Volume 00 · Foundations

Identity Security, explained

A plain-English guide to the space you're building in. No jargon without a definition. Every concept gets a picture. Written for someone new to identity security who needs to understand it deeply — not just recite the buzzwords.

What you'll know by the end

1. What "identity" actually means in cybersecurity — and why it's the most important surface to protect today.

2. The difference between authentication, authorization, and identity management — words often used interchangeably but meaning different things.

3. What MFA, SSO, PAM, IGA, ZTNA, IAM, and CIAM mean — and which one your customer actually needs.

4. How the Identity Security Platform space is structured, who the players are, and where e91 fits.

5. Why this matters commercially — and how to talk about it with any audience.

Chapters
Chapter 01

What is "identity" in tech?

In the physical world, identity is who you are. In tech, it's a bit different — and the difference is the whole reason this industry exists.

When a human walks into a bank, three things happen invisibly. The guard looks at their face (recognition). They show an ID card (verification). The system decides whether to let them into the vault (authorization). In digital systems, none of those things happen automatically — every one of them has to be replicated in code. And every one of them is a place attackers can attack.

So in tech, "identity" is a bundle of three things: a claim ("I'm Priya"), proof (something only Priya would have), and permissions (what Priya is allowed to do once we believe her).

Analogy

Think of identity like an airport. Your passport (the claim) says who you are. The immigration officer scanning your biometrics (the proof) verifies it. The visa stamp (the permission) tells you which gates you can go to. Identity security is the entire airport security system — not any single piece.

Figure 01 · The three ingredients of digital identity
Part 1 · The claim: "I am Priya Sharma". Who you say you are. Examples: username, email, employee ID. Trivially easy to fake.

Part 2 · The proof: "Here's my password + OTP". Evidence only you should have. Examples: password, phone OTP, fingerprint. This is where MFA plays.

Part 3 · The permissions: "Priya can access accounts". What you're allowed to do. Examples: read, write, admin, approve. This is where IGA and PAM play.

Most people lump all three of these together and call it "login." They're different problems, solved by different products, bought by (sometimes) different teams. A huge part of understanding this space is keeping them straight.

Chapter 02

Why this industry exists

Identity didn't use to be a security category. For most of computing history, security was about the network perimeter — a firewall, a DMZ, a VPN. Identity was an afterthought. That changed for three reasons, all commercial.

  1. The perimeter dissolved

    Ten years ago, "inside the company network" meant safe. Today your employees work from a café in Bengaluru on a personal laptop, accessing an app hosted in AWS Singapore, to read a database in Azure. There is no perimeter anymore. The one thing that's still identifiable is who is logging in. Identity became the new perimeter.

  2. Breaches are now identity-led

    Verizon's annual breach report has tracked this for a decade. In 2024, over 80% of breaches involved stolen credentials or compromised identity — not broken firewalls, not unpatched servers. Attackers don't break in, they log in.

  3. Regulators finally noticed

    RBI, SEBI, IRDAI, CERT-In, DPDP — every Indian regulator now mandates identity controls: multi-factor authentication, access reviews, audit logs, privileged-access restrictions. Identity moved from "IT hygiene" to "board-level compliance requirement."

The one-sentence market thesis

Identity is where the breaches happen, where the regulators look, and where buyers have budget. That's why identity security grew from a ₹200cr Indian market in 2018 to a projected ₹3,500cr+ market by 2028 — and why every global cybersecurity leader (Okta, CyberArk, SailPoint, Microsoft) is now an identity company.

Figure 02 · The perimeter shift — why identity matters now
THE OLD WORLD · 2005–2015: The network was the perimeter. Corporate firewall, app server, database, employee desktop. All assets inside one wall · Password was enough. Identity was a checkbox, not a discipline.

THE NEW WORLD · 2020–NOW: Identity is the perimeter. SaaS apps (100s), cloud workloads, remote laptops, mobile devices, partners and contractors, APIs and services. Identity platform: verifies every access. Identity is the only constant · everything else varies.

Chapter 03

The three words everyone confuses

If you internalize only one thing from this document, let it be this chapter. Authentication, authorization, and identity management are three different things — and every conversation, pitch, and RFP response depends on knowing the difference.

Figure 03 · The three questions
AUTHENTICATION · AuthN: "Are you who you say you are?" Proves your identity. Example: password + OTP. Products: MFA, SSO, Passwordless.

AUTHORIZATION · AuthZ: "What are you allowed to do?" Controls your access. Example: admin rights, file read. Products: PAM, ZTNA, policies.

IDENTITY MANAGEMENT · IAM: "How do we manage who exists?" Lifecycle of identities. Example: onboarding, offboarding. Products: IGA, directory, provisioning.

Airport analogy · continued

Authentication is immigration checking your passport and face. Authorization is the boarding pass scanner deciding whether you can enter gate 47 at 2pm. Identity management is the airline issuing your ticket, cancelling it if you miss the flight, reissuing it for a new destination, and eventually archiving your booking history.

Common confusion

"We have MFA, so we're covered for identity."

MFA is authentication only. It answers "is this really Priya?" It does not answer "what is Priya allowed to do?" or "should Priya still have access after changing roles?"

Correct framing

"We have MFA for authentication. We need PAM for privileged authorization, IGA for lifecycle, and eventually ZTNA to tie it all together."

Identity security requires all three pillars. Missing one leaves a specific type of breach vector uncovered.

When a CISO says "we need identity," you have to figure out which of the three they mean. Most of the time, they conflate them — and part of your job is to help them see the full picture without making them feel uneducated. A good discovery question: "When you say 'identity,' are you thinking about proving who someone is, controlling what they can do, or managing the lifecycle of user accounts?"

Chapter 04

How a login actually works

Let's walk through what really happens when an employee logs into an enterprise app. Once you see this flow, everything in the identity space clicks — you'll know exactly where each product fits.

Imagine a bank employee trying to access the core banking system in the morning. Here's what happens in the ~2 seconds between typing their password and seeing their dashboard:

Figure 04 · A login, step by step
1. User types username + password. Priya enters priya.sharma@bank.co.in and her password into the login screen.

2. Identity Provider verifies the password. The app hands credentials to Azure AD / Okta / LDAP — the "directory" that stores user accounts.

3. MFA challenge · the second factor. The IdP calls e91's MFA platform. Priya gets prompted for a 6-digit code from her Authenticator app.

4. Session token is issued. System returns a signed token (JWT) proving "Priya, authenticated at 9:14 AM, valid for 8 hours".

5. Authorization check · what can Priya do? The app asks: "Priya is in Retail Ops group. Is she allowed to view this customer's account?" — IGA answered that question earlier.

6. Privileged access · does she need elevated rights? If Priya tries to run an admin action, PAM intervenes — records the session, may require a second MFA challenge.

Every step above was audited and logged. Tamper-proof audit log records the full journey for forensics and compliance — required by RBI, DPDP, CERT-In.

What this flow tells you

Every identity product maps to a specific step in this flow. MFA is step 3. SSO compresses steps 1-4 across many apps. IGA controls what happens at step 5. PAM intervenes at step 6. And the audit log at the bottom is the one thing every regulator asks about first.

The reason identity security is a platform business, not a product business, is that these steps are all connected — a weakness at any one of them compromises the whole chain. That's why customers eventually want one vendor across all of it.
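Steps 4 to 6 of the flow above, sketched in code. This is an added example, not e91's or any vendor's implementation: the group names, the action names, the 5-minute step-up threshold and the in-memory audit list are assumptions made for illustration, and the token is a minimal HS256 JWT built with the standard library.

```python
import base64
import hashlib
import hmac
import json

SESSION_TTL = 8 * 3600   # step 4: "valid for 8 hours"
STEP_UP_MAX_AGE = 300    # assumption: privileged actions need MFA from the last 5 minutes
# Hypothetical policy: group -> actions it may perform (what IGA provisions ahead of time).
POLICY = {
    "retail-ops": {"view_customer_account"},
    "core-admins": {"view_customer_account", "change_interest_rate"},
}
PRIVILEGED = {"change_interest_rate"}  # actions gated by the step-6 PAM check


def b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(key: bytes, user: str, groups: list, now: int) -> str:
    """Step 4: sign who authenticated, when, and until when (HS256 JWT layout)."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": user, "groups": groups, "iat": now,
              "exp": now + SESSION_TTL, "mfa_at": now}
    signing_input = ".".join(b64e(json.dumps(p).encode()) for p in (header, claims))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64e(sig)


def verify_token(key: bytes, token: str, now: int):
    """Return the claims, or None if the signature, algorithm or expiry check fails."""
    try:
        head, body, sig = token.split(".")
        expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64d(sig)):
            return None
        if json.loads(b64d(head)).get("alg") != "HS256":  # never trust the header's choice
            return None
        claims = json.loads(b64d(body))
        return claims if now < claims["exp"] else None
    except (ValueError, TypeError, KeyError, AttributeError):
        return None


def authorize(key: bytes, token: str, action: str, now: int, audit: list) -> str:
    """Steps 5 and 6: decide, then record the decision whatever the outcome."""
    claims = verify_token(key, token, now)
    if claims is None:
        decision = "deny:invalid_session"
    elif not any(action in POLICY.get(g, ()) for g in claims["groups"]):
        decision = "deny:not_permitted"
    elif action in PRIVILEGED and now - claims["mfa_at"] > STEP_UP_MAX_AGE:
        decision = "step_up_mfa"
    else:
        decision = "allow"
    audit.append({"ts": now, "sub": claims and claims["sub"],
                  "action": action, "decision": decision})
    return decision
```

A token whose group list has been edited fails the signature check and is treated as no session at all, and every outcome, including denials, lands in the audit record.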

Chapter 05

The identity security stack

Every product in this space fits into a layered stack. Once you see the layers, you'll understand why vendors like Okta, CyberArk, and SailPoint are built the way they are — and where the gaps are for e91 to own.

Think of identity security as a six-layer stack. The lower layers handle foundational plumbing (storing who exists). The middle layers handle authentication and authorization. The upper layers add intelligence and governance. Most buyers start with the middle and grow outward.

Figure 05 · The identity security stack, top to bottom
LAYER 6 · INTELLIGENCE (ITDR · UEBA): Identity Threat Detection & Response. Detects risky patterns — impossible travel, credential stuffing, suspicious elevation attempts. Players: Oort, Varonis, Exabeam.

LAYER 5 · GOVERNANCE (IGA): Identity Governance & Administration. Reviews who has access to what, automates joiner-mover-leaver, certifies compliance. Players: SailPoint, Saviynt.

LAYER 4 · PRIVILEGED ACCESS (PAM · PEDM): Privileged Access Management. Protects admin accounts, records privileged sessions, vaults critical credentials. Players: CyberArk, BeyondTrust, Delinea, ARCON.

LAYER 3 · AUTHORIZATION & ACCESS (ZTNA · CASB): Zero Trust Network Access, conditional access. Decides in real time whether a user can access a resource — based on identity, device, location, risk. Players: Zscaler, Cloudflare, Netskope, Palo Alto.

LAYER 2 · AUTHENTICATION · e91 lives here (MFA · SSO · FIDO2): MFA · SSO · Passwordless · FIDO2. Verifies that the user is who they claim to be. Handles the second factor. Issues session tokens. Players: Okta, Duo, Microsoft Entra, e91.

LAYER 1 · DIRECTORY (AD · LDAP · Azure AD): Where identity data actually lives. The system of record for user accounts — names, groups, attributes, password hashes. Players: Microsoft AD, Azure AD, OpenLDAP.

Strategic reading of this stack

Okta plays from Layer 2 upward — they own SSO/MFA and stretch into ZTNA and IGA. They treat the directory layer as something they can replace (Okta Universal Directory).

CyberArk plays from Layer 4 downward — they own PAM and expand into broader privileged identity.

SailPoint plays Layer 5 mainly — IGA is their home turf.

e91 starts at Layer 2 (MFA) but is architecturally designed to expand upward through SSO, PAM, IGA, and ZTNA — without requiring the customer to replace their directory (Layer 1). That IdP-agnostic approach is the key strategic difference.

Chapter 06

The acronym jungle, decoded

Identity security is drowning in acronyms. Here are the ones that actually matter — in plain English, with why each exists and when it comes up in a customer conversation.

MFA
Multi-Factor Authentication
Requires two or more proofs of identity — typically password plus a time-based OTP, push notification, or FIDO2 key. The most common starting point for any identity project.
SSO
Single Sign-On
One login that works across many applications. The user signs in once in the morning and can access every app they're authorized for without typing their password again.
IAM
Identity & Access Management
The umbrella term for the whole category. "IAM" can mean any combination of MFA + SSO + directory + basic authorization. Often used loosely. Ask clarifying questions when a customer says "IAM."
CIAM
Customer Identity & Access Management
IAM, but for external customers (not employees). A bank's retail app, a fintech, an e-commerce checkout — anything where millions of end-users need to sign in. Different scale and UX than workforce IAM.
PAM
Privileged Access Management
Protects the "keys to the kingdom" — admin accounts, root passwords, database credentials. Vaults them, rotates them, records sessions, requires extra MFA. RBI mandates PAM for all critical systems.
IGA
Identity Governance & Administration
The lifecycle side — who gets access when they join, how it changes when they move, and how it's revoked when they leave. Also handles access reviews (the auditor's favorite feature).
ZTNA
Zero Trust Network Access
Replaces the traditional VPN. Instead of letting anyone inside the network by default, every single request is verified — based on identity, device posture, and risk signals. "Never trust, always verify."
FIDO2
Fast Identity Online v2
An open standard for phishing-resistant authentication. Uses cryptography tied to a physical device (YubiKey) or the phone itself (passkey). RBI is pushing Indian banks toward FIDO2 for customer logins.
IdP
Identity Provider
The system that holds user accounts and verifies logins — Azure AD, Okta, on-prem Active Directory, LDAP. Every enterprise has at least one. Your MFA platform plugs into whatever IdP they already have.
SAML / OIDC
Security protocols for SSO
SAML is the older enterprise standard. OIDC (OpenID Connect) is the newer cloud-friendly one. Both do the same thing: let one IdP tell an application "this user is authenticated, let them in."
TOTP / HOTP
Time-based / HMAC-based One-Time Password
The 6-digit codes you see in Google Authenticator. TOTP rotates every 30 seconds. HOTP is counter-based for legacy hardware tokens.
ITDR
Identity Threat Detection & Response
A newer category that watches for identity-specific attacks — compromised sessions, unusual login behavior, privilege escalation. Think EDR, but for identity instead of endpoints.

How to use this in a sales call

Don't throw all the acronyms at a buyer. Listen for which one they use first — that tells you where their mental model starts. If they say "MFA," they're thinking authentication. If they say "IGA," they're thinking audit. If they say "PAM," they have a concrete regulatory pressure. Meet them where they are, then widen the conversation.

Chapter 07

Who buys what, and why

A huge mistake new identity-security entrepreneurs make is treating all buyers the same. "The CISO" is not one person — they behave very differently depending on the segment, the product, and the compliance pressure they're under.

BFSI
Biggest spenders. RBI CSCRF mandates MFA, PAM, IGA for all critical systems. Audit cycles drive predictable budget.
MFA · PAM · IGA · CIAM
Government
Slower procurement, but bigger deals. MeitY empanelment and data residency are non-negotiable. Air-gap deployment opens defense.
MFA · PAM · SSO
Critical Infrastructure
Power, telecom, oil/gas, railway. CERT-In directives force cyber hygiene. Often underserved by global vendors.
MFA · ZTNA · PAM
Large Enterprise
Mix of regulatory and security-maturity drivers. Typical journey: MFA first, then SSO, then PAM, then IGA over 24 months.
MFA · SSO · PAM
Fintech / Digital-native
Different buyer (CTO, CPO) — wants API-first, developer-friendly CIAM. DPDP consent management is the wedge.
CIAM · MFA
Mid-market Enterprise
Buys later, buys less. Usually waits until a compliance or insurance requirement hits. Good volume play once established.
MFA · SSO

The buyer-journey pattern

Almost every buyer in identity security follows the same journey: MFA (compliance pressure) → SSO (user experience) → PAM (audit pressure) → IGA (next audit cycle) → ZTNA (strategic modernization). This is why the MFA anchor is so strategically important — it's the front door to every subsequent sale.

Chapter 08

The market & the players

Identity security is a ~$20 billion global market, growing at 15% annually. In India, it's smaller (~₹3,000cr in 2024) but growing faster. Here's who the competition actually is.

Figure 08 · The competitive landscape
GLOBAL LEADERS
Okta: MFA, SSO, IGA · SaaS only
Microsoft Entra: Bundled with M365 · captive
CyberArk: PAM leader · expensive
SailPoint: IGA leader · enterprise focus
Duo (Cisco): MFA mid-market · US-focused

INDIAN INCUMBENTS
ARCON: PAM leader in India · legacy stack
eMudhra: Digital signing + IAM · PSU-focused
miniOrange: SMB MFA/SSO · Pune-based
ILANTUS / CyberArmor: IGA and PAM · mid-market IN
Saviynt: Indian-origin · but US/global focus

NEW ENTRANTS
e91: Air-gap + PQC + IdP-agnostic
JumpCloud: Unified cloud directory · US-based
1Kosmos / HYPR: Passwordless specialists
Transmit Security: CIAM · financial services
Beyond Identity: Passwordless + device trust

The map above matters for three reasons:

  1. Global leaders have structural blind spots in India

    Okta can't do air-gap. Microsoft Entra forces you into M365. CyberArk is too expensive for mid-market. Each has a gap — e91's strategy targets those gaps deliberately.

  2. Indian incumbents are aging

    ARCON has been around since 2006 — its architecture shows its age. eMudhra is strong in digital signing but weak in modern identity. The space is open for a next-generation Indian challenger.

  3. New entrants are narrow — e91 is platform

    Most new entrants pick one slice (passwordless, CIAM, device trust). e91's platform approach — starting at MFA and expanding through the stack — is uncommon, and it's what creates the long-term defensibility.

Chapter 09

Where e91 fits

Now, with the full map of the space in front of you, it's obvious where we play — and why.

Figure 09 · Our position on the map
Axes: ↑ Modern architecture / ↓ Legacy architecture; Global-first ↔ India-first.

Global leaders quadrant: Okta, MS, Duo
The opportunity quadrant: e91 (starts here)
Global legacy (older stacks): RSA, CA
Indian incumbents (aging): ARCON, eMudhra

The upper-right quadrant — modern + India-first — is uncontested today.

1. Architecture

Modern, cloud-native, stateless, horizontally scalable. Not a repackaged 2010s stack.

2. Deployment

Cloud, on-premises, or fully air-gapped. The air-gap capability is uniquely ours in India.

3. Compliance

DPDP, RBI, SEBI, IRDAI, CERT-In pre-mapped. Not an afterthought.

4. Integration

IdP-agnostic. Plugs into whatever they already have. No rip-and-replace.

5. Future-proof

Post-quantum cryptography ready today. When RBI mandates it, we flip a flag.

6. Platform arc

MFA → SSO → PAM → IGA → ZTNA, on one unified architecture.

Chapter 10

The one-page summary

Everything in this document, distilled. If you remember only this page, you'll sound fluent in any identity security conversation.

Identity security — definition
The discipline of ensuring that the right person has the right access to the right resource at the right time — and nothing more. It spans authentication (proving who you are), authorization (what you can do), and governance (how identities are managed over their lifecycle).
Why it's a big market now
The corporate perimeter has dissolved. 80%+ of breaches involve stolen credentials. Regulators (RBI, CERT-In, DPDP) mandate identity controls. Budget is moving from "network security" to "identity security" — and it's not going back.
The six-layer stack
Directory → Authentication → Authorization → Privileged Access → Governance → Intelligence. Most buyers start in the middle (authentication: MFA/SSO) and expand in both directions over time.
The buyer journey
MFA first (compliance pressure) → SSO (UX) → PAM (audit pressure) → IGA (next audit cycle) → ZTNA (modernization). Any vendor that lands MFA well and has a platform roadmap owns the rest of the journey.
The e91 thesis
Be the modern, India-first, platform identity vendor. Plug into existing directories (not replace). Deploy anywhere (including air-gap). Stay ahead of crypto (PQC-ready). Expand upward through the stack — MFA today, PAM and IGA next, ZTNA after that.
The bottom line

How to think about this space

Identity security is not a feature, it's a foundation. Every security initiative now starts with identity and builds outward. The companies that win in this space are the ones with a platform thesis — not single-product specialists.

India has a unique opportunity. Global leaders can't easily serve air-gapped, data-residency-bound, or rupee-priced environments. Indian incumbents have aging architectures. The middle is wide open for a modern, India-first platform.

e91's job is to own that middle. Start with MFA because that's where budget is clearest and compliance pressure is highest. Use the MFA anchor to land, then expand through the identity stack — methodically, with platform leverage on every new product.

That's the space. That's why we're in it. That's how we win.