Osirium Technologies — Product innovation supports order growth

Osirium’s privileged access security software helps protect critical IT infrastructure from unauthorised use of privileged IT accounts, whether from hacking or internal threats. Osirium’s PxM software platform introduces innovative concepts such as the virtual air gap (to prevent passwords being shared and from making it onto users’ workstations) and task automation (to delegate tasks rather than privilege). The recent development of secure privileged process automation and endpoint privilege management solutions has expanded the company’s addressable market. Osirium is following a land and expand strategy – selling licences to enterprise customers to help resolve pain points, then expanding licences to cover a larger number of end devices or users, additional modules and additional functionality. Management is also targeting the mid-market, where the ease of deployment and maintenance of Osirium’s software makes it an ideal solution to sell through channel partners. The complexity of established solutions means fewer mid-market businesses use privileged access management (PAM) software than enterprises, so this is a market ripe for development. The company has distributors and resellers covering the UK, the Middle East and North Africa. To support partners, Osirium recently hired a channel director, and to support customers provides 24/7 global technical support.

Osirium saw strong bookings momentum in H1 (£1.03m, +69% y-o-y) from a combination of contract renewals and new customers. Due to a number of multi-year deals, revenue grew only 11% y-o-y while deferred income was 70% higher y-o-y. The company reported an EBITDA loss of £1.2m during the period versus £1.0m a year ago. Net cash at the end of H119 was £0.89m and post period end the company received an R&D tax credit of £0.47m. While our bookings forecasts are maintained, we have revised our forecasts to reflect the operating costs and capex incurred in H119, resulting in a wider EBITDA loss in FY19–20. We forecast a shift to a net debt position of £0.5m by the end of FY19 – the company noted that it planned to raise funds in H2.

After a decline in the share price over the last year, Osirium is trading at a discount to peers on an EV/sales basis. As it is an early-stage company several years from profitability, we have performed a reverse DCF to analyse the assumptions factored into the current share price, using a WACC of 11% and a terminal growth rate of 3%. We estimate the share price is discounting average bookings growth of 23% for FY21–28, break-even EBITDA in FY24, average EBITDA margins of 1.9% for FY21–28 and a terminal EBITDA margin of 35%. In our view, bookings growth and confirmation of funding are the key drivers of share price performance.

Osirium’s financial and share price performance will primarily be sensitive to the rate at which its software is adopted. This includes the rate at which enterprises and managed security service providers (MSSPs) sign up to use the software, the amount of upsell to existing customers, and the rate at which channel partners sign up new customers. Achieving high renewal rates will also be crucial to maintaining a high level of recurring revenues. The mix between direct and channel sales will influence the rate of revenue growth. There is already an active market for PAM software and several well-established and well-funded competitors.

Osirium is a UK-based provider of privileged access security software. Although small from a revenue perspective, the company has signed up a number of blue-chip enterprises and MSSPs, providing validation for its innovative, subscription-based software. Over the last year, the company has expanded its product range from privileged access management (PAM) to include secure privileged process automation (PPA) and privileged endpoint management (PEM). The company is focused on building its customer base and expanding into the mid-market.

Osirium was founded in 2008 by David Guyatt (CEO) and Kevin Pearce (technical services director). Working together to develop solutions to customers’ cybersecurity issues, they identified that PAM was an area ripe for innovation. They developed a solution that was adopted by several blue-chip customers and, from there, decided to standardise the technology into modular solutions: the PAM module and the PTM1 module. Between 2011 and 2015 the company raised funds of £4m to support development and rollout, and in February 2016 the Osirium PxM 2.0 platform was launched. In April 2016, the company listed on AIM to access growth capital, raising net proceeds of £5.1m from the issue of 5.66m shares at 156p per share. In March 2018, Osirium raised a further £4.0m from the issue of 3.14m shares at 134p per share. The company is based in Theale, UK, with a staff of 50.

Osirium’s technology was originally developed to meet the exacting demands of enterprise customers. More recently the company started moving into the mid-market, where the risks relating to misuse of privileged access are as relevant, although companies may not have the same level of IT resource to manage this risk. Consequently, a large proportion of the potential market is a greenfield opportunity, as mid-market awareness of the need for PAM is growing. Osirium’s technology has been designed to be easy to implement and simple to use and maintain, reducing the amount of external and internal IT resource required to get the technology up and running and to use on an ongoing basis.

In the longer term, the company wants to have a thriving channel-driven mid-market customer base complemented by direct relationships with enterprise and MSSP customers. It uses a direct sales approach for enterprise customers and has developed a channel strategy to access the mid-market (companies with 200–2,000 employees).

Osirium is headed up by CEO David Guyatt. David has an extensive background in the cybersecurity software market and has worked for many years with other members of the management team. In the 1990s he worked with the COO, Catherine Jamieson, CTO, Andrew Harris, and technical services director, Kevin Pearce at cybersecurity integrator Integralis. While there, they developed several products, including MIMEsweeper (email security and content filtering software), which was spun off into Content Technologies in 1998. In 2000, Baltimore Technologies bought Content Technologies for $1bn, and then sold it to Clearswift Systems in 2002. David joined Clearswift as a non-executive director in 2002 and was CEO from 2003–05. In 2008, he was approached by Kevin Pearce with an idea for a PAM solution, which led to the founding of Osirium. Catherine Jamieson joined Osirium in 2009, with Andrew Harris joining in 2011. CFO Rupert Hutton joined Osirium in 2015; he served as CFO of AIM-listed Atlantic Global for 12 years.

The majority of IT users within a business have standard access to the software and devices that they need to use; this enables them to use the applications and devices but does not give them any rights to change any elements of the underlying software or device. System administrators (sysadmins) and developers need to have enhanced access to IT infrastructure and applications to maintain services on a day-to-day basis, resolve problems encountered by other users and to test new services and devices within a corporate network. This enhanced access is described as privileged and typically each device and application requires a separate user name and password for this (privileged account). As privileged accounts can make substantial changes to systems such as creating or deleting users, accessing customer data or configuring the company’s internet access, they are extremely powerful. Incorrect or malicious use of a privileged account could shut down a business’s internet presence preventing online sales, could leak personal or commercially sensitive data or in extreme circumstances, impact on implanted medical devices.

In some cases, only one privileged user will have access to the password but in other cases, passwords are shared by a group of privileged users. The increasing prevalence of outsourcing increases the number of privileged users. For example, if a company outsources its IT support to a third party, users within the third-party company will need remote privileged access to the company’s IT to resolve problems. In some cases, outsourced IT providers in turn outsource some of their services to another third party, extending the number of privileged account holders. With this increasing complexity, shortcuts are taken including uncontrolled sharing of passwords, giving poor visibility into who has what access and where.

Historically, cybersecurity has focused on protecting businesses from external security threats, putting in place solutions to protect the perimeter, such as firewalls, and to protect endpoint devices from malware, such as anti-virus software. This is still a crucial element of IT security, but businesses also need to consider the threat from internal users as well as the need to secure assets against hackers if they do manage to breach the network. To complicate matters, with the increasing use of cloud-based software, the perimeter is no longer clearly defined. Any connected system is at risk, so as use of internet of things (IoT) increases, it provides a larger attack surface (ie number of points within a network that could be attacked to breach the network). Companies should aim to minimise the attack surface by ensuring users only have the level of privileged access they require for each device/application to do their jobs effectively (known as ‘least privilege’).

Hackers particularly target privileged accounts, as they can be used to access more users or data within a business. Once a hacker has breached the network, it can be very difficult to detect it –some breaches are not detected for months and a few continue for years. Once in, a hacker may place malware on the system that is not used until an attack several months later, or the hacker may quietly siphon off data over a long period of time.

The most obvious internal threat is a ‘bad actor’, an authorised privileged user who decides to leak data or access to outsiders for a variety of reasons including money, revenge, blackmail, or terrorism. A prime example of this was Edward Snowden and his leaks of NSA information. Another internal risk comes from elevating the rights of existing users – this means that if a hacker does manage to penetrate the system, he could obtain access to a large number of devices. A report by Verizon2 in 2019 estimated that 34% of attacks were perpetrated by insiders.

For certain industry-specific regulations, demonstrating control over privileged access is a requirement. Examples include PCI DSS regulations for debit and credit card payments, and HIPPA regulations for US patient healthcare data. In the EU, the directive on security of network and information systems (the NIS Directive) requires operators of essential services (OES) in critical national infrastructure and digital service providers (DSPs) to:

While a company must be responsible for user identity policy and process and for deciding what levels of privilege to grant to users, PAM software can assist in implementing these policies. It can also reduce a company’s dependence on spreadsheets containing passwords and the use of shared passwords, and should improve operational efficiency for sysadmins. Such software should enable a company to manage the ownership of all privileged accounts, whether individual or shared, and should prevent the elevation of privilege above the necessary level. The software should have reporting capabilities and threat analytics and should integrate with other applications and overall security architecture. Early this year, market research firm Gartner released a report on best practice in PAM, with the four pillars being:

Gartner estimates the PAM market generated revenues of $690m in 2015, rising to $900m in 2016 (+30%). It is forecasting the market to grow to $2.274bn by 2020 (CAGR 27% 2015–20), with demand driven by regulation, the shift to the cloud and adoption spreading to smaller organisations. In June, Gartner produced a top 10 list for CISOs,3 listing priorities for new security projects once basic security measures had been put in place – PAM was named as one of the ten priority projects.

There is a well-established market for PAM software, with a number of competitors focused on PAM software as well as a number of broader software vendors with PAM offerings alongside other cybersecurity offerings. CyberArk is the market leader, established in 1999, and is Osirium’s biggest competitor in the enterprise market. In the mid-market space, Osirium traditionally competed more with smaller players Thycotic, Bomgar, BeyondTrust and Wallix. Consolidation accelerated in 2018 with Bomgar buying several PAM vendors (see page 14) – it is now of a similar size to CyberArk and brands all solutions as BeyondTrust. Since being acquired by Thoma Bravo, Centrify has spun out its identity and access management business into a separate company, Idaptive, with the remaining business focused on PAM. Customer numbers per Exhibit 1 reflect the differing size of customers by vendor, eg Thycotic offers a freemium product in the SME market based on its cloud-based password vault.

As Osirium has grown over the last three years, it has been recognised by market research analysts Gartner and KuppingerCole. Gartner featured Osirium as a Cool Vendor in Identity and Fraud Management in 2017 and recognised it as a niche player in its inaugural Magic Quadrant for PAM software published in December 2018. Gartner analysts highlighted that Osirium’s task-management capabilities were best in class.

KuppingerCole analysts recognise that Osirium’s innovative features (virtual air gap, automated tasks) take a different approach to its competitors and therefore make it hard to assess on a like-for-like basis, but also highlight that these features may be exactly what is required by some customers. KuppingerCole reviewed the recently launched PPA solution, highlighting that it could be used more broadly across a business, for example in HR or finance. It also noted that PPA was able to address a challenge that is not dealt with well by existing ITSM4 offerings or PAM tools.

Over the last year, the company has invested in expanding its product offering, adding privileged process automation and EPM to existing PAM capabilities.

Osirium’s PxM platform offers four modules: PAM, PTM, privileged session management (PSM) and privileged behaviour management (PBM). Exhibit 2 shows the platform architecture. The solution consists of software loaded on to a server (Osirium server) and an application that is loaded on to the desktop of privileged users. The Osirium server is installed as a virtual appliance and acts as a proxy server between the privileged user and the end device. End devices managed by Osirium software include servers, routers, switches, databases and load balancers. Also available via the desktop client is the web management interface. This is the interface that allows the customer (ie the superadmin) to manage and implement role-based access controls.

Although many customers deploy Osirium’s software on-premise, the software is also available on AWS and Azure for cloud deployment.

Once the superadmin has defined which devices the Osirium software will manage, the Osirium server connects to each of these devices using its library of device knowledge. The software identifies all the privileged accounts associated with each device. This means the superadmin can remove obsolete accounts (eg those belonging to leavers or used for test purposes) and assess whether privileges have been correctly assigned. Via the web management interface, the superadmin can grant privileged access to users.

All passwords for privileged accounts are saved on the Osirium server in the Osirium Keystore. When a privileged user wants to access a device, they must authenticate themselves on the Osirium server using the customer’s preferred method, eg user password or two-factor authentication. The user is presented with a list of all devices for which they have privileged access and under each device they can see which tools and tasks they can access (as Osirium describes it, ‘Identity in, role out’). They then select the device they want to access and the Osirium server provides the correct password to the device. This is the Osirium virtual ‘air gap’ – the user never actually sees the passwords for the privileged accounts. Instead, as long as the user’s identity is verified by the Osirium server, they can access all their privileged accounts with the passwords never making their way on to the user’s workstation. Analysis by Verizon in 2014 calculated that 86% of passwords are obtained from user workstations, with only 10% via phishing and 4% from brute force (ie repeatedly guessing the password until the correct one is found). If the password is not available on a workstation, this significantly reduces the ability of a hacker to obtain it. Other features of the PAM module include:

The PTM software enables a business to automate frequently performed tasks that require privileged access such as user password resets or switching/closing off firewall ports. This enables companies to delegate the task rather than the privilege, ie the user will be able to perform specific tasks on a device but will not have more general privileged access to the device. We view this is a form of robotic process automation, with the focus on security.

Analysis of the use of task automation by several customers has shown that time savings of up to 98% per task are possible, which has the benefit of freeing up staff to undertake more complex work. By predefining tasks and reducing the amount of user input required, accuracy is greatly increased, which improves both efficiency and security. This is particularly helpful for companies that outsource a high volume of support activity, as it means third parties do not need to be granted as much privileged access. An MSSP can delegate the top 20 or 30 tasks to first-line support, sure in the knowledge the tasks will be performed securely and accurately. As long as the user is authenticated by the Osirium server, the user will then have access to all their individual delegated tasks.

We understand that the level of task automation enabled by Osirium’s software is well ahead of that offered by other PAM vendors and was the key reason for Gartner’s inclusion of the company in its Cool Vendor list. This also ties in well with the fourth pillar of PAM best practice we refer to in the recent Gartner report (see page 5).

PSM software is designed to record sessions undertaken by a privileged user. The customer defines which user activities are recorded. This means that as well as knowing who accessed data, when and where, the business can track exactly what was done during each active session. The software records only the active window and only records when there is activity. It does this by taking one screenshot every second. So a privileged user could be logged into an account for an hour, but only actively interact with the account for five minutes – in this case the recording would show how long the user was logged in for, but would only record the live five minutes. This reduces storage requirements, but more importantly makes it easier for sessions to be reviewed in the event of an issue. Recorded sessions can be searched by keyword. The recording is usually set to show a red box around the window that is being recorded – this in itself can act as a deterrent to unauthorised behaviour. The red box can also be switched off so the user does not know they are being recorded. All keystrokes by the user are also logged. The company estimates that more than half of customers take this module, usually for audit or compliance reasons.

This module monitors a privileged user’s behaviour to create a base line for ‘normal’ behaviour. For example, if someone accesses a device at an unusual time, this is flagged up. The software presents the results in terms of active threat (unusual activity) and latent risk (connections between people and high privileged device accounts that are never or rarely used).

Over the last 18 months, Osirium has invested in developing its task automation technology to provide wider process automation functionality and in May launched its privileged process automation (PPA) solution. This was previously known by the project name, Opus. Based on several years’ experience in providing privileged task automation technology and customer feedback, PPA provides a significantly more powerful approach to securing privileged process automation. New features and functionality include:

Early adopters of PPA have found tasks that were complex enough to need second or third level administrators to deal with them can now be delegated to first-line support engineers.

The company highlighted a variety of use cases for PPA (see Exhibit 4). While we would expect PPA initially to be of interest to IT operations teams, it is possible that some privileged automated processes could ultimately be delegated to other business departments. For example, HR teams typically request that new joiners are provided with email addresses and added to particular email groups. PPA would allow the IT department to create an automated process to do this, which could be delegated to authorised HR staff and bypass the IT department entirely. PPA is also likely to be of interest to DevOps and NetOps teams.

As PPA can operate using credential vaults other than Osirium’s PxM platform, it can be used by customers using PAM software from a different vendor. Osirium has found that within some companies, different PAM software is used for different processes. This gives Osirium the potential to sell into all processes using PAM software rather than just those processes that depend on its PxM platform. The company is selling PPA as a separate module with per-user licensing. It can be licensed on its own or alongside the PxM platform. Osirium signed up its first customer for PPA in August – this is an existing PxM customer.

Osirium has developed a privileged endpoint management (PEM) solution that it expects to launch in Q4. An endpoint is a remote computing device that communicates with the network to which it is connected. Examples include desktops, laptops, smartphones, tablets, workstations and servers. Endpoints often represent a vulnerable entry point for hackers, giving them the ability to take control of the device (for example to launch a botnet), to use the device as an entry point into an organisation, to access data on the device, or to hold the device owner to ransom. Anti-virus software is commonly used to protect endpoints, but this may not be sufficient to fully secure the device. Endpoints need administrator rights (ie privileged access) to perform certain functions, eg downloading new applications or updating existing applications. A business must weigh up the risk of giving the user these admin rights with the cost of reduced productivity if the user has to request permission to access commonly used applications or resources. PEM software is designed to enforce least privilege ie all local admin rights are removed from the user and only whitelisted applications can be run with elevated privilege. When necessary, the user can request elevated privilege from the IT support desk – this can be on a permanent or time-limited basis.

Last year Osirium announced a strategic technology partnership with RazorSecure to jointly deliver cybersecurity solutions specifically for the critical national infrastructure (CNI), transport and industrial internet of things markets. RazorSecure develops machine-learning-based EPM software – this builds a baseline of ‘normal’ activity to define what processes and applications are expected, how they are likely to use resources and therefore making it easier to identify rogue behaviour. RazorSecure’s technology is used in CNI, in particular in the rail network, where it is able to detect intrusion and generate automated responses on systems that are not always connected. RazorSecure has adapted its EPM software for use by Osirium, with Osirium’s new PEM solution due for official launch in Q4. The product will be licensed on a per-user basis.

As for PPA, the PEM solution can be sold independently of the PxM platform, thereby widening Osirium’s addressable market. We would expect, however, that the company would initially market the solution to its existing customer base – it expects to sign its first customer by year end.

The R&D team develops enhancements to the PxM platform continuously and we would expect it to continue to develop the new PPA and PEM products as customers provide feedback. The company is developing the ability to cluster instances of Osirium servers together (‘mesh’) to ensure high availability, based on the concept of a Raft database.6 This means that a much higher number of devices could be managed by an installed instance. The goal is that the servers should be able to communicate with each other to enforce the rule that there is only one instance of an ID at any one time. This should also provide fault tolerance, with the ability to reconfigure the mesh in the event of any of the clustered servers failing.

The company invests in patent applications to cover several of its key technologies. It has four active patent families with global reach, and a focus on the US and Europe. Osirium was recently granted a European-wide patent providing a wide scope of protection covering its password recovery process. US patent grant is expected in the next six to 12 months.

As well as the management team having direct relationships with enterprise and MSSP customers, the company has several telesales people and uses marketing automation tools. To help build the brand, the company has invested in the website and digital marketing, holds regular webinars and presents at industry conferences.

Few customers can be named owing to commercial confidentiality. In August 2016, Osirium signed up a global asset manager on a three-year contract to secure 3,000 devices – this was renewed for a further three years in May and over the last three years the contract has been expanded to cover 4,500 devices. This week, the company announced that an existing customer (a UK provider of software and IT services to the public sector) that had signed up in February to secure 250 devices for 12 months had expanded the contract to a total of 2,600 devices over three years.

Other customers include ThinkMoney (financial services), English police forces, a European car manufacturer, several NHS trusts, a multi-national defence company, a global mobile network operator, a reinsurer, several retailers (online and bricks and mortar), British universities and a professional services provider. The relationships with these direct enterprise customers give Osirium the opportunity to learn what additional features customers may require and helps shape the R&D process.

The company recently hired a channel director to manage distributors and resellers, an important route to market for Osirium. A crucial part of the process is providing training and support to distributors and resellers so they are able to sell and install the software. Progress in building the channel includes:

Osirium also runs a reseller partner programme that currently comprises 16 partners. The company is not directly targeting the US as this is a notoriously difficult market for non-US companies to crack and is the home market of the highest number of competitors. Nevertheless, Osirium software is already in use in the US and we expect penetration to increase as Osirium signs up more multi-national customers.

Osirium’s financial performance and share price will be sensitive to the following factors:

Osirium sells its software on a subscription basis. Customers typically buy a licence for 12 months and pay in full upfront. A small number of customers sign up for three years, with some paying the whole amount in advance and others billed annually. There are one or two customers paying monthly as device numbers increase. The majority of customers deploy the software on-premise, although now that the software is available on AWS and Azure, we expect cloud deployment to increase in popularity.

PxM licences are typically priced on the basis of the number of devices managed, with the minimum licence for 50 devices. Currently, the PAM and PTM modules come under one licence with PSM requiring a separate additional licence. PBM is bundled in with PAM/PTM but the company plans to make this available as a standalone module. Osirium has a ‘land and expand’ strategy. It typically aims to sell a licence to a customer for a minimum number of devices to resolve a specific problem; once the customer is comfortable with the technology, this can be expanded to include more devices, and additional modules such as PSM. PPA and PEM are licensed on a per-user basis.

The company generates some service-based revenues (10–15% of total revenues), but this is not a target area for substantial growth. With the channel strategy, Osirium would expect the channel partner to undertake the implementation work.

At the end of 2017, Osirium launched a freemium product, PxM Express. This is designed to provide the full functionality of the PxM platform to businesses with up to 10 servers or network devices. The company also enters into proofs of concept with potential customers so they can trial the software for a limited period of time. Currently, c 80% of PoCs convert to an order.

The largest cost is staff. Included in other operating costs are premises costs (rent of headquarters in Theale), sales and marketing costs and other admin costs. The company capitalises development costs; these are amortised over a five-year period, starting in the year of capitalisation.

We recently revised our forecasts when the company issued its half-year trading update in July. Revenues grew 11% y-o-y while bookings were 69% higher y-o-y. This resulted in a 70% increase in deferred income, reflecting the number of multi-year contracts signed in the period. The company retained 100% of customers in H1. Operating expenses (excluding depreciation and amortisation) were 17% higher reflecting an increase in headcount and higher spend on marketing events. The company had a net cash position of £0.89m at the end of H119 – this does not include the £0.47m R&D tax credit that has since been received.

The company expects to meet market expectations for bookings in FY19. We have increased our operating cost forecast for H219, FY20 and FY21 to reflect the amount spent in H119. We forecast a shift to a net debt position by year-end. If the company is able to accelerate bookings growth ahead of our forecast, this would have a positive impact on cash flow due to the upfront billing of subscriptions. The company has noted it is planning to raise funds in H2.

The share price has declined over the last year, reflecting a slower pace of bookings growth than originally expected. Compared to cybersecurity peers trading on an average EV/sales multiple of 4.6x this year’s revenues and 4.2x next year, Osirium is now trading at a discount (FY19e 2.4x, FY20e 1.7x). In our view, the key factors to trigger upside will be evidence of bookings growth at least in line with expectations for this year and confirmation of funds raised.

As we do not expect Osirium to reach profitability within our forecast period, we use a reverse discounted cash flow analysis to calculate the assumptions underlying the current share price. With a WACC of 11% and a terminal growth rate of 3%, we arrive at the current share price using the following assumptions for the period after our 2019–2020 explicit forecasts:

The table below shows selected acquisitions in the PAM market – the pace of acquisitions accelerated last year. After Bomgar’s spending spree, it is now of a similar size (in revenues) as CyberArk. We view this as confirmation that PAM is now understood to be a crucial part of a company’s IT security.