partners–further into the cloud, their customer relationships are often drawing consumers into the cloud as well. It makes sense for an IAM vendor to want to extend its management of business identities to customer identities, given that the challenges seem the same on the surface.

The problem is that those challenges are, in fact, not the same.

Customer Identity and Access Management (CIAM) and the Identity of Things require significantly greater scale than enterprise IAM (think 100s of millions or billions rather than 100s of thousands of identities), not to mention an ability to manage distributed environments and understand consumer expectations and behaviors. Here at Janrain, we have been helping our clients enable their customers’ seamless movement around the web with no friction to the end user–something enterprise IAM vendors have never been called on to do–yet. And with the IoT opportunity, CIAM vendors like Janrain are much better equipped to scale exponentially and enable B2B, B2C and B2C2T use cases.

Look at regulation, for example. In May of 2018, the European Union’s General Data Protection Regulation (GDPR) is set to go into effect. Billed as the most important change in data privacy regulation in 20 years, the purpose of GDPR is to protect the personal data of European citizens by giving control of their data back to the consumers. This regulation will affect any organization that has customers in Europe, regardless of where the business operates, and penalties for violations will be stiff: €20M or 4% of global revenue, whichever is higher. While lawmakers are now working to repeal the FCC rules that were passed last year to give consumers greater security, transparency and control over their data, the pendulum is in motion. We believe the trend toward user-controlled data, not enterprise-controlled data, is clear. Adhering to the ever-changing personal data regulations of 196 countries–not to mention the individual permissions of the world’s connected population of 4 billion across billions of devices–is a far cry from adhering to the enterprise access rules of thousands of employees.

Given these limitations, we expect IAM vendors to start looking to acquire or merge with smaller CIAM vendors to overcome limitations in scale and expertise. But even then, they will only be gaining the capabilities of smaller players that lack the vast expertise of established CIAM pioneers.

For more information on the topic, check out the webinar we presented with Forrester Research that demonstrates how customer IAM is fundamentally different from employee IAM.