Osirium Technologies — Securing growth through PAM innovation

Osirium’s privileged access management software helps protect critical IT infrastructure from unauthorised use of privileged IT accounts, whether from hacking or internal threats. Osirium’s PxM software platform consists of four software modules and introduces innovative concepts such as the virtual air gap (to prevent passwords being shared and from making it onto users’ workstations) and task automation (to delegate tasks rather than privilege). The management team has worked together for many years and has experience in commercialising cybersecurity software. Osirium is following a land and expand strategy – selling licences to enterprise customers to help resolve pain points, and then expanding licences to cover a larger number of end devices and additional modules. Management is also targeting the mid-market, where the ease of deployment and maintenance of Osirium’s software makes it an ideal solution to sell through channel partners. The complexity of established solutions means fewer mid-market businesses use PAM software than enterprises, so this is a market ripe for development. The company has distributors covering the UK, German-speaking European countries, the Middle East and North Africa, with orders already received via some of these partners. To support partners, Osirium has business development directors in those regions, and to support customers has 24/7 global technical support in place.

H118 results confirmed that bookings and revenues grew in line with expectations. The company had a net cash position of £3.3m at the end of H118. We have made minor changes to our forecasts, mainly to reflect the timing of headcount increases in H118. Our EBITDA forecast reduces from a loss of £1.85m to a loss of £2.00m in FY18 and from a loss of £1.65m to a loss of £1.82m in FY19. We forecast a net cash position of £2.49m at the end of FY18.

As an early-stage company showing revenue growth ahead of its peer group, Osirium is trading at a premium to peers on an EV/sales basis. We have performed a reverse DCF to analyse the assumptions factored into the current share price, using a WACC of 11% and a terminal growth rate of 3%. We estimate that the share price is discounting average bookings growth of 24% for FY21–27, break-even EBITDA in FY23, average EBITDA margins of 12.8% for FY21–27 and a terminal EBITDA margin of 36.5%. In our view, bookings growth will be the key driver of share price performance.

Osirium’s financial and share price performance will primarily be sensitive to the rate at which its software is adopted. This includes the rate at which enterprises and managed security service providers (MSSPs) sign up to use the software, the amount of upsell to existing customers, and the rate at which channel partners sign up new customers. Achieving high renewal rates will also be crucial to maintaining a high level of recurring revenues. The mix between direct and channel sales will influence the rate of revenue growth. There is already an active market for PAM software and several well-established and well-funded competitors.

Osirium is a UK-based provider of PAM software. While small from a revenue perspective, the company has signed up a number of blue-chip enterprises and MSSPs, providing validation for its innovative, subscription-based software. The company is now focused on building its customer base and expanding into the mid-market.

Osirium was founded in 2008 by David Guyatt (CEO) and Kevin Pearce (technical services director). Working together to develop solutions to customers’ cybersecurity issues, they identified that privileged access management was an area ripe for innovation. They developed a solution that was adopted by several blue-chip customers, and from there, decided to standardise the technology into modular solutions: the PAM module and the PTM module. Between 2011 and 2015 the company raised funds of £4m to support development and rollout, and in February 2016 the Osirium PxM 2.0 platform was launched. In April 2016, the company listed on AIM to access growth capital, raising net proceeds of £5.1m from the issue of 5.66m shares at 156p per share. In March 2018, Osirium raised a further £4.0m from the issue of 3.14m shares at 134p per share. The company is based in Theale, UK, with a staff of 44.

The technology was originally developed to meet the exacting demands of enterprise customers. More recently the company started moving into the mid-market, where the risks relating to misuse of privileged access are as relevant, but where companies may not have the same level of IT resource to manage this risk. Osirium’s technology has been designed to be easy to implement and simple to use and maintain, reducing the amount of external and internal IT resource required to get the technology up and running and to use on an ongoing basis.

In the longer term, the company wants to have a thriving channel-driven mid-market customer base complemented by direct relationships with enterprise and MSSP customers. It uses a direct sales approach for enterprise customers and has developed a channel strategy to access the mid-market (companies with 200–2,000 employees).

Osirium is headed up by CEO David Guyatt. David has an extensive background in the cybersecurity software market and has worked for many years with other members of the management team. In the 1990s he worked with the COO, Catherine Jamieson, CTO, Andrew Harris, and technical services director, Kevin Pearce at cybersecurity integrator Integralis. While there, they developed several products, including MIMEsweeper (email security and content filtering software), which was spun off into Content Technologies in 1998. In 2000, Baltimore Technologies bought Content Technologies for $1bn, and then sold it to Clearswift Systems in 2002. David joined Clearswift as a non-executive director in 2002, and was CEO from 2003–05. In 2008, he was approached by Kevin Pearce with an idea for a privileged access management solution, which led to the founding of Osirium. Catherine Jamieson joined Osirium in 2009, with Andrew Harris joining in 2011. CFO Rupert Hutton joined Osirium in 2015; Rupert served as CFO of AIM-listed Atlantic Global for 12 years.

The majority of IT users within a business have standard access to the software and devices that they need to use; this enables them to use the applications and devices but does not give them any rights to change any elements of the underlying software or device. System administrators (sysadmins) and developers need to have enhanced access to IT infrastructure and applications to maintain services on a day-to-day basis, resolve problems encountered by other users, and to test new services and devices within a corporate network. This enhanced access is described as privileged access and typically each device and application requires a separate user name and password for this (privileged account). In some cases, only one privileged user will have access to the password, but in other cases, passwords are shared by a group of privileged users. The increasing prevalence of outsourcing increases the number of privileged users. For example, if a company outsources its IT support to a third party, users within the third-party company will need remote privileged access to the company’s IT to resolve problems. In some cases, outsourced IT providers in turn outsource some of their services to another third party, further extending the number of privileged account holders.

Historically, cybersecurity has focused on protecting businesses from external security threats, putting in place solutions to protect the perimeter, such as firewalls, and to protect endpoint devices from malware, such as anti-virus software. This is still a crucial element of IT security, but businesses also need to consider the threat from internal users as well as the need to secure assets against hackers if they do manage to breach the network. To complicate matters, with the increasing use of cloud-based software, the perimeter is no longer clearly defined. Any connected system is at risk, so as use of internet of things (IoT) increases, it provides a larger attack surface (ie number of points within a network that could be attacked to breach the network). Companies should aim to minimise the attack surface by ensuring users only have the level of privileged access they require for each device/application to do their jobs effectively (known as ‘least privilege’).

Hackers particularly target privileged accounts, as these can be used to access more users or data within a business. Once a hacker has breached the network, it can be very difficult to detect it –some breaches are not detected for months and a few continue for years. Once in, a hacker may place malware on the system that is not used until an attack several months later, or the hacker may quietly siphon off data over a long period of time.

The most obvious internal threat is a ‘bad actor’, an authorised privileged user who decides to leak data or access to outsiders for a variety of reasons including money, revenge, blackmail, or terrorism. A prime example of this was Edward Snowden and his leaks of NSA information. Another internal risk comes from elevating the rights of existing users – this means that if a hacker does manage to penetrate the system, he could obtain access to a large number of devices. A report by Verizon1 in 2018 estimated that 28% of attacks were perpetrated by insiders.

For certain industry-specific regulations, demonstrating control over privileged access is a requirement. Examples include PCI DSS regulations for debit and credit card payments, and HIPPA regulations for US patient healthcare data. In the EU, the directive on security of network and information systems (the NIS Directive) was adopted by the European Parliament in 2016 with full adoption by member states since May 2018; the UK has adopted the directive despite Brexit. Member states have until November 2018 to identify the relevant operators, ie operators of essential services (OES) in critical national infrastructure and digital service providers (DSPs). The directive requires OESs and DSPs to:

While a company must be responsible for user identity policy and process and for deciding what levels of privilege to grant to users, PAM software can assist in implementing these policies. It can also reduce a company’s dependence on spreadsheets containing passwords and the use of shared passwords, and should improve operational efficiency for sysadmins. Such software should enable a company to manage the ownership of all privileged accounts, whether individual or shared, and should prevent the elevation of privilege above the necessary level. The software should have reporting capabilities and threat analytics and should integrate with other applications and overall security architecture.

Gartner estimates that the PAM market generated revenues of $690m in 2015, rising to $900m in 2016 (+30%). It is forecasting the market to grow to $2.274bn by 2020 (CAGR 27% 2015–20), with demand driven by regulation, the shift to the cloud and adoption spreading to smaller organisations. In June, Gartner produced a top 10 list of security priorities for CISOs2 and named PAM as the number one priority. It is developing a Magic Quadrant for PAM (expected later this year), where previously it has only looked at the wider access management market, which is dominated by identity access management.

There is a well-established market for PAM software, with a number of competitors with a focus on PAM software as well as a number of broader software vendors with PAM offerings alongside other cybersecurity offerings. CyberArk is the market leader, established since 1999, and is Osirium’s biggest competitor in the enterprise market. In the mid-market space, Osirium traditionally competed more with smaller players Thycotic, Bomgar, BeyondTrust and Wallix. Over the last year, consolidation has accelerated with Bomgar buying several PAM vendors (see page 14) – it is now of a similar size to CyberArk. Customer numbers per Exhibit 2 reflect the differing size of customers by vendor, eg Thycotic offers a freemium product in the SME market based on its cloud-based password vault.

As Osirium is still at an early stage in terms of revenue generation, it has not featured heavily in the market research reports from Gartner and KuppingerCole. However, last year Gartner named Osirium a Cool Vendor in Identity and Fraud Management, in particular because of its approach to task automation. Gartner defines Cool Vendors as disruptive vendors that are helping companies to solve long-established problems and stay ahead of the competition in a rapidly changing world.

KuppingerCole analysts recognise that Osirium’s innovative features (virtual air gap, automated tasks) take a different approach to its competitors and therefore make it hard to assess on a like-for-like basis, but also highlight that these features may be exactly what is required by some customers.

Exhibit 2 shows the platform architecture.

Osirium’s PxM 6.1.0 platform offers four modules: privileged access management (PAM), privileged task management (PTM), privileged session management (PSM) and privileged behaviour management (PBM). The solution consists of software loaded on to a server (Osirium server) and an application that is loaded onto the desktop of privileged users. The Osirium server is installed as a virtual appliance and acts as a proxy server between the privileged user and the end device. End devices managed by Osirium software include servers, routers, switches, databases, and load balancers. Also available via the desktop client is the web management interface. This is the interface that allows the customer (ie the superadmin) to manage and implement role-based access controls.

Although many customers deploy Osirium’s software on-premise, the company has also made its software available on AWS and Azure for cloud deployment.

Once the superadmin has defined which devices the Osirium software will manage, the Osirium server connects to each of these devices using its library of device knowledge. The software identifies all the privileged accounts associated with each device. This means the superadmin can remove obsolete accounts (eg those belonging to leavers or used for test purposes) and assess whether privileges have been correctly assigned. Via the web management interface, the superadmin can grant privileged access to users.

All passwords for privileged accounts are saved on the Osirium server in the Osirium Keystore. When a privileged user wants to access a device, they must authenticate themselves on the Osirium server using the customer’s preferred method, eg user password or two-factor authentication. The user is presented with a list of all devices for which they have privileged access and under each device they can see which tools and tasks they can access (as Osirium describes it, ‘Identity in, role out’). They then select the device they want to access, and the Osirium server provides the correct password to the device. This is the Osirium virtual ‘air gap’ – the user never actually sees the passwords for the privileged accounts. Instead, as long as the user’s identity is verified by the Osirium server, they can access all their privileged accounts with the passwords never making their way onto the user’s workstation. Analysis by Verizon in 2014 calculated that 86% of passwords are obtained from user workstations, with only 10% via phishing and 4% from brute force (ie repeatedly guessing the password until the correct one is found). If the password is not available on a workstation, this significantly reduces the ability of a hacker to obtain it.

Passwords can be managed by the Osirium server in several ways. Initially, customers often set up the server to use existing passwords and manage the life-cycling of passwords themselves. Once comfortable with using the software, customers often switch to password-management mode, which means the Osirium software takes care of the password life-cycling – this is more secure as no users would know the passwords to any devices.

To provide an additional level of security, the Osirium Change Management tool requests a change/incident ticket reference and comment before a task or tool is opened by a user. Once the ticket has been opened, all subsequent connections and tasks are tracked under this ticket reference. Multiple tools and tasks can be used under each ticket, and multiple users can work under the same ticket. Admin reports show all connections made under each ticket reference. Osirium can be integrated with ServiceNow to validate ticket references entered into the Osirium Change Management tool.

Each time Osirium engineers encounter a new device they have not seen before, they go through a process to register it so it is compatible with Osirium’s software. It is then automatically added to the ‘Plays well with’ list that contains all devices that can managed by the Osirium server.

Osirium’s MAP server is an innovative way to enable customers to continue to use devices that rely on legacy applications and operating systems. Companies often have key business processes or devices that rely on software that is no longer supported by the original software vendor. This legacy software could contain vulnerabilities and could therefore be a key target for hackers. Sysadmins often end up installing a variety of different legacy applications and different versions of operating systems either on their own machines, or on dedicated (often shared) desktops, all of which increase the risk of a security breach.

The user loads the legacy software management application onto the MAP server. When the user wants to access a device that uses legacy software, the Osirium server will determine which management tool is required and will project its window onto the user’s workstation. This means that the user is isolated from the legacy software. Instead only the Osirium server is allowed to communicate with the MAP server, effectively isolating it and creating a ‘security cell’ for the legacy software.

The PTM software enables a business to automate frequently performed tasks that require privileged access such as user password resets or switching/closing off firewall ports. This enables companies to delegate the task rather than the privilege, ie the user will be able to perform specific tasks on a device but will not have more general privileged access to the device. We view this is a form of robotic process automation, with the focus on security.

Analysis of the use of task automation by several customers has shown that time savings of up to 98% per task are possible, which has the benefit of freeing up staff to undertake more complex work. By predefining tasks and reducing the amount of user input required, accuracy is greatly increased, which improves both efficiency and security. This is particularly helpful for companies that outsource a high volume of support activity, as it means that third parties do not need to be granted as much privileged access. An MSSP can delegate the top 20 or 30 tasks to first-line support, sure in the knowledge the tasks will be performed securely and accurately. As long as the user is authenticated by the Osirium server, the user will then have access to all their individual delegated tasks.

We understand that the level of task automation enabled by Osirium’s software is well ahead of that offered by other PAM vendors, and was the key reason for Gartner’s inclusion of the company in its Cool Vendor list.

PSM software is designed to record sessions undertaken by a privileged user. The customer defines which user activities are recorded. This means that as well as knowing who accessed data, when and where, the business can track exactly what was done during each active session. The software records only the active window, and only records when there is activity. It does this by taking one screenshot every second. So a privileged user could be logged into an account for an hour, but only actively interact with the account for five minutes – in this case the recording would show how long the user was logged in for, but would only record the live five minutes. This reduces storage requirements, but more importantly makes it easier for sessions to be reviewed in the event of an issue. Recorded sessions can be searched by keyword. The recording is usually set to show a red box around the window that is being recorded – this in itself can act as a deterrent to unauthorised behaviour. The red box can also be switched off so the user does not know they are being recorded. All keystrokes by the user are also logged. The company estimates that more than half of customers take this module, usually for audit or compliance reasons.

This is Osirium’s newest module. The idea is that privileged user behaviour is monitored to create a base line for ‘normal’ behaviour. For example, if someone accesses a device at an unusual time, this is flagged up. The software presents the results in terms of active threat (unusual activity) and latent risk (connections between people and high privileged device accounts that are never or rarely used).

The R&D team develops enhancements to the PxM platform on a continuous basis. Over the last year, this has included further development of the MAP solution for legacy software, introducing Elastic Stack to reduce the processing load on a customers’ infrastructure generated by behaviour analytics undertaken by the PBM module, and adding ‘App-less’ access for third parties (a web access gateway). This provides a web connection between a third party (typically an outsourcer) and the customer’s infrastructure such that the third party does not need to run the customer’s applications on their own infrastructure.

Other significant projects that are underway include:

In January 2016, the company filed three patents in the area of privileged access and related automation innovation in the UK, Europe and the US; it is hard to predict when the final decision will be made whether to grant the patents – the process can take up to five years from filing.

As well as the management team having direct relationships with enterprise and MSSP customers, the company has several telesales people and uses marketing automation tools. To help build the brand, the company has invested in the website and digital marketing, holds regular webinars and presents at industry conferences. The company recently hired a new marketing director, Chris Heslop, who has previously worked with the team at MIMEsweeper and more recently held senior positions in field marketing for Vocollect and Honeywell.

Few customers can be named owing to commercial confidentiality. In August 2016, Osirium signed up a global asset manager on a three-year contract to secure 3,000 devices – this has been renewed twice since the original contract and expanded to cover a larger number of devices. Other customers include ThinkMoney (financial services), two English police forces, a European car manufacturer, several NHS trusts, a multi-national defence company, a global mobile network operator, a reinsurer, several retailers (online and bricks and mortar) and a professional services provider. The relationships with these direct enterprise customers give Osirium the opportunity to learn what additional features customers may require and helps shape the R&D process.

The company has signed up distributors in key geographies. A crucial part of the process is providing training and support to distributors and resellers so that they are able to sell and install the software. Business development directors have been hired in the Middle East, Asia-Pacific and Germany. Progress in building the channel includes:

Osirium also runs a partner programme, and by the end of H118 this comprised 12 partners in the UK. The company is not directly targeting the US. This is a notoriously difficult market for non-US companies to crack and is the home market of the highest number of competitors. Nevertheless, Osirium software is already in use in the US and we expect penetration to increase as Osirium signs up more multi-national customers.

Osirium’s financial performance and share price will be sensitive to the following factors:

Osirium sells its software on a subscription basis. Customers typically buy a licence for 12 months and pay in full upfront. A small number of customers sign up for three years, with some paying the whole amount in advance and others being billed annually. There are one or two customers paying on a monthly basis as device numbers increase. The majority of customers deploy the software on-premise, although now that the software is available on AWS and Azure, we expect cloud deployment to increase in popularity.

Licences are typically priced on the basis of the number of devices managed, with the minimum licence for 50 devices. Currently, the PAM and PTM modules come under one licence with PSM requiring a separate additional licence. PBM is bundled in with PAM/PTM but the company plans to make this available as a standalone module. Osirium has a ‘land and expand’ strategy. It typically aims to sell a licence to a customer for a minimum number of devices to resolve a specific problem; once the customer is comfortable with the technology, this can be expanded to include more devices, and additional modules such as PSM.

The company generates some service-based revenues (10–15% of total revenues), but this is not a target area for substantial growth. With the channel strategy, Osirium would expect the channel partner to undertake the implementation work.

At the end of last year, Osirium launched a freemium product, PxM Express. This is designed to provide the full functionality of the PxM platform to businesses with up to 25 servers or network devices. It can also be deployed by larger organisations looking to test the software prior to making a wider investment decision. It has 17 customers using this product – it is too soon to ascertain the conversion rate to the paid product.

The largest cost is for staff; having added headcount during H118, the company does not expect to increase headcount materially from this point. Included in other operating costs are premises costs (rent of headquarters in Theale), sales and marketing costs and other admin costs. The company capitalises development costs; these are amortised over a five-year period, starting in the year of capitalisation.

Osirium traded in line with management expectations in H118. Bookings increased 37% y-o-y and revenues increased 78% over the same period. Within that SaaS software revenues increased 87% and revenues from services 46%. As indicated when the company raised funds in March, it has increased headcount to support product development, customer support and sales and marketing. This has resulted in an increase in operating expenses (excluding depreciation and amortisation) of 25% y-o-y. The EBITDA loss was marginally higher y-o-y at £991k. The company capitalised development costs of £589k in H118 and amortised £353k. The company closed H118 with a net cash position of £3.3m, benefiting from the March fundraise which netted proceeds of £4.0m.

We have made minimal changes to forecasts post H118 results. We have increased our operating cost forecast for H218, FY19 and FY20 to reflect the pace of hiring in H118. We estimate that the company has sufficient cash to fund the business until FY20. If it is able to accelerate bookings growth ahead of our forecast, this would have a positive impact on cash flow due to the upfront billing of subscriptions.

As we do not expect Osirium to reach profitability within our three-year forecast period, we use a reverse discounted cash flow analysis to calculate the assumptions underlying the current share price. With a WACC of 11% and a terminal growth rate of 3%, we arrive at the current share price using the following assumptions for the period after our 2018–2020 explicit forecasts:

The table below shows selected acquisitions in the PAM market – the pace of acquisitions has accelerated this year. After Bomgar’s spending spree, it is now of a similar size (in revenues) as CyberArk.