OneLogin, a pioneering startup in the identity-as-a-service realm, is in an interesting position: Its market is surging, but the competition it faces is only getting fiercer. While its early position afforded a degree of market leadership, the company’s missteps put it on unstable footing.
But 2018 could be OneLogin’s year. The company has a revamped product that amplifies its strength against competitors like Okta and Microsoft, new funding on the way, and the technical foundation to execute on the vision of a new management team.
“I think the key point is that they’ve got a new management infusion; if they pick up some more capital, I think this is the watershed run for them,” Gartner research vice president Gregg Kreizman said in an interview with VentureBeat. “They’ve got to really get out there and show organizations that they are viable, compete on more than price — because I think that’s kind of where they are right now when they come up against an Okta or a Microsoft — and remain viable in the game.”
The company offers access management software for web applications both in private datacenters and in the cloud. Its competitors include Microsoft, Centrify, Ping, and Okta, which was one of last year’s marquee tech IPOs. But that market is only growing. Large enterprise tech players like IBM, Oracle, and CA, which already offer traditional identity and access management software to their customers, are pushing products that compete directly with OneLogin.
To win in that rough and tumble market, OneLogin has a lot of work to do.
OneLogin’s hack … and the aftermath
In May, OneLogin — a company charged with ensuring the security of its users — got hacked. An attacker was able to break into one of OneLogin’s AWS accounts, and the ensuing cleanup required customers to change all the security certificates that connect the services they use with the identity provider. Some people who had passwords stored in OneLogin’s manager had to change those, as well.
The company’s second quarter revenue plummeted following the disclosure, as employees and customers alike bailed on OneLogin. (It rebounded to a degree in subsequent quarters.)
OneLogin CEO Brad Brooks told VentureBeat in an interview that he saw the hack as an existential threat to the company’s business. It was necessary for OneLogin to upgrade its security practices in the wake of the breach to ensure that code was shipshape. What’s more, he said another breach of that caliber would be “game over” for the company.
“There are some customers that did leave us. They said, ‘You know what, [we] can’t handle it,’” Brooks said. “Most of them stayed with us. And the conversation we had with all those customers was first, here’s what happened. Second, here’s all the practices we’re putting in place, here’s the type of people who we’re hiring, here’s what we’re going to do going forward.”
Brooks also said that OneLogin’s history of dealing with a breach could make it a more appealing vendor.
“Because that [breach] is a visible scar on our bodies, isn’t that the company you want looking after your practice going forward?” he asked. “It has made us who we are. It didn’t kill us, but it certainly made us stronger.”
Todd Brillon, a systems integration director at NTT Data Services who helps set other companies up with OneLogin services, told VentureBeat that he thought the service was made better in the aftermath of the security incident. He cited frequent attacks on credit card data as evidence that an attack of that sort could have happened to other companies.
“You feel confident, still, as a partner,” he said. “They had a little bit of a mixup, they figured out where it was, and they did everything possible to fix it. I feel like it’s a more solid platform than it was yesterday. So, every day forward, those steps that they’ve done have made their system a lot more solid and secure.”
While the immediate aftermath was rocky, it looks like there’s a light at the end of the tunnel. Many of the company’s existing clients have stuck around. Facebook and Uber, two of OneLogin’s marquee customers, signed new contracts with the company. Airbus announced after the hack occurred that it would become one of the biggest enterprises to adopt OneLogin.
Of course, businesses may not want to do all the work necessary to vet other vendors and replace existing workflows that they already use OneLogin for, and those executives who might be alarmed by the company’s security breach may not have the clout to force their companies to switch vendors.
Kreizman said that Gartner surveyed roughly 30 OneLogin customers and summed up the results: Two or three businesses chose to shut off the service altogether, with the others remaining. In today’s security landscape, clients seem more accepting of their vendors getting breached, and OneLogin provided quick, clear disclosure and remediation steps that helped boost confidence.
Brooks came in to shake up the security firm’s C-suite and provide new executive blood, along with key know-how about bringing a technology product to market.
OneLogin’s new C-suite
When he started his presentation to OneLogin’s sales team at the company’s kickoff in January, Brooks was wearing the same “passion clothes” that he donned for his first day at the company in August. While his outfit was fairly standard executive wear of a blazer, slacks, and button-down shirt, it was accented with red shoes, red cufflinks and red “knock ’em dead” socks that were a gift from his daughter.
On stage and in interviews, he comes across as a coach who’s at once affable and unwilling to pull punches about the challenges facing the team in front of him.
“This was a company six months ago that was having some existential conversations with itself,” Brooks said in an interview with VentureBeat. “It had been through a breach, it had some system issues in terms of uptime in the previous year. From that, there had been some churn challenges with some customers. But more importantly, there were just morale issues across the board.”
In Brooks’ view, OneLogin’s biggest challenges came with its go-to-market strategy, an area that he focused on throughout his career as a technology executive. The company had been through three chief marketing officers and four sales leaders in the past three years. He hired new heads for both those departments after joining as CEO, along with a new vice president of engineering.
Brooks knows a thing or two about high-flying cloud technology companies with big market opportunities. Prior to joining OneLogin, he served in a variety of C-level roles at DocuSign, starting as the e-signature company’s chief marketing officer before expanding to cover product and engineering leadership.
“The one itch that I definitely wanted to scratch was being the CEO,” Brooks said. “The responsibilities [at DocuSign] had gotten all the way up to that point, except that, and so I said, you know what, no hard feelings, but I’m going to find something that gives me that opportunity.”
Thomas Petersen, OneLogin’s cofounder and former CEO, moved into the CTO role, and he heads product development for the company.
OneLogin’s product plans
OneLogin’s product team spent time last year holding back on new feature development to shore up technical debt in the company’s codebase. Now, the team has a revamped product that it hopes will propel the company into the future.
The OneLogin Access offering is a new iteration of the company’s Web Access Management product, which it acquired with Cafesoft in 2015. Like its predecessors, OLA will provide a single tool for managing identities across on-premises applications and public cloud environments. That capability sets OneLogin apart from some of its competitors, which could help the firm win new clients, especially among enterprise customers. These often have a ton of applications running inside private datacenters that they need to manage employee access to just like a software-as-a-service application.
This capability is one that sets OneLogin apart from its competition, Kreizman said. Neither Okta nor Microsoft competes directly with the on-premises integrations offered by OLA’s predecessors, though they have partnerships in place to provide similar functionality.
OLA sets itself apart from its predecessor by fitting into a software container for easier deployment. In addition, customers will get a cloud-based control panel that will allow them to push most identity management changes down to on-premises web servers, without requiring interaction with individual machines.
On top of that, OneLogin is in the midst of rolling out a redesign to its software that’s supposed to make it easier to use. Those changes won’t hit all at once. The company is rolling them out slowly and making incremental shifts to ensure users are comfortable with what’s being tweaked.
Fresh funding for OneLogin
To fuel the business’ ambitions, Brooks is going on the road, drumming up support from new and old investors. All of OneLogin’s board members have committed money to the company’s upcoming funding round, which is expected to close within weeks.
“I’m happy to say I still feel I get to be in one of the top two — or maybe three, if you count Microsoft — players in the space,” Rory O’Driscoll, a partner with Scale Venture Partners, told VentureBeat in an interview.
In his view, OneLogin is a key player in a massive market, and continuing to invest in the company’s growth is a straightforward decision.
Devdutt Yellurkar, a partner at CRV, said in an email that the firm participated in the round, and is “super excited by what Brad and his team are doing at OneLogin.”
The funding will be useful for following through on Brooks’ plan to massively expand OneLogin’s employee base. He told members of the company’s sales staff that he expects the company to have more than 200 employees at the end of this quarter, with more than 260 at the end of 2018. That’s up from more than 165 employees at the start of 2018.
In addition to the existing investors, new players are expected to join the deal, though OneLogin wouldn’t say which firms are involved.
OneLogin isn’t the only player in the identity market, though, and its competitors aren’t all resting on their laurels. Microsoft’s competing Azure Active Directory product is one of the linchpins of its cloud strategy, serving as an onramp for customers into the tech titan’s cloud platform. Okta, meanwhile, is coming off one of 2017’s major tech IPOs with a ton of market momentum.
Brooks told the audience at the company’s sales kickoff that he’s focused on one key metric: cumulative active users, or CAUs. (His presentation was punctuated with a bit of cowbell to emphasize the point.) That will measure usage growth of OneLogin’s product, something that Brooks considers essential for the company’s future. (A focus on usage is something he took from working with Satya Nadella at Microsoft, years before he was CEO.)
OneLogin unsurprisingly doesn’t plan to disclose its CAU data publicly. However, the company pledged to provide regular updates on how many paying customers it has. At the end of 2017, 2,000 organizations paid for OneLogin’s services.
In Brooks’ view, his company will be able to effectively face its competition because of how nimble it can be as a startup, and the fact that it’s not tied to a particular cloud ecosystem. Customers who want to ensure that their technical progress isn’t hampered by a reliance on a single platform could be drawn to OneLogin.
The company’s financial goal, Brooks said, was to become the next great company with $100 million in annual recurring revenue within the next two and a half years — roughly half of Okta’s subscription revenue total for its last fiscal year. If anything, that encapsulates the company’s situation fairly well: OneLogin has the growth potential to reach a financial milestone that puts it a cut above an average business, while also facing the competitive pressure that could hamper the whole enterprise.